From 76b6a37372261cf0a02c8008ff4be53bb738b061 Mon Sep 17 00:00:00 2001 From: Shaz Qadeer Date: Wed, 11 Jan 2023 10:32:33 -0800 Subject: [PATCH] Monomorphization of polymorphic maps and binders (#669) * first commit * moved test to the correct location * first successful verification of polymorphic lambda * bug fix * more bug fixes * minor cleanup * refactoring * fixpoint now detects increase in instantiated declarations * another bug fix * added support for type instantiation based on instantiated type constructors * enabled binder instantiation * fixed bug * bug fixes * added representative Viper subset for monomorphization * add file with parametric Viper domains * added Dafny files for monomorphization * remove system information from Viper monomorphization files * fixed bugs * refactored MonomorphicExpr() interface method * split axiom conjuncts into separate axioms * some typos and minor cleanup * added dafny and viper tests (but with /noVerify) * added some documentation * some refactoring * fixed bugs and added documentation * more documentation * List -> HashSet for instantiationHints * added two more tests Co-authored-by: gauravpartha --- Source/Core/Monomorphization.cs | 1009 +- Source/Core/StandardVisitor.cs | 1 + Source/ExecutionEngine/CommandLineOptions.cs | 8 +- Source/VCGeneration/Prune/AxiomVisitor.cs | 7 +- Source/VCGeneration/Prune/BlocksVisitor.cs | 2 +- .../VCGeneration/Prune/DependencyEvaluator.cs | 3 +- Source/VCGeneration/Prune/FunctionVisitor.cs | 2 +- Source/VCGeneration/Prune/Prune.cs | 1 - Test/monomorphize/Dafny_frame.bpl | 29 + Test/monomorphize/Dafny_frame.bpl.expect | 2 + Test/monomorphize/dafny/Composite.dfy.bpl | 6626 ++++++++ Test/monomorphize/dafny/FlyingRobots.dfy.bpl | 9478 ++++++++++++ Test/monomorphize/dafny/Problem1.dfy.bpl | 6969 +++++++++ Test/monomorphize/dafny/SchorrWaite.dfy.bpl | 9153 +++++++++++ Test/monomorphize/dafny/TreeBarrier.dfy.bpl | 6421 ++++++++ Test/monomorphize/monomorphize1.bpl | 2 +- Test/{datatypes => monomorphize}/polymap0.bpl | 1 - .../polymap0.bpl.expect | 0 Test/monomorphize/polymap1.bpl | 16 + Test/monomorphize/polymap1.bpl.expect | 5 + Test/monomorphize/polymap2.bpl | 15 + Test/monomorphize/polymap2.bpl.expect | 2 + Test/monomorphize/polymap3.bpl | 9 + Test/monomorphize/polymap3.bpl.expect | 2 + Test/monomorphize/polymap4.bpl | 19 + Test/monomorphize/polymap4.bpl.expect | 5 + Test/monomorphize/polymap5.bpl | 19 + Test/monomorphize/polymap5.bpl.expect | 2 + .../viper/binary-search-array.bpl | 953 ++ Test/monomorphize/viper/binary-search-seq.bpl | 855 ++ Test/monomorphize/viper/domains.bpl | 729 + Test/monomorphize/viper/graph-copy.bpl | 3386 +++++ Test/monomorphize/viper/graph_mark.bpl | 3308 ++++ .../viper/linked-list-predicates.bpl | 5199 +++++++ Test/monomorphize/viper/list_insert_noseq.bpl | 1643 ++ .../viper/longest-common-prefix.bpl | 786 + .../viper/max-array-elimination.bpl | 1125 ++ .../monomorphize/viper/max-array-standard.bpl | 1116 ++ .../viper/parallel-array-replace.bpl | 1158 ++ .../quantification_over_pred_permissions.bpl | 680 + Test/monomorphize/viper/seq-slice-simple1.bpl | 1106 ++ Test/monomorphize/viper/testZeroArray.bpl | 2574 ++++ ...ctionalverificationexamplescav_example.bpl | 10428 +++++++++++++ .../viper/testsresourcesexamplesauction.bpl | 12511 ++++++++++++++++ 44 files changed, 87187 insertions(+), 178 deletions(-) create mode 100644 Test/monomorphize/Dafny_frame.bpl create mode 100644 Test/monomorphize/Dafny_frame.bpl.expect create mode 100644 Test/monomorphize/dafny/Composite.dfy.bpl create mode 100644 Test/monomorphize/dafny/FlyingRobots.dfy.bpl create mode 100644 Test/monomorphize/dafny/Problem1.dfy.bpl create mode 100644 Test/monomorphize/dafny/SchorrWaite.dfy.bpl create mode 100644 Test/monomorphize/dafny/TreeBarrier.dfy.bpl rename Test/{datatypes => monomorphize}/polymap0.bpl (99%) rename Test/{datatypes => monomorphize}/polymap0.bpl.expect (100%) create mode 100644 Test/monomorphize/polymap1.bpl create mode 100644 Test/monomorphize/polymap1.bpl.expect create mode 100644 Test/monomorphize/polymap2.bpl create mode 100644 Test/monomorphize/polymap2.bpl.expect create mode 100644 Test/monomorphize/polymap3.bpl create mode 100644 Test/monomorphize/polymap3.bpl.expect create mode 100644 Test/monomorphize/polymap4.bpl create mode 100644 Test/monomorphize/polymap4.bpl.expect create mode 100644 Test/monomorphize/polymap5.bpl create mode 100644 Test/monomorphize/polymap5.bpl.expect create mode 100644 Test/monomorphize/viper/binary-search-array.bpl create mode 100644 Test/monomorphize/viper/binary-search-seq.bpl create mode 100644 Test/monomorphize/viper/domains.bpl create mode 100644 Test/monomorphize/viper/graph-copy.bpl create mode 100644 Test/monomorphize/viper/graph_mark.bpl create mode 100644 Test/monomorphize/viper/linked-list-predicates.bpl create mode 100644 Test/monomorphize/viper/list_insert_noseq.bpl create mode 100644 Test/monomorphize/viper/longest-common-prefix.bpl create mode 100644 Test/monomorphize/viper/max-array-elimination.bpl create mode 100644 Test/monomorphize/viper/max-array-standard.bpl create mode 100644 Test/monomorphize/viper/parallel-array-replace.bpl create mode 100644 Test/monomorphize/viper/quantification_over_pred_permissions.bpl create mode 100644 Test/monomorphize/viper/seq-slice-simple1.bpl create mode 100644 Test/monomorphize/viper/testZeroArray.bpl create mode 100644 Test/monomorphize/viper/testsfunctionalverificationexamplescav_example.bpl create mode 100644 Test/monomorphize/viper/testsresourcesexamplesauction.bpl diff --git a/Source/Core/Monomorphization.cs b/Source/Core/Monomorphization.cs index 0d732733d..2c3be59ab 100644 --- a/Source/Core/Monomorphization.cs +++ b/Source/Core/Monomorphization.cs @@ -1,13 +1,16 @@ using System; using System.Collections.Generic; -using System.Linq; +using System.Diagnostics; using System.Diagnostics.Contracts; +using System.Linq; using Microsoft.Boogie.GraphUtil; namespace Microsoft.Boogie { public class MonomorphismChecker : ReadOnlyVisitor { + // This visitor checks if the program is already monomorphic. + public static bool DoesTypeCtorDeclNeedMonomorphization(TypeCtorDecl typeCtorDecl) { return typeCtorDecl.Arity > 0 && typeCtorDecl.FindStringAttribute("builtin") == null; @@ -66,6 +69,14 @@ public override Declaration VisitTypeCtorDecl(TypeCtorDecl node) class TypeDependencyVisitor : ReadOnlyVisitor { + /* + * An instance of this visitor is created with a type variable "formal" (passed to the constructor). + * This visitor walks over a type T and adds an edge from any type variable nested inside T + * to the type variable "formal". The class MonomorphizableChecker uses this visitor to check + * that there are no expanding type cycles when a polymorphic function calls another + * polymorphic function or a polymorphic procedure calls another polymorphic procedure. + */ + private Graph typeVariableDependencyGraph; private HashSet> strongDependencyEdges; private TypeVariable formal; @@ -77,7 +88,7 @@ public TypeDependencyVisitor(Graph typeVariableDependencyGraph, this.typeVariableDependencyGraph = typeVariableDependencyGraph; this.strongDependencyEdges = strongDependencyEdges; this.formal = formal; - this.insideContructedType = 0; + insideContructedType = 0; } public override CtorType VisitCtorType(CtorType node) @@ -116,12 +127,14 @@ public enum MonomorphizableStatus class MonomorphizableChecker : ReadOnlyVisitor { - public static MonomorphizableStatus IsMonomorphizable(Program program, - out Dictionary axiomsToBeInstantiated, out HashSet polymorphicFunctionAxioms) + /* + * This visitor checks if the program is monomorphizable. It calculates one status value from + * the enum MonomorphizableStatus for the program. + */ + public static MonomorphizableStatus IsMonomorphizable(Program program, out HashSet polymorphicFunctionAxioms) { var checker = new MonomorphizableChecker(program); checker.VisitProgram(program); - axiomsToBeInstantiated = checker.axiomsToBeInstantiated; polymorphicFunctionAxioms = checker.polymorphicFunctionAxioms; if (!checker.isMonomorphizable) { @@ -133,24 +146,20 @@ public static MonomorphizableStatus IsMonomorphizable(Program program, } return MonomorphizableStatus.Monomorphizable; } - - private Program program; + private bool isMonomorphizable; - private Dictionary axiomsToBeInstantiated; private HashSet polymorphicFunctionAxioms; private Graph typeVariableDependencyGraph; // (T,U) in this graph iff T flows to U private HashSet> strongDependencyEdges; // (T,U) in this set iff a type constructed from T flows into U private MonomorphizableChecker(Program program) { - this.program = program; - this.isMonomorphizable = true; - this.polymorphicFunctionAxioms = program.TopLevelDeclarations.OfType() + isMonomorphizable = true; + polymorphicFunctionAxioms = program.TopLevelDeclarations.OfType() .Where(f => f.TypeParameters.Count > 0 && f.DefinitionAxiom != null) .Select(f => f.DefinitionAxiom).ToHashSet(); - this.axiomsToBeInstantiated = new Dictionary(); - this.typeVariableDependencyGraph = new Graph(); - this.strongDependencyEdges = new HashSet>(); + typeVariableDependencyGraph = new Graph(); + strongDependencyEdges = new HashSet>(); } private bool IsFinitelyInstantiable() @@ -171,15 +180,6 @@ private bool IsFinitelyInstantiable() return true; } - public override Expr VisitBinderExpr(BinderExpr node) - { - if (node.TypeParameters.Count > 0) - { - isMonomorphizable = false; - } - return base.VisitBinderExpr(node); - } - public override Expr VisitNAryExpr(NAryExpr node) { if (node.Fun is FunctionCall functionCall) @@ -190,7 +190,6 @@ public override Expr VisitNAryExpr(NAryExpr node) visitor.Visit(node.TypeParameters[t]); }); } - Visit(node.Type); return base.VisitNAryExpr(node); } @@ -205,94 +204,587 @@ public override Cmd VisitCallCmd(CallCmd node) return base.VisitCallCmd(node); } - public override Type VisitMapType(MapType node) + public override Function VisitFunction(Function node) { - if (node.TypeParameters.Count > 0) + if (polymorphicFunctionAxioms.Contains(node.DefinitionAxiom)) { - isMonomorphizable = false; + var forallExpr = (ForallExpr) node.DefinitionAxiom.Expr; + LinqExtender.Map(node.TypeParameters, forallExpr.TypeParameters) + .Iter(x => typeVariableDependencyGraph.AddEdge(x.Key, x.Value)); + VisitExpr(forallExpr.Body); } - return base.VisitMapType(node); + return base.VisitFunction(node); + } + + public override Implementation VisitImplementation(Implementation node) + { + LinqExtender.Map(node.Proc.TypeParameters, node.TypeParameters) + .Iter(x => typeVariableDependencyGraph.AddEdge(x.Key, x.Value)); + return base.VisitImplementation(node); } - private void CheckTypeCtorInstantiatedAxiom(Axiom axiom, string typeCtorName) + public override Absy Visit(Absy node) { - var tcDecl = program.TopLevelDeclarations.OfType().FirstOrDefault(tcd => tcd.Name == typeCtorName); - if (tcDecl == null) + if (node is ICarriesAttributes attrNode && attrNode.Attributes != null) { - isMonomorphizable = false; - return; + VisitQKeyValue(attrNode.Attributes); } - var forallExpr = (ForallExpr) axiom.Expr; - if (tcDecl.Arity != forallExpr.TypeParameters.Count) + return base.Visit(node); + } + + public override Type VisitTypeProxy(TypeProxy node) + { + if (node.ProxyFor == null) { isMonomorphizable = false; + } + else + { + Visit(TypeProxy.FollowProxy(node)); + } + return node; + } + } + + class InstantiationHintCollector : ReadOnlyVisitor + { + /* + * This visitor walks over a polymorphic quantifier to collect hints for instantiating its type parameters + * in the field instantiationHints. This field maps each type parameter T of the quantifier to a dictionary + * that maps a polymorphic type/function D to a set of integers, such that each integer in the set is a + * valid position in the list of type parameters of D. If position i is in the list corresponding to D, + * then the concrete type at position i among instances of D is a hint for T. + */ + + private HashSet typeParameters; + private Dictionary>> instantiationHints; + + public static Dictionary>> CollectInstantiationHints(QuantifierExpr quantifierExpr) + { + var instantiationHintCollector = new InstantiationHintCollector(quantifierExpr); + instantiationHintCollector.VisitExpr(quantifierExpr); + return instantiationHintCollector.instantiationHints; + } + + private InstantiationHintCollector(QuantifierExpr quantifierExpr) + { + typeParameters = new HashSet(quantifierExpr.TypeParameters); + instantiationHints = quantifierExpr.TypeParameters.ToDictionary(typeParameter => typeParameter, + _ => new Dictionary>()); + } + + public override Expr VisitNAryExpr(NAryExpr node) + { + if (node.Fun is FunctionCall functionCall) + { + var actualTypeParams = node.TypeParameters.FormalTypeParams.Select(x => node.TypeParameters[x]).ToList(); + PopulateInstantiationHints(actualTypeParams, functionCall.Func); + } + return base.VisitNAryExpr(node); + } + + public override CtorType VisitCtorType(CtorType node) + { + PopulateInstantiationHints(node.Arguments, node.Decl); + return base.VisitCtorType(node); + } + + private void PopulateInstantiationHints(List actualTypeParams, NamedDeclaration decl) + { + for (int i = 0; i < actualTypeParams.Count; i++) + { + if (actualTypeParams[i] is TypeVariable typeVariable && typeParameters.Contains(typeVariable)) + { + if (!instantiationHints[typeVariable].ContainsKey(decl)) + { + instantiationHints[typeVariable][decl] = new HashSet(); + } + instantiationHints[typeVariable][decl].Add(i); + } + } + } + } + + abstract class BinderExprMonomorphizer + { + /* + * This is the abstract class that is extended by classes for monomorphizing + * LambdaExpr, ForallExpr, and ExistsExpr. + */ + + protected MonomorphizationVisitor monomorphizationVisitor; + protected Dictionary, Expr> instanceExprs; + + public BinderExprMonomorphizer(MonomorphizationVisitor monomorphizationVisitor) + { + this.monomorphizationVisitor = monomorphizationVisitor; + instanceExprs = new Dictionary, Expr>(new ListComparer()); + } + + // Returns the BinderExpr for which this instance of BinderExprMonomorphizer was created. + public abstract BinderExpr BinderExpr { get; } + + // Instantiates this.BinderExpr using the known function and type instantiations. + // Returns true if fresh instances of this.BinderExpr were created. + public abstract bool Instantiate(); + + // Returns the monomorphized version of this.BinderExpr. + public abstract Expr MonomorphicExpr(PolymorphicMapAndBinderSubstituter substituter); + } + + class LambdaExprMonomorphizer : BinderExprMonomorphizer + { + private LambdaExpr lambdaExpr; + + public LambdaExprMonomorphizer(LambdaExpr lambdaExpr, MonomorphizationVisitor monomorphizationVisitor) : + base(monomorphizationVisitor) + { + this.lambdaExpr = lambdaExpr; + } + + public override BinderExpr BinderExpr => lambdaExpr; + + public override bool Instantiate() + { + var polymorphicMapInfo = monomorphizationVisitor.RegisterPolymorphicMapType(lambdaExpr.Type); + Debug.Assert(instanceExprs.Count <= polymorphicMapInfo.Instances.Count); + if (instanceExprs.Count == polymorphicMapInfo.Instances.Count) + { + return false; + } + polymorphicMapInfo.Instances.Skip(instanceExprs.Count).Iter(x => + instanceExprs[x] = monomorphizationVisitor.InstantiateBinderExpr(lambdaExpr, x)); + return true; + } + + public override Expr MonomorphicExpr(PolymorphicMapAndBinderSubstituter substituter) + { + return substituter.VisitExpr(monomorphizationVisitor.RegisterPolymorphicMapType(lambdaExpr.Type) + .GetLambdaConstructor(instanceExprs)); + } + } + + abstract class QuantifierExprMonomorphizer : BinderExprMonomorphizer + { + private QuantifierExpr quantifierExpr; + private Dictionary>> instantiationHints; + + protected QuantifierExprMonomorphizer(QuantifierExpr quantifierExpr, MonomorphizationVisitor monomorphizationVisitor) : + base(monomorphizationVisitor) + { + this.quantifierExpr = quantifierExpr; + instantiationHints = InstantiationHintCollector.CollectInstantiationHints(quantifierExpr); + } + + public override BinderExpr BinderExpr => quantifierExpr; + + public override bool Instantiate() + { + var instanceExprsCount = instanceExprs.Count; + var typeParameterIndexToTypeHints = Enumerable.Range(0, quantifierExpr.TypeParameters.Count) + .Select(_ => new HashSet()).ToList(); + for (int typeParameterIndex = 0; typeParameterIndex < quantifierExpr.TypeParameters.Count; typeParameterIndex++) + { + var typeParameter = quantifierExpr.TypeParameters[typeParameterIndex]; + foreach (var (decl, actualIndexes) in instantiationHints[typeParameter]) + { + foreach (var actualTypeParameters in monomorphizationVisitor.NamedDeclarationInstantiations(decl)) + { + foreach (var actualIndex in actualIndexes) + { + typeParameterIndexToTypeHints[typeParameterIndex].Add(actualTypeParameters[actualIndex]); + } + } + } + } + InstantiateOne(typeParameterIndexToTypeHints, new List()); + return instanceExprsCount < instanceExprs.Count; + } + + private void InstantiateOne(List> typeParameterIndexToTypeHints, List actualTypeParams) + { + if (typeParameterIndexToTypeHints.Count == actualTypeParams.Count) + { + if (!instanceExprs.ContainsKey(actualTypeParams)) + { + instanceExprs[new List(actualTypeParams)] = + monomorphizationVisitor.InstantiateBinderExpr(quantifierExpr, actualTypeParams); + } return; } - axiomsToBeInstantiated.Add(axiom, tcDecl); - VisitExpr(forallExpr.Body); + + foreach (var type in typeParameterIndexToTypeHints[actualTypeParams.Count]) + { + var addPosition = actualTypeParams.Count; + actualTypeParams.Add(type); + InstantiateOne(typeParameterIndexToTypeHints, actualTypeParams); + actualTypeParams.RemoveAt(addPosition); + } + } + } + + class ForallExprMonomorphizer : QuantifierExprMonomorphizer + { + public ForallExprMonomorphizer(ForallExpr forallExpr, MonomorphizationVisitor monomorphizationVisitor) : + base(forallExpr, monomorphizationVisitor) + { + } + + public override Expr MonomorphicExpr(PolymorphicMapAndBinderSubstituter substituter) + { + return Expr.And(instanceExprs.Values.Select(x => substituter.VisitExpr(x))); + } + } + + class ExistsExprMonomorphizer : QuantifierExprMonomorphizer + { + public ExistsExprMonomorphizer(ExistsExpr existsExpr, MonomorphizationVisitor monomorphizationVisitor) : + base(existsExpr, monomorphizationVisitor) + { + } + + public override Expr MonomorphicExpr(PolymorphicMapAndBinderSubstituter substituter) + { + return Expr.Or(instanceExprs.Values.Select(x => substituter.VisitExpr(x))); + } + } + + class PolymorphicMapInfo + { + /* + * An instance of this class is created for each polymorphic map type. + * This class implements the instantiation of the polymorphic map type + * for concrete instances encountered in the program. This class also + * creates the datatype that represents the polymorphic map type in the + * monomorphized program. + */ + + class FieldInfo + { + public Type type; + + public int index; + + // actualParameters is the original parameter list that created this instance of FieldInfo + public List actualParameters; + + public FieldInfo(Type type, int index, List actualParameters) + { + this.type = type; + this.index = index; + this.actualParameters = actualParameters; + } + } + + private MonomorphizationVisitor monomorphizationVisitor; + private MapType mapType; + private Dictionary, FieldInfo> fieldInfos; + private List> instances; + private DatatypeTypeCtorDecl datatypeTypeCtorDecl; + + public PolymorphicMapInfo(MonomorphizationVisitor monomorphizationVisitor, MapType mapType) + { + this.monomorphizationVisitor = monomorphizationVisitor; + this.mapType = mapType; + fieldInfos = new Dictionary, FieldInfo>(new ListComparer()); + instances = new List>(); + datatypeTypeCtorDecl = new DatatypeTypeCtorDecl(new TypeCtorDecl(Token.NoToken, MapTypeName, 0, + new QKeyValue(Token.NoToken, "datatype", new List(), null))); + } + + public CtorType Datatype => new(Token.NoToken, datatypeTypeCtorDecl, new List()); + + public List> Instances => instances; + + public DatatypeTypeCtorDecl CreateDatatypeTypeCtorDecl(PolymorphicMapAndBinderSubstituter polymorphicMapAndBinderSubstituter) + { + var inParams = instances.Select(x => new Formal(Token.NoToken, + new TypedIdent(Token.NoToken, FieldName(x), polymorphicMapAndBinderSubstituter.VisitType(fieldInfos[x].type)), + true)).ToList(); + var outParam = new Formal(Token.NoToken, + new TypedIdent(Token.NoToken, MapTypeName, new CtorType(Token.NoToken, datatypeTypeCtorDecl, new List())), + false); + var function = new Function(Token.NoToken, MapTypeName, new List(), inParams, outParam, null, + new QKeyValue(Token.NoToken, "constructor", new List(), null)); + var constructor = new DatatypeConstructor(function); + datatypeTypeCtorDecl.AddConstructor(constructor); + return datatypeTypeCtorDecl; + } + + public Expr GetLambdaConstructor(Dictionary, Expr> instanceExprs) + { + var returnExpr = new NAryExpr(Token.NoToken, new FunctionCall(datatypeTypeCtorDecl.Constructors[0]), + instances.Select(x => instanceExprs[x]).ToList()); + returnExpr.Type = Datatype; + returnExpr.TypeParameters = SimpleTypeParamInstantiation.EMPTY; + return returnExpr; + } + + public FieldAccess GetFieldAccess(List actualParameters) + { + Debug.Assert(fieldInfos.ContainsKey(actualParameters)); + actualParameters = PopulateField(actualParameters); + return new FieldAccess(Token.NoToken, FieldName(actualParameters), datatypeTypeCtorDecl, + new List { new(0, fieldInfos[actualParameters].index) }); + } + + public Type GetFieldType(List actualParameters) + { + actualParameters = PopulateField(actualParameters); + return fieldInfos[actualParameters].type; + } + + public List PopulateField(List actualParameters) + { + if (!fieldInfos.ContainsKey(actualParameters)) + { + fieldInfos[actualParameters] = new FieldInfo(Instantiate(actualParameters), instances.Count, actualParameters); + instances.Add(actualParameters); + } + return fieldInfos[actualParameters].actualParameters; + } + + private string MapTypeName => $"PolymorphicMapType_{mapType.UniqueId}"; + + private string FieldName(List actualParameters) + { + return MonomorphizationVisitor.MkInstanceName(MapTypeName, actualParameters); + } + + private MapType Instantiate(List actualParameters) + { + var subst = LinqExtender.Map(mapType.TypeParameters, actualParameters); + List newArgs = new List(); + foreach (Type t in mapType.Arguments) + { + newArgs.Add(t.Substitute(subst)); + } + Type newResult = mapType.Result.Substitute(subst); + var returnType = new MapType(mapType.tok, new List(), newArgs, newResult); + return (MapType)new MonomorphizationDuplicator(monomorphizationVisitor).VisitMapType(returnType); + } + } + + class PolymorphicMapAndBinderSubstituter : VarDeclOnceStandardVisitor + { + /* + * This visitor finalizes the monomorphization of polymorphic maps and binders once + * all instantiations have been discovered. It accomplishes the following substitutions: + * - ach access to a polymorphic map with an access to corresponding datatype + * - each occurrence of a polymorphic map type with the corresponding datatype + * - each polymorphic lambda with a constructor call of the corresponding datatype + * - each polymorphic forall quantifier with a conjunction + * - each polymorphic exists quantifier with a disjunction + */ + + private MonomorphizationVisitor monomorphizationVisitor; + private Dictionary binderExprMonomorphizers; + // The top-level conjuncts of the rewritten axiom are added to this list, thus allowing + // the original axioms to be replaced by the axioms collected in splitAxioms. Splitting + // the axioms makes it easy to read the rewritten program and enables axiom pruning to + // be applied. + private List splitAxioms; + + public PolymorphicMapAndBinderSubstituter(MonomorphizationVisitor monomorphizationVisitor) + { + this.monomorphizationVisitor = monomorphizationVisitor; + splitAxioms = new List(); + } + + public List Substitute(Program program) + { + binderExprMonomorphizers = monomorphizationVisitor.GetBinderExprMonomorphizers(); + Visit(program); + return splitAxioms; + } + + private List ActualTypeParams(TypeParamInstantiation typeParamInstantiation) + { + return typeParamInstantiation.FormalTypeParams.Select(x => TypeProxy.FollowProxy(typeParamInstantiation[x])) + .Select(x => monomorphizationVisitor.LookupType(x)).ToList(); } public override Axiom VisitAxiom(Axiom node) { - if (polymorphicFunctionAxioms.Contains(node)) + var axiom = base.VisitAxiom(node); + var stack = new Stack(); + stack.Push(axiom.Expr); + while (stack.Count > 0) { - return node; + var expr = stack.Pop(); + if (expr is NAryExpr { Fun: BinaryOperator { Op: BinaryOperator.Opcode.And } } nAryExpr) + { + stack.Push(nAryExpr.Args[0]); + stack.Push(nAryExpr.Args[1]); + } + else + { + splitAxioms.Add(new Axiom(Token.NoToken, expr)); + } } - var typeCtorName = node.FindStringAttribute("ctor"); - if (typeCtorName == null || !(node.Expr is ForallExpr)) + return axiom; + } + + public override Expr VisitNAryExpr(NAryExpr node) + { + if (node.Fun is BinaryOperator { Op: BinaryOperator.Opcode.Eq } && !node.Args[0].Type.Equals(node.Args[1].Type)) + { + return Expr.False; + } + if (node.Fun is BinaryOperator { Op: BinaryOperator.Opcode.Neq } && !node.Args[0].Type.Equals(node.Args[1].Type)) { - return base.VisitAxiom(node); + return Expr.True; + } + if (!(node.Fun is MapSelect || node.Fun is MapStore) || node.TypeParameters.FormalTypeParams.Count == 0) + { + return base.VisitNAryExpr(node); + } + var polymorphicMapInfo = monomorphizationVisitor.RegisterPolymorphicMapType(node.Args[0].Type); + node = (NAryExpr)base.VisitNAryExpr(node); + var actualTypeParams = ActualTypeParams(node.TypeParameters); + var fieldAccess = polymorphicMapInfo.GetFieldAccess(actualTypeParams); + var polymorphicMapDatatypeExpr = node.Args[0]; + var fieldAccessExpr = new NAryExpr(Token.NoToken, fieldAccess, new List { polymorphicMapDatatypeExpr }); + fieldAccessExpr.Type = polymorphicMapInfo.GetFieldType(actualTypeParams); + fieldAccessExpr.TypeParameters = SimpleTypeParamInstantiation.EMPTY; + node.Args[0] = fieldAccessExpr; + node.TypeParameters = SimpleTypeParamInstantiation.EMPTY; + if (node.Fun is MapStore) + { + node.Type = fieldAccessExpr.Type; + var fieldUpdate = new FieldUpdate(fieldAccess); + node = new NAryExpr(Token.NoToken, fieldUpdate, new List { polymorphicMapDatatypeExpr, node }); + node.Type = polymorphicMapInfo.Datatype; } - CheckTypeCtorInstantiatedAxiom(node, typeCtorName); return node; } - public override Function VisitFunction(Function node) + public override AssignLhs VisitMapAssignLhs(MapAssignLhs node) { - if (polymorphicFunctionAxioms.Contains(node.DefinitionAxiom)) + var polymorphicMapInfo = monomorphizationVisitor.RegisterPolymorphicMapType(node.Map.Type); + var mapAssignLhs = (MapAssignLhs)base.VisitMapAssignLhs(node); + if (mapAssignLhs.TypeParameters.FormalTypeParams.Count > 0) { - var forallExpr = (ForallExpr) node.DefinitionAxiom.Expr; - LinqExtender.Map(node.TypeParameters, forallExpr.TypeParameters) - .Iter(x => typeVariableDependencyGraph.AddEdge(x.Key, x.Value)); - VisitExpr(forallExpr.Body); + var actualTypeParams = ActualTypeParams(mapAssignLhs.TypeParameters); + var fieldAccess = polymorphicMapInfo.GetFieldAccess(actualTypeParams); + var fieldAssignLhs = new FieldAssignLhs(Token.NoToken, mapAssignLhs.Map, fieldAccess) + { + TypeParameters = SimpleTypeParamInstantiation.EMPTY + }; + mapAssignLhs = new MapAssignLhs(Token.NoToken, fieldAssignLhs, mapAssignLhs.Indexes) + { + TypeParameters = SimpleTypeParamInstantiation.EMPTY + }; } - return base.VisitFunction(node); + else + { + mapAssignLhs = new MapAssignLhs(Token.NoToken, mapAssignLhs.Map, mapAssignLhs.Indexes) + { + TypeParameters = SimpleTypeParamInstantiation.EMPTY + }; + } + return mapAssignLhs; } - public override Implementation VisitImplementation(Implementation node) + public override AssignLhs VisitFieldAssignLhs(FieldAssignLhs node) { - LinqExtender.Map(node.Proc.TypeParameters, node.TypeParameters) - .Iter(x => typeVariableDependencyGraph.AddEdge(x.Key, x.Value)); - return base.VisitImplementation(node); + var fieldAssignLhs = (FieldAssignLhs)base.VisitFieldAssignLhs(node); + fieldAssignLhs = new FieldAssignLhs(Token.NoToken, fieldAssignLhs.Datatype, fieldAssignLhs.FieldAccess) + { + TypeParameters = SimpleTypeParamInstantiation.EMPTY + }; + return fieldAssignLhs; } - public override Absy Visit(Absy node) + public override Type VisitMapType(MapType node) { - if (node is ICarriesAttributes attrNode && attrNode.Attributes != null) + node = (MapType)base.VisitMapType(node); + if (node.TypeParameters.Count > 0) { - VisitQKeyValue(attrNode.Attributes); + var polymorphicMapInfo = monomorphizationVisitor.RegisterPolymorphicMapType(node); + return polymorphicMapInfo.Datatype; } - return base.Visit(node); + return node; } - - public override Type VisitTypeProxy(TypeProxy node) + + public override Expr VisitBinderExpr(BinderExpr node) { - if (node.ProxyFor == null) + var returnExpr = binderExprMonomorphizers.ContainsKey(node) + ? binderExprMonomorphizers[node].MonomorphicExpr(this) + : base.VisitBinderExpr(node); + if (returnExpr is QuantifierExpr { Triggers: { } } quantifierExpr) { - isMonomorphizable = false; + quantifierExpr.Triggers = VisitTrigger(quantifierExpr.Triggers); } - else + if (returnExpr is BinderExpr { Attributes: { } } binderExpr) { - Visit(TypeProxy.FollowProxy(node)); + binderExpr.Attributes = VisitQKeyValue(binderExpr.Attributes); } + return returnExpr; + } + + public override Expr VisitLambdaExpr(LambdaExpr node) + { + return VisitBinderExpr(node); + } + + public override Expr VisitForallExpr(ForallExpr node) + { + return VisitBinderExpr(node); + } + + public override Expr VisitExistsExpr(ExistsExpr node) + { + return VisitBinderExpr(node); + } + + public override Type VisitType(Type node) + { + return (Type)Visit(node); + } + + public override Type VisitBasicType(BasicType node) + { return node; } + + public override Type VisitTypeVariable(TypeVariable node) + { + return node; + } + + public override Expr VisitExpr(Expr node) + { + node = base.VisitExpr(node); + node.Type = VisitType(node.Type); + return node; + } + + public override Expr VisitIdentifierExpr(IdentifierExpr node) + { + var identifierExpr = base.VisitIdentifierExpr(node); + identifierExpr.Type = VisitType(identifierExpr.Type); + return identifierExpr; + } + + public override Declaration VisitTypeSynonymDecl(TypeSynonymDecl node) + { + node.Body = VisitType(node.Body); + return node; + } + + public override Constant VisitConstant(Constant node) + { + return (Constant)VisitVariable(node); + } } class MonomorphizationDuplicator : Duplicator { + // This class works together with MonomorphizationVisitor to accomplish monomorphization + // of a Boogie program. + private MonomorphizationVisitor monomorphizationVisitor; - private Absy parentAbsy; private Dictionary typeParamInstantiation; private Dictionary variableMapping; private Dictionary boundVarSubst; @@ -300,7 +792,6 @@ class MonomorphizationDuplicator : Duplicator public MonomorphizationDuplicator(MonomorphizationVisitor monomorphizationVisitor) { this.monomorphizationVisitor = monomorphizationVisitor; - this.parentAbsy = null; typeParamInstantiation = new Dictionary(); variableMapping = new Dictionary(); boundVarSubst = new Dictionary(); @@ -310,20 +801,18 @@ public MonomorphizationDuplicator(MonomorphizationVisitor monomorphizationVisito Dictionary typeParamInstantiation) { this.monomorphizationVisitor = monomorphizationVisitor; - this.parentAbsy = null; this.typeParamInstantiation = typeParamInstantiation; - this.variableMapping = new Dictionary(); - this.boundVarSubst = new Dictionary(); + variableMapping = new Dictionary(); + boundVarSubst = new Dictionary(); } - public MonomorphizationDuplicator(MonomorphizationVisitor monomorphizationVisitor, Absy parentAbsy, + public MonomorphizationDuplicator(MonomorphizationVisitor monomorphizationVisitor, Dictionary typeParamInstantiation, Dictionary variableMapping) { this.monomorphizationVisitor = monomorphizationVisitor; - this.parentAbsy = parentAbsy; this.typeParamInstantiation = typeParamInstantiation; this.variableMapping = variableMapping; - this.boundVarSubst = new Dictionary(); + boundVarSubst = new Dictionary(); } public override AssignLhs VisitFieldAssignLhs(FieldAssignLhs node) @@ -333,6 +822,12 @@ public override AssignLhs VisitFieldAssignLhs(FieldAssignLhs node) fieldAssignLhs.TypeParameters.FormalTypeParams.Select(x => TypeProxy.FollowProxy(fieldAssignLhs.TypeParameters[x]).Substitute(typeParamInstantiation)) .Select(x => monomorphizationVisitor.LookupType(x)).ToList(); + fieldAssignLhs.TypeParameters = + SimpleTypeParamInstantiation.From(fieldAssignLhs.TypeParameters.FormalTypeParams, actualTypeParams); + if (actualTypeParams.Any(HasFreeTypeVariables)) + { + return fieldAssignLhs; + } var fieldAccess = fieldAssignLhs.FieldAccess; var datatypeTypeCtorDecl = fieldAccess.DatatypeTypeCtorDecl; if (datatypeTypeCtorDecl.Arity == 0) @@ -347,6 +842,22 @@ public override AssignLhs VisitFieldAssignLhs(FieldAssignLhs node) return fieldAssignLhs; } + public override AssignLhs VisitMapAssignLhs(MapAssignLhs node) + { + var mapAssignLhs = (MapAssignLhs)base.VisitMapAssignLhs(node); + var actualTypeParams = + mapAssignLhs.TypeParameters.FormalTypeParams.Select(x => + TypeProxy.FollowProxy(mapAssignLhs.TypeParameters[x]).Substitute(typeParamInstantiation)) + .Select(x => monomorphizationVisitor.LookupType(x)).ToList(); + mapAssignLhs.TypeParameters = + SimpleTypeParamInstantiation.From(mapAssignLhs.TypeParameters.FormalTypeParams, actualTypeParams); + if (!actualTypeParams.Any(HasFreeTypeVariables) && actualTypeParams.Count > 0) + { + monomorphizationVisitor.RegisterPolymorphicMapType(node.Map.Type).PopulateField(actualTypeParams); + } + return mapAssignLhs; + } + public override Expr VisitNAryExpr(NAryExpr node) { var returnExpr = (NAryExpr)base.VisitNAryExpr(node); @@ -362,7 +873,20 @@ public override Expr VisitNAryExpr(NAryExpr node) return returnExpr.Args[0]; } - if (returnExpr.Fun is IsConstructor isConstructor) + if (actualTypeParams.Any(HasFreeTypeVariables)) + { + return returnExpr; + } + + if (returnExpr.Fun is MapSelect && returnExpr.TypeParameters.FormalTypeParams.Count > 0) + { + monomorphizationVisitor.RegisterPolymorphicMapType(returnExpr.Args[0].Type).PopulateField(actualTypeParams); + } + else if (returnExpr.Fun is MapStore && returnExpr.TypeParameters.FormalTypeParams.Count > 0) + { + monomorphizationVisitor.RegisterPolymorphicMapType(returnExpr.Type).PopulateField(actualTypeParams); + } + else if (returnExpr.Fun is IsConstructor isConstructor) { var datatypeTypeCtorDecl = isConstructor.DatatypeTypeCtorDecl; if (datatypeTypeCtorDecl.Arity == 0) @@ -403,7 +927,7 @@ public override Expr VisitNAryExpr(NAryExpr node) } else if (returnExpr.Fun is FunctionCall functionCall) { - // a non-generic function must be processed to rewrite any generic types it uses + // a non-polymorphic function must be processed to rewrite any polymorphic types it uses // to the corresponding instantiated types if (functionCall.Func.TypeParameters.Count == 0) { @@ -457,11 +981,11 @@ public override Cmd VisitCallCmd(CallCmd node) public override Type VisitTypeVariable(TypeVariable node) { - if (typeParamInstantiation.Count == 0) + if (typeParamInstantiation.ContainsKey(node)) { - return node; + return typeParamInstantiation[node]; } - return typeParamInstantiation[node]; + return node; } public override Type VisitMapType(MapType node) @@ -469,10 +993,13 @@ public override Type VisitMapType(MapType node) node = (MapType)node.Clone(); for (int i = 0; i < node.Arguments.Count; ++i) { - node.Arguments[i] = (Type)this.Visit(node.Arguments[i]); + node.Arguments[i] = (Type)Visit(node.Arguments[i]); + } + node.Result = (Type)Visit(node.Result); + if (node.FreeVariables.Count == 0 && node.TypeParameters.Count > 0) + { + monomorphizationVisitor.RegisterPolymorphicMapType(node); } - - node.Result = (Type)this.Visit(node.Result); return node; } @@ -481,12 +1008,15 @@ public override CtorType VisitCtorType(CtorType node) node = (CtorType)node.Clone(); for (int i = 0; i < node.Arguments.Count; ++i) { - node.Arguments[i] = (Type)this.Visit(node.Arguments[i]); + node.Arguments[i] = (Type)Visit(node.Arguments[i]); } + if (node.Arguments.Any(HasFreeTypeVariables)) + { + return node; + } + var typeCtorDecl = node.Decl; - monomorphizationVisitor.AddTriggerType(typeCtorDecl, node); - if (MonomorphismChecker.DoesTypeCtorDeclNeedMonomorphization(typeCtorDecl)) { return new CtorType(node.tok, monomorphizationVisitor.InstantiateTypeCtorDecl(typeCtorDecl, node.Arguments), @@ -498,15 +1028,14 @@ public override CtorType VisitCtorType(CtorType node) public override Type VisitTypeSynonymAnnotation(TypeSynonymAnnotation node) { - base.VisitTypeSynonymAnnotation(node); - return node.ExpandedType; + return VisitType(node.ExpandedType); } public override Type VisitType(Type node) { return (Type)Visit(node); } - + public override Type VisitTypeProxy(TypeProxy node) { return VisitType(TypeProxy.FollowProxy(node)); @@ -547,6 +1076,7 @@ public override Expr VisitBinderExpr(BinderExpr node) } var expr = (BinderExpr)base.VisitBinderExpr(node); + expr.Type = VisitType(expr.Type); expr.Dummies = node.Dummies.Select(x => oldToNew[x]).ToList(); // We process triggers of quantifier expressions here, because otherwise the // substitutions for bound variables have to be leaked outside this procedure. @@ -554,7 +1084,7 @@ public override Expr VisitBinderExpr(BinderExpr node) { if (quantifierExpr.Triggers != null) { - ((QuantifierExpr)expr).Triggers = this.VisitTrigger(quantifierExpr.Triggers); + ((QuantifierExpr)expr).Triggers = VisitTrigger(quantifierExpr.Triggers); } } @@ -568,13 +1098,33 @@ public override Expr VisitBinderExpr(BinderExpr node) boundVarSubst.Remove(x); } + if (expr.TypeParameters.Count > 0) + { + if (expr is LambdaExpr lambdaExpr) + { + monomorphizationVisitor.AddBinderExprMonomorphizer(new LambdaExprMonomorphizer(lambdaExpr, monomorphizationVisitor)); + } + else if (expr is ForallExpr forallExpr) + { + monomorphizationVisitor.AddBinderExprMonomorphizer(new ForallExprMonomorphizer(forallExpr, monomorphizationVisitor)); + } + else if (expr is ExistsExpr existsExpr) + { + monomorphizationVisitor.AddBinderExprMonomorphizer(new ExistsExprMonomorphizer(existsExpr, monomorphizationVisitor)); + } + else + { + throw new cce.UnreachableException(); + } + } + return expr; } public override QuantifierExpr VisitQuantifierExpr(QuantifierExpr node) { // Don't remove this implementation! Triggers should be duplicated in VisitBinderExpr. - return (QuantifierExpr)this.VisitBinderExpr(node); + return (QuantifierExpr)VisitBinderExpr(node); } public override Expr VisitLetExpr(LetExpr node) @@ -597,9 +1147,43 @@ public override Expr VisitLetExpr(LetExpr node) return expr; } + + private static bool HasFreeTypeVariables(Type type) + { + return new FreeTypeVariableChecker().IsPolymorphic(type); + } + + class FreeTypeVariableChecker + { + private HashSet boundTypeVariables = new HashSet(); + public bool IsPolymorphic(Type type) + { + type = TypeProxy.FollowProxy(type).Expanded; + if (type is BasicType) + { + return false; + } + if (type is TypeVariable typeVariable) + { + return !boundTypeVariables.Contains(typeVariable); + } + if (type is CtorType ctorType) + { + return ctorType.Arguments.Any(IsPolymorphic); + } + if (type is MapType mapType) + { + mapType.TypeParameters.Iter(x => boundTypeVariables.Add(x)); + var returnVal = mapType.Arguments.Any(IsPolymorphic) || IsPolymorphic(mapType.Result); + mapType.TypeParameters.Iter(x => boundTypeVariables.Remove(x)); + return returnVal; + } + throw new cce.UnreachableException(); + } + } } - class MonomorphizationVisitor : StandardVisitor + class MonomorphizationVisitor : VarDeclOnceStandardVisitor { /* * This class monomorphizes a Boogie program. Monomorphization starts from @@ -616,12 +1200,42 @@ class MonomorphizationVisitor : StandardVisitor * the latter creates a duplicate copy. MonomorphizationDuplicator is needed * because a polymorphic function, type, or procedure may be visited several * times in different type contexts. + * + * A polymorphic map type T is converted into a single-constructor datatype with + * one field for each instantiation I of T encountered in the program. An operation + * on a value of I-instantiation of T is translated to the corresponding operation + * on the field corresponding to I in the datatype corresponding to T. Polymorphic + * lambdas are translated to a constructed value of the datatype; the field + * corresponding to I is initialized by instantiating the polymorphic lambda on I. + * + * A polymorphic forall quantifier is translated to a conjunction of monomorphic + * instances of the quantifier obtained by instantiating the bound type parameters + * on concrete types collected from the program. Similarly, a polymorphic exists + * quantifier is translated to a disjunction. This instantiation scheme is "sound" + * if each forall quantifier occurs in positive polarity and each exists quantifier + * occurs in negative polarity in the verification condition submitted for + * satisfiability checking. + * + * The implementation uses a heuristic for collecting types for monomorphizing quantifiers. + * The body of the quantifier is examined to collect all instances of polymorphic types + * and functions mentioned in it. Suppose an instantiation T X of the polymorphic type T + * (with one parameter instantiated to X) is collected. If X is a type parameter of the + * enclosing quantifier, then each concrete type used in any instantiation of T becomes a + * candidate for instantiating the type quantifier. This scheme is easily generalized to + * types with more than one type parameter. References to polymorphic functions are handled + * similarly. Once candidates for all bound type parameters of the quantifier are collected, + * instantiation is performed using the Cartesian product of the candidates for each parameter. + * + * A big source of complexity in the implementation is the handling of nested binders. + * To handle nesting appropriately, the implementation + * (1) dynamically discovers polymorphic binders that become candidates for instantiation, and + * (2) finalizes the instantiation of a binder only when the instantiation of all of its + * children has been finalized. */ public CoreOptions Options { get; } private Program program; - private Dictionary axiomsToBeInstantiated; private Dictionary nameToFunction; private Dictionary nameToProcedure; private Dictionary nameToImplementation; @@ -631,20 +1245,18 @@ class MonomorphizationVisitor : StandardVisitor private Dictionary, Implementation>> implInstantiations; private Dictionary, TypeCtorDecl>> typeInstantiations; private HashSet newInstantiatedDeclarations; + private List binderExprMonomorphizers; + private Dictionary polymorphicMapInfos; private Dictionary>> declWithFormalsToTypeInstantiation; private Dictionary>> typeCtorDeclToTypeInstantiation; - private Dictionary> triggerTypes; - private Dictionary> newTriggerTypes; private HashSet visitedTypeCtorDecls; private HashSet visitedFunctions; private Dictionary procToImpl; - private MonomorphizationVisitor(CoreOptions options, Program program, - Dictionary axiomsToBeInstantiated, HashSet polymorphicFunctionAxioms) + private MonomorphizationVisitor(CoreOptions options, Program program, HashSet polymorphicFunctionAxioms) { Options = options; this.program = program; - this.axiomsToBeInstantiated = axiomsToBeInstantiated; implInstantiations = new Dictionary, Implementation>>(); nameToImplementation = new Dictionary(); program.TopLevelDeclarations.OfType().Where(impl => impl.TypeParameters.Count > 0).Iter( @@ -673,6 +1285,8 @@ private MonomorphizationVisitor(CoreOptions options, Program program, typeCtorDeclToTypeInstantiation = new Dictionary>>(); typeInstantiations = new Dictionary, TypeCtorDecl>>(); newInstantiatedDeclarations = new HashSet(); + binderExprMonomorphizers = new List(); + polymorphicMapInfos = new Dictionary(); nameToTypeCtorDecl = new Dictionary(); program.TopLevelDeclarations.OfType() .Where(typeCtorDecl => MonomorphismChecker.DoesTypeCtorDeclNeedMonomorphization(typeCtorDecl)).Iter( @@ -681,31 +1295,22 @@ private MonomorphizationVisitor(CoreOptions options, Program program, nameToTypeCtorDecl.Add(typeCtorDecl.Name, typeCtorDecl); typeInstantiations.Add(typeCtorDecl, new Dictionary, TypeCtorDecl>(new ListComparer())); }); - triggerTypes = new Dictionary>(); - newTriggerTypes = new Dictionary>(); - axiomsToBeInstantiated.Values.ToHashSet().Iter(typeCtorDecl => - { - triggerTypes.Add(typeCtorDecl, new HashSet()); - newTriggerTypes.Add(typeCtorDecl, new HashSet()); - }); - this.visitedTypeCtorDecls = new HashSet(); - this.visitedFunctions = new HashSet(); - this.procToImpl = new Dictionary(); - program.TopLevelDeclarations.OfType().Iter(impl => this.procToImpl[impl.Proc] = impl); + visitedTypeCtorDecls = new HashSet(); + visitedFunctions = new HashSet(); + procToImpl = new Dictionary(); + program.TopLevelDeclarations.OfType().Iter(impl => procToImpl[impl.Proc] = impl); program.RemoveTopLevelDeclarations(decl => decl is Implementation impl && implInstantiations.ContainsKey(impl) || decl is Procedure proc && procInstantiations.ContainsKey(proc) || decl is Function function && functionInstantiations.ContainsKey(function) || decl is TypeCtorDecl typeCtorDecl && typeInstantiations.ContainsKey(typeCtorDecl) || decl is TypeSynonymDecl typeSynonymDecl && typeSynonymDecl.TypeParameters.Count > 0 || - decl is Axiom axiom && (axiomsToBeInstantiated.ContainsKey(axiom) || polymorphicFunctionAxioms.Contains(axiom))); + decl is Axiom axiom && polymorphicFunctionAxioms.Contains(axiom)); } - public static MonomorphizationVisitor Initialize(CoreOptions options, Program program, - Dictionary axiomsToBeInstantiated, - HashSet polymorphicFunctionAxioms) + public static MonomorphizationVisitor Initialize(CoreOptions options, Program program, HashSet polymorphicFunctionAxioms) { - var monomorphizationVisitor = new MonomorphizationVisitor(options, program, axiomsToBeInstantiated, polymorphicFunctionAxioms); + var monomorphizationVisitor = new MonomorphizationVisitor(options, program, polymorphicFunctionAxioms); // ctorTypes contains all the uninterpreted types created for monomorphizing top-level polymorphic implementations // that must be verified. The types in ctorTypes are reused across different implementations. var ctorTypes = new List(); @@ -724,21 +1329,92 @@ public static MonomorphizationVisitor Initialize(CoreOptions options, Program pr instantiatedImpl.Proc = monomorphizationVisitor.InstantiateProcedure(impl.Proc, actualTypeParams); }); monomorphizationVisitor.VisitProgram(program); - monomorphizationVisitor.InstantiateAxioms(); - monomorphizationVisitor.AddInstantiatedDeclarations(program); + monomorphizationVisitor.AddInstantiatedDeclarations(); program.AddTopLevelDeclarations(typeCtorDecls); + monomorphizationVisitor.FixpointOnBinderExprMonomorphizers(); + var polymorphicMapAndBinderSubstituter = new PolymorphicMapAndBinderSubstituter(monomorphizationVisitor); + var polymorphicMapDatatypeCtorDecls = + monomorphizationVisitor.polymorphicMapInfos.Values.Select(polymorphicMapInfo => + polymorphicMapInfo.CreateDatatypeTypeCtorDecl(polymorphicMapAndBinderSubstituter)).ToList(); + var splitAxioms = polymorphicMapAndBinderSubstituter.Substitute(program); + program.RemoveTopLevelDeclarations(decl => decl is Axiom); + program.AddTopLevelDeclarations(splitAxioms); + program.AddTopLevelDeclarations(polymorphicMapDatatypeCtorDecls); Contract.Assert(MonomorphismChecker.IsMonomorphic(program)); return monomorphizationVisitor; } - public void AddTriggerType(TypeCtorDecl typeCtorDecl, CtorType ctorType) + /* + * Binder expressions may be nested inside other binder expressions. The instantiation of known binder + * expressions using known type and function instantiations may discover more binder expressions and + * create more type and function instantiation. After the program has been visited, the top-level binder + * expressions have been discovered. The following method is called subsequently to execute a fixpoint + * on the set of binder expressions, function instantiations, and type instantiations. + */ + private void FixpointOnBinderExprMonomorphizers() { - if (triggerTypes.ContainsKey(typeCtorDecl) && - !triggerTypes[typeCtorDecl].Contains(ctorType)) + var moreWorkNeeded = true; + while (moreWorkNeeded) { - triggerTypes[typeCtorDecl].Add(ctorType); - newTriggerTypes[typeCtorDecl].Add(ctorType); + moreWorkNeeded = false; + + // binderExprMonomorphizers is modified inside the loop so iterate over a copy of it + var oldBinderExprMonomorphizers = new List(binderExprMonomorphizers); + foreach (var binderExprMonomorphizer in oldBinderExprMonomorphizers) + { + if (binderExprMonomorphizer.Instantiate()) + { + // more instances created in binderExprMonomorphizer + moreWorkNeeded = true; + } + } + + if (newInstantiatedDeclarations.Count > 0) + { + // more function/type instantiations were created + AddInstantiatedDeclarations(); + moreWorkNeeded = true; + } + + if (oldBinderExprMonomorphizers.Count < binderExprMonomorphizers.Count) + { + // the instantiation in some binderExprMonomorphizer resulted in the discovery of a binder expression + moreWorkNeeded = true; + } + } + } + + public Dictionary GetBinderExprMonomorphizers() + { + return binderExprMonomorphizers.ToDictionary(x => x.BinderExpr, x => x); + } + + public IEnumerable> NamedDeclarationInstantiations(NamedDeclaration decl) + { + if (decl is Function function) + { + return functionInstantiations[function].Keys; + } + if (decl is TypeCtorDecl typeCtorDecl) + { + return typeInstantiations[typeCtorDecl].Keys; + } + throw new cce.UnreachableException(); + } + + public PolymorphicMapInfo RegisterPolymorphicMapType(Type type) + { + var mapType = (MapType)LookupType(type); + if (!polymorphicMapInfos.ContainsKey(mapType)) + { + polymorphicMapInfos[mapType] = new PolymorphicMapInfo(this, mapType); } + return polymorphicMapInfos[mapType]; + } + + public void AddBinderExprMonomorphizer(BinderExprMonomorphizer binderExprMonomorphizer) + { + binderExprMonomorphizers.Add(binderExprMonomorphizer); } public void InlineCallCmd(CallCmd callCmd, List actualTypeParams) @@ -769,20 +1445,30 @@ private bool IsInlined(Implementation impl) private Axiom InstantiateAxiom(Axiom axiom, List actualTypeParams) { - var forallExpr = (ForallExpr)InstantiateBinderExpr((BinderExpr)axiom.Expr, actualTypeParams); - var instantiatedAxiom = new Axiom(axiom.tok, forallExpr.Dummies.Count == 0 ? forallExpr.Body : forallExpr, - axiom.Comment, axiom.Attributes); + var axiomExpr = InstantiateBinderExpr((BinderExpr)axiom.Expr, actualTypeParams); + var instantiatedAxiom = new Axiom(axiom.tok, axiomExpr, axiom.Comment, axiom.Attributes); newInstantiatedDeclarations.Add(instantiatedAxiom); return instantiatedAxiom; - } + } - public BinderExpr InstantiateBinderExpr(BinderExpr binderExpr, List actualTypeParams) + public Expr InstantiateBinderExpr(BinderExpr binderExpr, List actualTypeParams) { - binderExpr = (BinderExpr)InstantiateAbsy(binderExpr, LinqExtender.Map(binderExpr.TypeParameters, actualTypeParams), - new Dictionary()); + var binderExprTypeParameters = binderExpr.TypeParameters; binderExpr.TypeParameters = new List(); - return binderExpr; - } + var newBinderExpr = (BinderExpr)InstantiateAbsy(binderExpr, LinqExtender.Map(binderExprTypeParameters, actualTypeParams), + new Dictionary()); + binderExpr.TypeParameters = binderExprTypeParameters; + if (newBinderExpr is QuantifierExpr quantifierExpr && quantifierExpr.Dummies.Count == 0) + { + return quantifierExpr.Body; + } + if (binderExpr is LambdaExpr) + { + var polymorphicMapInfo = RegisterPolymorphicMapType(newBinderExpr.Type); + newBinderExpr.Type = polymorphicMapInfo.GetFieldType(actualTypeParams); + } + return newBinderExpr; + } public Function InstantiateFunction(Function func, List actualTypeParams) { @@ -809,13 +1495,13 @@ public Function InstantiateFunction(Function func, List actualTypeParams) else if (func.DefinitionAxiom != null) { instantiatedFunction.DefinitionAxiom = - this.InstantiateAxiom(func.DefinitionAxiom, actualTypeParams); + InstantiateAxiom(func.DefinitionAxiom, actualTypeParams); } } return functionInstantiations[func][actualTypeParams]; } - private void AddInstantiatedDeclarations(Program program) + private void AddInstantiatedDeclarations() { program.AddTopLevelDeclarations(newInstantiatedDeclarations); newInstantiatedDeclarations = new HashSet(); @@ -825,7 +1511,7 @@ private Absy InstantiateAbsy(Absy absy, Dictionary typeParam Dictionary variableMapping) { var monomorphizationDuplicator = - new MonomorphizationDuplicator(this, absy, typeParamInstantiation, variableMapping); + new MonomorphizationDuplicator(this, typeParamInstantiation, variableMapping); return monomorphizationDuplicator.Visit(absy); } @@ -976,17 +1662,15 @@ public static string MkInstanceName(string name, List actualTypeParams) public Type LookupType(Type type) { - type = TypeProxy.FollowProxy(type); - if (type is CtorType ctorType && MonomorphismChecker.DoesTypeCtorDeclNeedMonomorphization(ctorType.Decl)) + type = TypeProxy.FollowProxy(type.Expanded); + if (type is CtorType ctorType && ctorType.FreeVariables.Count == 0 && + MonomorphismChecker.DoesTypeCtorDeclNeedMonomorphization(ctorType.Decl)) { var instantiatedTypeArguments = ctorType.Arguments.Select(x => LookupType(x)).ToList(); return new CtorType(Token.NoToken, typeInstantiations[ctorType.Decl][instantiatedTypeArguments], new List()); } - else - { - return type; - } + return type; } public IsConstructor InstantiateIsConstructor(IsConstructor isConstructor, List actualTypeParams) @@ -1020,8 +1704,7 @@ public TypeCtorDecl InstantiateTypeCtorDecl(string typeName, List actualTy return null; } var instantiatedFunction = InstantiateTypeCtorDecl(typeCtorDecl, actualTypeParams); - InstantiateAxioms(); - AddInstantiatedDeclarations(program); + AddInstantiatedDeclarations(); return instantiatedFunction; } @@ -1033,25 +1716,10 @@ public Function InstantiateFunction(string functionName, Dictionary typeParamInstantiationMap[tp.Name]).ToList(); var instantiatedFunction = InstantiateFunction(function, actualTypeParams); - InstantiateAxioms(); - AddInstantiatedDeclarations(program); + AddInstantiatedDeclarations(); return instantiatedFunction; } - private void InstantiateAxioms() - { - while (newTriggerTypes.Any(x => x.Value.Count != 0)) - { - var nextTriggerTypes = this.newTriggerTypes; - newTriggerTypes = new Dictionary>(); - nextTriggerTypes.Iter(x => { newTriggerTypes.Add(x.Key, new HashSet()); }); - foreach ((var axiom, var tcDecl) in axiomsToBeInstantiated) - { - nextTriggerTypes[tcDecl].Iter(trigger => InstantiateAxiom(axiom, trigger.Arguments)); - } - } - } - public bool GetFunction(string functionName, out Function function) { return nameToFunction.TryGetValue(functionName, out function); @@ -1078,10 +1746,8 @@ public override Cmd VisitCallCmd(CallCmd node) { return base.VisitCallCmd(node); } - else - { - return new MonomorphizationDuplicator(this).VisitCallCmd(node); - } + + return new MonomorphizationDuplicator(this).VisitCallCmd(node); } public override CtorType VisitCtorType(CtorType node) @@ -1121,8 +1787,13 @@ public override AssignLhs VisitFieldAssignLhs(FieldAssignLhs node) return new MonomorphizationDuplicator(this).VisitFieldAssignLhs(node); } + public override AssignLhs VisitMapAssignLhs(MapAssignLhs node) + { + return new MonomorphizationDuplicator(this).VisitMapAssignLhs(node); + } + // this function may be called directly by monomorphizationDuplicator - // if a non-generic call to a datatype constructor/selector/membership + // if a non-polymorphic call to a datatype constructor/selector/membership // is discovered in an expression public override Declaration VisitTypeCtorDecl(TypeCtorDecl node) { @@ -1139,7 +1810,7 @@ public override Declaration VisitTypeCtorDecl(TypeCtorDecl node) } // this function may be called directly by monomorphizationDuplicator - // if a non-generic function call is discovered in an expression + // if a non-polymorphic function call is discovered in an expression public override Function VisitFunction(Function node) { if (visitedFunctions.Contains(node)) @@ -1152,22 +1823,30 @@ public override Function VisitFunction(Function node) public override Constant VisitConstant(Constant node) { - node = base.VisitConstant(node); + node = (Constant)base.VisitVariable(node); node.TypedIdent = new TypedIdent(node.TypedIdent.tok, node.TypedIdent.Name, - new MonomorphizationDuplicator(this).VisitType(node.TypedIdent.Type)); + new MonomorphizationDuplicator(this).VisitType(node.TypedIdent.Type), node.TypedIdent.WhereExpr); return node; } } public class Monomorphizer { + /* + * This class exposes monomorphization to the rest of Boogie. After type checking a Boogie program, + * the static factory method Monomorphize is invoked with a Program object as a parameter. This factory + * method does the following: + * (1) returns if the input program is not monomorphizable, + * (2) otherwise, creates a Monomorphizer object and monomorphizes the program, + * (3) stashes the created Monomorphizer object inside the provided Program object. + */ + public static MonomorphizableStatus Monomorphize(CoreOptions options, Program program) { - var monomorphizableStatus = MonomorphizableChecker.IsMonomorphizable(program, out var axiomsToBeInstantiated, - out var polymorphicFunctionAxioms); + var monomorphizableStatus = MonomorphizableChecker.IsMonomorphizable(program, out var polymorphicFunctionAxioms); if (monomorphizableStatus == MonomorphizableStatus.Monomorphizable) { - var monomorphizationVisitor = MonomorphizationVisitor.Initialize(options, program, axiomsToBeInstantiated, polymorphicFunctionAxioms); + var monomorphizationVisitor = MonomorphizationVisitor.Initialize(options, program, polymorphicFunctionAxioms); program.monomorphizer = new Monomorphizer(monomorphizationVisitor); } return monomorphizableStatus; diff --git a/Source/Core/StandardVisitor.cs b/Source/Core/StandardVisitor.cs index 826968738..92bbdbafe 100644 --- a/Source/Core/StandardVisitor.cs +++ b/Source/Core/StandardVisitor.cs @@ -530,6 +530,7 @@ public virtual Implementation VisitImplementation(Implementation node) node.Blocks = this.VisitBlockList(node.Blocks); node.Proc = this.VisitProcedure(cce.NonNull(node.Proc)); node = (Implementation) this.VisitDeclWithFormals(node); // do this first or last? + VisitAttributes(node); return node; } diff --git a/Source/ExecutionEngine/CommandLineOptions.cs b/Source/ExecutionEngine/CommandLineOptions.cs index 50d451479..896c099cd 100644 --- a/Source/ExecutionEngine/CommandLineOptions.cs +++ b/Source/ExecutionEngine/CommandLineOptions.cs @@ -1799,7 +1799,7 @@ status in `/trace` and selecting procedures to verify with the original name of an identifier translated into Boogie from some other source language. - ---- On Axioms ------------------------------------------------------------- + ---- On axioms ------------------------------------------------------------- {:include_dep} @@ -1898,6 +1898,8 @@ after substituting variables with their incarnations at the command. bound variables with fresh skolem constants, whenever the quantifier is skolemized. + These attributes are not effective for quantifiers inside the scope of axioms. + ---- Civl ------------------------------------------------------------------ {:yields} @@ -2002,7 +2004,9 @@ inductive sequentialization. These are exempt from the overall pool of Multiple .bpl files supplied on the command line are concatenated into one Boogie program. - /lib : Include library definitions + /lib: : Include definitions in library . The file .bpl + must be an included resource in Core.dll. Currently, the + following libraries are supported---base, node. /proc:

: Only check procedures matched by pattern

. This option may be specified multiple times to match multiple patterns. The pattern

matches the whole procedure name and may diff --git a/Source/VCGeneration/Prune/AxiomVisitor.cs b/Source/VCGeneration/Prune/AxiomVisitor.cs index 6d2c4a337..b822e5050 100644 --- a/Source/VCGeneration/Prune/AxiomVisitor.cs +++ b/Source/VCGeneration/Prune/AxiomVisitor.cs @@ -1,5 +1,4 @@ using System; -using System.Collections.Generic; using System.Diagnostics.Contracts; using System.Linq; @@ -80,10 +79,10 @@ public override Expr VisitExpr(Expr node) { bvc.E1.pos = Expr.Position.Neither; } else if (node is BinderExpr bexp) { bexp.Body.pos = Expr.Position.Neither; - } else if (node is LetExpr l){ + } else if (node is LetExpr l) { l.Body.pos = Expr.Position.Neither; } else { - if(node is LiteralExpr || node is IdentifierExpr) { + if (node is LiteralExpr || node is IdentifierExpr) { } else { Console.WriteLine(node); @@ -93,7 +92,7 @@ public override Expr VisitExpr(Expr node) { return base.VisitExpr(node); } - public override Boogie.Type VisitType(Boogie.Type node) + public override Type VisitType(Type node) { types.Add(node); return base.VisitType(node); diff --git a/Source/VCGeneration/Prune/BlocksVisitor.cs b/Source/VCGeneration/Prune/BlocksVisitor.cs index ea5149ac4..bfdad38cb 100644 --- a/Source/VCGeneration/Prune/BlocksVisitor.cs +++ b/Source/VCGeneration/Prune/BlocksVisitor.cs @@ -21,7 +21,7 @@ public override Expr VisitExpr(Expr node) return base.VisitExpr(node); } - public override Boogie.Type VisitType(Boogie.Type node) + public override Type VisitType(Type node) { types.Add(node); return base.VisitType(node); diff --git a/Source/VCGeneration/Prune/DependencyEvaluator.cs b/Source/VCGeneration/Prune/DependencyEvaluator.cs index e1831e8fa..05cf6f125 100644 --- a/Source/VCGeneration/Prune/DependencyEvaluator.cs +++ b/Source/VCGeneration/Prune/DependencyEvaluator.cs @@ -1,5 +1,4 @@ using System.Collections.Generic; -using System.Linq; namespace Microsoft.Boogie { @@ -10,7 +9,7 @@ public class DependencyEvaluator : ReadOnlyVisitor // Most incoming dependents correspond to exactly one function or constant, but some of them are tuples. // For example, consider an axiom of the form: // axiom forall x, y :: {P(x, y), Q(y)} {R(x)} P(x, y) ==> R(x) - // The axiom may (only) be triggerd by a declaration/implementation that either mentions + // The axiom may (only) be triggered by a declaration/implementation that either mentions // both P and Q or mentions function R. // Thus, it has two incoming dependents: // 1) the tuple (P, Q) and 2) the function R. I store tuples in the variable incomingTuples. diff --git a/Source/VCGeneration/Prune/FunctionVisitor.cs b/Source/VCGeneration/Prune/FunctionVisitor.cs index 5ed808fe3..90912df19 100644 --- a/Source/VCGeneration/Prune/FunctionVisitor.cs +++ b/Source/VCGeneration/Prune/FunctionVisitor.cs @@ -28,7 +28,7 @@ public override Expr VisitExpr(Expr node) } return base.VisitExpr(node); } - public override Boogie.Type VisitType(Boogie.Type node) + public override Type VisitType(Boogie.Type node) { types.Add(node); return base.VisitType(node); diff --git a/Source/VCGeneration/Prune/Prune.cs b/Source/VCGeneration/Prune/Prune.cs index c9864cb0a..0943d87f7 100644 --- a/Source/VCGeneration/Prune/Prune.cs +++ b/Source/VCGeneration/Prune/Prune.cs @@ -1,4 +1,3 @@ -using System; using System.Linq; using System.Collections.Generic; using Microsoft.Boogie.GraphUtil; diff --git a/Test/monomorphize/Dafny_frame.bpl b/Test/monomorphize/Dafny_frame.bpl new file mode 100644 index 000000000..4274448e2 --- /dev/null +++ b/Test/monomorphize/Dafny_frame.bpl @@ -0,0 +1,29 @@ +// RUN: %parallel-boogie /monomorphize "%s" > "%t" +// RUN: %diff "%s.expect" "%t" + +type Field T; +type ref; +type HeapType = [ref][Field alpha]alpha; + +var $Heap: HeapType; +const unique alloc: Field bool; +const null: ref; + +function {:inline} read(H: HeapType, r: ref, f: Field alpha) : alpha +{ + H[r][f] +} + +procedure p($r: ref) +requires $r != null; +requires $Heap[$r][alloc]; +{ + var $Frame: [ref,Field beta]bool; + var i: int; + + $Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> false); + + assert $Frame[null, alloc]; + assert !$Frame[$r, alloc]; +} diff --git a/Test/monomorphize/Dafny_frame.bpl.expect b/Test/monomorphize/Dafny_frame.bpl.expect new file mode 100644 index 000000000..37fad75c9 --- /dev/null +++ b/Test/monomorphize/Dafny_frame.bpl.expect @@ -0,0 +1,2 @@ + +Boogie program verifier finished with 1 verified, 0 errors diff --git a/Test/monomorphize/dafny/Composite.dfy.bpl b/Test/monomorphize/dafny/Composite.dfy.bpl new file mode 100644 index 000000000..35d229e7a --- /dev/null +++ b/Test/monomorphize/dafny/Composite.dfy.bpl @@ -0,0 +1,6626 @@ +// Dafny 3.7.3.40719 +// Command Line Options: /compile:0 /print:Composite.dfy.bpl +// RUN: %parallel-boogie /monomorphize /noVerify "%s" > "%t" + +type Ty; + +type TyTag; + +type TyTagFamily; + +type char; + +type ref; + +type Box; + +type ClassName; + +type HandleType; + +type DatatypeType; + +type DtCtorId; + +type LayerType; + +type Field _; + +type NameFamily; + +type TickType; + +type Seq _; + +type Map _ _; + +type IMap _ _; + +const $$Language$Dafny: bool; + +axiom $$Language$Dafny; + +type Bv0 = int; + +const unique TBool: Ty; + +axiom Tag(TBool) == TagBool; + +const unique TChar: Ty; + +axiom Tag(TChar) == TagChar; + +const unique TInt: Ty; + +axiom Tag(TInt) == TagInt; + +const unique TReal: Ty; + +axiom Tag(TReal) == TagReal; + +const unique TORDINAL: Ty; + +axiom Tag(TORDINAL) == TagORDINAL; + +axiom (forall w: int :: { TBitvector(w) } Inv0_TBitvector(TBitvector(w)) == w); + +function TBitvector(int) : Ty; + +axiom (forall t: Ty :: { TSet(t) } Inv0_TSet(TSet(t)) == t); + +axiom (forall t: Ty :: { TSet(t) } Tag(TSet(t)) == TagSet); + +function TSet(Ty) : Ty; + +axiom (forall t: Ty :: { TISet(t) } Inv0_TISet(TISet(t)) == t); + +axiom (forall t: Ty :: { TISet(t) } Tag(TISet(t)) == TagISet); + +function TISet(Ty) : Ty; + +axiom (forall t: Ty :: { TMultiSet(t) } Inv0_TMultiSet(TMultiSet(t)) == t); + +axiom (forall t: Ty :: { TMultiSet(t) } Tag(TMultiSet(t)) == TagMultiSet); + +function TMultiSet(Ty) : Ty; + +axiom (forall t: Ty :: { TSeq(t) } Inv0_TSeq(TSeq(t)) == t); + +axiom (forall t: Ty :: { TSeq(t) } Tag(TSeq(t)) == TagSeq); + +function TSeq(Ty) : Ty; + +axiom (forall t: Ty, u: Ty :: { TMap(t, u) } Inv0_TMap(TMap(t, u)) == t); + +axiom (forall t: Ty, u: Ty :: { TMap(t, u) } Inv1_TMap(TMap(t, u)) == u); + +axiom (forall t: Ty, u: Ty :: { TMap(t, u) } Tag(TMap(t, u)) == TagMap); + +function TMap(Ty, Ty) : Ty; + +axiom (forall t: Ty, u: Ty :: { TIMap(t, u) } Inv0_TIMap(TIMap(t, u)) == t); + +axiom (forall t: Ty, u: Ty :: { TIMap(t, u) } Inv1_TIMap(TIMap(t, u)) == u); + +axiom (forall t: Ty, u: Ty :: { TIMap(t, u) } Tag(TIMap(t, u)) == TagIMap); + +function TIMap(Ty, Ty) : Ty; + +function Inv0_TBitvector(Ty) : int; + +function Inv0_TSet(Ty) : Ty; + +function Inv0_TISet(Ty) : Ty; + +function Inv0_TSeq(Ty) : Ty; + +function Inv0_TMultiSet(Ty) : Ty; + +function Inv0_TMap(Ty) : Ty; + +function Inv1_TMap(Ty) : Ty; + +function Inv0_TIMap(Ty) : Ty; + +function Inv1_TIMap(Ty) : Ty; + +function Tag(Ty) : TyTag; + +const unique TagBool: TyTag; + +const unique TagChar: TyTag; + +const unique TagInt: TyTag; + +const unique TagReal: TyTag; + +const unique TagORDINAL: TyTag; + +const unique TagSet: TyTag; + +const unique TagISet: TyTag; + +const unique TagMultiSet: TyTag; + +const unique TagSeq: TyTag; + +const unique TagMap: TyTag; + +const unique TagIMap: TyTag; + +const unique TagClass: TyTag; + +function TagFamily(Ty) : TyTagFamily; + +axiom (forall x: T :: { $Box(Lit(x)) } $Box(Lit(x)) == Lit($Box(x))); + +function {:identity} Lit(x: T) : T; + +axiom (forall x: T :: {:identity} { Lit(x): T } Lit(x): T == x); + +axiom (forall x: int :: { $Box(LitInt(x)) } $Box(LitInt(x)) == Lit($Box(x))); + +function {:identity} LitInt(x: int) : int; + +axiom (forall x: int :: {:identity} { LitInt(x): int } LitInt(x): int == x); + +axiom (forall x: real :: { $Box(LitReal(x)) } $Box(LitReal(x)) == Lit($Box(x))); + +function {:identity} LitReal(x: real) : real; + +axiom (forall x: real :: {:identity} { LitReal(x): real } LitReal(x): real == x); + +axiom (forall n: int :: + { char#FromInt(n) } + 0 <= n && n < 65536 ==> char#ToInt(char#FromInt(n)) == n); + +function char#FromInt(int) : char; + +axiom (forall ch: char :: + { char#ToInt(ch) } + char#FromInt(char#ToInt(ch)) == ch + && 0 <= char#ToInt(ch) + && char#ToInt(ch) < 65536); + +function char#ToInt(char) : int; + +axiom (forall a: char, b: char :: + { char#Plus(a, b) } + char#Plus(a, b) == char#FromInt(char#ToInt(a) + char#ToInt(b))); + +function char#Plus(char, char) : char; + +axiom (forall a: char, b: char :: + { char#Minus(a, b) } + char#Minus(a, b) == char#FromInt(char#ToInt(a) - char#ToInt(b))); + +function char#Minus(char, char) : char; + +const null: ref; + +const $ArbitraryBoxValue: Box; + +axiom (forall x: T :: { $Box(x) } $Unbox($Box(x)) == x); + +function $Box(T) : Box; + +function $Unbox(Box) : T; + +function $IsBox(T, Ty) : bool; + +function $IsAllocBox(T, Ty, Heap) : bool; + +axiom (forall bx: Box :: + { $IsBox(bx, TInt) } + $IsBox(bx, TInt) ==> $Box($Unbox(bx): int) == bx && $Is($Unbox(bx): int, TInt)); + +axiom (forall bx: Box :: + { $IsBox(bx, TReal) } + $IsBox(bx, TReal) + ==> $Box($Unbox(bx): real) == bx && $Is($Unbox(bx): real, TReal)); + +axiom (forall bx: Box :: + { $IsBox(bx, TBool) } + $IsBox(bx, TBool) + ==> $Box($Unbox(bx): bool) == bx && $Is($Unbox(bx): bool, TBool)); + +axiom (forall bx: Box :: + { $IsBox(bx, TChar) } + $IsBox(bx, TChar) + ==> $Box($Unbox(bx): char) == bx && $Is($Unbox(bx): char, TChar)); + +axiom (forall bx: Box :: + { $IsBox(bx, TBitvector(0)) } + $IsBox(bx, TBitvector(0)) + ==> $Box($Unbox(bx): Bv0) == bx && $Is($Unbox(bx): Set Box, TBitvector(0))); + +axiom (forall bx: Box, t: Ty :: + { $IsBox(bx, TSet(t)) } + $IsBox(bx, TSet(t)) + ==> $Box($Unbox(bx): Set Box) == bx && $Is($Unbox(bx): Set Box, TSet(t))); + +axiom (forall bx: Box, t: Ty :: + { $IsBox(bx, TISet(t)) } + $IsBox(bx, TISet(t)) + ==> $Box($Unbox(bx): ISet Box) == bx && $Is($Unbox(bx): ISet Box, TISet(t))); + +axiom (forall bx: Box, t: Ty :: + { $IsBox(bx, TMultiSet(t)) } + $IsBox(bx, TMultiSet(t)) + ==> $Box($Unbox(bx): MultiSet Box) == bx + && $Is($Unbox(bx): MultiSet Box, TMultiSet(t))); + +axiom (forall bx: Box, t: Ty :: + { $IsBox(bx, TSeq(t)) } + $IsBox(bx, TSeq(t)) + ==> $Box($Unbox(bx): Seq Box) == bx && $Is($Unbox(bx): Seq Box, TSeq(t))); + +axiom (forall bx: Box, s: Ty, t: Ty :: + { $IsBox(bx, TMap(s, t)) } + $IsBox(bx, TMap(s, t)) + ==> $Box($Unbox(bx): Map Box Box) == bx && $Is($Unbox(bx): Map Box Box, TMap(s, t))); + +axiom (forall bx: Box, s: Ty, t: Ty :: + { $IsBox(bx, TIMap(s, t)) } + $IsBox(bx, TIMap(s, t)) + ==> $Box($Unbox(bx): IMap Box Box) == bx + && $Is($Unbox(bx): IMap Box Box, TIMap(s, t))); + +axiom (forall v: T, t: Ty :: + { $IsBox($Box(v), t) } + $IsBox($Box(v), t) <==> $Is(v, t)); + +axiom (forall v: T, t: Ty, h: Heap :: + { $IsAllocBox($Box(v), t, h) } + $IsAllocBox($Box(v), t, h) <==> $IsAlloc(v, t, h)); + +axiom (forall v: int :: { $Is(v, TInt) } $Is(v, TInt)); + +axiom (forall v: real :: { $Is(v, TReal) } $Is(v, TReal)); + +axiom (forall v: bool :: { $Is(v, TBool) } $Is(v, TBool)); + +axiom (forall v: char :: { $Is(v, TChar) } $Is(v, TChar)); + +axiom (forall v: ORDINAL :: { $Is(v, TORDINAL) } $Is(v, TORDINAL)); + +axiom (forall v: Bv0 :: { $Is(v, TBitvector(0)) } $Is(v, TBitvector(0))); + +axiom (forall v: Set Box, t0: Ty :: + { $Is(v, TSet(t0)) } + $Is(v, TSet(t0)) <==> (forall bx: Box :: { v[bx] } v[bx] ==> $IsBox(bx, t0))); + +axiom (forall v: ISet Box, t0: Ty :: + { $Is(v, TISet(t0)) } + $Is(v, TISet(t0)) <==> (forall bx: Box :: { v[bx] } v[bx] ==> $IsBox(bx, t0))); + +axiom (forall v: MultiSet Box, t0: Ty :: + { $Is(v, TMultiSet(t0)) } + $Is(v, TMultiSet(t0)) + <==> (forall bx: Box :: { v[bx] } 0 < v[bx] ==> $IsBox(bx, t0))); + +axiom (forall v: MultiSet Box, t0: Ty :: + { $Is(v, TMultiSet(t0)) } + $Is(v, TMultiSet(t0)) ==> $IsGoodMultiSet(v)); + +axiom (forall v: Seq Box, t0: Ty :: + { $Is(v, TSeq(t0)) } + $Is(v, TSeq(t0)) + <==> (forall i: int :: + { Seq#Index(v, i) } + 0 <= i && i < Seq#Length(v) ==> $IsBox(Seq#Index(v, i), t0))); + +axiom (forall v: Map Box Box, t0: Ty, t1: Ty :: + { $Is(v, TMap(t0, t1)) } + $Is(v, TMap(t0, t1)) + <==> (forall bx: Box :: + { Map#Elements(v)[bx] } { Map#Domain(v)[bx] } + Map#Domain(v)[bx] ==> $IsBox(Map#Elements(v)[bx], t1) && $IsBox(bx, t0))); + +axiom (forall v: Map Box Box, t0: Ty, t1: Ty :: + { $Is(v, TMap(t0, t1)) } + $Is(v, TMap(t0, t1)) + ==> $Is(Map#Domain(v), TSet(t0)) + && $Is(Map#Values(v), TSet(t1)) + && $Is(Map#Items(v), TSet(Tclass._System.Tuple2(t0, t1)))); + +axiom (forall v: IMap Box Box, t0: Ty, t1: Ty :: + { $Is(v, TIMap(t0, t1)) } + $Is(v, TIMap(t0, t1)) + <==> (forall bx: Box :: + { IMap#Elements(v)[bx] } { IMap#Domain(v)[bx] } + IMap#Domain(v)[bx] ==> $IsBox(IMap#Elements(v)[bx], t1) && $IsBox(bx, t0))); + +axiom (forall v: IMap Box Box, t0: Ty, t1: Ty :: + { $Is(v, TIMap(t0, t1)) } + $Is(v, TIMap(t0, t1)) + ==> $Is(IMap#Domain(v), TISet(t0)) + && $Is(IMap#Values(v), TISet(t1)) + && $Is(IMap#Items(v), TISet(Tclass._System.Tuple2(t0, t1)))); + +function $Is(T, Ty) : bool; + +axiom (forall h: Heap, v: int :: { $IsAlloc(v, TInt, h) } $IsAlloc(v, TInt, h)); + +axiom (forall h: Heap, v: real :: { $IsAlloc(v, TReal, h) } $IsAlloc(v, TReal, h)); + +axiom (forall h: Heap, v: bool :: { $IsAlloc(v, TBool, h) } $IsAlloc(v, TBool, h)); + +axiom (forall h: Heap, v: char :: { $IsAlloc(v, TChar, h) } $IsAlloc(v, TChar, h)); + +axiom (forall h: Heap, v: ORDINAL :: + { $IsAlloc(v, TORDINAL, h) } + $IsAlloc(v, TORDINAL, h)); + +axiom (forall v: Bv0, h: Heap :: + { $IsAlloc(v, TBitvector(0), h) } + $IsAlloc(v, TBitvector(0), h)); + +axiom (forall v: Set Box, t0: Ty, h: Heap :: + { $IsAlloc(v, TSet(t0), h) } + $IsAlloc(v, TSet(t0), h) + <==> (forall bx: Box :: { v[bx] } v[bx] ==> $IsAllocBox(bx, t0, h))); + +axiom (forall v: ISet Box, t0: Ty, h: Heap :: + { $IsAlloc(v, TISet(t0), h) } + $IsAlloc(v, TISet(t0), h) + <==> (forall bx: Box :: { v[bx] } v[bx] ==> $IsAllocBox(bx, t0, h))); + +axiom (forall v: MultiSet Box, t0: Ty, h: Heap :: + { $IsAlloc(v, TMultiSet(t0), h) } + $IsAlloc(v, TMultiSet(t0), h) + <==> (forall bx: Box :: { v[bx] } 0 < v[bx] ==> $IsAllocBox(bx, t0, h))); + +axiom (forall v: Seq Box, t0: Ty, h: Heap :: + { $IsAlloc(v, TSeq(t0), h) } + $IsAlloc(v, TSeq(t0), h) + <==> (forall i: int :: + { Seq#Index(v, i) } + 0 <= i && i < Seq#Length(v) ==> $IsAllocBox(Seq#Index(v, i), t0, h))); + +axiom (forall v: Map Box Box, t0: Ty, t1: Ty, h: Heap :: + { $IsAlloc(v, TMap(t0, t1), h) } + $IsAlloc(v, TMap(t0, t1), h) + <==> (forall bx: Box :: + { Map#Elements(v)[bx] } { Map#Domain(v)[bx] } + Map#Domain(v)[bx] + ==> $IsAllocBox(Map#Elements(v)[bx], t1, h) && $IsAllocBox(bx, t0, h))); + +axiom (forall v: IMap Box Box, t0: Ty, t1: Ty, h: Heap :: + { $IsAlloc(v, TIMap(t0, t1), h) } + $IsAlloc(v, TIMap(t0, t1), h) + <==> (forall bx: Box :: + { IMap#Elements(v)[bx] } { IMap#Domain(v)[bx] } + IMap#Domain(v)[bx] + ==> $IsAllocBox(IMap#Elements(v)[bx], t1, h) && $IsAllocBox(bx, t0, h))); + +function $IsAlloc(T, Ty, Heap) : bool; + +axiom (forall ty: Ty :: + { $AlwaysAllocated(ty) } + $AlwaysAllocated(ty) + ==> (forall h: Heap, v: Box :: + { $IsAllocBox(v, ty, h) } + $IsBox(v, ty) ==> $IsAllocBox(v, ty, h))); + +function $AlwaysAllocated(Ty) : bool; + +function $OlderTag(Heap) : bool; + +const unique class._System.int: ClassName; + +const unique class._System.bool: ClassName; + +const unique class._System.set: ClassName; + +const unique class._System.seq: ClassName; + +const unique class._System.multiset: ClassName; + +function Tclass._System.object?() : Ty; + +function Tclass._System.Tuple2(Ty, Ty) : Ty; + +function dtype(ref) : Ty; + +function TypeTuple(a: ClassName, b: ClassName) : ClassName; + +function TypeTupleCar(ClassName) : ClassName; + +function TypeTupleCdr(ClassName) : ClassName; + +axiom (forall a: ClassName, b: ClassName :: + { TypeTuple(a, b) } + TypeTupleCar(TypeTuple(a, b)) == a && TypeTupleCdr(TypeTuple(a, b)) == b); + +function SetRef_to_SetBox(s: [ref]bool) : Set Box; + +axiom (forall s: [ref]bool, bx: Box :: + { SetRef_to_SetBox(s)[bx] } + SetRef_to_SetBox(s)[bx] == s[$Unbox(bx): ref]); + +axiom (forall s: [ref]bool :: + { SetRef_to_SetBox(s) } + $Is(SetRef_to_SetBox(s), TSet(Tclass._System.object?()))); + +function Apply1(Ty, Ty, Heap, HandleType, Box) : Box; + +function DatatypeCtorId(DatatypeType) : DtCtorId; + +function DtRank(DatatypeType) : int; + +function BoxRank(Box) : int; + +axiom (forall d: DatatypeType :: { BoxRank($Box(d)) } BoxRank($Box(d)) == DtRank(d)); + +type ORDINAL = Box; + +function ORD#IsNat(ORDINAL) : bool; + +function ORD#Offset(ORDINAL) : int; + +axiom (forall o: ORDINAL :: { ORD#Offset(o) } 0 <= ORD#Offset(o)); + +function {:inline} ORD#IsLimit(o: ORDINAL) : bool +{ + ORD#Offset(o) == 0 +} + +function {:inline} ORD#IsSucc(o: ORDINAL) : bool +{ + 0 < ORD#Offset(o) +} + +function ORD#FromNat(int) : ORDINAL; + +axiom (forall n: int :: + { ORD#FromNat(n) } + 0 <= n ==> ORD#IsNat(ORD#FromNat(n)) && ORD#Offset(ORD#FromNat(n)) == n); + +axiom (forall o: ORDINAL :: + { ORD#Offset(o) } { ORD#IsNat(o) } + ORD#IsNat(o) ==> o == ORD#FromNat(ORD#Offset(o))); + +function ORD#Less(ORDINAL, ORDINAL) : bool; + +axiom (forall o: ORDINAL, p: ORDINAL :: + { ORD#Less(o, p) } + (ORD#Less(o, p) ==> o != p) + && (ORD#IsNat(o) && !ORD#IsNat(p) ==> ORD#Less(o, p)) + && (ORD#IsNat(o) && ORD#IsNat(p) + ==> ORD#Less(o, p) == (ORD#Offset(o) < ORD#Offset(p))) + && (ORD#Less(o, p) && ORD#IsNat(p) ==> ORD#IsNat(o))); + +axiom (forall o: ORDINAL, p: ORDINAL :: + { ORD#Less(o, p), ORD#Less(p, o) } + ORD#Less(o, p) || o == p || ORD#Less(p, o)); + +axiom (forall o: ORDINAL, p: ORDINAL, r: ORDINAL :: + { ORD#Less(o, p), ORD#Less(p, r) } { ORD#Less(o, p), ORD#Less(o, r) } + ORD#Less(o, p) && ORD#Less(p, r) ==> ORD#Less(o, r)); + +function ORD#LessThanLimit(ORDINAL, ORDINAL) : bool; + +axiom (forall o: ORDINAL, p: ORDINAL :: + { ORD#LessThanLimit(o, p) } + ORD#LessThanLimit(o, p) == ORD#Less(o, p)); + +function ORD#Plus(ORDINAL, ORDINAL) : ORDINAL; + +axiom (forall o: ORDINAL, p: ORDINAL :: + { ORD#Plus(o, p) } + (ORD#IsNat(ORD#Plus(o, p)) ==> ORD#IsNat(o) && ORD#IsNat(p)) + && (ORD#IsNat(p) + ==> ORD#IsNat(ORD#Plus(o, p)) == ORD#IsNat(o) + && ORD#Offset(ORD#Plus(o, p)) == ORD#Offset(o) + ORD#Offset(p))); + +axiom (forall o: ORDINAL, p: ORDINAL :: + { ORD#Plus(o, p) } + (o == ORD#Plus(o, p) || ORD#Less(o, ORD#Plus(o, p))) + && (p == ORD#Plus(o, p) || ORD#Less(p, ORD#Plus(o, p)))); + +axiom (forall o: ORDINAL, p: ORDINAL :: + { ORD#Plus(o, p) } + (o == ORD#FromNat(0) ==> ORD#Plus(o, p) == p) + && (p == ORD#FromNat(0) ==> ORD#Plus(o, p) == o)); + +function ORD#Minus(ORDINAL, ORDINAL) : ORDINAL; + +axiom (forall o: ORDINAL, p: ORDINAL :: + { ORD#Minus(o, p) } + ORD#IsNat(p) && ORD#Offset(p) <= ORD#Offset(o) + ==> ORD#IsNat(ORD#Minus(o, p)) == ORD#IsNat(o) + && ORD#Offset(ORD#Minus(o, p)) == ORD#Offset(o) - ORD#Offset(p)); + +axiom (forall o: ORDINAL, p: ORDINAL :: + { ORD#Minus(o, p) } + ORD#IsNat(p) && ORD#Offset(p) <= ORD#Offset(o) + ==> (p == ORD#FromNat(0) && ORD#Minus(o, p) == o) + || (p != ORD#FromNat(0) && ORD#Less(ORD#Minus(o, p), o))); + +axiom (forall o: ORDINAL, m: int, n: int :: + { ORD#Plus(ORD#Plus(o, ORD#FromNat(m)), ORD#FromNat(n)) } + 0 <= m && 0 <= n + ==> ORD#Plus(ORD#Plus(o, ORD#FromNat(m)), ORD#FromNat(n)) + == ORD#Plus(o, ORD#FromNat(m + n))); + +axiom (forall o: ORDINAL, m: int, n: int :: + { ORD#Minus(ORD#Minus(o, ORD#FromNat(m)), ORD#FromNat(n)) } + 0 <= m && 0 <= n && m + n <= ORD#Offset(o) + ==> ORD#Minus(ORD#Minus(o, ORD#FromNat(m)), ORD#FromNat(n)) + == ORD#Minus(o, ORD#FromNat(m + n))); + +axiom (forall o: ORDINAL, m: int, n: int :: + { ORD#Minus(ORD#Plus(o, ORD#FromNat(m)), ORD#FromNat(n)) } + 0 <= m && 0 <= n && n <= ORD#Offset(o) + m + ==> (0 <= m - n + ==> ORD#Minus(ORD#Plus(o, ORD#FromNat(m)), ORD#FromNat(n)) + == ORD#Plus(o, ORD#FromNat(m - n))) + && (m - n <= 0 + ==> ORD#Minus(ORD#Plus(o, ORD#FromNat(m)), ORD#FromNat(n)) + == ORD#Minus(o, ORD#FromNat(n - m)))); + +axiom (forall o: ORDINAL, m: int, n: int :: + { ORD#Plus(ORD#Minus(o, ORD#FromNat(m)), ORD#FromNat(n)) } + 0 <= m && 0 <= n && n <= ORD#Offset(o) + m + ==> (0 <= m - n + ==> ORD#Plus(ORD#Minus(o, ORD#FromNat(m)), ORD#FromNat(n)) + == ORD#Minus(o, ORD#FromNat(m - n))) + && (m - n <= 0 + ==> ORD#Plus(ORD#Minus(o, ORD#FromNat(m)), ORD#FromNat(n)) + == ORD#Plus(o, ORD#FromNat(n - m)))); + +const $ModuleContextHeight: int; + +const $FunctionContextHeight: int; + +const $LZ: LayerType; + +function $LS(LayerType) : LayerType; + +function AsFuelBottom(LayerType) : LayerType; + +function AtLayer([LayerType]A, LayerType) : A; + +axiom (forall f: [LayerType]A, ly: LayerType :: + { AtLayer(f, ly) } + AtLayer(f, ly) == f[ly]); + +axiom (forall f: [LayerType]A, ly: LayerType :: + { AtLayer(f, $LS(ly)) } + AtLayer(f, $LS(ly)) == AtLayer(f, ly)); + +axiom FDim(alloc) == 0; + +function FDim(Field T) : int; + +function IndexField(int) : Field Box; + +axiom (forall i: int :: { IndexField(i) } FDim(IndexField(i)) == 1); + +function IndexField_Inverse(Field T) : int; + +axiom (forall i: int :: { IndexField(i) } IndexField_Inverse(IndexField(i)) == i); + +function MultiIndexField(Field Box, int) : Field Box; + +axiom (forall f: Field Box, i: int :: + { MultiIndexField(f, i) } + FDim(MultiIndexField(f, i)) == FDim(f) + 1); + +function MultiIndexField_Inverse0(Field T) : Field T; + +function MultiIndexField_Inverse1(Field T) : int; + +axiom (forall f: Field Box, i: int :: + { MultiIndexField(f, i) } + MultiIndexField_Inverse0(MultiIndexField(f, i)) == f + && MultiIndexField_Inverse1(MultiIndexField(f, i)) == i); + +function DeclType(Field T) : ClassName; + +axiom DeclName(alloc) == allocName; + +function DeclName(Field T) : NameFamily; + +function FieldOfDecl(ClassName, NameFamily) : Field alpha; + +axiom (forall cl: ClassName, nm: NameFamily :: + { FieldOfDecl(cl, nm): Field T } + DeclType(FieldOfDecl(cl, nm): Field T) == cl + && DeclName(FieldOfDecl(cl, nm): Field T) == nm); + +axiom $IsGhostField(alloc); + +axiom (forall h: Heap, k: Heap :: + { $HeapSuccGhost(h, k) } + $HeapSuccGhost(h, k) + ==> $HeapSucc(h, k) + && (forall o: ref, f: Field alpha :: + { read(k, o, f) } + !$IsGhostField(f) ==> read(h, o, f) == read(k, o, f))); + +function $IsGhostField(Field T) : bool; + +axiom (forall h: Heap, k: Heap, v: T, t: Ty :: + { $HeapSucc(h, k), $IsAlloc(v, t, h) } + $HeapSucc(h, k) ==> $IsAlloc(v, t, h) ==> $IsAlloc(v, t, k)); + +axiom (forall h: Heap, k: Heap, bx: Box, t: Ty :: + { $HeapSucc(h, k), $IsAllocBox(bx, t, h) } + $HeapSucc(h, k) ==> $IsAllocBox(bx, t, h) ==> $IsAllocBox(bx, t, k)); + +const unique alloc: Field bool; + +const unique allocName: NameFamily; + +axiom (forall o: ref :: 0 <= _System.array.Length(o)); + +function _System.array.Length(a: ref) : int; + +function Int(x: real) : int; + +axiom (forall x: real :: { Int(x): int } Int(x): int == int(x)); + +function Real(x: int) : real; + +axiom (forall x: int :: { Real(x): real } Real(x): real == real(x)); + +axiom (forall i: int :: { Int(Real(i)) } Int(Real(i)) == i); + +function {:inline} _System.real.Floor(x: real) : int +{ + Int(x) +} + +type Heap = [ref][Field alpha]alpha; + +function {:inline} read(H: Heap, r: ref, f: Field alpha) : alpha +{ + H[r][f] +} + +function {:inline} update(H: Heap, r: ref, f: Field alpha, v: alpha) : Heap +{ + H[r := H[r][f := v]] +} + +function $IsGoodHeap(Heap) : bool; + +function $IsHeapAnchor(Heap) : bool; + +var $Heap: Heap where $IsGoodHeap($Heap) && $IsHeapAnchor($Heap); + +const $OneHeap: Heap; + +axiom $IsGoodHeap($OneHeap); + +function $HeapSucc(Heap, Heap) : bool; + +axiom (forall h: Heap, r: ref, f: Field alpha, x: alpha :: + { update(h, r, f, x) } + $IsGoodHeap(update(h, r, f, x)) ==> $HeapSucc(h, update(h, r, f, x))); + +axiom (forall a: Heap, b: Heap, c: Heap :: + { $HeapSucc(a, b), $HeapSucc(b, c) } + a != c ==> $HeapSucc(a, b) && $HeapSucc(b, c) ==> $HeapSucc(a, c)); + +axiom (forall h: Heap, k: Heap :: + { $HeapSucc(h, k) } + $HeapSucc(h, k) + ==> (forall o: ref :: { read(k, o, alloc) } read(h, o, alloc) ==> read(k, o, alloc))); + +function $HeapSuccGhost(Heap, Heap) : bool; + +var $Tick: TickType; + +procedure $YieldHavoc(this: ref, rds: Set Box, nw: Set Box); + modifies $Heap; + ensures (forall $o: ref, $f: Field alpha :: + { read($Heap, $o, $f) } + $o != null && read(old($Heap), $o, alloc) + ==> + $o == this || rds[$Box($o)] || nw[$Box($o)] + ==> read($Heap, $o, $f) == read(old($Heap), $o, $f)); + ensures $HeapSucc(old($Heap), $Heap); + + + +procedure $IterHavoc0(this: ref, rds: Set Box, modi: Set Box); + modifies $Heap; + ensures (forall $o: ref, $f: Field alpha :: + { read($Heap, $o, $f) } + $o != null && read(old($Heap), $o, alloc) + ==> + rds[$Box($o)] && !modi[$Box($o)] && $o != this + ==> read($Heap, $o, $f) == read(old($Heap), $o, $f)); + ensures $HeapSucc(old($Heap), $Heap); + + + +procedure $IterHavoc1(this: ref, modi: Set Box, nw: Set Box); + modifies $Heap; + ensures (forall $o: ref, $f: Field alpha :: + { read($Heap, $o, $f) } + $o != null && read(old($Heap), $o, alloc) + ==> read($Heap, $o, $f) == read(old($Heap), $o, $f) + || $o == this + || modi[$Box($o)] + || nw[$Box($o)]); + ensures $HeapSucc(old($Heap), $Heap); + + + +procedure $IterCollectNewObjects(prevHeap: Heap, newHeap: Heap, this: ref, NW: Field (Set Box)) + returns (s: Set Box); + ensures (forall bx: Box :: + { s[bx] } + s[bx] + <==> read(newHeap, this, NW)[bx] + || ( + $Unbox(bx) != null + && !read(prevHeap, $Unbox(bx): ref, alloc) + && read(newHeap, $Unbox(bx): ref, alloc))); + + + +type Set T = [T]bool; + +function Set#Card(Set T) : int; + +axiom (forall s: Set T :: { Set#Card(s) } 0 <= Set#Card(s)); + +function Set#Empty() : Set T; + +axiom (forall o: T :: { Set#Empty()[o] } !Set#Empty()[o]); + +axiom (forall s: Set T :: + { Set#Card(s) } + (Set#Card(s) == 0 <==> s == Set#Empty()) + && (Set#Card(s) != 0 ==> (exists x: T :: s[x]))); + +function Set#Singleton(T) : Set T; + +axiom (forall r: T :: { Set#Singleton(r) } Set#Singleton(r)[r]); + +axiom (forall r: T, o: T :: + { Set#Singleton(r)[o] } + Set#Singleton(r)[o] <==> r == o); + +axiom (forall r: T :: + { Set#Card(Set#Singleton(r)) } + Set#Card(Set#Singleton(r)) == 1); + +function Set#UnionOne(Set T, T) : Set T; + +axiom (forall a: Set T, x: T, o: T :: + { Set#UnionOne(a, x)[o] } + Set#UnionOne(a, x)[o] <==> o == x || a[o]); + +axiom (forall a: Set T, x: T :: { Set#UnionOne(a, x) } Set#UnionOne(a, x)[x]); + +axiom (forall a: Set T, x: T, y: T :: + { Set#UnionOne(a, x), a[y] } + a[y] ==> Set#UnionOne(a, x)[y]); + +axiom (forall a: Set T, x: T :: + { Set#Card(Set#UnionOne(a, x)) } + a[x] ==> Set#Card(Set#UnionOne(a, x)) == Set#Card(a)); + +axiom (forall a: Set T, x: T :: + { Set#Card(Set#UnionOne(a, x)) } + !a[x] ==> Set#Card(Set#UnionOne(a, x)) == Set#Card(a) + 1); + +function Set#Union(Set T, Set T) : Set T; + +axiom (forall a: Set T, b: Set T, o: T :: + { Set#Union(a, b)[o] } + Set#Union(a, b)[o] <==> a[o] || b[o]); + +axiom (forall a: Set T, b: Set T, y: T :: + { Set#Union(a, b), a[y] } + a[y] ==> Set#Union(a, b)[y]); + +axiom (forall a: Set T, b: Set T, y: T :: + { Set#Union(a, b), b[y] } + b[y] ==> Set#Union(a, b)[y]); + +axiom (forall a: Set T, b: Set T :: + { Set#Union(a, b) } + Set#Disjoint(a, b) + ==> Set#Difference(Set#Union(a, b), a) == b + && Set#Difference(Set#Union(a, b), b) == a); + +function Set#Intersection(Set T, Set T) : Set T; + +axiom (forall a: Set T, b: Set T, o: T :: + { Set#Intersection(a, b)[o] } + Set#Intersection(a, b)[o] <==> a[o] && b[o]); + +axiom (forall a: Set T, b: Set T :: + { Set#Union(Set#Union(a, b), b) } + Set#Union(Set#Union(a, b), b) == Set#Union(a, b)); + +axiom (forall a: Set T, b: Set T :: + { Set#Union(a, Set#Union(a, b)) } + Set#Union(a, Set#Union(a, b)) == Set#Union(a, b)); + +axiom (forall a: Set T, b: Set T :: + { Set#Intersection(Set#Intersection(a, b), b) } + Set#Intersection(Set#Intersection(a, b), b) == Set#Intersection(a, b)); + +axiom (forall a: Set T, b: Set T :: + { Set#Intersection(a, Set#Intersection(a, b)) } + Set#Intersection(a, Set#Intersection(a, b)) == Set#Intersection(a, b)); + +axiom (forall a: Set T, b: Set T :: + { Set#Card(Set#Union(a, b)) } { Set#Card(Set#Intersection(a, b)) } + Set#Card(Set#Union(a, b)) + Set#Card(Set#Intersection(a, b)) + == Set#Card(a) + Set#Card(b)); + +function Set#Difference(Set T, Set T) : Set T; + +axiom (forall a: Set T, b: Set T, o: T :: + { Set#Difference(a, b)[o] } + Set#Difference(a, b)[o] <==> a[o] && !b[o]); + +axiom (forall a: Set T, b: Set T, y: T :: + { Set#Difference(a, b), b[y] } + b[y] ==> !Set#Difference(a, b)[y]); + +axiom (forall a: Set T, b: Set T :: + { Set#Card(Set#Difference(a, b)) } + Set#Card(Set#Difference(a, b)) + + Set#Card(Set#Difference(b, a)) + + Set#Card(Set#Intersection(a, b)) + == Set#Card(Set#Union(a, b)) + && Set#Card(Set#Difference(a, b)) == Set#Card(a) - Set#Card(Set#Intersection(a, b))); + +function Set#Subset(Set T, Set T) : bool; + +axiom (forall a: Set T, b: Set T :: + { Set#Subset(a, b) } + Set#Subset(a, b) <==> (forall o: T :: { a[o] } { b[o] } a[o] ==> b[o])); + +function Set#Equal(Set T, Set T) : bool; + +axiom (forall a: Set T, b: Set T :: + { Set#Equal(a, b) } + Set#Equal(a, b) <==> (forall o: T :: { a[o] } { b[o] } a[o] <==> b[o])); + +axiom (forall a: Set T, b: Set T :: { Set#Equal(a, b) } Set#Equal(a, b) ==> a == b); + +function Set#Disjoint(Set T, Set T) : bool; + +axiom (forall a: Set T, b: Set T :: + { Set#Disjoint(a, b) } + Set#Disjoint(a, b) <==> (forall o: T :: { a[o] } { b[o] } !a[o] || !b[o])); + +type ISet T = [T]bool; + +function ISet#Empty() : Set T; + +axiom (forall o: T :: { ISet#Empty()[o] } !ISet#Empty()[o]); + +function ISet#UnionOne(ISet T, T) : ISet T; + +axiom (forall a: ISet T, x: T, o: T :: + { ISet#UnionOne(a, x)[o] } + ISet#UnionOne(a, x)[o] <==> o == x || a[o]); + +axiom (forall a: ISet T, x: T :: { ISet#UnionOne(a, x) } ISet#UnionOne(a, x)[x]); + +axiom (forall a: ISet T, x: T, y: T :: + { ISet#UnionOne(a, x), a[y] } + a[y] ==> ISet#UnionOne(a, x)[y]); + +function ISet#Union(ISet T, ISet T) : ISet T; + +axiom (forall a: ISet T, b: ISet T, o: T :: + { ISet#Union(a, b)[o] } + ISet#Union(a, b)[o] <==> a[o] || b[o]); + +axiom (forall a: ISet T, b: ISet T, y: T :: + { ISet#Union(a, b), a[y] } + a[y] ==> ISet#Union(a, b)[y]); + +axiom (forall a: Set T, b: Set T, y: T :: + { ISet#Union(a, b), b[y] } + b[y] ==> ISet#Union(a, b)[y]); + +axiom (forall a: ISet T, b: ISet T :: + { ISet#Union(a, b) } + ISet#Disjoint(a, b) + ==> ISet#Difference(ISet#Union(a, b), a) == b + && ISet#Difference(ISet#Union(a, b), b) == a); + +function ISet#Intersection(ISet T, ISet T) : ISet T; + +axiom (forall a: ISet T, b: ISet T, o: T :: + { ISet#Intersection(a, b)[o] } + ISet#Intersection(a, b)[o] <==> a[o] && b[o]); + +axiom (forall a: ISet T, b: ISet T :: + { ISet#Union(ISet#Union(a, b), b) } + ISet#Union(ISet#Union(a, b), b) == ISet#Union(a, b)); + +axiom (forall a: Set T, b: Set T :: + { ISet#Union(a, ISet#Union(a, b)) } + ISet#Union(a, ISet#Union(a, b)) == ISet#Union(a, b)); + +axiom (forall a: ISet T, b: ISet T :: + { ISet#Intersection(ISet#Intersection(a, b), b) } + ISet#Intersection(ISet#Intersection(a, b), b) == ISet#Intersection(a, b)); + +axiom (forall a: ISet T, b: ISet T :: + { ISet#Intersection(a, ISet#Intersection(a, b)) } + ISet#Intersection(a, ISet#Intersection(a, b)) == ISet#Intersection(a, b)); + +function ISet#Difference(ISet T, ISet T) : ISet T; + +axiom (forall a: ISet T, b: ISet T, o: T :: + { ISet#Difference(a, b)[o] } + ISet#Difference(a, b)[o] <==> a[o] && !b[o]); + +axiom (forall a: ISet T, b: ISet T, y: T :: + { ISet#Difference(a, b), b[y] } + b[y] ==> !ISet#Difference(a, b)[y]); + +function ISet#Subset(ISet T, ISet T) : bool; + +axiom (forall a: ISet T, b: ISet T :: + { ISet#Subset(a, b) } + ISet#Subset(a, b) <==> (forall o: T :: { a[o] } { b[o] } a[o] ==> b[o])); + +function ISet#Equal(ISet T, ISet T) : bool; + +axiom (forall a: ISet T, b: ISet T :: + { ISet#Equal(a, b) } + ISet#Equal(a, b) <==> (forall o: T :: { a[o] } { b[o] } a[o] <==> b[o])); + +axiom (forall a: ISet T, b: ISet T :: + { ISet#Equal(a, b) } + ISet#Equal(a, b) ==> a == b); + +function ISet#Disjoint(ISet T, ISet T) : bool; + +axiom (forall a: ISet T, b: ISet T :: + { ISet#Disjoint(a, b) } + ISet#Disjoint(a, b) <==> (forall o: T :: { a[o] } { b[o] } !a[o] || !b[o])); + +function Math#min(a: int, b: int) : int; + +axiom (forall a: int, b: int :: { Math#min(a, b) } a <= b <==> Math#min(a, b) == a); + +axiom (forall a: int, b: int :: { Math#min(a, b) } b <= a <==> Math#min(a, b) == b); + +axiom (forall a: int, b: int :: + { Math#min(a, b) } + Math#min(a, b) == a || Math#min(a, b) == b); + +function Math#clip(a: int) : int; + +axiom (forall a: int :: { Math#clip(a) } 0 <= a ==> Math#clip(a) == a); + +axiom (forall a: int :: { Math#clip(a) } a < 0 ==> Math#clip(a) == 0); + +type MultiSet T = [T]int; + +function $IsGoodMultiSet(ms: MultiSet T) : bool; + +axiom (forall ms: MultiSet T :: + { $IsGoodMultiSet(ms) } + $IsGoodMultiSet(ms) + <==> (forall bx: T :: { ms[bx] } 0 <= ms[bx] && ms[bx] <= MultiSet#Card(ms))); + +function MultiSet#Card(MultiSet T) : int; + +axiom (forall s: MultiSet T :: { MultiSet#Card(s) } 0 <= MultiSet#Card(s)); + +axiom (forall s: MultiSet T, x: T, n: int :: + { MultiSet#Card(s[x := n]) } + 0 <= n ==> MultiSet#Card(s[x := n]) == MultiSet#Card(s) - s[x] + n); + +function MultiSet#Empty() : MultiSet T; + +axiom (forall o: T :: { MultiSet#Empty()[o] } MultiSet#Empty()[o] == 0); + +axiom (forall s: MultiSet T :: + { MultiSet#Card(s) } + (MultiSet#Card(s) == 0 <==> s == MultiSet#Empty()) + && (MultiSet#Card(s) != 0 ==> (exists x: T :: 0 < s[x]))); + +function MultiSet#Singleton(T) : MultiSet T; + +axiom (forall r: T, o: T :: + { MultiSet#Singleton(r)[o] } + (MultiSet#Singleton(r)[o] == 1 <==> r == o) + && (MultiSet#Singleton(r)[o] == 0 <==> r != o)); + +axiom (forall r: T :: + { MultiSet#Singleton(r) } + MultiSet#Singleton(r) == MultiSet#UnionOne(MultiSet#Empty(), r)); + +function MultiSet#UnionOne(MultiSet T, T) : MultiSet T; + +axiom (forall a: MultiSet T, x: T, o: T :: + { MultiSet#UnionOne(a, x)[o] } + 0 < MultiSet#UnionOne(a, x)[o] <==> o == x || 0 < a[o]); + +axiom (forall a: MultiSet T, x: T :: + { MultiSet#UnionOne(a, x) } + MultiSet#UnionOne(a, x)[x] == a[x] + 1); + +axiom (forall a: MultiSet T, x: T, y: T :: + { MultiSet#UnionOne(a, x), a[y] } + 0 < a[y] ==> 0 < MultiSet#UnionOne(a, x)[y]); + +axiom (forall a: MultiSet T, x: T, y: T :: + { MultiSet#UnionOne(a, x), a[y] } + x != y ==> a[y] == MultiSet#UnionOne(a, x)[y]); + +axiom (forall a: MultiSet T, x: T :: + { MultiSet#Card(MultiSet#UnionOne(a, x)) } + MultiSet#Card(MultiSet#UnionOne(a, x)) == MultiSet#Card(a) + 1); + +function MultiSet#Union(MultiSet T, MultiSet T) : MultiSet T; + +axiom (forall a: MultiSet T, b: MultiSet T, o: T :: + { MultiSet#Union(a, b)[o] } + MultiSet#Union(a, b)[o] == a[o] + b[o]); + +axiom (forall a: MultiSet T, b: MultiSet T :: + { MultiSet#Card(MultiSet#Union(a, b)) } + MultiSet#Card(MultiSet#Union(a, b)) == MultiSet#Card(a) + MultiSet#Card(b)); + +function MultiSet#Intersection(MultiSet T, MultiSet T) : MultiSet T; + +axiom (forall a: MultiSet T, b: MultiSet T, o: T :: + { MultiSet#Intersection(a, b)[o] } + MultiSet#Intersection(a, b)[o] == Math#min(a[o], b[o])); + +axiom (forall a: MultiSet T, b: MultiSet T :: + { MultiSet#Intersection(MultiSet#Intersection(a, b), b) } + MultiSet#Intersection(MultiSet#Intersection(a, b), b) + == MultiSet#Intersection(a, b)); + +axiom (forall a: MultiSet T, b: MultiSet T :: + { MultiSet#Intersection(a, MultiSet#Intersection(a, b)) } + MultiSet#Intersection(a, MultiSet#Intersection(a, b)) + == MultiSet#Intersection(a, b)); + +function MultiSet#Difference(MultiSet T, MultiSet T) : MultiSet T; + +axiom (forall a: MultiSet T, b: MultiSet T, o: T :: + { MultiSet#Difference(a, b)[o] } + MultiSet#Difference(a, b)[o] == Math#clip(a[o] - b[o])); + +axiom (forall a: MultiSet T, b: MultiSet T, y: T :: + { MultiSet#Difference(a, b), b[y], a[y] } + a[y] <= b[y] ==> MultiSet#Difference(a, b)[y] == 0); + +axiom (forall a: MultiSet T, b: MultiSet T :: + { MultiSet#Card(MultiSet#Difference(a, b)) } + MultiSet#Card(MultiSet#Difference(a, b)) + + MultiSet#Card(MultiSet#Difference(b, a)) + + 2 * MultiSet#Card(MultiSet#Intersection(a, b)) + == MultiSet#Card(MultiSet#Union(a, b)) + && MultiSet#Card(MultiSet#Difference(a, b)) + == MultiSet#Card(a) - MultiSet#Card(MultiSet#Intersection(a, b))); + +function MultiSet#Subset(MultiSet T, MultiSet T) : bool; + +axiom (forall a: MultiSet T, b: MultiSet T :: + { MultiSet#Subset(a, b) } + MultiSet#Subset(a, b) <==> (forall o: T :: { a[o] } { b[o] } a[o] <= b[o])); + +function MultiSet#Equal(MultiSet T, MultiSet T) : bool; + +axiom (forall a: MultiSet T, b: MultiSet T :: + { MultiSet#Equal(a, b) } + MultiSet#Equal(a, b) <==> (forall o: T :: { a[o] } { b[o] } a[o] == b[o])); + +axiom (forall a: MultiSet T, b: MultiSet T :: + { MultiSet#Equal(a, b) } + MultiSet#Equal(a, b) ==> a == b); + +function MultiSet#Disjoint(MultiSet T, MultiSet T) : bool; + +axiom (forall a: MultiSet T, b: MultiSet T :: + { MultiSet#Disjoint(a, b) } + MultiSet#Disjoint(a, b) + <==> (forall o: T :: { a[o] } { b[o] } a[o] == 0 || b[o] == 0)); + +function MultiSet#FromSet(Set T) : MultiSet T; + +axiom (forall s: Set T, a: T :: + { MultiSet#FromSet(s)[a] } + (MultiSet#FromSet(s)[a] == 0 <==> !s[a]) + && (MultiSet#FromSet(s)[a] == 1 <==> s[a])); + +axiom (forall s: Set T :: + { MultiSet#Card(MultiSet#FromSet(s)) } + MultiSet#Card(MultiSet#FromSet(s)) == Set#Card(s)); + +axiom (forall :: + MultiSet#FromSeq(Seq#Empty(): Seq T) == MultiSet#Empty(): MultiSet T); + +function MultiSet#FromSeq(Seq T) : MultiSet T; + +axiom (forall s: Seq T :: + { MultiSet#FromSeq(s) } + $IsGoodMultiSet(MultiSet#FromSeq(s))); + +axiom (forall s: Seq T :: + { MultiSet#Card(MultiSet#FromSeq(s)) } + MultiSet#Card(MultiSet#FromSeq(s)) == Seq#Length(s)); + +axiom (forall s: Seq T, v: T :: + { MultiSet#FromSeq(Seq#Build(s, v)) } + MultiSet#FromSeq(Seq#Build(s, v)) == MultiSet#UnionOne(MultiSet#FromSeq(s), v)); + +axiom (forall a: Seq T, b: Seq T :: + { MultiSet#FromSeq(Seq#Append(a, b)) } + MultiSet#FromSeq(Seq#Append(a, b)) + == MultiSet#Union(MultiSet#FromSeq(a), MultiSet#FromSeq(b))); + +axiom (forall s: Seq T, i: int, v: T, x: T :: + { MultiSet#FromSeq(Seq#Update(s, i, v))[x] } + 0 <= i && i < Seq#Length(s) + ==> MultiSet#FromSeq(Seq#Update(s, i, v))[x] + == MultiSet#Union(MultiSet#Difference(MultiSet#FromSeq(s), MultiSet#Singleton(Seq#Index(s, i))), + MultiSet#Singleton(v))[x]); + +axiom (forall s: Seq T, x: T :: + { MultiSet#FromSeq(s)[x] } + (exists i: int :: + { Seq#Index(s, i) } + 0 <= i && i < Seq#Length(s) && x == Seq#Index(s, i)) + <==> 0 < MultiSet#FromSeq(s)[x]); + +function Seq#Length(Seq T) : int; + +axiom (forall s: Seq T :: { Seq#Length(s) } 0 <= Seq#Length(s)); + +function Seq#Empty() : Seq T; + +axiom (forall :: { Seq#Empty(): Seq T } Seq#Length(Seq#Empty(): Seq T) == 0); + +axiom (forall s: Seq T :: + { Seq#Length(s) } + Seq#Length(s) == 0 ==> s == Seq#Empty()); + +function Seq#Singleton(T) : Seq T; + +axiom (forall t: T :: + { Seq#Length(Seq#Singleton(t)) } + Seq#Length(Seq#Singleton(t)) == 1); + +function Seq#Build(s: Seq T, val: T) : Seq T; + +function Seq#Build_inv0(s: Seq T) : Seq T; + +function Seq#Build_inv1(s: Seq T) : T; + +axiom (forall s: Seq T, val: T :: + { Seq#Build(s, val) } + Seq#Build_inv0(Seq#Build(s, val)) == s + && Seq#Build_inv1(Seq#Build(s, val)) == val); + +axiom (forall s: Seq T, v: T :: + { Seq#Build(s, v) } + Seq#Length(Seq#Build(s, v)) == 1 + Seq#Length(s)); + +axiom (forall s: Seq T, i: int, v: T :: + { Seq#Index(Seq#Build(s, v), i) } + (i == Seq#Length(s) ==> Seq#Index(Seq#Build(s, v), i) == v) + && (i != Seq#Length(s) ==> Seq#Index(Seq#Build(s, v), i) == Seq#Index(s, i))); + +axiom (forall s: Seq Box, bx: Box, t: Ty :: + { $Is(Seq#Build(s, bx), TSeq(t)) } + $Is(s, TSeq(t)) && $IsBox(bx, t) ==> $Is(Seq#Build(s, bx), TSeq(t))); + +function Seq#Create(ty: Ty, heap: Heap, len: int, init: HandleType) : Seq Box; + +axiom (forall ty: Ty, heap: Heap, len: int, init: HandleType :: + { Seq#Length(Seq#Create(ty, heap, len, init): Seq Box) } + $IsGoodHeap(heap) && 0 <= len + ==> Seq#Length(Seq#Create(ty, heap, len, init): Seq Box) == len); + +axiom (forall ty: Ty, heap: Heap, len: int, init: HandleType, i: int :: + { Seq#Index(Seq#Create(ty, heap, len, init), i) } + $IsGoodHeap(heap) && 0 <= i && i < len + ==> Seq#Index(Seq#Create(ty, heap, len, init), i) + == Apply1(TInt, TSeq(ty), heap, init, $Box(i))); + +function Seq#Append(Seq T, Seq T) : Seq T; + +axiom (forall s0: Seq T, s1: Seq T :: + { Seq#Length(Seq#Append(s0, s1)) } + Seq#Length(Seq#Append(s0, s1)) == Seq#Length(s0) + Seq#Length(s1)); + +function Seq#Index(Seq T, int) : T; + +axiom (forall t: T :: + { Seq#Index(Seq#Singleton(t), 0) } + Seq#Index(Seq#Singleton(t), 0) == t); + +axiom (forall s0: Seq T, s1: Seq T, n: int :: + { Seq#Index(Seq#Append(s0, s1), n) } + (n < Seq#Length(s0) ==> Seq#Index(Seq#Append(s0, s1), n) == Seq#Index(s0, n)) + && (Seq#Length(s0) <= n + ==> Seq#Index(Seq#Append(s0, s1), n) == Seq#Index(s1, n - Seq#Length(s0)))); + +function Seq#Update(Seq T, int, T) : Seq T; + +axiom (forall s: Seq T, i: int, v: T :: + { Seq#Length(Seq#Update(s, i, v)) } + 0 <= i && i < Seq#Length(s) ==> Seq#Length(Seq#Update(s, i, v)) == Seq#Length(s)); + +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Index(Seq#Update(s, i, v), n) } + 0 <= n && n < Seq#Length(s) + ==> (i == n ==> Seq#Index(Seq#Update(s, i, v), n) == v) + && (i != n ==> Seq#Index(Seq#Update(s, i, v), n) == Seq#Index(s, n))); + +function Seq#Contains(Seq T, T) : bool; + +axiom (forall s: Seq T, x: T :: + { Seq#Contains(s, x) } + Seq#Contains(s, x) + <==> (exists i: int :: + { Seq#Index(s, i) } + 0 <= i && i < Seq#Length(s) && Seq#Index(s, i) == x)); + +axiom (forall x: T :: + { Seq#Contains(Seq#Empty(), x) } + !Seq#Contains(Seq#Empty(), x)); + +axiom (forall s0: Seq T, s1: Seq T, x: T :: + { Seq#Contains(Seq#Append(s0, s1), x) } + Seq#Contains(Seq#Append(s0, s1), x) + <==> Seq#Contains(s0, x) || Seq#Contains(s1, x)); + +axiom (forall s: Seq T, v: T, x: T :: + { Seq#Contains(Seq#Build(s, v), x) } + Seq#Contains(Seq#Build(s, v), x) <==> v == x || Seq#Contains(s, x)); + +axiom (forall s: Seq T, n: int, x: T :: + { Seq#Contains(Seq#Take(s, n), x) } + Seq#Contains(Seq#Take(s, n), x) + <==> (exists i: int :: + { Seq#Index(s, i) } + 0 <= i && i < n && i < Seq#Length(s) && Seq#Index(s, i) == x)); + +axiom (forall s: Seq T, n: int, x: T :: + { Seq#Contains(Seq#Drop(s, n), x) } + Seq#Contains(Seq#Drop(s, n), x) + <==> (exists i: int :: + { Seq#Index(s, i) } + 0 <= n && n <= i && i < Seq#Length(s) && Seq#Index(s, i) == x)); + +function Seq#Equal(Seq T, Seq T) : bool; + +axiom (forall s0: Seq T, s1: Seq T :: + { Seq#Equal(s0, s1) } + Seq#Equal(s0, s1) + <==> Seq#Length(s0) == Seq#Length(s1) + && (forall j: int :: + { Seq#Index(s0, j) } { Seq#Index(s1, j) } + 0 <= j && j < Seq#Length(s0) ==> Seq#Index(s0, j) == Seq#Index(s1, j))); + +axiom (forall a: Seq T, b: Seq T :: { Seq#Equal(a, b) } Seq#Equal(a, b) ==> a == b); + +function Seq#SameUntil(Seq T, Seq T, int) : bool; + +axiom (forall s0: Seq T, s1: Seq T, n: int :: + { Seq#SameUntil(s0, s1, n) } + Seq#SameUntil(s0, s1, n) + <==> (forall j: int :: + { Seq#Index(s0, j) } { Seq#Index(s1, j) } + 0 <= j && j < n ==> Seq#Index(s0, j) == Seq#Index(s1, j))); + +function Seq#Take(s: Seq T, howMany: int) : Seq T; + +axiom (forall s: Seq T, n: int :: + { Seq#Length(Seq#Take(s, n)) } + 0 <= n && n <= Seq#Length(s) ==> Seq#Length(Seq#Take(s, n)) == n); + +axiom (forall s: Seq T, n: int, j: int :: + {:weight 25} { Seq#Index(Seq#Take(s, n), j) } { Seq#Index(s, j), Seq#Take(s, n) } + 0 <= j && j < n && j < Seq#Length(s) + ==> Seq#Index(Seq#Take(s, n), j) == Seq#Index(s, j)); + +function Seq#Drop(s: Seq T, howMany: int) : Seq T; + +axiom (forall s: Seq T, n: int :: + { Seq#Length(Seq#Drop(s, n)) } + 0 <= n && n <= Seq#Length(s) ==> Seq#Length(Seq#Drop(s, n)) == Seq#Length(s) - n); + +axiom (forall s: Seq T, n: int, j: int :: + {:weight 25} { Seq#Index(Seq#Drop(s, n), j) } + 0 <= n && 0 <= j && j < Seq#Length(s) - n + ==> Seq#Index(Seq#Drop(s, n), j) == Seq#Index(s, j + n)); + +axiom (forall s: Seq T, n: int, k: int :: + {:weight 25} { Seq#Index(s, k), Seq#Drop(s, n) } + 0 <= n && n <= k && k < Seq#Length(s) + ==> Seq#Index(Seq#Drop(s, n), k - n) == Seq#Index(s, k)); + +axiom (forall s: Seq T, t: Seq T, n: int :: + { Seq#Take(Seq#Append(s, t), n) } { Seq#Drop(Seq#Append(s, t), n) } + n == Seq#Length(s) + ==> Seq#Take(Seq#Append(s, t), n) == s && Seq#Drop(Seq#Append(s, t), n) == t); + +function Seq#FromArray(h: Heap, a: ref) : Seq Box; + +axiom (forall h: Heap, a: ref :: + { Seq#Length(Seq#FromArray(h, a)) } + Seq#Length(Seq#FromArray(h, a)) == _System.array.Length(a)); + +axiom (forall h: Heap, a: ref :: + { Seq#FromArray(h, a) } + (forall i: int :: + { read(h, a, IndexField(i)) } { Seq#Index(Seq#FromArray(h, a): Seq Box, i) } + 0 <= i && i < Seq#Length(Seq#FromArray(h, a)) + ==> Seq#Index(Seq#FromArray(h, a), i) == read(h, a, IndexField(i)))); + +axiom (forall h0: Heap, h1: Heap, a: ref :: + { Seq#FromArray(h1, a), $HeapSucc(h0, h1) } + $IsGoodHeap(h0) && $IsGoodHeap(h1) && $HeapSucc(h0, h1) && h0[a] == h1[a] + ==> Seq#FromArray(h0, a) == Seq#FromArray(h1, a)); + +axiom (forall h: Heap, i: int, v: Box, a: ref :: + { Seq#FromArray(update(h, a, IndexField(i), v), a) } + 0 <= i && i < _System.array.Length(a) + ==> Seq#FromArray(update(h, a, IndexField(i), v), a) + == Seq#Update(Seq#FromArray(h, a), i, v)); + +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Take(Seq#Update(s, i, v), n) } + 0 <= i && i < n && n <= Seq#Length(s) + ==> Seq#Take(Seq#Update(s, i, v), n) == Seq#Update(Seq#Take(s, n), i, v)); + +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Take(Seq#Update(s, i, v), n) } + n <= i && i < Seq#Length(s) + ==> Seq#Take(Seq#Update(s, i, v), n) == Seq#Take(s, n)); + +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Drop(Seq#Update(s, i, v), n) } + 0 <= n && n <= i && i < Seq#Length(s) + ==> Seq#Drop(Seq#Update(s, i, v), n) == Seq#Update(Seq#Drop(s, n), i - n, v)); + +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Drop(Seq#Update(s, i, v), n) } + 0 <= i && i < n && n <= Seq#Length(s) + ==> Seq#Drop(Seq#Update(s, i, v), n) == Seq#Drop(s, n)); + +axiom (forall h: Heap, a: ref, n0: int, n1: int :: + { Seq#Take(Seq#FromArray(h, a), n0), Seq#Take(Seq#FromArray(h, a), n1) } + n0 + 1 == n1 && 0 <= n0 && n1 <= _System.array.Length(a) + ==> Seq#Take(Seq#FromArray(h, a), n1) + == Seq#Build(Seq#Take(Seq#FromArray(h, a), n0), read(h, a, IndexField(n0): Field Box))); + +axiom (forall s: Seq T, v: T, n: int :: + { Seq#Drop(Seq#Build(s, v), n) } + 0 <= n && n <= Seq#Length(s) + ==> Seq#Drop(Seq#Build(s, v), n) == Seq#Build(Seq#Drop(s, n), v)); + +function Seq#Rank(Seq T) : int; + +axiom (forall s: Seq Box, i: int :: + { DtRank($Unbox(Seq#Index(s, i)): DatatypeType) } + 0 <= i && i < Seq#Length(s) + ==> DtRank($Unbox(Seq#Index(s, i)): DatatypeType) < Seq#Rank(s)); + +axiom (forall s: Seq T, i: int :: + { Seq#Rank(Seq#Drop(s, i)) } + 0 < i && i <= Seq#Length(s) ==> Seq#Rank(Seq#Drop(s, i)) < Seq#Rank(s)); + +axiom (forall s: Seq T, i: int :: + { Seq#Rank(Seq#Take(s, i)) } + 0 <= i && i < Seq#Length(s) ==> Seq#Rank(Seq#Take(s, i)) < Seq#Rank(s)); + +axiom (forall s: Seq T, i: int, j: int :: + { Seq#Rank(Seq#Append(Seq#Take(s, i), Seq#Drop(s, j))) } + 0 <= i && i < j && j <= Seq#Length(s) + ==> Seq#Rank(Seq#Append(Seq#Take(s, i), Seq#Drop(s, j))) < Seq#Rank(s)); + +axiom (forall s: Seq T, n: int :: + { Seq#Drop(s, n) } + n == 0 ==> Seq#Drop(s, n) == s); + +axiom (forall s: Seq T, n: int :: + { Seq#Take(s, n) } + n == 0 ==> Seq#Take(s, n) == Seq#Empty()); + +axiom (forall s: Seq T, m: int, n: int :: + { Seq#Drop(Seq#Drop(s, m), n) } + 0 <= m && 0 <= n && m + n <= Seq#Length(s) + ==> Seq#Drop(Seq#Drop(s, m), n) == Seq#Drop(s, m + n)); + +function Map#Domain(Map U V) : Set U; + +function Map#Elements(Map U V) : [U]V; + +function Map#Card(Map U V) : int; + +axiom (forall m: Map U V :: { Map#Card(m) } 0 <= Map#Card(m)); + +axiom (forall m: Map U V :: + { Map#Card(m) } + Map#Card(m) == 0 <==> m == Map#Empty()); + +axiom (forall m: Map U V :: + { Map#Domain(m) } + m == Map#Empty() || (exists k: U :: Map#Domain(m)[k])); + +axiom (forall m: Map U V :: + { Map#Values(m) } + m == Map#Empty() || (exists v: V :: Map#Values(m)[v])); + +axiom (forall m: Map U V :: + { Map#Items(m) } + m == Map#Empty() + || (exists k: Box, v: Box :: Map#Items(m)[$Box(#_System._tuple#2._#Make2(k, v))])); + +axiom (forall m: Map U V :: + { Set#Card(Map#Domain(m)) } + Set#Card(Map#Domain(m)) == Map#Card(m)); + +axiom (forall m: Map U V :: + { Set#Card(Map#Values(m)) } + Set#Card(Map#Values(m)) <= Map#Card(m)); + +axiom (forall m: Map U V :: + { Set#Card(Map#Items(m)) } + Set#Card(Map#Items(m)) == Map#Card(m)); + +function Map#Values(Map U V) : Set V; + +axiom (forall m: Map U V, v: V :: + { Map#Values(m)[v] } + Map#Values(m)[v] + == (exists u: U :: + { Map#Domain(m)[u] } { Map#Elements(m)[u] } + Map#Domain(m)[u] && v == Map#Elements(m)[u])); + +function Map#Items(Map U V) : Set Box; + +function #_System._tuple#2._#Make2(Box, Box) : DatatypeType; + +function _System.Tuple2._0(DatatypeType) : Box; + +function _System.Tuple2._1(DatatypeType) : Box; + +axiom (forall m: Map Box Box, item: Box :: + { Map#Items(m)[item] } + Map#Items(m)[item] + <==> Map#Domain(m)[_System.Tuple2._0($Unbox(item))] + && Map#Elements(m)[_System.Tuple2._0($Unbox(item))] + == _System.Tuple2._1($Unbox(item))); + +function Map#Empty() : Map U V; + +axiom (forall u: U :: + { Map#Domain(Map#Empty(): Map U V)[u] } + !Map#Domain(Map#Empty(): Map U V)[u]); + +function Map#Glue([U]bool, [U]V, Ty) : Map U V; + +axiom (forall a: [U]bool, b: [U]V, t: Ty :: + { Map#Domain(Map#Glue(a, b, t)) } + Map#Domain(Map#Glue(a, b, t)) == a); + +axiom (forall a: [U]bool, b: [U]V, t: Ty :: + { Map#Elements(Map#Glue(a, b, t)) } + Map#Elements(Map#Glue(a, b, t)) == b); + +axiom (forall a: [Box]bool, b: [Box]Box, t0: Ty, t1: Ty :: + { Map#Glue(a, b, TMap(t0, t1)) } + (forall bx: Box :: a[bx] ==> $IsBox(bx, t0) && $IsBox(b[bx], t1)) + ==> $Is(Map#Glue(a, b, TMap(t0, t1)), TMap(t0, t1))); + +function Map#Build(Map U V, U, V) : Map U V; + +axiom (forall m: Map U V, u: U, u': U, v: V :: + { Map#Domain(Map#Build(m, u, v))[u'] } { Map#Elements(Map#Build(m, u, v))[u'] } + (u' == u + ==> Map#Domain(Map#Build(m, u, v))[u'] && Map#Elements(Map#Build(m, u, v))[u'] == v) + && (u' != u + ==> Map#Domain(Map#Build(m, u, v))[u'] == Map#Domain(m)[u'] + && Map#Elements(Map#Build(m, u, v))[u'] == Map#Elements(m)[u'])); + +axiom (forall m: Map U V, u: U, v: V :: + { Map#Card(Map#Build(m, u, v)) } + Map#Domain(m)[u] ==> Map#Card(Map#Build(m, u, v)) == Map#Card(m)); + +axiom (forall m: Map U V, u: U, v: V :: + { Map#Card(Map#Build(m, u, v)) } + !Map#Domain(m)[u] ==> Map#Card(Map#Build(m, u, v)) == Map#Card(m) + 1); + +function Map#Merge(Map U V, Map U V) : Map U V; + +axiom (forall m: Map U V, n: Map U V :: + { Map#Domain(Map#Merge(m, n)) } + Map#Domain(Map#Merge(m, n)) == Set#Union(Map#Domain(m), Map#Domain(n))); + +axiom (forall m: Map U V, n: Map U V, u: U :: + { Map#Elements(Map#Merge(m, n))[u] } + Map#Domain(Map#Merge(m, n))[u] + ==> (!Map#Domain(n)[u] ==> Map#Elements(Map#Merge(m, n))[u] == Map#Elements(m)[u]) + && (Map#Domain(n)[u] ==> Map#Elements(Map#Merge(m, n))[u] == Map#Elements(n)[u])); + +function Map#Subtract(Map U V, Set U) : Map U V; + +axiom (forall m: Map U V, s: Set U :: + { Map#Domain(Map#Subtract(m, s)) } + Map#Domain(Map#Subtract(m, s)) == Set#Difference(Map#Domain(m), s)); + +axiom (forall m: Map U V, s: Set U, u: U :: + { Map#Elements(Map#Subtract(m, s))[u] } + Map#Domain(Map#Subtract(m, s))[u] + ==> Map#Elements(Map#Subtract(m, s))[u] == Map#Elements(m)[u]); + +function Map#Equal(Map U V, Map U V) : bool; + +axiom (forall m: Map U V, m': Map U V :: + { Map#Equal(m, m') } + Map#Equal(m, m') + <==> (forall u: U :: Map#Domain(m)[u] == Map#Domain(m')[u]) + && (forall u: U :: Map#Domain(m)[u] ==> Map#Elements(m)[u] == Map#Elements(m')[u])); + +axiom (forall m: Map U V, m': Map U V :: + { Map#Equal(m, m') } + Map#Equal(m, m') ==> m == m'); + +function Map#Disjoint(Map U V, Map U V) : bool; + +axiom (forall m: Map U V, m': Map U V :: + { Map#Disjoint(m, m') } + Map#Disjoint(m, m') + <==> (forall o: U :: + { Map#Domain(m)[o] } { Map#Domain(m')[o] } + !Map#Domain(m)[o] || !Map#Domain(m')[o])); + +function IMap#Domain(IMap U V) : Set U; + +function IMap#Elements(IMap U V) : [U]V; + +axiom (forall m: IMap U V :: + { IMap#Domain(m) } + m == IMap#Empty() || (exists k: U :: IMap#Domain(m)[k])); + +axiom (forall m: IMap U V :: + { IMap#Values(m) } + m == IMap#Empty() || (exists v: V :: IMap#Values(m)[v])); + +axiom (forall m: IMap U V :: + { IMap#Items(m) } + m == IMap#Empty() + || (exists k: Box, v: Box :: IMap#Items(m)[$Box(#_System._tuple#2._#Make2(k, v))])); + +axiom (forall m: IMap U V :: + { IMap#Domain(m) } + m == IMap#Empty() <==> IMap#Domain(m) == ISet#Empty()); + +axiom (forall m: IMap U V :: + { IMap#Values(m) } + m == IMap#Empty() <==> IMap#Values(m) == ISet#Empty()); + +axiom (forall m: IMap U V :: + { IMap#Items(m) } + m == IMap#Empty() <==> IMap#Items(m) == ISet#Empty()); + +function IMap#Values(IMap U V) : Set V; + +axiom (forall m: IMap U V, v: V :: + { IMap#Values(m)[v] } + IMap#Values(m)[v] + == (exists u: U :: + { IMap#Domain(m)[u] } { IMap#Elements(m)[u] } + IMap#Domain(m)[u] && v == IMap#Elements(m)[u])); + +function IMap#Items(IMap U V) : Set Box; + +axiom (forall m: IMap Box Box, item: Box :: + { IMap#Items(m)[item] } + IMap#Items(m)[item] + <==> IMap#Domain(m)[_System.Tuple2._0($Unbox(item))] + && IMap#Elements(m)[_System.Tuple2._0($Unbox(item))] + == _System.Tuple2._1($Unbox(item))); + +function IMap#Empty() : IMap U V; + +axiom (forall u: U :: + { IMap#Domain(IMap#Empty(): IMap U V)[u] } + !IMap#Domain(IMap#Empty(): IMap U V)[u]); + +function IMap#Glue([U]bool, [U]V, Ty) : IMap U V; + +axiom (forall a: [U]bool, b: [U]V, t: Ty :: + { IMap#Domain(IMap#Glue(a, b, t)) } + IMap#Domain(IMap#Glue(a, b, t)) == a); + +axiom (forall a: [U]bool, b: [U]V, t: Ty :: + { IMap#Elements(IMap#Glue(a, b, t)) } + IMap#Elements(IMap#Glue(a, b, t)) == b); + +axiom (forall a: [Box]bool, b: [Box]Box, t0: Ty, t1: Ty :: + { IMap#Glue(a, b, TIMap(t0, t1)) } + (forall bx: Box :: a[bx] ==> $IsBox(bx, t0) && $IsBox(b[bx], t1)) + ==> $Is(Map#Glue(a, b, TIMap(t0, t1)), TIMap(t0, t1))); + +function IMap#Build(IMap U V, U, V) : IMap U V; + +axiom (forall m: IMap U V, u: U, u': U, v: V :: + { IMap#Domain(IMap#Build(m, u, v))[u'] } + { IMap#Elements(IMap#Build(m, u, v))[u'] } + (u' == u + ==> IMap#Domain(IMap#Build(m, u, v))[u'] + && IMap#Elements(IMap#Build(m, u, v))[u'] == v) + && (u' != u + ==> IMap#Domain(IMap#Build(m, u, v))[u'] == IMap#Domain(m)[u'] + && IMap#Elements(IMap#Build(m, u, v))[u'] == IMap#Elements(m)[u'])); + +function IMap#Equal(IMap U V, IMap U V) : bool; + +axiom (forall m: IMap U V, m': IMap U V :: + { IMap#Equal(m, m') } + IMap#Equal(m, m') + <==> (forall u: U :: IMap#Domain(m)[u] == IMap#Domain(m')[u]) + && (forall u: U :: + IMap#Domain(m)[u] ==> IMap#Elements(m)[u] == IMap#Elements(m')[u])); + +axiom (forall m: IMap U V, m': IMap U V :: + { IMap#Equal(m, m') } + IMap#Equal(m, m') ==> m == m'); + +function IMap#Merge(IMap U V, IMap U V) : IMap U V; + +axiom (forall m: IMap U V, n: IMap U V :: + { IMap#Domain(IMap#Merge(m, n)) } + IMap#Domain(IMap#Merge(m, n)) == Set#Union(IMap#Domain(m), IMap#Domain(n))); + +axiom (forall m: IMap U V, n: IMap U V, u: U :: + { IMap#Elements(IMap#Merge(m, n))[u] } + IMap#Domain(IMap#Merge(m, n))[u] + ==> (!IMap#Domain(n)[u] + ==> IMap#Elements(IMap#Merge(m, n))[u] == IMap#Elements(m)[u]) + && (IMap#Domain(n)[u] + ==> IMap#Elements(IMap#Merge(m, n))[u] == IMap#Elements(n)[u])); + +function IMap#Subtract(IMap U V, Set U) : IMap U V; + +axiom (forall m: IMap U V, s: Set U :: + { IMap#Domain(IMap#Subtract(m, s)) } + IMap#Domain(IMap#Subtract(m, s)) == Set#Difference(IMap#Domain(m), s)); + +axiom (forall m: IMap U V, s: Set U, u: U :: + { IMap#Elements(IMap#Subtract(m, s))[u] } + IMap#Domain(IMap#Subtract(m, s))[u] + ==> IMap#Elements(IMap#Subtract(m, s))[u] == IMap#Elements(m)[u]); + +function INTERNAL_add_boogie(x: int, y: int) : int; + +axiom (forall x: int, y: int :: + { INTERNAL_add_boogie(x, y): int } + INTERNAL_add_boogie(x, y): int == x + y); + +function INTERNAL_sub_boogie(x: int, y: int) : int; + +axiom (forall x: int, y: int :: + { INTERNAL_sub_boogie(x, y): int } + INTERNAL_sub_boogie(x, y): int == x - y); + +function INTERNAL_mul_boogie(x: int, y: int) : int; + +axiom (forall x: int, y: int :: + { INTERNAL_mul_boogie(x, y): int } + INTERNAL_mul_boogie(x, y): int == x * y); + +function INTERNAL_div_boogie(x: int, y: int) : int; + +axiom (forall x: int, y: int :: + { INTERNAL_div_boogie(x, y): int } + INTERNAL_div_boogie(x, y): int == x div y); + +function INTERNAL_mod_boogie(x: int, y: int) : int; + +axiom (forall x: int, y: int :: + { INTERNAL_mod_boogie(x, y): int } + INTERNAL_mod_boogie(x, y): int == x mod y); + +function {:never_pattern true} INTERNAL_lt_boogie(x: int, y: int) : bool; + +axiom (forall x: int, y: int :: + {:never_pattern true} { INTERNAL_lt_boogie(x, y): bool } + INTERNAL_lt_boogie(x, y): bool == (x < y)); + +function {:never_pattern true} INTERNAL_le_boogie(x: int, y: int) : bool; + +axiom (forall x: int, y: int :: + {:never_pattern true} { INTERNAL_le_boogie(x, y): bool } + INTERNAL_le_boogie(x, y): bool == (x <= y)); + +function {:never_pattern true} INTERNAL_gt_boogie(x: int, y: int) : bool; + +axiom (forall x: int, y: int :: + {:never_pattern true} { INTERNAL_gt_boogie(x, y): bool } + INTERNAL_gt_boogie(x, y): bool == (x > y)); + +function {:never_pattern true} INTERNAL_ge_boogie(x: int, y: int) : bool; + +axiom (forall x: int, y: int :: + {:never_pattern true} { INTERNAL_ge_boogie(x, y): bool } + INTERNAL_ge_boogie(x, y): bool == (x >= y)); + +function Mul(x: int, y: int) : int; + +axiom (forall x: int, y: int :: { Mul(x, y): int } Mul(x, y): int == x * y); + +function Div(x: int, y: int) : int; + +axiom (forall x: int, y: int :: { Div(x, y): int } Div(x, y): int == x div y); + +function Mod(x: int, y: int) : int; + +axiom (forall x: int, y: int :: { Mod(x, y): int } Mod(x, y): int == x mod y); + +function Add(x: int, y: int) : int; + +axiom (forall x: int, y: int :: { Add(x, y): int } Add(x, y): int == x + y); + +function Sub(x: int, y: int) : int; + +axiom (forall x: int, y: int :: { Sub(x, y): int } Sub(x, y): int == x - y); + +function Tclass._System.nat() : Ty; + +const unique Tagclass._System.nat: TyTag; + +// Tclass._System.nat Tag +axiom Tag(Tclass._System.nat()) == Tagclass._System.nat + && TagFamily(Tclass._System.nat()) == tytagFamily$nat; + +// Box/unbox axiom for Tclass._System.nat +axiom (forall bx: Box :: + { $IsBox(bx, Tclass._System.nat()) } + $IsBox(bx, Tclass._System.nat()) + ==> $Box($Unbox(bx): int) == bx && $Is($Unbox(bx): int, Tclass._System.nat())); + +// _System.nat: subset type $Is +axiom (forall x#0: int :: + { $Is(x#0, Tclass._System.nat()) } + $Is(x#0, Tclass._System.nat()) <==> LitInt(0) <= x#0); + +// _System.nat: subset type $IsAlloc +axiom (forall x#0: int, $h: Heap :: + { $IsAlloc(x#0, Tclass._System.nat(), $h) } + $IsAlloc(x#0, Tclass._System.nat(), $h)); + +const unique class._System.object?: ClassName; + +const unique Tagclass._System.object?: TyTag; + +// Tclass._System.object? Tag +axiom Tag(Tclass._System.object?()) == Tagclass._System.object? + && TagFamily(Tclass._System.object?()) == tytagFamily$object; + +// Box/unbox axiom for Tclass._System.object? +axiom (forall bx: Box :: + { $IsBox(bx, Tclass._System.object?()) } + $IsBox(bx, Tclass._System.object?()) + ==> $Box($Unbox(bx): ref) == bx && $Is($Unbox(bx): ref, Tclass._System.object?())); + +// object: Class $Is +axiom (forall $o: ref :: + { $Is($o, Tclass._System.object?()) } + $Is($o, Tclass._System.object?())); + +// object: Class $IsAlloc +axiom (forall $o: ref, $h: Heap :: + { $IsAlloc($o, Tclass._System.object?(), $h) } + $IsAlloc($o, Tclass._System.object?(), $h) + <==> $o == null || read($h, $o, alloc)); + +function implements$_System.object(ty: Ty) : bool; + +function Tclass._System.object() : Ty; + +const unique Tagclass._System.object: TyTag; + +// Tclass._System.object Tag +axiom Tag(Tclass._System.object()) == Tagclass._System.object + && TagFamily(Tclass._System.object()) == tytagFamily$object; + +// Box/unbox axiom for Tclass._System.object +axiom (forall bx: Box :: + { $IsBox(bx, Tclass._System.object()) } + $IsBox(bx, Tclass._System.object()) + ==> $Box($Unbox(bx): ref) == bx && $Is($Unbox(bx): ref, Tclass._System.object())); + +// _System.object: non-null type $Is +axiom (forall c#0: ref :: + { $Is(c#0, Tclass._System.object()) } + $Is(c#0, Tclass._System.object()) + <==> $Is(c#0, Tclass._System.object?()) && c#0 != null); + +// _System.object: non-null type $IsAlloc +axiom (forall c#0: ref, $h: Heap :: + { $IsAlloc(c#0, Tclass._System.object(), $h) } + $IsAlloc(c#0, Tclass._System.object(), $h) + <==> $IsAlloc(c#0, Tclass._System.object?(), $h)); + +const unique class._System.array?: ClassName; + +function Tclass._System.array?(Ty) : Ty; + +const unique Tagclass._System.array?: TyTag; + +// Tclass._System.array? Tag +axiom (forall _System.array$arg: Ty :: + { Tclass._System.array?(_System.array$arg) } + Tag(Tclass._System.array?(_System.array$arg)) == Tagclass._System.array? + && TagFamily(Tclass._System.array?(_System.array$arg)) == tytagFamily$array); + +function Tclass._System.array?_0(Ty) : Ty; + +// Tclass._System.array? injectivity 0 +axiom (forall _System.array$arg: Ty :: + { Tclass._System.array?(_System.array$arg) } + Tclass._System.array?_0(Tclass._System.array?(_System.array$arg)) + == _System.array$arg); + +// Box/unbox axiom for Tclass._System.array? +axiom (forall _System.array$arg: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.array?(_System.array$arg)) } + $IsBox(bx, Tclass._System.array?(_System.array$arg)) + ==> $Box($Unbox(bx): ref) == bx + && $Is($Unbox(bx): ref, Tclass._System.array?(_System.array$arg))); + +// array.: Type axiom +axiom (forall _System.array$arg: Ty, $h: Heap, $o: ref, $i0: int :: + { read($h, $o, IndexField($i0)), Tclass._System.array?(_System.array$arg) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._System.array?(_System.array$arg) + && + 0 <= $i0 + && $i0 < _System.array.Length($o) + ==> $IsBox(read($h, $o, IndexField($i0)), _System.array$arg)); + +// array.: Allocation axiom +axiom (forall _System.array$arg: Ty, $h: Heap, $o: ref, $i0: int :: + { read($h, $o, IndexField($i0)), Tclass._System.array?(_System.array$arg) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._System.array?(_System.array$arg) + && + 0 <= $i0 + && $i0 < _System.array.Length($o) + && read($h, $o, alloc) + ==> $IsAllocBox(read($h, $o, IndexField($i0)), _System.array$arg, $h)); + +// array: Class $Is +axiom (forall _System.array$arg: Ty, $o: ref :: + { $Is($o, Tclass._System.array?(_System.array$arg)) } + $Is($o, Tclass._System.array?(_System.array$arg)) + <==> $o == null || dtype($o) == Tclass._System.array?(_System.array$arg)); + +// array: Class $IsAlloc +axiom (forall _System.array$arg: Ty, $o: ref, $h: Heap :: + { $IsAlloc($o, Tclass._System.array?(_System.array$arg), $h) } + $IsAlloc($o, Tclass._System.array?(_System.array$arg), $h) + <==> $o == null || read($h, $o, alloc)); + +// array.Length: Type axiom +axiom (forall _System.array$arg: Ty, $o: ref :: + { _System.array.Length($o), Tclass._System.array?(_System.array$arg) } + $o != null && dtype($o) == Tclass._System.array?(_System.array$arg) + ==> $Is(_System.array.Length($o), TInt)); + +// array.Length: Allocation axiom +axiom (forall _System.array$arg: Ty, $h: Heap, $o: ref :: + { _System.array.Length($o), read($h, $o, alloc), Tclass._System.array?(_System.array$arg) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._System.array?(_System.array$arg) + && read($h, $o, alloc) + ==> $IsAlloc(_System.array.Length($o), TInt, $h)); + +function Tclass._System.array(Ty) : Ty; + +const unique Tagclass._System.array: TyTag; + +// Tclass._System.array Tag +axiom (forall _System.array$arg: Ty :: + { Tclass._System.array(_System.array$arg) } + Tag(Tclass._System.array(_System.array$arg)) == Tagclass._System.array + && TagFamily(Tclass._System.array(_System.array$arg)) == tytagFamily$array); + +function Tclass._System.array_0(Ty) : Ty; + +// Tclass._System.array injectivity 0 +axiom (forall _System.array$arg: Ty :: + { Tclass._System.array(_System.array$arg) } + Tclass._System.array_0(Tclass._System.array(_System.array$arg)) + == _System.array$arg); + +// Box/unbox axiom for Tclass._System.array +axiom (forall _System.array$arg: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.array(_System.array$arg)) } + $IsBox(bx, Tclass._System.array(_System.array$arg)) + ==> $Box($Unbox(bx): ref) == bx + && $Is($Unbox(bx): ref, Tclass._System.array(_System.array$arg))); + +// _System.array: non-null type $Is +axiom (forall _System.array$arg: Ty, c#0: ref :: + { $Is(c#0, Tclass._System.array(_System.array$arg)) } + $Is(c#0, Tclass._System.array(_System.array$arg)) + <==> $Is(c#0, Tclass._System.array?(_System.array$arg)) && c#0 != null); + +// _System.array: non-null type $IsAlloc +axiom (forall _System.array$arg: Ty, c#0: ref, $h: Heap :: + { $IsAlloc(c#0, Tclass._System.array(_System.array$arg), $h) } + $IsAlloc(c#0, Tclass._System.array(_System.array$arg), $h) + <==> $IsAlloc(c#0, Tclass._System.array?(_System.array$arg), $h)); + +function Tclass._System.___hFunc1(Ty, Ty) : Ty; + +const unique Tagclass._System.___hFunc1: TyTag; + +// Tclass._System.___hFunc1 Tag +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hFunc1(#$T0, #$R) } + Tag(Tclass._System.___hFunc1(#$T0, #$R)) == Tagclass._System.___hFunc1 + && TagFamily(Tclass._System.___hFunc1(#$T0, #$R)) == tytagFamily$_#Func1); + +function Tclass._System.___hFunc1_0(Ty) : Ty; + +// Tclass._System.___hFunc1 injectivity 0 +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hFunc1(#$T0, #$R) } + Tclass._System.___hFunc1_0(Tclass._System.___hFunc1(#$T0, #$R)) == #$T0); + +function Tclass._System.___hFunc1_1(Ty) : Ty; + +// Tclass._System.___hFunc1 injectivity 1 +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hFunc1(#$T0, #$R) } + Tclass._System.___hFunc1_1(Tclass._System.___hFunc1(#$T0, #$R)) == #$R); + +// Box/unbox axiom for Tclass._System.___hFunc1 +axiom (forall #$T0: Ty, #$R: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.___hFunc1(#$T0, #$R)) } + $IsBox(bx, Tclass._System.___hFunc1(#$T0, #$R)) + ==> $Box($Unbox(bx): HandleType) == bx + && $Is($Unbox(bx): HandleType, Tclass._System.___hFunc1(#$T0, #$R))); + +function Handle1([Heap,Box]Box, [Heap,Box]bool, [Heap,Box]Set Box) : HandleType; + +function Requires1(Ty, Ty, Heap, HandleType, Box) : bool; + +function Reads1(Ty, Ty, Heap, HandleType, Box) : Set Box; + +axiom (forall t0: Ty, + t1: Ty, + heap: Heap, + h: [Heap,Box]Box, + r: [Heap,Box]bool, + rd: [Heap,Box]Set Box, + bx0: Box :: + { Apply1(t0, t1, heap, Handle1(h, r, rd), bx0) } + Apply1(t0, t1, heap, Handle1(h, r, rd), bx0) == h[heap, bx0]); + +axiom (forall t0: Ty, + t1: Ty, + heap: Heap, + h: [Heap,Box]Box, + r: [Heap,Box]bool, + rd: [Heap,Box]Set Box, + bx0: Box :: + { Requires1(t0, t1, heap, Handle1(h, r, rd), bx0) } + r[heap, bx0] ==> Requires1(t0, t1, heap, Handle1(h, r, rd), bx0)); + +axiom (forall t0: Ty, + t1: Ty, + heap: Heap, + h: [Heap,Box]Box, + r: [Heap,Box]bool, + rd: [Heap,Box]Set Box, + bx0: Box, + bx: Box :: + { Reads1(t0, t1, heap, Handle1(h, r, rd), bx0)[bx] } + Reads1(t0, t1, heap, Handle1(h, r, rd), bx0)[bx] == rd[heap, bx0][bx]); + +function {:inline} Requires1#canCall(t0: Ty, t1: Ty, heap: Heap, f: HandleType, bx0: Box) : bool +{ + true +} + +function {:inline} Reads1#canCall(t0: Ty, t1: Ty, heap: Heap, f: HandleType, bx0: Box) : bool +{ + true +} + +// frame axiom for Reads1 +axiom (forall t0: Ty, t1: Ty, h0: Heap, h1: Heap, f: HandleType, bx0: Box :: + { $HeapSucc(h0, h1), Reads1(t0, t1, h1, f, bx0) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $Is(f, Tclass._System.___hFunc1(t0, t1)) + && (forall o: ref, fld: Field a :: + o != null && Reads1(t0, t1, h0, f, bx0)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Reads1(t0, t1, h0, f, bx0) == Reads1(t0, t1, h1, f, bx0)); + +// frame axiom for Reads1 +axiom (forall t0: Ty, t1: Ty, h0: Heap, h1: Heap, f: HandleType, bx0: Box :: + { $HeapSucc(h0, h1), Reads1(t0, t1, h1, f, bx0) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $Is(f, Tclass._System.___hFunc1(t0, t1)) + && (forall o: ref, fld: Field a :: + o != null && Reads1(t0, t1, h1, f, bx0)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Reads1(t0, t1, h0, f, bx0) == Reads1(t0, t1, h1, f, bx0)); + +// frame axiom for Requires1 +axiom (forall t0: Ty, t1: Ty, h0: Heap, h1: Heap, f: HandleType, bx0: Box :: + { $HeapSucc(h0, h1), Requires1(t0, t1, h1, f, bx0) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $Is(f, Tclass._System.___hFunc1(t0, t1)) + && (forall o: ref, fld: Field a :: + o != null && Reads1(t0, t1, h0, f, bx0)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Requires1(t0, t1, h0, f, bx0) == Requires1(t0, t1, h1, f, bx0)); + +// frame axiom for Requires1 +axiom (forall t0: Ty, t1: Ty, h0: Heap, h1: Heap, f: HandleType, bx0: Box :: + { $HeapSucc(h0, h1), Requires1(t0, t1, h1, f, bx0) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $Is(f, Tclass._System.___hFunc1(t0, t1)) + && (forall o: ref, fld: Field a :: + o != null && Reads1(t0, t1, h1, f, bx0)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Requires1(t0, t1, h0, f, bx0) == Requires1(t0, t1, h1, f, bx0)); + +// frame axiom for Apply1 +axiom (forall t0: Ty, t1: Ty, h0: Heap, h1: Heap, f: HandleType, bx0: Box :: + { $HeapSucc(h0, h1), Apply1(t0, t1, h1, f, bx0) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $Is(f, Tclass._System.___hFunc1(t0, t1)) + && (forall o: ref, fld: Field a :: + o != null && Reads1(t0, t1, h0, f, bx0)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Apply1(t0, t1, h0, f, bx0) == Apply1(t0, t1, h1, f, bx0)); + +// frame axiom for Apply1 +axiom (forall t0: Ty, t1: Ty, h0: Heap, h1: Heap, f: HandleType, bx0: Box :: + { $HeapSucc(h0, h1), Apply1(t0, t1, h1, f, bx0) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $Is(f, Tclass._System.___hFunc1(t0, t1)) + && (forall o: ref, fld: Field a :: + o != null && Reads1(t0, t1, h1, f, bx0)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Apply1(t0, t1, h0, f, bx0) == Apply1(t0, t1, h1, f, bx0)); + +// empty-reads property for Reads1 +axiom (forall t0: Ty, t1: Ty, heap: Heap, f: HandleType, bx0: Box :: + { Reads1(t0, t1, $OneHeap, f, bx0), $IsGoodHeap(heap) } + { Reads1(t0, t1, heap, f, bx0) } + $IsGoodHeap(heap) && $IsBox(bx0, t0) && $Is(f, Tclass._System.___hFunc1(t0, t1)) + ==> (Set#Equal(Reads1(t0, t1, $OneHeap, f, bx0), Set#Empty(): Set Box) + <==> Set#Equal(Reads1(t0, t1, heap, f, bx0), Set#Empty(): Set Box))); + +// empty-reads property for Requires1 +axiom (forall t0: Ty, t1: Ty, heap: Heap, f: HandleType, bx0: Box :: + { Requires1(t0, t1, $OneHeap, f, bx0), $IsGoodHeap(heap) } + { Requires1(t0, t1, heap, f, bx0) } + $IsGoodHeap(heap) + && + $IsBox(bx0, t0) + && $Is(f, Tclass._System.___hFunc1(t0, t1)) + && Set#Equal(Reads1(t0, t1, $OneHeap, f, bx0), Set#Empty(): Set Box) + ==> Requires1(t0, t1, $OneHeap, f, bx0) == Requires1(t0, t1, heap, f, bx0)); + +axiom (forall f: HandleType, t0: Ty, t1: Ty :: + { $Is(f, Tclass._System.___hFunc1(t0, t1)) } + $Is(f, Tclass._System.___hFunc1(t0, t1)) + <==> (forall h: Heap, bx0: Box :: + { Apply1(t0, t1, h, f, bx0) } + $IsGoodHeap(h) && $IsBox(bx0, t0) && Requires1(t0, t1, h, f, bx0) + ==> $IsBox(Apply1(t0, t1, h, f, bx0), t1))); + +axiom (forall f: HandleType, t0: Ty, t1: Ty, u0: Ty, u1: Ty :: + { $Is(f, Tclass._System.___hFunc1(t0, t1)), $Is(f, Tclass._System.___hFunc1(u0, u1)) } + $Is(f, Tclass._System.___hFunc1(t0, t1)) + && (forall bx: Box :: + { $IsBox(bx, u0) } { $IsBox(bx, t0) } + $IsBox(bx, u0) ==> $IsBox(bx, t0)) + && (forall bx: Box :: + { $IsBox(bx, t1) } { $IsBox(bx, u1) } + $IsBox(bx, t1) ==> $IsBox(bx, u1)) + ==> $Is(f, Tclass._System.___hFunc1(u0, u1))); + +axiom (forall f: HandleType, t0: Ty, t1: Ty, h: Heap :: + { $IsAlloc(f, Tclass._System.___hFunc1(t0, t1), h) } + $IsGoodHeap(h) + ==> ($IsAlloc(f, Tclass._System.___hFunc1(t0, t1), h) + <==> (forall bx0: Box :: + { Apply1(t0, t1, h, f, bx0) } { Reads1(t0, t1, h, f, bx0) } + $IsBox(bx0, t0) && $IsAllocBox(bx0, t0, h) && Requires1(t0, t1, h, f, bx0) + ==> (forall r: ref :: + { Reads1(t0, t1, h, f, bx0)[$Box(r)] } + r != null && Reads1(t0, t1, h, f, bx0)[$Box(r)] ==> read(h, r, alloc))))); + +axiom (forall f: HandleType, t0: Ty, t1: Ty, h: Heap :: + { $IsAlloc(f, Tclass._System.___hFunc1(t0, t1), h) } + $IsGoodHeap(h) && $IsAlloc(f, Tclass._System.___hFunc1(t0, t1), h) + ==> (forall bx0: Box :: + { Apply1(t0, t1, h, f, bx0) } + $IsAllocBox(bx0, t0, h) && Requires1(t0, t1, h, f, bx0) + ==> $IsAllocBox(Apply1(t0, t1, h, f, bx0), t1, h))); + +function Tclass._System.___hPartialFunc1(Ty, Ty) : Ty; + +const unique Tagclass._System.___hPartialFunc1: TyTag; + +// Tclass._System.___hPartialFunc1 Tag +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hPartialFunc1(#$T0, #$R) } + Tag(Tclass._System.___hPartialFunc1(#$T0, #$R)) + == Tagclass._System.___hPartialFunc1 + && TagFamily(Tclass._System.___hPartialFunc1(#$T0, #$R)) + == tytagFamily$_#PartialFunc1); + +function Tclass._System.___hPartialFunc1_0(Ty) : Ty; + +// Tclass._System.___hPartialFunc1 injectivity 0 +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hPartialFunc1(#$T0, #$R) } + Tclass._System.___hPartialFunc1_0(Tclass._System.___hPartialFunc1(#$T0, #$R)) + == #$T0); + +function Tclass._System.___hPartialFunc1_1(Ty) : Ty; + +// Tclass._System.___hPartialFunc1 injectivity 1 +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hPartialFunc1(#$T0, #$R) } + Tclass._System.___hPartialFunc1_1(Tclass._System.___hPartialFunc1(#$T0, #$R)) + == #$R); + +// Box/unbox axiom for Tclass._System.___hPartialFunc1 +axiom (forall #$T0: Ty, #$R: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.___hPartialFunc1(#$T0, #$R)) } + $IsBox(bx, Tclass._System.___hPartialFunc1(#$T0, #$R)) + ==> $Box($Unbox(bx): HandleType) == bx + && $Is($Unbox(bx): HandleType, Tclass._System.___hPartialFunc1(#$T0, #$R))); + +// _System._#PartialFunc1: subset type $Is +axiom (forall #$T0: Ty, #$R: Ty, f#0: HandleType :: + { $Is(f#0, Tclass._System.___hPartialFunc1(#$T0, #$R)) } + $Is(f#0, Tclass._System.___hPartialFunc1(#$T0, #$R)) + <==> $Is(f#0, Tclass._System.___hFunc1(#$T0, #$R)) + && (forall x0#0: Box :: + $IsBox(x0#0, #$T0) + ==> Set#Equal(Reads1(#$T0, #$R, $OneHeap, f#0, x0#0), Set#Empty(): Set Box))); + +// _System._#PartialFunc1: subset type $IsAlloc +axiom (forall #$T0: Ty, #$R: Ty, f#0: HandleType, $h: Heap :: + { $IsAlloc(f#0, Tclass._System.___hPartialFunc1(#$T0, #$R), $h) } + $IsAlloc(f#0, Tclass._System.___hPartialFunc1(#$T0, #$R), $h) + <==> $IsAlloc(f#0, Tclass._System.___hFunc1(#$T0, #$R), $h)); + +function Tclass._System.___hTotalFunc1(Ty, Ty) : Ty; + +const unique Tagclass._System.___hTotalFunc1: TyTag; + +// Tclass._System.___hTotalFunc1 Tag +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hTotalFunc1(#$T0, #$R) } + Tag(Tclass._System.___hTotalFunc1(#$T0, #$R)) == Tagclass._System.___hTotalFunc1 + && TagFamily(Tclass._System.___hTotalFunc1(#$T0, #$R)) == tytagFamily$_#TotalFunc1); + +function Tclass._System.___hTotalFunc1_0(Ty) : Ty; + +// Tclass._System.___hTotalFunc1 injectivity 0 +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hTotalFunc1(#$T0, #$R) } + Tclass._System.___hTotalFunc1_0(Tclass._System.___hTotalFunc1(#$T0, #$R)) + == #$T0); + +function Tclass._System.___hTotalFunc1_1(Ty) : Ty; + +// Tclass._System.___hTotalFunc1 injectivity 1 +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hTotalFunc1(#$T0, #$R) } + Tclass._System.___hTotalFunc1_1(Tclass._System.___hTotalFunc1(#$T0, #$R)) == #$R); + +// Box/unbox axiom for Tclass._System.___hTotalFunc1 +axiom (forall #$T0: Ty, #$R: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.___hTotalFunc1(#$T0, #$R)) } + $IsBox(bx, Tclass._System.___hTotalFunc1(#$T0, #$R)) + ==> $Box($Unbox(bx): HandleType) == bx + && $Is($Unbox(bx): HandleType, Tclass._System.___hTotalFunc1(#$T0, #$R))); + +// _System._#TotalFunc1: subset type $Is +axiom (forall #$T0: Ty, #$R: Ty, f#0: HandleType :: + { $Is(f#0, Tclass._System.___hTotalFunc1(#$T0, #$R)) } + $Is(f#0, Tclass._System.___hTotalFunc1(#$T0, #$R)) + <==> $Is(f#0, Tclass._System.___hPartialFunc1(#$T0, #$R)) + && (forall x0#0: Box :: + $IsBox(x0#0, #$T0) ==> Requires1(#$T0, #$R, $OneHeap, f#0, x0#0))); + +// _System._#TotalFunc1: subset type $IsAlloc +axiom (forall #$T0: Ty, #$R: Ty, f#0: HandleType, $h: Heap :: + { $IsAlloc(f#0, Tclass._System.___hTotalFunc1(#$T0, #$R), $h) } + $IsAlloc(f#0, Tclass._System.___hTotalFunc1(#$T0, #$R), $h) + <==> $IsAlloc(f#0, Tclass._System.___hPartialFunc1(#$T0, #$R), $h)); + +function Tclass._System.___hFunc0(Ty) : Ty; + +const unique Tagclass._System.___hFunc0: TyTag; + +// Tclass._System.___hFunc0 Tag +axiom (forall #$R: Ty :: + { Tclass._System.___hFunc0(#$R) } + Tag(Tclass._System.___hFunc0(#$R)) == Tagclass._System.___hFunc0 + && TagFamily(Tclass._System.___hFunc0(#$R)) == tytagFamily$_#Func0); + +function Tclass._System.___hFunc0_0(Ty) : Ty; + +// Tclass._System.___hFunc0 injectivity 0 +axiom (forall #$R: Ty :: + { Tclass._System.___hFunc0(#$R) } + Tclass._System.___hFunc0_0(Tclass._System.___hFunc0(#$R)) == #$R); + +// Box/unbox axiom for Tclass._System.___hFunc0 +axiom (forall #$R: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.___hFunc0(#$R)) } + $IsBox(bx, Tclass._System.___hFunc0(#$R)) + ==> $Box($Unbox(bx): HandleType) == bx + && $Is($Unbox(bx): HandleType, Tclass._System.___hFunc0(#$R))); + +function Handle0([Heap]Box, [Heap]bool, [Heap]Set Box) : HandleType; + +function Apply0(Ty, Heap, HandleType) : Box; + +function Requires0(Ty, Heap, HandleType) : bool; + +function Reads0(Ty, Heap, HandleType) : Set Box; + +axiom (forall t0: Ty, heap: Heap, h: [Heap]Box, r: [Heap]bool, rd: [Heap]Set Box :: + { Apply0(t0, heap, Handle0(h, r, rd)) } + Apply0(t0, heap, Handle0(h, r, rd)) == h[heap]); + +axiom (forall t0: Ty, heap: Heap, h: [Heap]Box, r: [Heap]bool, rd: [Heap]Set Box :: + { Requires0(t0, heap, Handle0(h, r, rd)) } + r[heap] ==> Requires0(t0, heap, Handle0(h, r, rd))); + +axiom (forall t0: Ty, heap: Heap, h: [Heap]Box, r: [Heap]bool, rd: [Heap]Set Box, bx: Box :: + { Reads0(t0, heap, Handle0(h, r, rd))[bx] } + Reads0(t0, heap, Handle0(h, r, rd))[bx] == rd[heap][bx]); + +function {:inline} Requires0#canCall(t0: Ty, heap: Heap, f: HandleType) : bool +{ + true +} + +function {:inline} Reads0#canCall(t0: Ty, heap: Heap, f: HandleType) : bool +{ + true +} + +// frame axiom for Reads0 +axiom (forall t0: Ty, h0: Heap, h1: Heap, f: HandleType :: + { $HeapSucc(h0, h1), Reads0(t0, h1, f) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && $Is(f, Tclass._System.___hFunc0(t0)) + && (forall o: ref, fld: Field a :: + o != null && Reads0(t0, h0, f)[$Box(o)] ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Reads0(t0, h0, f) == Reads0(t0, h1, f)); + +// frame axiom for Reads0 +axiom (forall t0: Ty, h0: Heap, h1: Heap, f: HandleType :: + { $HeapSucc(h0, h1), Reads0(t0, h1, f) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && $Is(f, Tclass._System.___hFunc0(t0)) + && (forall o: ref, fld: Field a :: + o != null && Reads0(t0, h1, f)[$Box(o)] ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Reads0(t0, h0, f) == Reads0(t0, h1, f)); + +// frame axiom for Requires0 +axiom (forall t0: Ty, h0: Heap, h1: Heap, f: HandleType :: + { $HeapSucc(h0, h1), Requires0(t0, h1, f) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && $Is(f, Tclass._System.___hFunc0(t0)) + && (forall o: ref, fld: Field a :: + o != null && Reads0(t0, h0, f)[$Box(o)] ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Requires0(t0, h0, f) == Requires0(t0, h1, f)); + +// frame axiom for Requires0 +axiom (forall t0: Ty, h0: Heap, h1: Heap, f: HandleType :: + { $HeapSucc(h0, h1), Requires0(t0, h1, f) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && $Is(f, Tclass._System.___hFunc0(t0)) + && (forall o: ref, fld: Field a :: + o != null && Reads0(t0, h1, f)[$Box(o)] ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Requires0(t0, h0, f) == Requires0(t0, h1, f)); + +// frame axiom for Apply0 +axiom (forall t0: Ty, h0: Heap, h1: Heap, f: HandleType :: + { $HeapSucc(h0, h1), Apply0(t0, h1, f) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && $Is(f, Tclass._System.___hFunc0(t0)) + && (forall o: ref, fld: Field a :: + o != null && Reads0(t0, h0, f)[$Box(o)] ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Apply0(t0, h0, f) == Apply0(t0, h1, f)); + +// frame axiom for Apply0 +axiom (forall t0: Ty, h0: Heap, h1: Heap, f: HandleType :: + { $HeapSucc(h0, h1), Apply0(t0, h1, f) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && $Is(f, Tclass._System.___hFunc0(t0)) + && (forall o: ref, fld: Field a :: + o != null && Reads0(t0, h1, f)[$Box(o)] ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Apply0(t0, h0, f) == Apply0(t0, h1, f)); + +// empty-reads property for Reads0 +axiom (forall t0: Ty, heap: Heap, f: HandleType :: + { Reads0(t0, $OneHeap, f), $IsGoodHeap(heap) } { Reads0(t0, heap, f) } + $IsGoodHeap(heap) && $Is(f, Tclass._System.___hFunc0(t0)) + ==> (Set#Equal(Reads0(t0, $OneHeap, f), Set#Empty(): Set Box) + <==> Set#Equal(Reads0(t0, heap, f), Set#Empty(): Set Box))); + +// empty-reads property for Requires0 +axiom (forall t0: Ty, heap: Heap, f: HandleType :: + { Requires0(t0, $OneHeap, f), $IsGoodHeap(heap) } { Requires0(t0, heap, f) } + $IsGoodHeap(heap) + && $Is(f, Tclass._System.___hFunc0(t0)) + && Set#Equal(Reads0(t0, $OneHeap, f), Set#Empty(): Set Box) + ==> Requires0(t0, $OneHeap, f) == Requires0(t0, heap, f)); + +axiom (forall f: HandleType, t0: Ty :: + { $Is(f, Tclass._System.___hFunc0(t0)) } + $Is(f, Tclass._System.___hFunc0(t0)) + <==> (forall h: Heap :: + { Apply0(t0, h, f) } + $IsGoodHeap(h) && Requires0(t0, h, f) ==> $IsBox(Apply0(t0, h, f), t0))); + +axiom (forall f: HandleType, t0: Ty, u0: Ty :: + { $Is(f, Tclass._System.___hFunc0(t0)), $Is(f, Tclass._System.___hFunc0(u0)) } + $Is(f, Tclass._System.___hFunc0(t0)) + && (forall bx: Box :: + { $IsBox(bx, t0) } { $IsBox(bx, u0) } + $IsBox(bx, t0) ==> $IsBox(bx, u0)) + ==> $Is(f, Tclass._System.___hFunc0(u0))); + +axiom (forall f: HandleType, t0: Ty, h: Heap :: + { $IsAlloc(f, Tclass._System.___hFunc0(t0), h) } + $IsGoodHeap(h) + ==> ($IsAlloc(f, Tclass._System.___hFunc0(t0), h) + <==> Requires0(t0, h, f) + ==> (forall r: ref :: + { Reads0(t0, h, f)[$Box(r)] } + r != null && Reads0(t0, h, f)[$Box(r)] ==> read(h, r, alloc)))); + +axiom (forall f: HandleType, t0: Ty, h: Heap :: + { $IsAlloc(f, Tclass._System.___hFunc0(t0), h) } + $IsGoodHeap(h) && $IsAlloc(f, Tclass._System.___hFunc0(t0), h) + ==> + Requires0(t0, h, f) + ==> $IsAllocBox(Apply0(t0, h, f), t0, h)); + +function Tclass._System.___hPartialFunc0(Ty) : Ty; + +const unique Tagclass._System.___hPartialFunc0: TyTag; + +// Tclass._System.___hPartialFunc0 Tag +axiom (forall #$R: Ty :: + { Tclass._System.___hPartialFunc0(#$R) } + Tag(Tclass._System.___hPartialFunc0(#$R)) == Tagclass._System.___hPartialFunc0 + && TagFamily(Tclass._System.___hPartialFunc0(#$R)) == tytagFamily$_#PartialFunc0); + +function Tclass._System.___hPartialFunc0_0(Ty) : Ty; + +// Tclass._System.___hPartialFunc0 injectivity 0 +axiom (forall #$R: Ty :: + { Tclass._System.___hPartialFunc0(#$R) } + Tclass._System.___hPartialFunc0_0(Tclass._System.___hPartialFunc0(#$R)) == #$R); + +// Box/unbox axiom for Tclass._System.___hPartialFunc0 +axiom (forall #$R: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.___hPartialFunc0(#$R)) } + $IsBox(bx, Tclass._System.___hPartialFunc0(#$R)) + ==> $Box($Unbox(bx): HandleType) == bx + && $Is($Unbox(bx): HandleType, Tclass._System.___hPartialFunc0(#$R))); + +// _System._#PartialFunc0: subset type $Is +axiom (forall #$R: Ty, f#0: HandleType :: + { $Is(f#0, Tclass._System.___hPartialFunc0(#$R)) } + $Is(f#0, Tclass._System.___hPartialFunc0(#$R)) + <==> $Is(f#0, Tclass._System.___hFunc0(#$R)) + && Set#Equal(Reads0(#$R, $OneHeap, f#0), Set#Empty(): Set Box)); + +// _System._#PartialFunc0: subset type $IsAlloc +axiom (forall #$R: Ty, f#0: HandleType, $h: Heap :: + { $IsAlloc(f#0, Tclass._System.___hPartialFunc0(#$R), $h) } + $IsAlloc(f#0, Tclass._System.___hPartialFunc0(#$R), $h) + <==> $IsAlloc(f#0, Tclass._System.___hFunc0(#$R), $h)); + +function Tclass._System.___hTotalFunc0(Ty) : Ty; + +const unique Tagclass._System.___hTotalFunc0: TyTag; + +// Tclass._System.___hTotalFunc0 Tag +axiom (forall #$R: Ty :: + { Tclass._System.___hTotalFunc0(#$R) } + Tag(Tclass._System.___hTotalFunc0(#$R)) == Tagclass._System.___hTotalFunc0 + && TagFamily(Tclass._System.___hTotalFunc0(#$R)) == tytagFamily$_#TotalFunc0); + +function Tclass._System.___hTotalFunc0_0(Ty) : Ty; + +// Tclass._System.___hTotalFunc0 injectivity 0 +axiom (forall #$R: Ty :: + { Tclass._System.___hTotalFunc0(#$R) } + Tclass._System.___hTotalFunc0_0(Tclass._System.___hTotalFunc0(#$R)) == #$R); + +// Box/unbox axiom for Tclass._System.___hTotalFunc0 +axiom (forall #$R: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.___hTotalFunc0(#$R)) } + $IsBox(bx, Tclass._System.___hTotalFunc0(#$R)) + ==> $Box($Unbox(bx): HandleType) == bx + && $Is($Unbox(bx): HandleType, Tclass._System.___hTotalFunc0(#$R))); + +// _System._#TotalFunc0: subset type $Is +axiom (forall #$R: Ty, f#0: HandleType :: + { $Is(f#0, Tclass._System.___hTotalFunc0(#$R)) } + $Is(f#0, Tclass._System.___hTotalFunc0(#$R)) + <==> $Is(f#0, Tclass._System.___hPartialFunc0(#$R)) && Requires0(#$R, $OneHeap, f#0)); + +// _System._#TotalFunc0: subset type $IsAlloc +axiom (forall #$R: Ty, f#0: HandleType, $h: Heap :: + { $IsAlloc(f#0, Tclass._System.___hTotalFunc0(#$R), $h) } + $IsAlloc(f#0, Tclass._System.___hTotalFunc0(#$R), $h) + <==> $IsAlloc(f#0, Tclass._System.___hPartialFunc0(#$R), $h)); + +// Constructor identifier +axiom (forall a#0#0#0: Box, a#0#1#0: Box :: + { #_System._tuple#2._#Make2(a#0#0#0, a#0#1#0) } + DatatypeCtorId(#_System._tuple#2._#Make2(a#0#0#0, a#0#1#0)) + == ##_System._tuple#2._#Make2); + +const unique ##_System._tuple#2._#Make2: DtCtorId; + +function _System.Tuple2.___hMake2_q(DatatypeType) : bool; + +// Questionmark and identifier +axiom (forall d: DatatypeType :: + { _System.Tuple2.___hMake2_q(d) } + _System.Tuple2.___hMake2_q(d) + <==> DatatypeCtorId(d) == ##_System._tuple#2._#Make2); + +// Constructor questionmark has arguments +axiom (forall d: DatatypeType :: + { _System.Tuple2.___hMake2_q(d) } + _System.Tuple2.___hMake2_q(d) + ==> (exists a#1#0#0: Box, a#1#1#0: Box :: + d == #_System._tuple#2._#Make2(a#1#0#0, a#1#1#0))); + +const unique Tagclass._System.Tuple2: TyTag; + +// Tclass._System.Tuple2 Tag +axiom (forall _System._tuple#2$T0: Ty, _System._tuple#2$T1: Ty :: + { Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1) } + Tag(Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) + == Tagclass._System.Tuple2 + && TagFamily(Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) + == tytagFamily$_tuple#2); + +function Tclass._System.Tuple2_0(Ty) : Ty; + +// Tclass._System.Tuple2 injectivity 0 +axiom (forall _System._tuple#2$T0: Ty, _System._tuple#2$T1: Ty :: + { Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1) } + Tclass._System.Tuple2_0(Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) + == _System._tuple#2$T0); + +function Tclass._System.Tuple2_1(Ty) : Ty; + +// Tclass._System.Tuple2 injectivity 1 +axiom (forall _System._tuple#2$T0: Ty, _System._tuple#2$T1: Ty :: + { Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1) } + Tclass._System.Tuple2_1(Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) + == _System._tuple#2$T1); + +// Box/unbox axiom for Tclass._System.Tuple2 +axiom (forall _System._tuple#2$T0: Ty, _System._tuple#2$T1: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) } + $IsBox(bx, Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) + ==> $Box($Unbox(bx): DatatypeType) == bx + && $Is($Unbox(bx): DatatypeType, + Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1))); + +// Constructor $Is +axiom (forall _System._tuple#2$T0: Ty, _System._tuple#2$T1: Ty, a#2#0#0: Box, a#2#1#0: Box :: + { $Is(#_System._tuple#2._#Make2(a#2#0#0, a#2#1#0), + Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) } + $Is(#_System._tuple#2._#Make2(a#2#0#0, a#2#1#0), + Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) + <==> $IsBox(a#2#0#0, _System._tuple#2$T0) && $IsBox(a#2#1#0, _System._tuple#2$T1)); + +// Constructor $IsAlloc +axiom (forall _System._tuple#2$T0: Ty, + _System._tuple#2$T1: Ty, + a#2#0#0: Box, + a#2#1#0: Box, + $h: Heap :: + { $IsAlloc(#_System._tuple#2._#Make2(a#2#0#0, a#2#1#0), + Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1), + $h) } + $IsGoodHeap($h) + ==> ($IsAlloc(#_System._tuple#2._#Make2(a#2#0#0, a#2#1#0), + Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1), + $h) + <==> $IsAllocBox(a#2#0#0, _System._tuple#2$T0, $h) + && $IsAllocBox(a#2#1#0, _System._tuple#2$T1, $h))); + +// Destructor $IsAlloc +axiom (forall d: DatatypeType, _System._tuple#2$T0: Ty, $h: Heap :: + { $IsAllocBox(_System.Tuple2._0(d), _System._tuple#2$T0, $h) } + $IsGoodHeap($h) + && + _System.Tuple2.___hMake2_q(d) + && (exists _System._tuple#2$T1: Ty :: + { $IsAlloc(d, Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1), $h) } + $IsAlloc(d, Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1), $h)) + ==> $IsAllocBox(_System.Tuple2._0(d), _System._tuple#2$T0, $h)); + +// Destructor $IsAlloc +axiom (forall d: DatatypeType, _System._tuple#2$T1: Ty, $h: Heap :: + { $IsAllocBox(_System.Tuple2._1(d), _System._tuple#2$T1, $h) } + $IsGoodHeap($h) + && + _System.Tuple2.___hMake2_q(d) + && (exists _System._tuple#2$T0: Ty :: + { $IsAlloc(d, Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1), $h) } + $IsAlloc(d, Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1), $h)) + ==> $IsAllocBox(_System.Tuple2._1(d), _System._tuple#2$T1, $h)); + +// Constructor literal +axiom (forall a#3#0#0: Box, a#3#1#0: Box :: + { #_System._tuple#2._#Make2(Lit(a#3#0#0), Lit(a#3#1#0)) } + #_System._tuple#2._#Make2(Lit(a#3#0#0), Lit(a#3#1#0)) + == Lit(#_System._tuple#2._#Make2(a#3#0#0, a#3#1#0))); + +// Constructor injectivity +axiom (forall a#4#0#0: Box, a#4#1#0: Box :: + { #_System._tuple#2._#Make2(a#4#0#0, a#4#1#0) } + _System.Tuple2._0(#_System._tuple#2._#Make2(a#4#0#0, a#4#1#0)) == a#4#0#0); + +// Inductive rank +axiom (forall a#5#0#0: Box, a#5#1#0: Box :: + { #_System._tuple#2._#Make2(a#5#0#0, a#5#1#0) } + BoxRank(a#5#0#0) < DtRank(#_System._tuple#2._#Make2(a#5#0#0, a#5#1#0))); + +// Constructor injectivity +axiom (forall a#6#0#0: Box, a#6#1#0: Box :: + { #_System._tuple#2._#Make2(a#6#0#0, a#6#1#0) } + _System.Tuple2._1(#_System._tuple#2._#Make2(a#6#0#0, a#6#1#0)) == a#6#1#0); + +// Inductive rank +axiom (forall a#7#0#0: Box, a#7#1#0: Box :: + { #_System._tuple#2._#Make2(a#7#0#0, a#7#1#0) } + BoxRank(a#7#1#0) < DtRank(#_System._tuple#2._#Make2(a#7#0#0, a#7#1#0))); + +// Depth-one case-split function +function $IsA#_System.Tuple2(DatatypeType) : bool; + +// Depth-one case-split axiom +axiom (forall d: DatatypeType :: + { $IsA#_System.Tuple2(d) } + $IsA#_System.Tuple2(d) ==> _System.Tuple2.___hMake2_q(d)); + +// Questionmark data type disjunctivity +axiom (forall _System._tuple#2$T0: Ty, _System._tuple#2$T1: Ty, d: DatatypeType :: + { _System.Tuple2.___hMake2_q(d), $Is(d, Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) } + $Is(d, Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) + ==> _System.Tuple2.___hMake2_q(d)); + +// Datatype extensional equality declaration +function _System.Tuple2#Equal(DatatypeType, DatatypeType) : bool; + +// Datatype extensional equality definition: #_System._tuple#2._#Make2 +axiom (forall a: DatatypeType, b: DatatypeType :: + { _System.Tuple2#Equal(a, b) } + true + ==> (_System.Tuple2#Equal(a, b) + <==> _System.Tuple2._0(a) == _System.Tuple2._0(b) + && _System.Tuple2._1(a) == _System.Tuple2._1(b))); + +// Datatype extensionality axiom: _System._tuple#2 +axiom (forall a: DatatypeType, b: DatatypeType :: + { _System.Tuple2#Equal(a, b) } + _System.Tuple2#Equal(a, b) <==> a == b); + +const unique class._System.Tuple2: ClassName; + +// Constructor function declaration +function #_System._tuple#0._#Make0() : DatatypeType; + +// Constructor identifier +axiom DatatypeCtorId(#_System._tuple#0._#Make0()) == ##_System._tuple#0._#Make0; + +const unique ##_System._tuple#0._#Make0: DtCtorId; + +function _System.Tuple0.___hMake0_q(DatatypeType) : bool; + +// Questionmark and identifier +axiom (forall d: DatatypeType :: + { _System.Tuple0.___hMake0_q(d) } + _System.Tuple0.___hMake0_q(d) + <==> DatatypeCtorId(d) == ##_System._tuple#0._#Make0); + +// Constructor questionmark has arguments +axiom (forall d: DatatypeType :: + { _System.Tuple0.___hMake0_q(d) } + _System.Tuple0.___hMake0_q(d) ==> d == #_System._tuple#0._#Make0()); + +function Tclass._System.Tuple0() : Ty; + +const unique Tagclass._System.Tuple0: TyTag; + +// Tclass._System.Tuple0 Tag +axiom Tag(Tclass._System.Tuple0()) == Tagclass._System.Tuple0 + && TagFamily(Tclass._System.Tuple0()) == tytagFamily$_tuple#0; + +// Box/unbox axiom for Tclass._System.Tuple0 +axiom (forall bx: Box :: + { $IsBox(bx, Tclass._System.Tuple0()) } + $IsBox(bx, Tclass._System.Tuple0()) + ==> $Box($Unbox(bx): DatatypeType) == bx + && $Is($Unbox(bx): DatatypeType, Tclass._System.Tuple0())); + +// Constructor $Is +axiom $Is(#_System._tuple#0._#Make0(), Tclass._System.Tuple0()); + +// Constructor $IsAlloc +axiom (forall $h: Heap :: + { $IsAlloc(#_System._tuple#0._#Make0(), Tclass._System.Tuple0(), $h) } + $IsGoodHeap($h) + ==> $IsAlloc(#_System._tuple#0._#Make0(), Tclass._System.Tuple0(), $h)); + +// Constructor literal +axiom #_System._tuple#0._#Make0() == Lit(#_System._tuple#0._#Make0()); + +// Depth-one case-split function +function $IsA#_System.Tuple0(DatatypeType) : bool; + +// Depth-one case-split axiom +axiom (forall d: DatatypeType :: + { $IsA#_System.Tuple0(d) } + $IsA#_System.Tuple0(d) ==> _System.Tuple0.___hMake0_q(d)); + +// Questionmark data type disjunctivity +axiom (forall d: DatatypeType :: + { _System.Tuple0.___hMake0_q(d), $Is(d, Tclass._System.Tuple0()) } + $Is(d, Tclass._System.Tuple0()) ==> _System.Tuple0.___hMake0_q(d)); + +// Datatype extensional equality declaration +function _System.Tuple0#Equal(DatatypeType, DatatypeType) : bool; + +// Datatype extensional equality definition: #_System._tuple#0._#Make0 +axiom (forall a: DatatypeType, b: DatatypeType :: + { _System.Tuple0#Equal(a, b) } + true ==> (_System.Tuple0#Equal(a, b) <==> true)); + +// Datatype extensionality axiom: _System._tuple#0 +axiom (forall a: DatatypeType, b: DatatypeType :: + { _System.Tuple0#Equal(a, b) } + _System.Tuple0#Equal(a, b) <==> a == b); + +const unique class._System.Tuple0: ClassName; + +const unique class._module.Composite?: ClassName; + +function Tclass._module.Composite?() : Ty; + +const unique Tagclass._module.Composite?: TyTag; + +// Tclass._module.Composite? Tag +axiom Tag(Tclass._module.Composite?()) == Tagclass._module.Composite? + && TagFamily(Tclass._module.Composite?()) == tytagFamily$Composite; + +// Box/unbox axiom for Tclass._module.Composite? +axiom (forall bx: Box :: + { $IsBox(bx, Tclass._module.Composite?()) } + $IsBox(bx, Tclass._module.Composite?()) + ==> $Box($Unbox(bx): ref) == bx && $Is($Unbox(bx): ref, Tclass._module.Composite?())); + +// Composite: Class $Is +axiom (forall $o: ref :: + { $Is($o, Tclass._module.Composite?()) } + $Is($o, Tclass._module.Composite?()) + <==> $o == null || dtype($o) == Tclass._module.Composite?()); + +// Composite: Class $IsAlloc +axiom (forall $o: ref, $h: Heap :: + { $IsAlloc($o, Tclass._module.Composite?(), $h) } + $IsAlloc($o, Tclass._module.Composite?(), $h) + <==> $o == null || read($h, $o, alloc)); + +axiom FDim(_module.Composite.left) == 0 + && FieldOfDecl(class._module.Composite?, field$left) == _module.Composite.left + && !$IsGhostField(_module.Composite.left); + +const _module.Composite.left: Field ref; + +// Composite.left: Type axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Composite.left) } + $IsGoodHeap($h) && $o != null && dtype($o) == Tclass._module.Composite?() + ==> $Is(read($h, $o, _module.Composite.left), Tclass._module.Composite?())); + +// Composite.left: Allocation axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Composite.left) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._module.Composite?() + && read($h, $o, alloc) + ==> $IsAlloc(read($h, $o, _module.Composite.left), Tclass._module.Composite?(), $h)); + +axiom FDim(_module.Composite.right) == 0 + && FieldOfDecl(class._module.Composite?, field$right) == _module.Composite.right + && !$IsGhostField(_module.Composite.right); + +const _module.Composite.right: Field ref; + +// Composite.right: Type axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Composite.right) } + $IsGoodHeap($h) && $o != null && dtype($o) == Tclass._module.Composite?() + ==> $Is(read($h, $o, _module.Composite.right), Tclass._module.Composite?())); + +// Composite.right: Allocation axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Composite.right) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._module.Composite?() + && read($h, $o, alloc) + ==> $IsAlloc(read($h, $o, _module.Composite.right), Tclass._module.Composite?(), $h)); + +axiom FDim(_module.Composite.parent) == 0 + && FieldOfDecl(class._module.Composite?, field$parent) == _module.Composite.parent + && !$IsGhostField(_module.Composite.parent); + +const _module.Composite.parent: Field ref; + +// Composite.parent: Type axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Composite.parent) } + $IsGoodHeap($h) && $o != null && dtype($o) == Tclass._module.Composite?() + ==> $Is(read($h, $o, _module.Composite.parent), Tclass._module.Composite?())); + +// Composite.parent: Allocation axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Composite.parent) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._module.Composite?() + && read($h, $o, alloc) + ==> $IsAlloc(read($h, $o, _module.Composite.parent), Tclass._module.Composite?(), $h)); + +axiom FDim(_module.Composite.val) == 0 + && FieldOfDecl(class._module.Composite?, field$val) == _module.Composite.val + && !$IsGhostField(_module.Composite.val); + +const _module.Composite.val: Field int; + +// Composite.val: Type axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Composite.val) } + $IsGoodHeap($h) && $o != null && dtype($o) == Tclass._module.Composite?() + ==> $Is(read($h, $o, _module.Composite.val), TInt)); + +// Composite.val: Allocation axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Composite.val) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._module.Composite?() + && read($h, $o, alloc) + ==> $IsAlloc(read($h, $o, _module.Composite.val), TInt, $h)); + +axiom FDim(_module.Composite.sum) == 0 + && FieldOfDecl(class._module.Composite?, field$sum) == _module.Composite.sum + && !$IsGhostField(_module.Composite.sum); + +const _module.Composite.sum: Field int; + +// Composite.sum: Type axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Composite.sum) } + $IsGoodHeap($h) && $o != null && dtype($o) == Tclass._module.Composite?() + ==> $Is(read($h, $o, _module.Composite.sum), TInt)); + +// Composite.sum: Allocation axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Composite.sum) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._module.Composite?() + && read($h, $o, alloc) + ==> $IsAlloc(read($h, $o, _module.Composite.sum), TInt, $h)); + +// function declaration for _module.Composite.Valid +function _module.Composite.Valid($heap: Heap, this: ref, S#0: Set Box) : bool; + +function _module.Composite.Valid#canCall($heap: Heap, this: ref, S#0: Set Box) : bool; + +function Tclass._module.Composite() : Ty; + +const unique Tagclass._module.Composite: TyTag; + +// Tclass._module.Composite Tag +axiom Tag(Tclass._module.Composite()) == Tagclass._module.Composite + && TagFamily(Tclass._module.Composite()) == tytagFamily$Composite; + +// Box/unbox axiom for Tclass._module.Composite +axiom (forall bx: Box :: + { $IsBox(bx, Tclass._module.Composite()) } + $IsBox(bx, Tclass._module.Composite()) + ==> $Box($Unbox(bx): ref) == bx && $Is($Unbox(bx): ref, Tclass._module.Composite())); + +// frame axiom for _module.Composite.Valid +axiom (forall $h0: Heap, $h1: Heap, this: ref, S#0: Set Box :: + { $IsHeapAnchor($h0), $HeapSucc($h0, $h1), _module.Composite.Valid($h1, this, S#0) } + $IsGoodHeap($h0) + && $IsGoodHeap($h1) + && + this != null + && $Is(this, Tclass._module.Composite()) + && (_module.Composite.Valid#canCall($h0, this, S#0) + || $Is(S#0, TSet(Tclass._module.Composite()))) + && + $IsHeapAnchor($h0) + && $HeapSucc($h0, $h1) + ==> + (forall $o: ref, $f: Field alpha :: + $o != null + && ( + $o == this + || $o == read($h0, this, _module.Composite.parent) + || $o == read($h0, this, _module.Composite.left) + || $o == read($h0, this, _module.Composite.right)) + ==> read($h0, $o, $f) == read($h1, $o, $f)) + ==> _module.Composite.Valid($h0, this, S#0) + == _module.Composite.Valid($h1, this, S#0)); + +// consequence axiom for _module.Composite.Valid +axiom 1 <= $FunctionContextHeight + ==> (forall $Heap: Heap, this: ref, S#0: Set Box :: + { _module.Composite.Valid($Heap, this, S#0) } + _module.Composite.Valid#canCall($Heap, this, S#0) + || (1 != $FunctionContextHeight + && + $IsGoodHeap($Heap) + && + this != null + && + $Is(this, Tclass._module.Composite()) + && $IsAlloc(this, Tclass._module.Composite(), $Heap) + && $Is(S#0, TSet(Tclass._module.Composite()))) + ==> true); + +function _module.Composite.Valid#requires(Heap, ref, Set Box) : bool; + +// #requires axiom for _module.Composite.Valid +axiom (forall $Heap: Heap, this: ref, S#0: Set Box :: + { _module.Composite.Valid#requires($Heap, this, S#0), $IsGoodHeap($Heap) } + $IsGoodHeap($Heap) + && + this != null + && + $Is(this, Tclass._module.Composite()) + && $IsAlloc(this, Tclass._module.Composite(), $Heap) + && $Is(S#0, TSet(Tclass._module.Composite())) + ==> _module.Composite.Valid#requires($Heap, this, S#0) == true); + +// definition axiom for _module.Composite.Valid (revealed) +axiom 1 <= $FunctionContextHeight + ==> (forall $Heap: Heap, this: ref, S#0: Set Box :: + { _module.Composite.Valid($Heap, this, S#0), $IsGoodHeap($Heap) } + _module.Composite.Valid#canCall($Heap, this, S#0) + || (1 != $FunctionContextHeight + && + $IsGoodHeap($Heap) + && + this != null + && + $Is(this, Tclass._module.Composite()) + && $IsAlloc(this, Tclass._module.Composite(), $Heap) + && $Is(S#0, TSet(Tclass._module.Composite()))) + ==> _module.Composite.Valid($Heap, this, S#0) + == ( + S#0[$Box(this)] + && (read($Heap, this, _module.Composite.parent) != null + ==> S#0[$Box(read($Heap, this, _module.Composite.parent))] + && (read($Heap, read($Heap, this, _module.Composite.parent), _module.Composite.left) + == this + || read($Heap, read($Heap, this, _module.Composite.parent), _module.Composite.right) + == this)) + && (read($Heap, this, _module.Composite.left) != null + ==> S#0[$Box(read($Heap, this, _module.Composite.left))] + && read($Heap, read($Heap, this, _module.Composite.left), _module.Composite.parent) + == this + && read($Heap, this, _module.Composite.left) + != read($Heap, this, _module.Composite.right)) + && (read($Heap, this, _module.Composite.right) != null + ==> S#0[$Box(read($Heap, this, _module.Composite.right))] + && read($Heap, read($Heap, this, _module.Composite.right), _module.Composite.parent) + == this + && read($Heap, this, _module.Composite.left) + != read($Heap, this, _module.Composite.right)) + && read($Heap, this, _module.Composite.sum) + == read($Heap, this, _module.Composite.val) + + (if read($Heap, this, _module.Composite.left) == null + then 0 + else read($Heap, read($Heap, this, _module.Composite.left), _module.Composite.sum)) + + (if read($Heap, this, _module.Composite.right) == null + then 0 + else read($Heap, read($Heap, this, _module.Composite.right), _module.Composite.sum)))); + +procedure {:verboseName "Composite.Valid (well-formedness)"} CheckWellformed$$_module.Composite.Valid(this: ref + where this != null + && + $Is(this, Tclass._module.Composite()) + && $IsAlloc(this, Tclass._module.Composite(), $Heap), + S#0: Set Box where $Is(S#0, TSet(Tclass._module.Composite()))); + free requires 1 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +implementation {:verboseName "Composite.Valid (well-formedness)"} CheckWellformed$$_module.Composite.Valid(this: ref, S#0: Set Box) +{ + var $_Frame: [ref,Field beta]bool; + var b$reqreads#0: bool; + var b$reqreads#1: bool; + var b$reqreads#2: bool; + var newtype$check#0: ref; + var newtype$check#1: ref; + var newtype$check#2: ref; + var newtype$check#3: ref; + var newtype$check#4: ref; + var b$reqreads#3: bool; + var b$reqreads#4: bool; + var b$reqreads#5: bool; + var b$reqreads#6: bool; + var b$reqreads#7: bool; + var b$reqreads#8: bool; + var b$reqreads#9: bool; + var b$reqreads#10: bool; + var b$reqreads#11: bool; + var b$reqreads#12: bool; + var b$reqreads#13: bool; + var b$reqreads#14: bool; + var b$reqreads#15: bool; + var b$reqreads#16: bool; + var b$reqreads#17: bool; + var b$reqreads#18: bool; + var b$reqreads#19: bool; + var b$reqreads#20: bool; + var b$reqreads#21: bool; + var b$reqreads#22: bool; + var b$reqreads#23: bool; + var b$reqreads#24: bool; + var b$reqreads#25: bool; + var b$reqreads#26: bool; + var b$reqreads#27: bool; + var b$reqreads#28: bool; + + b$reqreads#0 := true; + b$reqreads#1 := true; + b$reqreads#2 := true; + b$reqreads#3 := true; + b$reqreads#4 := true; + b$reqreads#5 := true; + b$reqreads#6 := true; + b$reqreads#7 := true; + b$reqreads#8 := true; + b$reqreads#9 := true; + b$reqreads#10 := true; + b$reqreads#11 := true; + b$reqreads#12 := true; + b$reqreads#13 := true; + b$reqreads#14 := true; + b$reqreads#15 := true; + b$reqreads#16 := true; + b$reqreads#17 := true; + b$reqreads#18 := true; + b$reqreads#19 := true; + b$reqreads#20 := true; + b$reqreads#21 := true; + b$reqreads#22 := true; + b$reqreads#23 := true; + b$reqreads#24 := true; + b$reqreads#25 := true; + b$reqreads#26 := true; + b$reqreads#27 := true; + b$reqreads#28 := true; + + // AddWellformednessCheck for function Valid + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> $o == this + || $o == read($Heap, this, _module.Composite.parent) + || $o == read($Heap, this, _module.Composite.left) + || $o == read($Heap, this, _module.Composite.right)); + b$reqreads#0 := $_Frame[this, _module.Composite.parent]; + b$reqreads#1 := $_Frame[this, _module.Composite.left]; + b$reqreads#2 := $_Frame[this, _module.Composite.right]; + assert b$reqreads#0; + assert b$reqreads#1; + assert b$reqreads#2; + if (*) + { + assume false; + } + else + { + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> $o == this + || $o == read($Heap, this, _module.Composite.parent) + || $o == read($Heap, this, _module.Composite.left) + || $o == read($Heap, this, _module.Composite.right)); + if (S#0[$Box(this)]) + { + b$reqreads#3 := $_Frame[this, _module.Composite.parent]; + newtype$check#0 := null; + if (read($Heap, this, _module.Composite.parent) != null) + { + b$reqreads#4 := $_Frame[this, _module.Composite.parent]; + if (S#0[$Box(read($Heap, this, _module.Composite.parent))]) + { + b$reqreads#5 := $_Frame[this, _module.Composite.parent]; + assert read($Heap, this, _module.Composite.parent) != null; + b$reqreads#6 := $_Frame[read($Heap, this, _module.Composite.parent), _module.Composite.left]; + if (read($Heap, read($Heap, this, _module.Composite.parent), _module.Composite.left) + != this) + { + b$reqreads#7 := $_Frame[this, _module.Composite.parent]; + assert read($Heap, this, _module.Composite.parent) != null; + b$reqreads#8 := $_Frame[read($Heap, this, _module.Composite.parent), _module.Composite.right]; + } + } + } + } + + if (S#0[$Box(this)] + && (read($Heap, this, _module.Composite.parent) != null + ==> S#0[$Box(read($Heap, this, _module.Composite.parent))] + && (read($Heap, read($Heap, this, _module.Composite.parent), _module.Composite.left) + == this + || read($Heap, read($Heap, this, _module.Composite.parent), _module.Composite.right) + == this))) + { + b$reqreads#9 := $_Frame[this, _module.Composite.left]; + newtype$check#1 := null; + if (read($Heap, this, _module.Composite.left) != null) + { + b$reqreads#10 := $_Frame[this, _module.Composite.left]; + if (S#0[$Box(read($Heap, this, _module.Composite.left))]) + { + b$reqreads#11 := $_Frame[this, _module.Composite.left]; + assert read($Heap, this, _module.Composite.left) != null; + b$reqreads#12 := $_Frame[read($Heap, this, _module.Composite.left), _module.Composite.parent]; + } + + if (S#0[$Box(read($Heap, this, _module.Composite.left))] + && read($Heap, read($Heap, this, _module.Composite.left), _module.Composite.parent) + == this) + { + b$reqreads#13 := $_Frame[this, _module.Composite.left]; + b$reqreads#14 := $_Frame[this, _module.Composite.right]; + } + } + } + + if (S#0[$Box(this)] + && (read($Heap, this, _module.Composite.parent) != null + ==> S#0[$Box(read($Heap, this, _module.Composite.parent))] + && (read($Heap, read($Heap, this, _module.Composite.parent), _module.Composite.left) + == this + || read($Heap, read($Heap, this, _module.Composite.parent), _module.Composite.right) + == this)) + && (read($Heap, this, _module.Composite.left) != null + ==> S#0[$Box(read($Heap, this, _module.Composite.left))] + && read($Heap, read($Heap, this, _module.Composite.left), _module.Composite.parent) + == this + && read($Heap, this, _module.Composite.left) + != read($Heap, this, _module.Composite.right))) + { + b$reqreads#15 := $_Frame[this, _module.Composite.right]; + newtype$check#2 := null; + if (read($Heap, this, _module.Composite.right) != null) + { + b$reqreads#16 := $_Frame[this, _module.Composite.right]; + if (S#0[$Box(read($Heap, this, _module.Composite.right))]) + { + b$reqreads#17 := $_Frame[this, _module.Composite.right]; + assert read($Heap, this, _module.Composite.right) != null; + b$reqreads#18 := $_Frame[read($Heap, this, _module.Composite.right), _module.Composite.parent]; + } + + if (S#0[$Box(read($Heap, this, _module.Composite.right))] + && read($Heap, read($Heap, this, _module.Composite.right), _module.Composite.parent) + == this) + { + b$reqreads#19 := $_Frame[this, _module.Composite.left]; + b$reqreads#20 := $_Frame[this, _module.Composite.right]; + } + } + } + + if (S#0[$Box(this)] + && (read($Heap, this, _module.Composite.parent) != null + ==> S#0[$Box(read($Heap, this, _module.Composite.parent))] + && (read($Heap, read($Heap, this, _module.Composite.parent), _module.Composite.left) + == this + || read($Heap, read($Heap, this, _module.Composite.parent), _module.Composite.right) + == this)) + && (read($Heap, this, _module.Composite.left) != null + ==> S#0[$Box(read($Heap, this, _module.Composite.left))] + && read($Heap, read($Heap, this, _module.Composite.left), _module.Composite.parent) + == this + && read($Heap, this, _module.Composite.left) + != read($Heap, this, _module.Composite.right)) + && (read($Heap, this, _module.Composite.right) != null + ==> S#0[$Box(read($Heap, this, _module.Composite.right))] + && read($Heap, read($Heap, this, _module.Composite.right), _module.Composite.parent) + == this + && read($Heap, this, _module.Composite.left) + != read($Heap, this, _module.Composite.right))) + { + b$reqreads#21 := $_Frame[this, _module.Composite.sum]; + b$reqreads#22 := $_Frame[this, _module.Composite.val]; + b$reqreads#23 := $_Frame[this, _module.Composite.left]; + newtype$check#3 := null; + if (read($Heap, this, _module.Composite.left) == null) + { + } + else + { + b$reqreads#24 := $_Frame[this, _module.Composite.left]; + assert read($Heap, this, _module.Composite.left) != null; + b$reqreads#25 := $_Frame[read($Heap, this, _module.Composite.left), _module.Composite.sum]; + } + + b$reqreads#26 := $_Frame[this, _module.Composite.right]; + newtype$check#4 := null; + if (read($Heap, this, _module.Composite.right) == null) + { + } + else + { + b$reqreads#27 := $_Frame[this, _module.Composite.right]; + assert read($Heap, this, _module.Composite.right) != null; + b$reqreads#28 := $_Frame[read($Heap, this, _module.Composite.right), _module.Composite.sum]; + } + } + + assume _module.Composite.Valid($Heap, this, S#0) + == ( + S#0[$Box(this)] + && (read($Heap, this, _module.Composite.parent) != null + ==> S#0[$Box(read($Heap, this, _module.Composite.parent))] + && (read($Heap, read($Heap, this, _module.Composite.parent), _module.Composite.left) + == this + || read($Heap, read($Heap, this, _module.Composite.parent), _module.Composite.right) + == this)) + && (read($Heap, this, _module.Composite.left) != null + ==> S#0[$Box(read($Heap, this, _module.Composite.left))] + && read($Heap, read($Heap, this, _module.Composite.left), _module.Composite.parent) + == this + && read($Heap, this, _module.Composite.left) + != read($Heap, this, _module.Composite.right)) + && (read($Heap, this, _module.Composite.right) != null + ==> S#0[$Box(read($Heap, this, _module.Composite.right))] + && read($Heap, read($Heap, this, _module.Composite.right), _module.Composite.parent) + == this + && read($Heap, this, _module.Composite.left) + != read($Heap, this, _module.Composite.right)) + && read($Heap, this, _module.Composite.sum) + == read($Heap, this, _module.Composite.val) + + (if read($Heap, this, _module.Composite.left) == null + then 0 + else read($Heap, read($Heap, this, _module.Composite.left), _module.Composite.sum)) + + (if read($Heap, this, _module.Composite.right) == null + then 0 + else read($Heap, read($Heap, this, _module.Composite.right), _module.Composite.sum))); + assume true; + // CheckWellformedWithResult: any expression + assume $Is(_module.Composite.Valid($Heap, this, S#0), TBool); + assert b$reqreads#3; + assert b$reqreads#4; + assert b$reqreads#5; + assert b$reqreads#6; + assert b$reqreads#7; + assert b$reqreads#8; + assert b$reqreads#9; + assert b$reqreads#10; + assert b$reqreads#11; + assert b$reqreads#12; + assert b$reqreads#13; + assert b$reqreads#14; + assert b$reqreads#15; + assert b$reqreads#16; + assert b$reqreads#17; + assert b$reqreads#18; + assert b$reqreads#19; + assert b$reqreads#20; + assert b$reqreads#21; + assert b$reqreads#22; + assert b$reqreads#23; + assert b$reqreads#24; + assert b$reqreads#25; + assert b$reqreads#26; + assert b$reqreads#27; + assert b$reqreads#28; + } +} + + + +// function declaration for _module.Composite.Acyclic +function _module.Composite.Acyclic($ly: LayerType, $heap: Heap, this: ref, S#0: Set Box) : bool; + +function _module.Composite.Acyclic#canCall($heap: Heap, this: ref, S#0: Set Box) : bool; + +// layer synonym axiom +axiom (forall $ly: LayerType, $Heap: Heap, this: ref, S#0: Set Box :: + { _module.Composite.Acyclic($LS($ly), $Heap, this, S#0) } + _module.Composite.Acyclic($LS($ly), $Heap, this, S#0) + == _module.Composite.Acyclic($ly, $Heap, this, S#0)); + +// fuel synonym axiom +axiom (forall $ly: LayerType, $Heap: Heap, this: ref, S#0: Set Box :: + { _module.Composite.Acyclic(AsFuelBottom($ly), $Heap, this, S#0) } + _module.Composite.Acyclic($ly, $Heap, this, S#0) + == _module.Composite.Acyclic($LZ, $Heap, this, S#0)); + +// frame axiom for _module.Composite.Acyclic +axiom (forall $ly: LayerType, $h0: Heap, $h1: Heap, this: ref, S#0: Set Box :: + { $IsHeapAnchor($h0), $HeapSucc($h0, $h1), _module.Composite.Acyclic($ly, $h1, this, S#0) } + $IsGoodHeap($h0) + && $IsGoodHeap($h1) + && + this != null + && $Is(this, Tclass._module.Composite()) + && (_module.Composite.Acyclic#canCall($h0, this, S#0) + || $Is(S#0, TSet(Tclass._module.Composite()))) + && + $IsHeapAnchor($h0) + && $HeapSucc($h0, $h1) + ==> + (forall $o: ref, $f: Field alpha :: + $o != null && S#0[$Box($o)] ==> read($h0, $o, $f) == read($h1, $o, $f)) + ==> _module.Composite.Acyclic($ly, $h0, this, S#0) + == _module.Composite.Acyclic($ly, $h1, this, S#0)); + +// consequence axiom for _module.Composite.Acyclic +axiom 1 <= $FunctionContextHeight + ==> (forall $ly: LayerType, $Heap: Heap, this: ref, S#0: Set Box :: + { _module.Composite.Acyclic($ly, $Heap, this, S#0) } + _module.Composite.Acyclic#canCall($Heap, this, S#0) + || (1 != $FunctionContextHeight + && + $IsGoodHeap($Heap) + && + this != null + && + $Is(this, Tclass._module.Composite()) + && $IsAlloc(this, Tclass._module.Composite(), $Heap) + && $Is(S#0, TSet(Tclass._module.Composite()))) + ==> true); + +function _module.Composite.Acyclic#requires(LayerType, Heap, ref, Set Box) : bool; + +// #requires axiom for _module.Composite.Acyclic +axiom (forall $ly: LayerType, $Heap: Heap, this: ref, S#0: Set Box :: + { _module.Composite.Acyclic#requires($ly, $Heap, this, S#0), $IsGoodHeap($Heap) } + $IsGoodHeap($Heap) + && + this != null + && + $Is(this, Tclass._module.Composite()) + && $IsAlloc(this, Tclass._module.Composite(), $Heap) + && $Is(S#0, TSet(Tclass._module.Composite())) + ==> _module.Composite.Acyclic#requires($ly, $Heap, this, S#0) == true); + +// definition axiom for _module.Composite.Acyclic (revealed) +axiom 1 <= $FunctionContextHeight + ==> (forall $ly: LayerType, $Heap: Heap, this: ref, S#0: Set Box :: + { _module.Composite.Acyclic($LS($ly), $Heap, this, S#0), $IsGoodHeap($Heap) } + _module.Composite.Acyclic#canCall($Heap, this, S#0) + || (1 != $FunctionContextHeight + && + $IsGoodHeap($Heap) + && + this != null + && + $Is(this, Tclass._module.Composite()) + && $IsAlloc(this, Tclass._module.Composite(), $Heap) + && $Is(S#0, TSet(Tclass._module.Composite()))) + ==> (S#0[$Box(this)] + ==> + read($Heap, this, _module.Composite.parent) != null + ==> _module.Composite.Acyclic#canCall($Heap, + read($Heap, this, _module.Composite.parent), + Set#Difference(S#0, Set#UnionOne(Set#Empty(): Set Box, $Box(this))))) + && _module.Composite.Acyclic($LS($ly), $Heap, this, S#0) + == (S#0[$Box(this)] + && (read($Heap, this, _module.Composite.parent) != null + ==> _module.Composite.Acyclic($ly, + $Heap, + read($Heap, this, _module.Composite.parent), + Set#Difference(S#0, Set#UnionOne(Set#Empty(): Set Box, $Box(this))))))); + +procedure {:verboseName "Composite.Acyclic (well-formedness)"} CheckWellformed$$_module.Composite.Acyclic(this: ref + where this != null + && + $Is(this, Tclass._module.Composite()) + && $IsAlloc(this, Tclass._module.Composite(), $Heap), + S#0: Set Box where $Is(S#0, TSet(Tclass._module.Composite()))); + free requires 1 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +implementation {:verboseName "Composite.Acyclic (well-formedness)"} CheckWellformed$$_module.Composite.Acyclic(this: ref, S#0: Set Box) +{ + var $_Frame: [ref,Field beta]bool; + var newtype$check#0: ref; + var ##S#0: Set Box; + var b$reqreads#0: bool; + var b$reqreads#1: bool; + var b$reqreads#2: bool; + + b$reqreads#0 := true; + b$reqreads#1 := true; + b$reqreads#2 := true; + + // AddWellformednessCheck for function Acyclic + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> S#0[$Box($o)]); + if (*) + { + assume false; + } + else + { + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> S#0[$Box($o)]); + if (S#0[$Box(this)]) + { + b$reqreads#0 := $_Frame[this, _module.Composite.parent]; + newtype$check#0 := null; + if (read($Heap, this, _module.Composite.parent) != null) + { + b$reqreads#1 := $_Frame[this, _module.Composite.parent]; + assert read($Heap, this, _module.Composite.parent) != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(read($Heap, this, _module.Composite.parent), Tclass._module.Composite?(), $Heap); + ##S#0 := Set#Difference(S#0, Set#UnionOne(Set#Empty(): Set Box, $Box(this))); + // assume allocatedness for argument to function + assume $IsAlloc(##S#0, TSet(Tclass._module.Composite()), $Heap); + b$reqreads#2 := (forall $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) && ##S#0[$Box($o)] ==> $_Frame[$o, $f]); + assert (Set#Subset(##S#0, S#0) && !Set#Subset(S#0, ##S#0)) + || (Set#Equal(##S#0, S#0) && Set#Subset(##S#0, S#0) && !Set#Subset(S#0, ##S#0)); + assume _module.Composite.Acyclic#canCall($Heap, + read($Heap, this, _module.Composite.parent), + Set#Difference(S#0, Set#UnionOne(Set#Empty(): Set Box, $Box(this)))); + } + } + + assume _module.Composite.Acyclic($LS($LZ), $Heap, this, S#0) + == (S#0[$Box(this)] + && (read($Heap, this, _module.Composite.parent) != null + ==> _module.Composite.Acyclic($LS($LZ), + $Heap, + read($Heap, this, _module.Composite.parent), + Set#Difference(S#0, Set#UnionOne(Set#Empty(): Set Box, $Box(this)))))); + assume S#0[$Box(this)] + ==> + read($Heap, this, _module.Composite.parent) != null + ==> _module.Composite.Acyclic#canCall($Heap, + read($Heap, this, _module.Composite.parent), + Set#Difference(S#0, Set#UnionOne(Set#Empty(): Set Box, $Box(this)))); + // CheckWellformedWithResult: any expression + assume $Is(_module.Composite.Acyclic($LS($LZ), $Heap, this, S#0), TBool); + assert b$reqreads#0; + assert b$reqreads#1; + assert b$reqreads#2; + } +} + + + +procedure {:verboseName "Composite.Init (well-formedness)"} CheckWellFormed$$_module.Composite.Init(this: ref + where this != null + && + $Is(this, Tclass._module.Composite()) + && $IsAlloc(this, Tclass._module.Composite(), $Heap), + x#0: int); + free requires 2 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +procedure {:verboseName "Composite.Init (call)"} Call$$_module.Composite.Init(this: ref + where this != null + && + $Is(this, Tclass._module.Composite()) + && $IsAlloc(this, Tclass._module.Composite(), $Heap), + x#0: int); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures _module.Composite.Valid#canCall($Heap, this, Set#UnionOne(Set#Empty(): Set Box, $Box(this))) + && (_module.Composite.Valid($Heap, this, Set#UnionOne(Set#Empty(): Set Box, $Box(this))) + ==> _module.Composite.Acyclic#canCall($Heap, this, Set#UnionOne(Set#Empty(): Set Box, $Box(this)))); + free ensures _module.Composite.Valid#canCall($Heap, this, Set#UnionOne(Set#Empty(): Set Box, $Box(this))) + && + _module.Composite.Valid($Heap, this, Set#UnionOne(Set#Empty(): Set Box, $Box(this))) + && + Set#UnionOne(Set#Empty(): Set Box, $Box(this))[$Box(this)] + && (read($Heap, this, _module.Composite.parent) != null + ==> Set#UnionOne(Set#Empty(): Set Box, $Box(this))[$Box(read($Heap, this, _module.Composite.parent))] + && (read($Heap, read($Heap, this, _module.Composite.parent), _module.Composite.left) + == this + || read($Heap, read($Heap, this, _module.Composite.parent), _module.Composite.right) + == this)) + && (read($Heap, this, _module.Composite.left) != null + ==> Set#UnionOne(Set#Empty(): Set Box, $Box(this))[$Box(read($Heap, this, _module.Composite.left))] + && read($Heap, read($Heap, this, _module.Composite.left), _module.Composite.parent) + == this + && read($Heap, this, _module.Composite.left) + != read($Heap, this, _module.Composite.right)) + && (read($Heap, this, _module.Composite.right) != null + ==> Set#UnionOne(Set#Empty(): Set Box, $Box(this))[$Box(read($Heap, this, _module.Composite.right))] + && read($Heap, read($Heap, this, _module.Composite.right), _module.Composite.parent) + == this + && read($Heap, this, _module.Composite.left) + != read($Heap, this, _module.Composite.right)) + && read($Heap, this, _module.Composite.sum) + == read($Heap, this, _module.Composite.val) + + (if read($Heap, this, _module.Composite.left) == null + then 0 + else read($Heap, read($Heap, this, _module.Composite.left), _module.Composite.sum)) + + (if read($Heap, this, _module.Composite.right) == null + then 0 + else read($Heap, read($Heap, this, _module.Composite.right), _module.Composite.sum)); + free ensures _module.Composite.Acyclic#canCall($Heap, this, Set#UnionOne(Set#Empty(): Set Box, $Box(this))) + && + _module.Composite.Acyclic($LS($LZ), $Heap, this, Set#UnionOne(Set#Empty(): Set Box, $Box(this))) + && + Set#UnionOne(Set#Empty(): Set Box, $Box(this))[$Box(this)] + && (read($Heap, this, _module.Composite.parent) != null + ==> _module.Composite.Acyclic($LS($LZ), + $Heap, + read($Heap, this, _module.Composite.parent), + Set#Difference(Set#UnionOne(Set#Empty(): Set Box, $Box(this)), + Set#UnionOne(Set#Empty(): Set Box, $Box(this))))); + ensures read($Heap, this, _module.Composite.val) == x#0; + ensures read($Heap, this, _module.Composite.parent) == null; + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] || $o == this); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +procedure {:verboseName "Composite.Init (correctness)"} Impl$$_module.Composite.Init(this: ref + where this != null + && + $Is(this, Tclass._module.Composite()) + && $IsAlloc(this, Tclass._module.Composite(), $Heap), + x#0: int) + returns ($_reverifyPost: bool); + free requires 2 == $FunctionContextHeight; + modifies $Heap, $Tick; + // user-defined postconditions + free ensures _module.Composite.Valid#canCall($Heap, this, Set#UnionOne(Set#Empty(): Set Box, $Box(this))) + && (_module.Composite.Valid($Heap, this, Set#UnionOne(Set#Empty(): Set Box, $Box(this))) + ==> _module.Composite.Acyclic#canCall($Heap, this, Set#UnionOne(Set#Empty(): Set Box, $Box(this)))); + ensures _module.Composite.Valid#canCall($Heap, this, Set#UnionOne(Set#Empty(): Set Box, $Box(this))) + ==> _module.Composite.Valid($Heap, this, Set#UnionOne(Set#Empty(): Set Box, $Box(this))) + || Set#UnionOne(Set#Empty(): Set Box, $Box(this))[$Box(this)]; + ensures _module.Composite.Valid#canCall($Heap, this, Set#UnionOne(Set#Empty(): Set Box, $Box(this))) + ==> _module.Composite.Valid($Heap, this, Set#UnionOne(Set#Empty(): Set Box, $Box(this))) + || (read($Heap, this, _module.Composite.parent) != null + ==> Set#UnionOne(Set#Empty(): Set Box, $Box(this))[$Box(read($Heap, this, _module.Composite.parent))]); + ensures _module.Composite.Valid#canCall($Heap, this, Set#UnionOne(Set#Empty(): Set Box, $Box(this))) + ==> _module.Composite.Valid($Heap, this, Set#UnionOne(Set#Empty(): Set Box, $Box(this))) + || (read($Heap, this, _module.Composite.parent) != null + ==> read($Heap, read($Heap, this, _module.Composite.parent), _module.Composite.left) + == this + || read($Heap, read($Heap, this, _module.Composite.parent), _module.Composite.right) + == this); + ensures _module.Composite.Valid#canCall($Heap, this, Set#UnionOne(Set#Empty(): Set Box, $Box(this))) + ==> _module.Composite.Valid($Heap, this, Set#UnionOne(Set#Empty(): Set Box, $Box(this))) + || (read($Heap, this, _module.Composite.left) != null + ==> Set#UnionOne(Set#Empty(): Set Box, $Box(this))[$Box(read($Heap, this, _module.Composite.left))]); + ensures _module.Composite.Valid#canCall($Heap, this, Set#UnionOne(Set#Empty(): Set Box, $Box(this))) + ==> _module.Composite.Valid($Heap, this, Set#UnionOne(Set#Empty(): Set Box, $Box(this))) + || (read($Heap, this, _module.Composite.left) != null + ==> read($Heap, read($Heap, this, _module.Composite.left), _module.Composite.parent) + == this); + ensures _module.Composite.Valid#canCall($Heap, this, Set#UnionOne(Set#Empty(): Set Box, $Box(this))) + ==> _module.Composite.Valid($Heap, this, Set#UnionOne(Set#Empty(): Set Box, $Box(this))) + || (read($Heap, this, _module.Composite.left) != null + ==> read($Heap, this, _module.Composite.left) + != read($Heap, this, _module.Composite.right)); + ensures _module.Composite.Valid#canCall($Heap, this, Set#UnionOne(Set#Empty(): Set Box, $Box(this))) + ==> _module.Composite.Valid($Heap, this, Set#UnionOne(Set#Empty(): Set Box, $Box(this))) + || (read($Heap, this, _module.Composite.right) != null + ==> Set#UnionOne(Set#Empty(): Set Box, $Box(this))[$Box(read($Heap, this, _module.Composite.right))]); + ensures _module.Composite.Valid#canCall($Heap, this, Set#UnionOne(Set#Empty(): Set Box, $Box(this))) + ==> _module.Composite.Valid($Heap, this, Set#UnionOne(Set#Empty(): Set Box, $Box(this))) + || (read($Heap, this, _module.Composite.right) != null + ==> read($Heap, read($Heap, this, _module.Composite.right), _module.Composite.parent) + == this); + ensures _module.Composite.Valid#canCall($Heap, this, Set#UnionOne(Set#Empty(): Set Box, $Box(this))) + ==> _module.Composite.Valid($Heap, this, Set#UnionOne(Set#Empty(): Set Box, $Box(this))) + || (read($Heap, this, _module.Composite.right) != null + ==> read($Heap, this, _module.Composite.left) + != read($Heap, this, _module.Composite.right)); + ensures _module.Composite.Valid#canCall($Heap, this, Set#UnionOne(Set#Empty(): Set Box, $Box(this))) + ==> _module.Composite.Valid($Heap, this, Set#UnionOne(Set#Empty(): Set Box, $Box(this))) + || read($Heap, this, _module.Composite.sum) + == read($Heap, this, _module.Composite.val) + + (if read($Heap, this, _module.Composite.left) == null + then 0 + else read($Heap, read($Heap, this, _module.Composite.left), _module.Composite.sum)) + + (if read($Heap, this, _module.Composite.right) == null + then 0 + else read($Heap, read($Heap, this, _module.Composite.right), _module.Composite.sum)); + ensures _module.Composite.Acyclic#canCall($Heap, this, Set#UnionOne(Set#Empty(): Set Box, $Box(this))) + ==> _module.Composite.Acyclic($LS($LZ), $Heap, this, Set#UnionOne(Set#Empty(): Set Box, $Box(this))) + || Set#UnionOne(Set#Empty(): Set Box, $Box(this))[$Box(this)]; + ensures _module.Composite.Acyclic#canCall($Heap, this, Set#UnionOne(Set#Empty(): Set Box, $Box(this))) + ==> _module.Composite.Acyclic($LS($LZ), $Heap, this, Set#UnionOne(Set#Empty(): Set Box, $Box(this))) + || (read($Heap, this, _module.Composite.parent) != null + ==> _module.Composite.Acyclic($LS($LS($LZ)), + $Heap, + read($Heap, this, _module.Composite.parent), + Set#Difference(Set#UnionOne(Set#Empty(): Set Box, $Box(this)), + Set#UnionOne(Set#Empty(): Set Box, $Box(this))))); + ensures read($Heap, this, _module.Composite.val) == x#0; + ensures read($Heap, this, _module.Composite.parent) == null; + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] || $o == this); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +implementation {:verboseName "Composite.Init (correctness)"} Impl$$_module.Composite.Init(this: ref, x#0: int) returns ($_reverifyPost: bool) +{ + var $_Frame: [ref,Field beta]bool; + var $rhs#0: ref; + var newtype$check#1: ref; + var $rhs#1: ref; + var newtype$check#2: ref; + var $rhs#2: ref; + var newtype$check#3: ref; + var $rhs#3: int; + var $rhs#4: int; + + // AddMethodImpl: Init, Impl$$_module.Composite.Init + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> $o == this); + $_reverifyPost := false; + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(32,12) + assume true; + assert $_Frame[this, _module.Composite.parent]; + newtype$check#1 := null; + assume true; + $rhs#0 := null; + $Heap := update($Heap, this, _module.Composite.parent, $rhs#0); + assume $IsGoodHeap($Heap); + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(33,10) + assume true; + assert $_Frame[this, _module.Composite.left]; + newtype$check#2 := null; + assume true; + $rhs#1 := null; + $Heap := update($Heap, this, _module.Composite.left, $rhs#1); + assume $IsGoodHeap($Heap); + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(34,11) + assume true; + assert $_Frame[this, _module.Composite.right]; + newtype$check#3 := null; + assume true; + $rhs#2 := null; + $Heap := update($Heap, this, _module.Composite.right, $rhs#2); + assume $IsGoodHeap($Heap); + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(35,9) + assume true; + assert $_Frame[this, _module.Composite.val]; + assume true; + $rhs#3 := x#0; + $Heap := update($Heap, this, _module.Composite.val, $rhs#3); + assume $IsGoodHeap($Heap); + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(36,9) + assume true; + assert $_Frame[this, _module.Composite.sum]; + assume true; + $rhs#4 := read($Heap, this, _module.Composite.val); + $Heap := update($Heap, this, _module.Composite.sum, $rhs#4); + assume $IsGoodHeap($Heap); +} + + + +procedure {:verboseName "Composite.Update (well-formedness)"} CheckWellFormed$$_module.Composite.Update(this: ref + where this != null + && + $Is(this, Tclass._module.Composite()) + && $IsAlloc(this, Tclass._module.Composite(), $Heap), + x#0: int, + S#0: Set Box + where $Is(S#0, TSet(Tclass._module.Composite())) + && $IsAlloc(S#0, TSet(Tclass._module.Composite()), $Heap)); + free requires 3 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +implementation {:verboseName "Composite.Update (well-formedness)"} CheckWellFormed$$_module.Composite.Update(this: ref, x#0: int, S#0: Set Box) +{ + var $_Frame: [ref,Field beta]bool; + var ##S#0: Set Box; + var c#0: ref; + var ##S#1: Set Box; + var c#2: ref; + var ##S#2: Set Box; + var c#4: ref; + var c#6: ref; + + // AddMethodImpl: Update, CheckWellFormed$$_module.Composite.Update + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> S#0[$Box($o)]); + assume S#0[$Box(this)]; + // assume allocatedness for receiver argument to function + assume $IsAlloc(this, Tclass._module.Composite?(), $Heap); + ##S#0 := S#0; + // assume allocatedness for argument to function + assume $IsAlloc(##S#0, TSet(Tclass._module.Composite()), $Heap); + assume _module.Composite.Acyclic#canCall($Heap, this, S#0); + assume _module.Composite.Acyclic($LS($LZ), $Heap, this, S#0); + havoc c#0; + assume $Is(c#0, Tclass._module.Composite()) + && $IsAlloc(c#0, Tclass._module.Composite(), $Heap); + if (*) + { + assume S#0[$Box(c#0)]; + assert c#0 != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(c#0, Tclass._module.Composite?(), $Heap); + ##S#1 := S#0; + // assume allocatedness for argument to function + assume $IsAlloc(##S#1, TSet(Tclass._module.Composite()), $Heap); + assume _module.Composite.Valid#canCall($Heap, c#0, S#0); + assume _module.Composite.Valid($Heap, c#0, S#0); + } + else + { + assume S#0[$Box(c#0)] ==> _module.Composite.Valid($Heap, c#0, S#0); + } + + assume (forall c#1: ref :: + { _module.Composite.Valid($Heap, c#1, S#0) } { S#0[$Box(c#1)] } + $Is(c#1, Tclass._module.Composite()) + ==> + S#0[$Box(c#1)] + ==> _module.Composite.Valid($Heap, c#1, S#0)); + havoc $Heap; + assume (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] || S#0[$Box($o)]); + assume $HeapSucc(old($Heap), $Heap); + havoc c#2; + assume $Is(c#2, Tclass._module.Composite()) + && $IsAlloc(c#2, Tclass._module.Composite(), $Heap); + if (*) + { + assume S#0[$Box(c#2)]; + assert c#2 != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(c#2, Tclass._module.Composite?(), $Heap); + ##S#2 := S#0; + // assume allocatedness for argument to function + assume $IsAlloc(##S#2, TSet(Tclass._module.Composite()), $Heap); + assume _module.Composite.Valid#canCall($Heap, c#2, S#0); + assume _module.Composite.Valid($Heap, c#2, S#0); + } + else + { + assume S#0[$Box(c#2)] ==> _module.Composite.Valid($Heap, c#2, S#0); + } + + assume (forall c#3: ref :: + { _module.Composite.Valid($Heap, c#3, S#0) } { S#0[$Box(c#3)] } + $Is(c#3, Tclass._module.Composite()) + ==> + S#0[$Box(c#3)] + ==> _module.Composite.Valid($Heap, c#3, S#0)); + havoc c#4; + assume $Is(c#4, Tclass._module.Composite()) + && $IsAlloc(c#4, Tclass._module.Composite(), $Heap); + if (*) + { + assume S#0[$Box(c#4)]; + assert c#4 != null; + assert c#4 != null; + assert $IsAlloc(c#4, Tclass._module.Composite(), old($Heap)); + assume read($Heap, c#4, _module.Composite.left) + == read(old($Heap), c#4, _module.Composite.left); + assert c#4 != null; + assert c#4 != null; + assert $IsAlloc(c#4, Tclass._module.Composite(), old($Heap)); + assume read($Heap, c#4, _module.Composite.right) + == read(old($Heap), c#4, _module.Composite.right); + assert c#4 != null; + assert c#4 != null; + assert $IsAlloc(c#4, Tclass._module.Composite(), old($Heap)); + assume read($Heap, c#4, _module.Composite.parent) + == read(old($Heap), c#4, _module.Composite.parent); + } + else + { + assume S#0[$Box(c#4)] + ==> read($Heap, c#4, _module.Composite.left) + == read(old($Heap), c#4, _module.Composite.left) + && read($Heap, c#4, _module.Composite.right) + == read(old($Heap), c#4, _module.Composite.right) + && read($Heap, c#4, _module.Composite.parent) + == read(old($Heap), c#4, _module.Composite.parent); + } + + assume (forall c#5: ref :: + { read(old($Heap), c#5, _module.Composite.parent) } + { read($Heap, c#5, _module.Composite.parent) } + { read(old($Heap), c#5, _module.Composite.right) } + { read($Heap, c#5, _module.Composite.right) } + { read(old($Heap), c#5, _module.Composite.left) } + { read($Heap, c#5, _module.Composite.left) } + { S#0[$Box(c#5)] } + $Is(c#5, Tclass._module.Composite()) + ==> (S#0[$Box(c#5)] + ==> read($Heap, c#5, _module.Composite.left) + == read(old($Heap), c#5, _module.Composite.left)) + && (S#0[$Box(c#5)] + ==> read($Heap, c#5, _module.Composite.right) + == read(old($Heap), c#5, _module.Composite.right)) + && (S#0[$Box(c#5)] + ==> read($Heap, c#5, _module.Composite.parent) + == read(old($Heap), c#5, _module.Composite.parent))); + havoc c#6; + assume $Is(c#6, Tclass._module.Composite()) + && $IsAlloc(c#6, Tclass._module.Composite(), $Heap); + if (*) + { + assume S#0[$Box(c#6)]; + assume c#6 != this; + assert c#6 != null; + assert c#6 != null; + assert $IsAlloc(c#6, Tclass._module.Composite(), old($Heap)); + assume read($Heap, c#6, _module.Composite.val) + == read(old($Heap), c#6, _module.Composite.val); + } + else + { + assume S#0[$Box(c#6)] && c#6 != this + ==> read($Heap, c#6, _module.Composite.val) + == read(old($Heap), c#6, _module.Composite.val); + } + + assume (forall c#7: ref :: + { read(old($Heap), c#7, _module.Composite.val) } + { read($Heap, c#7, _module.Composite.val) } + { S#0[$Box(c#7)] } + $Is(c#7, Tclass._module.Composite()) + ==> + S#0[$Box(c#7)] && c#7 != this + ==> read($Heap, c#7, _module.Composite.val) + == read(old($Heap), c#7, _module.Composite.val)); + assume read($Heap, this, _module.Composite.val) == x#0; +} + + + +procedure {:verboseName "Composite.Update (call)"} Call$$_module.Composite.Update(this: ref + where this != null + && + $Is(this, Tclass._module.Composite()) + && $IsAlloc(this, Tclass._module.Composite(), $Heap), + x#0: int, + S#0: Set Box + where $Is(S#0, TSet(Tclass._module.Composite())) + && $IsAlloc(S#0, TSet(Tclass._module.Composite()), $Heap)); + // user-defined preconditions + requires S#0[$Box(this)]; + requires _module.Composite.Acyclic#canCall($Heap, this, S#0) + ==> _module.Composite.Acyclic($LS($LZ), $Heap, this, S#0) || S#0[$Box(this)]; + requires _module.Composite.Acyclic#canCall($Heap, this, S#0) + ==> _module.Composite.Acyclic($LS($LZ), $Heap, this, S#0) + || (read($Heap, this, _module.Composite.parent) != null + ==> _module.Composite.Acyclic($LS($LS($LZ)), + $Heap, + read($Heap, this, _module.Composite.parent), + Set#Difference(S#0, Set#UnionOne(Set#Empty(): Set Box, $Box(this))))); + requires (forall c#1: ref :: + { _module.Composite.Valid($Heap, c#1, S#0) } { S#0[$Box(c#1)] } + $Is(c#1, Tclass._module.Composite()) + ==> + S#0[$Box(c#1)] + ==> _module.Composite.Valid($Heap, c#1, S#0)); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures (forall c#3: ref :: + { _module.Composite.Valid($Heap, c#3, S#0) } { S#0[$Box(c#3)] } + $Is(c#3, Tclass._module.Composite()) + ==> + S#0[$Box(c#3)] + ==> _module.Composite.Valid#canCall($Heap, c#3, S#0)); + ensures (forall c#3: ref :: + { _module.Composite.Valid($Heap, c#3, S#0) } { S#0[$Box(c#3)] } + $Is(c#3, Tclass._module.Composite()) + ==> + S#0[$Box(c#3)] + ==> _module.Composite.Valid($Heap, c#3, S#0)); + free ensures true; + ensures (forall c#5: ref :: + { read(old($Heap), c#5, _module.Composite.parent) } + { read($Heap, c#5, _module.Composite.parent) } + { read(old($Heap), c#5, _module.Composite.right) } + { read($Heap, c#5, _module.Composite.right) } + { read(old($Heap), c#5, _module.Composite.left) } + { read($Heap, c#5, _module.Composite.left) } + { S#0[$Box(c#5)] } + $Is(c#5, Tclass._module.Composite()) + ==> (S#0[$Box(c#5)] + ==> read($Heap, c#5, _module.Composite.left) + == read(old($Heap), c#5, _module.Composite.left)) + && (S#0[$Box(c#5)] + ==> read($Heap, c#5, _module.Composite.right) + == read(old($Heap), c#5, _module.Composite.right)) + && (S#0[$Box(c#5)] + ==> read($Heap, c#5, _module.Composite.parent) + == read(old($Heap), c#5, _module.Composite.parent))); + free ensures true; + ensures (forall c#7: ref :: + { read(old($Heap), c#7, _module.Composite.val) } + { read($Heap, c#7, _module.Composite.val) } + { S#0[$Box(c#7)] } + $Is(c#7, Tclass._module.Composite()) + ==> + S#0[$Box(c#7)] && c#7 != this + ==> read($Heap, c#7, _module.Composite.val) + == read(old($Heap), c#7, _module.Composite.val)); + free ensures true; + ensures read($Heap, this, _module.Composite.val) == x#0; + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] || S#0[$Box($o)]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +procedure {:verboseName "Composite.Update (correctness)"} Impl$$_module.Composite.Update(this: ref + where this != null + && + $Is(this, Tclass._module.Composite()) + && $IsAlloc(this, Tclass._module.Composite(), $Heap), + x#0: int, + S#0: Set Box + where $Is(S#0, TSet(Tclass._module.Composite())) + && $IsAlloc(S#0, TSet(Tclass._module.Composite()), $Heap)) + returns ($_reverifyPost: bool); + free requires 3 == $FunctionContextHeight; + // user-defined preconditions + requires S#0[$Box(this)]; + free requires _module.Composite.Acyclic#canCall($Heap, this, S#0) + && + _module.Composite.Acyclic($LS($LZ), $Heap, this, S#0) + && + S#0[$Box(this)] + && (read($Heap, this, _module.Composite.parent) != null + ==> _module.Composite.Acyclic($LS($LZ), + $Heap, + read($Heap, this, _module.Composite.parent), + Set#Difference(S#0, Set#UnionOne(Set#Empty(): Set Box, $Box(this))))); + requires (forall c#1: ref :: + { _module.Composite.Valid($Heap, c#1, S#0) } { S#0[$Box(c#1)] } + $Is(c#1, Tclass._module.Composite()) + ==> + S#0[$Box(c#1)] + ==> _module.Composite.Valid($Heap, c#1, S#0)); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures (forall c#3: ref :: + { _module.Composite.Valid($Heap, c#3, S#0) } { S#0[$Box(c#3)] } + $Is(c#3, Tclass._module.Composite()) + ==> + S#0[$Box(c#3)] + ==> _module.Composite.Valid#canCall($Heap, c#3, S#0)); + ensures (forall c#3: ref :: + { _module.Composite.Valid($Heap, c#3, S#0) } { S#0[$Box(c#3)] } + $Is(c#3, Tclass._module.Composite()) + ==> + S#0[$Box(c#3)] + ==> _module.Composite.Valid($Heap, c#3, S#0)); + free ensures true; + ensures (forall c#5: ref :: + { read(old($Heap), c#5, _module.Composite.parent) } + { read($Heap, c#5, _module.Composite.parent) } + { read(old($Heap), c#5, _module.Composite.right) } + { read($Heap, c#5, _module.Composite.right) } + { read(old($Heap), c#5, _module.Composite.left) } + { read($Heap, c#5, _module.Composite.left) } + { S#0[$Box(c#5)] } + $Is(c#5, Tclass._module.Composite()) + ==> (S#0[$Box(c#5)] + ==> read($Heap, c#5, _module.Composite.left) + == read(old($Heap), c#5, _module.Composite.left)) + && (S#0[$Box(c#5)] + ==> read($Heap, c#5, _module.Composite.right) + == read(old($Heap), c#5, _module.Composite.right)) + && (S#0[$Box(c#5)] + ==> read($Heap, c#5, _module.Composite.parent) + == read(old($Heap), c#5, _module.Composite.parent))); + free ensures true; + ensures (forall c#7: ref :: + { read(old($Heap), c#7, _module.Composite.val) } + { read($Heap, c#7, _module.Composite.val) } + { S#0[$Box(c#7)] } + $Is(c#7, Tclass._module.Composite()) + ==> + S#0[$Box(c#7)] && c#7 != this + ==> read($Heap, c#7, _module.Composite.val) + == read(old($Heap), c#7, _module.Composite.val)); + free ensures true; + ensures read($Heap, this, _module.Composite.val) == x#0; + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] || S#0[$Box($o)]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +implementation {:verboseName "Composite.Update (correctness)"} Impl$$_module.Composite.Update(this: ref, x#0: int, S#0: Set Box) returns ($_reverifyPost: bool) +{ + var $_Frame: [ref,Field beta]bool; + var delta#0: int; + var $rhs#0: int; + var delta##0: int; + var U##0: Set Box; + var S##0: Set Box; + + // AddMethodImpl: Update, Impl$$_module.Composite.Update + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> S#0[$Box($o)]); + $_reverifyPost := false; + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(48,15) + assume true; + assume true; + delta#0 := x#0 - read($Heap, this, _module.Composite.val); + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(49,9) + assume true; + assert $_Frame[this, _module.Composite.val]; + assume true; + $rhs#0 := x#0; + $Heap := update($Heap, this, _module.Composite.val, $rhs#0); + assume $IsGoodHeap($Heap); + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(50,11) + // TrCallStmt: Before ProcessCallStmt + assume true; + assume true; + // ProcessCallStmt: CheckSubrange + delta##0 := delta#0; + assume true; + // ProcessCallStmt: CheckSubrange + U##0 := S#0; + assume true; + // ProcessCallStmt: CheckSubrange + S##0 := S#0; + assert (forall $o: ref, $f: Field alpha :: + $o != null + && read($Heap, $o, alloc) + && + U##0[$Box($o)] + && $f == _module.Composite.sum + ==> $_Frame[$o, $f]); + // ProcessCallStmt: Make the call + call Call$$_module.Composite.Adjust(this, delta##0, U##0, S##0); + // TrCallStmt: After ProcessCallStmt +} + + + +procedure {:verboseName "Composite.Add (well-formedness)"} CheckWellFormed$$_module.Composite.Add(this: ref + where this != null + && + $Is(this, Tclass._module.Composite()) + && $IsAlloc(this, Tclass._module.Composite(), $Heap), + S#0: Set Box + where $Is(S#0, TSet(Tclass._module.Composite())) + && $IsAlloc(S#0, TSet(Tclass._module.Composite()), $Heap), + child#0: ref + where $Is(child#0, Tclass._module.Composite()) + && $IsAlloc(child#0, Tclass._module.Composite(), $Heap), + U#0: Set Box + where $Is(U#0, TSet(Tclass._module.Composite())) + && $IsAlloc(U#0, TSet(Tclass._module.Composite()), $Heap)); + free requires 3 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +implementation {:verboseName "Composite.Add (well-formedness)"} CheckWellFormed$$_module.Composite.Add(this: ref, S#0: Set Box, child#0: ref, U#0: Set Box) +{ + var $_Frame: [ref,Field beta]bool; + var ##S#0: Set Box; + var c#0: ref; + var ##S#1: Set Box; + var c#2: ref; + var ##S#2: Set Box; + var newtype$check#0: ref; + var newtype$check#1: ref; + var newtype$check#2: ref; + var c#4: ref; + var newtype$check#3: ref; + var newtype$check#4: ref; + var c#6: ref; + var c#8: ref; + var ##S#3: Set Box; + + // AddMethodImpl: Add, CheckWellFormed$$_module.Composite.Add + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> S#0[$Box($o)] || $o == child#0); + assume S#0[$Box(this)]; + // assume allocatedness for receiver argument to function + assume $IsAlloc(this, Tclass._module.Composite?(), $Heap); + ##S#0 := S#0; + // assume allocatedness for argument to function + assume $IsAlloc(##S#0, TSet(Tclass._module.Composite()), $Heap); + assume _module.Composite.Acyclic#canCall($Heap, this, S#0); + assume _module.Composite.Acyclic($LS($LZ), $Heap, this, S#0); + havoc c#0; + assume $Is(c#0, Tclass._module.Composite()) + && $IsAlloc(c#0, Tclass._module.Composite(), $Heap); + if (*) + { + assume S#0[$Box(c#0)]; + assert c#0 != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(c#0, Tclass._module.Composite?(), $Heap); + ##S#1 := S#0; + // assume allocatedness for argument to function + assume $IsAlloc(##S#1, TSet(Tclass._module.Composite()), $Heap); + assume _module.Composite.Valid#canCall($Heap, c#0, S#0); + assume _module.Composite.Valid($Heap, c#0, S#0); + } + else + { + assume S#0[$Box(c#0)] ==> _module.Composite.Valid($Heap, c#0, S#0); + } + + assume (forall c#1: ref :: + { _module.Composite.Valid($Heap, c#1, S#0) } { S#0[$Box(c#1)] } + $Is(c#1, Tclass._module.Composite()) + ==> + S#0[$Box(c#1)] + ==> _module.Composite.Valid($Heap, c#1, S#0)); + assume U#0[$Box(child#0)]; + havoc c#2; + assume $Is(c#2, Tclass._module.Composite()) + && $IsAlloc(c#2, Tclass._module.Composite(), $Heap); + if (*) + { + assume U#0[$Box(c#2)]; + assert c#2 != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(c#2, Tclass._module.Composite?(), $Heap); + ##S#2 := U#0; + // assume allocatedness for argument to function + assume $IsAlloc(##S#2, TSet(Tclass._module.Composite()), $Heap); + assume _module.Composite.Valid#canCall($Heap, c#2, U#0); + assume _module.Composite.Valid($Heap, c#2, U#0); + } + else + { + assume U#0[$Box(c#2)] ==> _module.Composite.Valid($Heap, c#2, U#0); + } + + assume (forall c#3: ref :: + { _module.Composite.Valid($Heap, c#3, U#0) } { U#0[$Box(c#3)] } + $Is(c#3, Tclass._module.Composite()) + ==> + U#0[$Box(c#3)] + ==> _module.Composite.Valid($Heap, c#3, U#0)); + assume Set#Disjoint(S#0, U#0); + if (*) + { + newtype$check#0 := null; + assume read($Heap, this, _module.Composite.left) == null; + } + else + { + assume read($Heap, this, _module.Composite.left) != null; + newtype$check#1 := null; + assume read($Heap, this, _module.Composite.right) == null; + } + + assert child#0 != null; + newtype$check#2 := null; + assume read($Heap, child#0, _module.Composite.parent) == null; + havoc $Heap; + assume (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] || S#0[$Box($o)] || $o == child#0); + assume $HeapSucc(old($Heap), $Heap); + assert child#0 != null; + assert child#0 != null; + assert $IsAlloc(child#0, Tclass._module.Composite(), old($Heap)); + assume read($Heap, child#0, _module.Composite.left) + == read(old($Heap), child#0, _module.Composite.left); + assert child#0 != null; + assert child#0 != null; + assert $IsAlloc(child#0, Tclass._module.Composite(), old($Heap)); + assume read($Heap, child#0, _module.Composite.right) + == read(old($Heap), child#0, _module.Composite.right); + assert child#0 != null; + assert child#0 != null; + assert $IsAlloc(child#0, Tclass._module.Composite(), old($Heap)); + assume read($Heap, child#0, _module.Composite.val) + == read(old($Heap), child#0, _module.Composite.val); + havoc c#4; + assume $Is(c#4, Tclass._module.Composite()) + && $IsAlloc(c#4, Tclass._module.Composite(), $Heap); + if (*) + { + assume S#0[$Box(c#4)]; + assume c#4 != this; + assert c#4 != null; + assert c#4 != null; + assert $IsAlloc(c#4, Tclass._module.Composite(), old($Heap)); + assume read($Heap, c#4, _module.Composite.left) + == read(old($Heap), c#4, _module.Composite.left); + assert c#4 != null; + assert c#4 != null; + assert $IsAlloc(c#4, Tclass._module.Composite(), old($Heap)); + assume read($Heap, c#4, _module.Composite.right) + == read(old($Heap), c#4, _module.Composite.right); + } + else + { + assume S#0[$Box(c#4)] && c#4 != this + ==> read($Heap, c#4, _module.Composite.left) + == read(old($Heap), c#4, _module.Composite.left) + && read($Heap, c#4, _module.Composite.right) + == read(old($Heap), c#4, _module.Composite.right); + } + + assume (forall c#5: ref :: + { read(old($Heap), c#5, _module.Composite.right) } + { read($Heap, c#5, _module.Composite.right) } + { read(old($Heap), c#5, _module.Composite.left) } + { read($Heap, c#5, _module.Composite.left) } + { S#0[$Box(c#5)] } + $Is(c#5, Tclass._module.Composite()) + ==> (S#0[$Box(c#5)] && c#5 != this + ==> read($Heap, c#5, _module.Composite.left) + == read(old($Heap), c#5, _module.Composite.left)) + && (S#0[$Box(c#5)] && c#5 != this + ==> read($Heap, c#5, _module.Composite.right) + == read(old($Heap), c#5, _module.Composite.right))); + if (*) + { + assert $IsAlloc(this, Tclass._module.Composite(), old($Heap)); + newtype$check#3 := null; + assume read(old($Heap), this, _module.Composite.left) != null; + assert $IsAlloc(this, Tclass._module.Composite(), old($Heap)); + assume read($Heap, this, _module.Composite.left) + == read(old($Heap), this, _module.Composite.left); + } + else + { + assume read(old($Heap), this, _module.Composite.left) != null + ==> read($Heap, this, _module.Composite.left) + == read(old($Heap), this, _module.Composite.left); + } + + if (*) + { + assert $IsAlloc(this, Tclass._module.Composite(), old($Heap)); + newtype$check#4 := null; + assume read(old($Heap), this, _module.Composite.right) != null; + assert $IsAlloc(this, Tclass._module.Composite(), old($Heap)); + assume read($Heap, this, _module.Composite.right) + == read(old($Heap), this, _module.Composite.right); + } + else + { + assume read(old($Heap), this, _module.Composite.right) != null + ==> read($Heap, this, _module.Composite.right) + == read(old($Heap), this, _module.Composite.right); + } + + havoc c#6; + assume $Is(c#6, Tclass._module.Composite()) + && $IsAlloc(c#6, Tclass._module.Composite(), $Heap); + if (*) + { + assume S#0[$Box(c#6)]; + assert c#6 != null; + assert c#6 != null; + assert $IsAlloc(c#6, Tclass._module.Composite(), old($Heap)); + assume read($Heap, c#6, _module.Composite.parent) + == read(old($Heap), c#6, _module.Composite.parent); + assert c#6 != null; + assert c#6 != null; + assert $IsAlloc(c#6, Tclass._module.Composite(), old($Heap)); + assume read($Heap, c#6, _module.Composite.val) + == read(old($Heap), c#6, _module.Composite.val); + } + else + { + assume S#0[$Box(c#6)] + ==> read($Heap, c#6, _module.Composite.parent) + == read(old($Heap), c#6, _module.Composite.parent) + && read($Heap, c#6, _module.Composite.val) + == read(old($Heap), c#6, _module.Composite.val); + } + + assume (forall c#7: ref :: + { read(old($Heap), c#7, _module.Composite.val) } + { read($Heap, c#7, _module.Composite.val) } + { read(old($Heap), c#7, _module.Composite.parent) } + { read($Heap, c#7, _module.Composite.parent) } + { S#0[$Box(c#7)] } + $Is(c#7, Tclass._module.Composite()) + ==> (S#0[$Box(c#7)] + ==> read($Heap, c#7, _module.Composite.parent) + == read(old($Heap), c#7, _module.Composite.parent)) + && (S#0[$Box(c#7)] + ==> read($Heap, c#7, _module.Composite.val) + == read(old($Heap), c#7, _module.Composite.val))); + assert child#0 != null; + assume read($Heap, child#0, _module.Composite.parent) == this; + havoc c#8; + assume $Is(c#8, Tclass._module.Composite()) + && $IsAlloc(c#8, Tclass._module.Composite(), $Heap); + if (*) + { + assume Set#Union(S#0, U#0)[$Box(c#8)]; + assert c#8 != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(c#8, Tclass._module.Composite?(), $Heap); + ##S#3 := Set#Union(S#0, U#0); + // assume allocatedness for argument to function + assume $IsAlloc(##S#3, TSet(Tclass._module.Composite()), $Heap); + assume _module.Composite.Valid#canCall($Heap, c#8, Set#Union(S#0, U#0)); + assume _module.Composite.Valid($Heap, c#8, Set#Union(S#0, U#0)); + } + else + { + assume Set#Union(S#0, U#0)[$Box(c#8)] + ==> _module.Composite.Valid($Heap, c#8, Set#Union(S#0, U#0)); + } + + assume (forall c#9: ref :: + {:autotriggers false} + $Is(c#9, Tclass._module.Composite()) + ==> + Set#Union(S#0, U#0)[$Box(c#9)] + ==> _module.Composite.Valid($Heap, c#9, Set#Union(S#0, U#0))); +} + + + +procedure {:verboseName "Composite.Add (call)"} Call$$_module.Composite.Add(this: ref + where this != null + && + $Is(this, Tclass._module.Composite()) + && $IsAlloc(this, Tclass._module.Composite(), $Heap), + S#0: Set Box + where $Is(S#0, TSet(Tclass._module.Composite())) + && $IsAlloc(S#0, TSet(Tclass._module.Composite()), $Heap), + child#0: ref + where $Is(child#0, Tclass._module.Composite()) + && $IsAlloc(child#0, Tclass._module.Composite(), $Heap), + U#0: Set Box + where $Is(U#0, TSet(Tclass._module.Composite())) + && $IsAlloc(U#0, TSet(Tclass._module.Composite()), $Heap)); + // user-defined preconditions + requires S#0[$Box(this)]; + requires _module.Composite.Acyclic#canCall($Heap, this, S#0) + ==> _module.Composite.Acyclic($LS($LZ), $Heap, this, S#0) || S#0[$Box(this)]; + requires _module.Composite.Acyclic#canCall($Heap, this, S#0) + ==> _module.Composite.Acyclic($LS($LZ), $Heap, this, S#0) + || (read($Heap, this, _module.Composite.parent) != null + ==> _module.Composite.Acyclic($LS($LS($LZ)), + $Heap, + read($Heap, this, _module.Composite.parent), + Set#Difference(S#0, Set#UnionOne(Set#Empty(): Set Box, $Box(this))))); + requires (forall c#1: ref :: + { _module.Composite.Valid($Heap, c#1, S#0) } { S#0[$Box(c#1)] } + $Is(c#1, Tclass._module.Composite()) + ==> + S#0[$Box(c#1)] + ==> _module.Composite.Valid($Heap, c#1, S#0)); + requires U#0[$Box(child#0)]; + requires (forall c#3: ref :: + { _module.Composite.Valid($Heap, c#3, U#0) } { U#0[$Box(c#3)] } + $Is(c#3, Tclass._module.Composite()) + ==> + U#0[$Box(c#3)] + ==> _module.Composite.Valid($Heap, c#3, U#0)); + requires Set#Disjoint(S#0, U#0); + requires read($Heap, this, _module.Composite.left) == null + || read($Heap, this, _module.Composite.right) == null; + requires read($Heap, child#0, _module.Composite.parent) == null; + modifies $Heap, $Tick; + // user-defined postconditions + free ensures true; + ensures read($Heap, child#0, _module.Composite.left) + == read(old($Heap), child#0, _module.Composite.left); + ensures read($Heap, child#0, _module.Composite.right) + == read(old($Heap), child#0, _module.Composite.right); + ensures read($Heap, child#0, _module.Composite.val) + == read(old($Heap), child#0, _module.Composite.val); + free ensures true; + ensures (forall c#5: ref :: + { read(old($Heap), c#5, _module.Composite.right) } + { read($Heap, c#5, _module.Composite.right) } + { read(old($Heap), c#5, _module.Composite.left) } + { read($Heap, c#5, _module.Composite.left) } + { S#0[$Box(c#5)] } + $Is(c#5, Tclass._module.Composite()) + ==> (S#0[$Box(c#5)] && c#5 != this + ==> read($Heap, c#5, _module.Composite.left) + == read(old($Heap), c#5, _module.Composite.left)) + && (S#0[$Box(c#5)] && c#5 != this + ==> read($Heap, c#5, _module.Composite.right) + == read(old($Heap), c#5, _module.Composite.right))); + free ensures true; + ensures read(old($Heap), this, _module.Composite.left) != null + ==> read($Heap, this, _module.Composite.left) + == read(old($Heap), this, _module.Composite.left); + free ensures true; + ensures read(old($Heap), this, _module.Composite.right) != null + ==> read($Heap, this, _module.Composite.right) + == read(old($Heap), this, _module.Composite.right); + free ensures true; + ensures (forall c#7: ref :: + { read(old($Heap), c#7, _module.Composite.val) } + { read($Heap, c#7, _module.Composite.val) } + { read(old($Heap), c#7, _module.Composite.parent) } + { read($Heap, c#7, _module.Composite.parent) } + { S#0[$Box(c#7)] } + $Is(c#7, Tclass._module.Composite()) + ==> (S#0[$Box(c#7)] + ==> read($Heap, c#7, _module.Composite.parent) + == read(old($Heap), c#7, _module.Composite.parent)) + && (S#0[$Box(c#7)] + ==> read($Heap, c#7, _module.Composite.val) + == read(old($Heap), c#7, _module.Composite.val))); + free ensures true; + ensures read($Heap, child#0, _module.Composite.parent) == this; + free ensures (forall c#9: ref :: + $Is(c#9, Tclass._module.Composite()) + ==> + Set#Union(S#0, U#0)[$Box(c#9)] + ==> _module.Composite.Valid#canCall($Heap, c#9, Set#Union(S#0, U#0))); + ensures (forall c#9: ref :: + {:autotriggers false} + $Is(c#9, Tclass._module.Composite()) + ==> + Set#Union(S#0, U#0)[$Box(c#9)] + ==> _module.Composite.Valid($Heap, c#9, Set#Union(S#0, U#0))); + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] || S#0[$Box($o)] || $o == child#0); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +procedure {:verboseName "Composite.Add (correctness)"} Impl$$_module.Composite.Add(this: ref + where this != null + && + $Is(this, Tclass._module.Composite()) + && $IsAlloc(this, Tclass._module.Composite(), $Heap), + S#0: Set Box + where $Is(S#0, TSet(Tclass._module.Composite())) + && $IsAlloc(S#0, TSet(Tclass._module.Composite()), $Heap), + child#0: ref + where $Is(child#0, Tclass._module.Composite()) + && $IsAlloc(child#0, Tclass._module.Composite(), $Heap), + U#0: Set Box + where $Is(U#0, TSet(Tclass._module.Composite())) + && $IsAlloc(U#0, TSet(Tclass._module.Composite()), $Heap)) + returns ($_reverifyPost: bool); + free requires 3 == $FunctionContextHeight; + // user-defined preconditions + requires S#0[$Box(this)]; + free requires _module.Composite.Acyclic#canCall($Heap, this, S#0) + && + _module.Composite.Acyclic($LS($LZ), $Heap, this, S#0) + && + S#0[$Box(this)] + && (read($Heap, this, _module.Composite.parent) != null + ==> _module.Composite.Acyclic($LS($LZ), + $Heap, + read($Heap, this, _module.Composite.parent), + Set#Difference(S#0, Set#UnionOne(Set#Empty(): Set Box, $Box(this))))); + requires (forall c#1: ref :: + { _module.Composite.Valid($Heap, c#1, S#0) } { S#0[$Box(c#1)] } + $Is(c#1, Tclass._module.Composite()) + ==> + S#0[$Box(c#1)] + ==> _module.Composite.Valid($Heap, c#1, S#0)); + requires U#0[$Box(child#0)]; + requires (forall c#3: ref :: + { _module.Composite.Valid($Heap, c#3, U#0) } { U#0[$Box(c#3)] } + $Is(c#3, Tclass._module.Composite()) + ==> + U#0[$Box(c#3)] + ==> _module.Composite.Valid($Heap, c#3, U#0)); + requires Set#Disjoint(S#0, U#0); + requires read($Heap, this, _module.Composite.left) == null + || read($Heap, this, _module.Composite.right) == null; + requires read($Heap, child#0, _module.Composite.parent) == null; + modifies $Heap, $Tick; + // user-defined postconditions + free ensures true; + ensures read($Heap, child#0, _module.Composite.left) + == read(old($Heap), child#0, _module.Composite.left); + ensures read($Heap, child#0, _module.Composite.right) + == read(old($Heap), child#0, _module.Composite.right); + ensures read($Heap, child#0, _module.Composite.val) + == read(old($Heap), child#0, _module.Composite.val); + free ensures true; + ensures (forall c#5: ref :: + { read(old($Heap), c#5, _module.Composite.right) } + { read($Heap, c#5, _module.Composite.right) } + { read(old($Heap), c#5, _module.Composite.left) } + { read($Heap, c#5, _module.Composite.left) } + { S#0[$Box(c#5)] } + $Is(c#5, Tclass._module.Composite()) + ==> (S#0[$Box(c#5)] && c#5 != this + ==> read($Heap, c#5, _module.Composite.left) + == read(old($Heap), c#5, _module.Composite.left)) + && (S#0[$Box(c#5)] && c#5 != this + ==> read($Heap, c#5, _module.Composite.right) + == read(old($Heap), c#5, _module.Composite.right))); + free ensures true; + ensures read(old($Heap), this, _module.Composite.left) != null + ==> read($Heap, this, _module.Composite.left) + == read(old($Heap), this, _module.Composite.left); + free ensures true; + ensures read(old($Heap), this, _module.Composite.right) != null + ==> read($Heap, this, _module.Composite.right) + == read(old($Heap), this, _module.Composite.right); + free ensures true; + ensures (forall c#7: ref :: + { read(old($Heap), c#7, _module.Composite.val) } + { read($Heap, c#7, _module.Composite.val) } + { read(old($Heap), c#7, _module.Composite.parent) } + { read($Heap, c#7, _module.Composite.parent) } + { S#0[$Box(c#7)] } + $Is(c#7, Tclass._module.Composite()) + ==> (S#0[$Box(c#7)] + ==> read($Heap, c#7, _module.Composite.parent) + == read(old($Heap), c#7, _module.Composite.parent)) + && (S#0[$Box(c#7)] + ==> read($Heap, c#7, _module.Composite.val) + == read(old($Heap), c#7, _module.Composite.val))); + free ensures true; + ensures read($Heap, child#0, _module.Composite.parent) == this; + free ensures (forall c#9: ref :: + $Is(c#9, Tclass._module.Composite()) + ==> + Set#Union(S#0, U#0)[$Box(c#9)] + ==> _module.Composite.Valid#canCall($Heap, c#9, Set#Union(S#0, U#0))); + ensures (forall c#9: ref :: + {:autotriggers false} + $Is(c#9, Tclass._module.Composite()) + ==> + Set#Union(S#0, U#0)[$Box(c#9)] + ==> _module.Composite.Valid($Heap, c#9, Set#Union(S#0, U#0))); + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] || S#0[$Box($o)] || $o == child#0); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +implementation {:verboseName "Composite.Add (correctness)"} Impl$$_module.Composite.Add(this: ref, S#0: Set Box, child#0: ref, U#0: Set Box) + returns ($_reverifyPost: bool) +{ + var $_Frame: [ref,Field beta]bool; + var newtype$check#5: ref; + var $rhs#0_0: ref; + var $rhs#1_0: ref; + var $rhs#0: ref; + var delta##0: int; + var U##0: Set Box; + var S##0: Set Box; + + // AddMethodImpl: Add, Impl$$_module.Composite.Add + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> S#0[$Box($o)] || $o == child#0); + $_reverifyPost := false; + // ----- if statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(73,5) + newtype$check#5 := null; + assume true; + if (read($Heap, this, _module.Composite.left) == null) + { + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(74,12) + assume true; + assert $_Frame[this, _module.Composite.left]; + assume true; + $rhs#0_0 := child#0; + $Heap := update($Heap, this, _module.Composite.left, $rhs#0_0); + assume $IsGoodHeap($Heap); + } + else + { + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(76,13) + assume true; + assert $_Frame[this, _module.Composite.right]; + assume true; + $rhs#1_0 := child#0; + $Heap := update($Heap, this, _module.Composite.right, $rhs#1_0); + assume $IsGoodHeap($Heap); + } + + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(78,18) + assert child#0 != null; + assume true; + assert $_Frame[child#0, _module.Composite.parent]; + assume true; + $rhs#0 := this; + $Heap := update($Heap, child#0, _module.Composite.parent, $rhs#0); + assume $IsGoodHeap($Heap); + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(79,11) + // TrCallStmt: Before ProcessCallStmt + assume true; + assert child#0 != null; + assume true; + // ProcessCallStmt: CheckSubrange + delta##0 := read($Heap, child#0, _module.Composite.sum); + assume true; + // ProcessCallStmt: CheckSubrange + U##0 := S#0; + assume true; + // ProcessCallStmt: CheckSubrange + S##0 := Set#Union(S#0, U#0); + assert (forall $o: ref, $f: Field alpha :: + $o != null + && read($Heap, $o, alloc) + && + U##0[$Box($o)] + && $f == _module.Composite.sum + ==> $_Frame[$o, $f]); + // ProcessCallStmt: Make the call + call Call$$_module.Composite.Adjust(this, delta##0, U##0, S##0); + // TrCallStmt: After ProcessCallStmt +} + + + +procedure {:verboseName "Composite.Dislodge (well-formedness)"} CheckWellFormed$$_module.Composite.Dislodge(this: ref + where this != null + && + $Is(this, Tclass._module.Composite()) + && $IsAlloc(this, Tclass._module.Composite(), $Heap), + S#0: Set Box + where $Is(S#0, TSet(Tclass._module.Composite())) + && $IsAlloc(S#0, TSet(Tclass._module.Composite()), $Heap)); + free requires 3 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +implementation {:verboseName "Composite.Dislodge (well-formedness)"} CheckWellFormed$$_module.Composite.Dislodge(this: ref, S#0: Set Box) +{ + var $_Frame: [ref,Field beta]bool; + var ##S#0: Set Box; + var c#0: ref; + var ##S#1: Set Box; + var c#2: ref; + var ##S#2: Set Box; + var c#4: ref; + var c#6: ref; + var newtype$check#0: ref; + var c#8: ref; + var newtype$check#1: ref; + var c#10: ref; + var newtype$check#2: ref; + var ##S#3: Set Box; + + // AddMethodImpl: Dislodge, CheckWellFormed$$_module.Composite.Dislodge + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> S#0[$Box($o)]); + assume S#0[$Box(this)]; + // assume allocatedness for receiver argument to function + assume $IsAlloc(this, Tclass._module.Composite?(), $Heap); + ##S#0 := S#0; + // assume allocatedness for argument to function + assume $IsAlloc(##S#0, TSet(Tclass._module.Composite()), $Heap); + assume _module.Composite.Acyclic#canCall($Heap, this, S#0); + assume _module.Composite.Acyclic($LS($LZ), $Heap, this, S#0); + havoc c#0; + assume $Is(c#0, Tclass._module.Composite()) + && $IsAlloc(c#0, Tclass._module.Composite(), $Heap); + if (*) + { + assume S#0[$Box(c#0)]; + assert c#0 != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(c#0, Tclass._module.Composite?(), $Heap); + ##S#1 := S#0; + // assume allocatedness for argument to function + assume $IsAlloc(##S#1, TSet(Tclass._module.Composite()), $Heap); + assume _module.Composite.Valid#canCall($Heap, c#0, S#0); + assume _module.Composite.Valid($Heap, c#0, S#0); + } + else + { + assume S#0[$Box(c#0)] ==> _module.Composite.Valid($Heap, c#0, S#0); + } + + assume (forall c#1: ref :: + { _module.Composite.Valid($Heap, c#1, S#0) } { S#0[$Box(c#1)] } + $Is(c#1, Tclass._module.Composite()) + ==> + S#0[$Box(c#1)] + ==> _module.Composite.Valid($Heap, c#1, S#0)); + havoc $Heap; + assume (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] || S#0[$Box($o)]); + assume $HeapSucc(old($Heap), $Heap); + havoc c#2; + assume $Is(c#2, Tclass._module.Composite()) + && $IsAlloc(c#2, Tclass._module.Composite(), $Heap); + if (*) + { + assume S#0[$Box(c#2)]; + assert c#2 != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(c#2, Tclass._module.Composite?(), $Heap); + ##S#2 := S#0; + // assume allocatedness for argument to function + assume $IsAlloc(##S#2, TSet(Tclass._module.Composite()), $Heap); + assume _module.Composite.Valid#canCall($Heap, c#2, S#0); + assume _module.Composite.Valid($Heap, c#2, S#0); + } + else + { + assume S#0[$Box(c#2)] ==> _module.Composite.Valid($Heap, c#2, S#0); + } + + assume (forall c#3: ref :: + { _module.Composite.Valid($Heap, c#3, S#0) } { S#0[$Box(c#3)] } + $Is(c#3, Tclass._module.Composite()) + ==> + S#0[$Box(c#3)] + ==> _module.Composite.Valid($Heap, c#3, S#0)); + havoc c#4; + assume $Is(c#4, Tclass._module.Composite()) + && $IsAlloc(c#4, Tclass._module.Composite(), $Heap); + if (*) + { + assume S#0[$Box(c#4)]; + assert c#4 != null; + assert c#4 != null; + assert $IsAlloc(c#4, Tclass._module.Composite(), old($Heap)); + assume read($Heap, c#4, _module.Composite.val) + == read(old($Heap), c#4, _module.Composite.val); + } + else + { + assume S#0[$Box(c#4)] + ==> read($Heap, c#4, _module.Composite.val) + == read(old($Heap), c#4, _module.Composite.val); + } + + assume (forall c#5: ref :: + { read(old($Heap), c#5, _module.Composite.val) } + { read($Heap, c#5, _module.Composite.val) } + { S#0[$Box(c#5)] } + $Is(c#5, Tclass._module.Composite()) + ==> + S#0[$Box(c#5)] + ==> read($Heap, c#5, _module.Composite.val) + == read(old($Heap), c#5, _module.Composite.val)); + havoc c#6; + assume $Is(c#6, Tclass._module.Composite()) + && $IsAlloc(c#6, Tclass._module.Composite(), $Heap); + if (*) + { + assume S#0[$Box(c#6)]; + assume c#6 != this; + assert c#6 != null; + assert c#6 != null; + assert $IsAlloc(c#6, Tclass._module.Composite(), old($Heap)); + assume read($Heap, c#6, _module.Composite.parent) + == read(old($Heap), c#6, _module.Composite.parent); + } + else + { + assume S#0[$Box(c#6)] && c#6 != this + ==> read($Heap, c#6, _module.Composite.parent) + == read(old($Heap), c#6, _module.Composite.parent); + } + + assume (forall c#7: ref :: + { read(old($Heap), c#7, _module.Composite.parent) } + { read($Heap, c#7, _module.Composite.parent) } + { S#0[$Box(c#7)] } + $Is(c#7, Tclass._module.Composite()) + ==> + S#0[$Box(c#7)] && c#7 != this + ==> read($Heap, c#7, _module.Composite.parent) + == read(old($Heap), c#7, _module.Composite.parent)); + newtype$check#0 := null; + assume read($Heap, this, _module.Composite.parent) == null; + havoc c#8; + assume $Is(c#8, Tclass._module.Composite()) + && $IsAlloc(c#8, Tclass._module.Composite(), $Heap); + if (*) + { + assume S#0[$Box(c#8)]; + if (*) + { + assert c#8 != null; + assert c#8 != null; + assert $IsAlloc(c#8, Tclass._module.Composite(), old($Heap)); + assume read($Heap, c#8, _module.Composite.left) + == read(old($Heap), c#8, _module.Composite.left); + } + else + { + assume read($Heap, c#8, _module.Composite.left) + != read(old($Heap), c#8, _module.Composite.left); + assert c#8 != null; + assert $IsAlloc(c#8, Tclass._module.Composite(), old($Heap)); + assume read(old($Heap), c#8, _module.Composite.left) == this; + assert c#8 != null; + newtype$check#1 := null; + assume read($Heap, c#8, _module.Composite.left) == null; + } + } + else + { + assume S#0[$Box(c#8)] + ==> read($Heap, c#8, _module.Composite.left) + == read(old($Heap), c#8, _module.Composite.left) + || (read(old($Heap), c#8, _module.Composite.left) == this + && read($Heap, c#8, _module.Composite.left) == null); + } + + assume (forall c#9: ref :: + { read(old($Heap), c#9, _module.Composite.left) } + { read($Heap, c#9, _module.Composite.left) } + { S#0[$Box(c#9)] } + $Is(c#9, Tclass._module.Composite()) + ==> + S#0[$Box(c#9)] + ==> read($Heap, c#9, _module.Composite.left) + == read(old($Heap), c#9, _module.Composite.left) + || (read(old($Heap), c#9, _module.Composite.left) == this + && read($Heap, c#9, _module.Composite.left) == null)); + havoc c#10; + assume $Is(c#10, Tclass._module.Composite()) + && $IsAlloc(c#10, Tclass._module.Composite(), $Heap); + if (*) + { + assume S#0[$Box(c#10)]; + if (*) + { + assert c#10 != null; + assert c#10 != null; + assert $IsAlloc(c#10, Tclass._module.Composite(), old($Heap)); + assume read($Heap, c#10, _module.Composite.right) + == read(old($Heap), c#10, _module.Composite.right); + } + else + { + assume read($Heap, c#10, _module.Composite.right) + != read(old($Heap), c#10, _module.Composite.right); + assert c#10 != null; + assert $IsAlloc(c#10, Tclass._module.Composite(), old($Heap)); + assume read(old($Heap), c#10, _module.Composite.right) == this; + assert c#10 != null; + newtype$check#2 := null; + assume read($Heap, c#10, _module.Composite.right) == null; + } + } + else + { + assume S#0[$Box(c#10)] + ==> read($Heap, c#10, _module.Composite.right) + == read(old($Heap), c#10, _module.Composite.right) + || (read(old($Heap), c#10, _module.Composite.right) == this + && read($Heap, c#10, _module.Composite.right) == null); + } + + assume (forall c#11: ref :: + { read(old($Heap), c#11, _module.Composite.right) } + { read($Heap, c#11, _module.Composite.right) } + { S#0[$Box(c#11)] } + $Is(c#11, Tclass._module.Composite()) + ==> + S#0[$Box(c#11)] + ==> read($Heap, c#11, _module.Composite.right) + == read(old($Heap), c#11, _module.Composite.right) + || (read(old($Heap), c#11, _module.Composite.right) == this + && read($Heap, c#11, _module.Composite.right) == null)); + // assume allocatedness for receiver argument to function + assume $IsAlloc(this, Tclass._module.Composite?(), $Heap); + ##S#3 := Set#UnionOne(Set#Empty(): Set Box, $Box(this)); + // assume allocatedness for argument to function + assume $IsAlloc(##S#3, TSet(Tclass._module.Composite()), $Heap); + assume _module.Composite.Acyclic#canCall($Heap, this, Set#UnionOne(Set#Empty(): Set Box, $Box(this))); + assume _module.Composite.Acyclic($LS($LZ), $Heap, this, Set#UnionOne(Set#Empty(): Set Box, $Box(this))); +} + + + +procedure {:verboseName "Composite.Dislodge (call)"} Call$$_module.Composite.Dislodge(this: ref + where this != null + && + $Is(this, Tclass._module.Composite()) + && $IsAlloc(this, Tclass._module.Composite(), $Heap), + S#0: Set Box + where $Is(S#0, TSet(Tclass._module.Composite())) + && $IsAlloc(S#0, TSet(Tclass._module.Composite()), $Heap)); + // user-defined preconditions + requires S#0[$Box(this)]; + requires _module.Composite.Acyclic#canCall($Heap, this, S#0) + ==> _module.Composite.Acyclic($LS($LZ), $Heap, this, S#0) || S#0[$Box(this)]; + requires _module.Composite.Acyclic#canCall($Heap, this, S#0) + ==> _module.Composite.Acyclic($LS($LZ), $Heap, this, S#0) + || (read($Heap, this, _module.Composite.parent) != null + ==> _module.Composite.Acyclic($LS($LS($LZ)), + $Heap, + read($Heap, this, _module.Composite.parent), + Set#Difference(S#0, Set#UnionOne(Set#Empty(): Set Box, $Box(this))))); + requires (forall c#1: ref :: + { _module.Composite.Valid($Heap, c#1, S#0) } { S#0[$Box(c#1)] } + $Is(c#1, Tclass._module.Composite()) + ==> + S#0[$Box(c#1)] + ==> _module.Composite.Valid($Heap, c#1, S#0)); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures (forall c#3: ref :: + { _module.Composite.Valid($Heap, c#3, S#0) } { S#0[$Box(c#3)] } + $Is(c#3, Tclass._module.Composite()) + ==> + S#0[$Box(c#3)] + ==> _module.Composite.Valid#canCall($Heap, c#3, S#0)); + ensures (forall c#3: ref :: + { _module.Composite.Valid($Heap, c#3, S#0) } { S#0[$Box(c#3)] } + $Is(c#3, Tclass._module.Composite()) + ==> + S#0[$Box(c#3)] + ==> _module.Composite.Valid($Heap, c#3, S#0)); + free ensures true; + ensures (forall c#5: ref :: + { read(old($Heap), c#5, _module.Composite.val) } + { read($Heap, c#5, _module.Composite.val) } + { S#0[$Box(c#5)] } + $Is(c#5, Tclass._module.Composite()) + ==> + S#0[$Box(c#5)] + ==> read($Heap, c#5, _module.Composite.val) + == read(old($Heap), c#5, _module.Composite.val)); + free ensures true; + ensures (forall c#7: ref :: + { read(old($Heap), c#7, _module.Composite.parent) } + { read($Heap, c#7, _module.Composite.parent) } + { S#0[$Box(c#7)] } + $Is(c#7, Tclass._module.Composite()) + ==> + S#0[$Box(c#7)] && c#7 != this + ==> read($Heap, c#7, _module.Composite.parent) + == read(old($Heap), c#7, _module.Composite.parent)); + free ensures true; + ensures read($Heap, this, _module.Composite.parent) == null; + free ensures true; + ensures (forall c#9: ref :: + { read(old($Heap), c#9, _module.Composite.left) } + { read($Heap, c#9, _module.Composite.left) } + { S#0[$Box(c#9)] } + $Is(c#9, Tclass._module.Composite()) + ==> + S#0[$Box(c#9)] + ==> read($Heap, c#9, _module.Composite.left) + == read(old($Heap), c#9, _module.Composite.left) + || (read(old($Heap), c#9, _module.Composite.left) == this + && read($Heap, c#9, _module.Composite.left) == null)); + free ensures true; + ensures (forall c#11: ref :: + { read(old($Heap), c#11, _module.Composite.right) } + { read($Heap, c#11, _module.Composite.right) } + { S#0[$Box(c#11)] } + $Is(c#11, Tclass._module.Composite()) + ==> + S#0[$Box(c#11)] + ==> read($Heap, c#11, _module.Composite.right) + == read(old($Heap), c#11, _module.Composite.right) + || (read(old($Heap), c#11, _module.Composite.right) == this + && read($Heap, c#11, _module.Composite.right) == null)); + free ensures _module.Composite.Acyclic#canCall($Heap, this, Set#UnionOne(Set#Empty(): Set Box, $Box(this))); + free ensures _module.Composite.Acyclic#canCall($Heap, this, Set#UnionOne(Set#Empty(): Set Box, $Box(this))) + && + _module.Composite.Acyclic($LS($LZ), $Heap, this, Set#UnionOne(Set#Empty(): Set Box, $Box(this))) + && + Set#UnionOne(Set#Empty(): Set Box, $Box(this))[$Box(this)] + && (read($Heap, this, _module.Composite.parent) != null + ==> _module.Composite.Acyclic($LS($LZ), + $Heap, + read($Heap, this, _module.Composite.parent), + Set#Difference(Set#UnionOne(Set#Empty(): Set Box, $Box(this)), + Set#UnionOne(Set#Empty(): Set Box, $Box(this))))); + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] || S#0[$Box($o)]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +procedure {:verboseName "Composite.Dislodge (correctness)"} Impl$$_module.Composite.Dislodge(this: ref + where this != null + && + $Is(this, Tclass._module.Composite()) + && $IsAlloc(this, Tclass._module.Composite(), $Heap), + S#0: Set Box + where $Is(S#0, TSet(Tclass._module.Composite())) + && $IsAlloc(S#0, TSet(Tclass._module.Composite()), $Heap)) + returns ($_reverifyPost: bool); + free requires 3 == $FunctionContextHeight; + // user-defined preconditions + requires S#0[$Box(this)]; + free requires _module.Composite.Acyclic#canCall($Heap, this, S#0) + && + _module.Composite.Acyclic($LS($LZ), $Heap, this, S#0) + && + S#0[$Box(this)] + && (read($Heap, this, _module.Composite.parent) != null + ==> _module.Composite.Acyclic($LS($LZ), + $Heap, + read($Heap, this, _module.Composite.parent), + Set#Difference(S#0, Set#UnionOne(Set#Empty(): Set Box, $Box(this))))); + requires (forall c#1: ref :: + { _module.Composite.Valid($Heap, c#1, S#0) } { S#0[$Box(c#1)] } + $Is(c#1, Tclass._module.Composite()) + ==> + S#0[$Box(c#1)] + ==> _module.Composite.Valid($Heap, c#1, S#0)); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures (forall c#3: ref :: + { _module.Composite.Valid($Heap, c#3, S#0) } { S#0[$Box(c#3)] } + $Is(c#3, Tclass._module.Composite()) + ==> + S#0[$Box(c#3)] + ==> _module.Composite.Valid#canCall($Heap, c#3, S#0)); + ensures (forall c#3: ref :: + { _module.Composite.Valid($Heap, c#3, S#0) } { S#0[$Box(c#3)] } + $Is(c#3, Tclass._module.Composite()) + ==> + S#0[$Box(c#3)] + ==> _module.Composite.Valid($Heap, c#3, S#0)); + free ensures true; + ensures (forall c#5: ref :: + { read(old($Heap), c#5, _module.Composite.val) } + { read($Heap, c#5, _module.Composite.val) } + { S#0[$Box(c#5)] } + $Is(c#5, Tclass._module.Composite()) + ==> + S#0[$Box(c#5)] + ==> read($Heap, c#5, _module.Composite.val) + == read(old($Heap), c#5, _module.Composite.val)); + free ensures true; + ensures (forall c#7: ref :: + { read(old($Heap), c#7, _module.Composite.parent) } + { read($Heap, c#7, _module.Composite.parent) } + { S#0[$Box(c#7)] } + $Is(c#7, Tclass._module.Composite()) + ==> + S#0[$Box(c#7)] && c#7 != this + ==> read($Heap, c#7, _module.Composite.parent) + == read(old($Heap), c#7, _module.Composite.parent)); + free ensures true; + ensures read($Heap, this, _module.Composite.parent) == null; + free ensures true; + ensures (forall c#9: ref :: + { read(old($Heap), c#9, _module.Composite.left) } + { read($Heap, c#9, _module.Composite.left) } + { S#0[$Box(c#9)] } + $Is(c#9, Tclass._module.Composite()) + ==> + S#0[$Box(c#9)] + ==> read($Heap, c#9, _module.Composite.left) + == read(old($Heap), c#9, _module.Composite.left) + || (read(old($Heap), c#9, _module.Composite.left) == this + && read($Heap, c#9, _module.Composite.left) == null)); + free ensures true; + ensures (forall c#11: ref :: + { read(old($Heap), c#11, _module.Composite.right) } + { read($Heap, c#11, _module.Composite.right) } + { S#0[$Box(c#11)] } + $Is(c#11, Tclass._module.Composite()) + ==> + S#0[$Box(c#11)] + ==> read($Heap, c#11, _module.Composite.right) + == read(old($Heap), c#11, _module.Composite.right) + || (read(old($Heap), c#11, _module.Composite.right) == this + && read($Heap, c#11, _module.Composite.right) == null)); + free ensures _module.Composite.Acyclic#canCall($Heap, this, Set#UnionOne(Set#Empty(): Set Box, $Box(this))); + ensures _module.Composite.Acyclic#canCall($Heap, this, Set#UnionOne(Set#Empty(): Set Box, $Box(this))) + ==> _module.Composite.Acyclic($LS($LZ), $Heap, this, Set#UnionOne(Set#Empty(): Set Box, $Box(this))) + || Set#UnionOne(Set#Empty(): Set Box, $Box(this))[$Box(this)]; + ensures _module.Composite.Acyclic#canCall($Heap, this, Set#UnionOne(Set#Empty(): Set Box, $Box(this))) + ==> _module.Composite.Acyclic($LS($LZ), $Heap, this, Set#UnionOne(Set#Empty(): Set Box, $Box(this))) + || (read($Heap, this, _module.Composite.parent) != null + ==> _module.Composite.Acyclic($LS($LS($LZ)), + $Heap, + read($Heap, this, _module.Composite.parent), + Set#Difference(Set#UnionOne(Set#Empty(): Set Box, $Box(this)), + Set#UnionOne(Set#Empty(): Set Box, $Box(this))))); + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] || S#0[$Box($o)]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +implementation {:verboseName "Composite.Dislodge (correctness)"} Impl$$_module.Composite.Dislodge(this: ref, S#0: Set Box) returns ($_reverifyPost: bool) +{ + var $_Frame: [ref,Field beta]bool; + var p#0: ref + where $Is(p#0, Tclass._module.Composite?()) + && $IsAlloc(p#0, Tclass._module.Composite?(), $Heap); + var $rhs#0: ref; + var newtype$check#3: ref; + var newtype$check#4: ref; + var $rhs#0_0_0: ref; + var newtype$check#0_0_0: ref; + var $rhs#0_1_0: ref; + var newtype$check#0_1_0: ref; + var delta#0_0: int; + var delta##0_0: int; + var U##0_0: Set Box; + var S##0_0: Set Box; + + // AddMethodImpl: Dislodge, Impl$$_module.Composite.Dislodge + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> S#0[$Box($o)]); + $_reverifyPost := false; + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(94,11) + assume true; + assume true; + p#0 := read($Heap, this, _module.Composite.parent); + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(95,12) + assume true; + assert $_Frame[this, _module.Composite.parent]; + newtype$check#3 := null; + assume true; + $rhs#0 := null; + $Heap := update($Heap, this, _module.Composite.parent, $rhs#0); + assume $IsGoodHeap($Heap); + // ----- if statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(96,5) + newtype$check#4 := null; + assume true; + if (p#0 != null) + { + // ----- if statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(97,7) + assert p#0 != null; + assume true; + if (read($Heap, p#0, _module.Composite.left) == this) + { + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(98,16) + assert p#0 != null; + assume true; + assert $_Frame[p#0, _module.Composite.left]; + newtype$check#0_0_0 := null; + assume true; + $rhs#0_0_0 := null; + $Heap := update($Heap, p#0, _module.Composite.left, $rhs#0_0_0); + assume $IsGoodHeap($Heap); + } + else + { + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(100,17) + assert p#0 != null; + assume true; + assert $_Frame[p#0, _module.Composite.right]; + newtype$check#0_1_0 := null; + assume true; + $rhs#0_1_0 := null; + $Heap := update($Heap, p#0, _module.Composite.right, $rhs#0_1_0); + assume $IsGoodHeap($Heap); + } + + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(102,17) + assume true; + assume true; + delta#0_0 := 0 - read($Heap, this, _module.Composite.sum); + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(103,15) + // TrCallStmt: Before ProcessCallStmt + assume true; + assert p#0 != null; + assume true; + // ProcessCallStmt: CheckSubrange + delta##0_0 := delta#0_0; + assume true; + // ProcessCallStmt: CheckSubrange + U##0_0 := Set#Difference(S#0, Set#UnionOne(Set#Empty(): Set Box, $Box(this))); + assume true; + // ProcessCallStmt: CheckSubrange + S##0_0 := S#0; + assert (forall $o: ref, $f: Field alpha :: + $o != null + && read($Heap, $o, alloc) + && + U##0_0[$Box($o)] + && $f == _module.Composite.sum + ==> $_Frame[$o, $f]); + // ProcessCallStmt: Make the call + call Call$$_module.Composite.Adjust(p#0, delta##0_0, U##0_0, S##0_0); + // TrCallStmt: After ProcessCallStmt + } + else + { + } +} + + + +procedure {:verboseName "Composite.Adjust (well-formedness)"} CheckWellFormed$$_module.Composite.Adjust(this: ref + where this != null + && + $Is(this, Tclass._module.Composite()) + && $IsAlloc(this, Tclass._module.Composite(), $Heap), + delta#0: int, + U#0: Set Box + where $Is(U#0, TSet(Tclass._module.Composite())) + && $IsAlloc(U#0, TSet(Tclass._module.Composite()), $Heap), + S#0: Set Box + where $Is(S#0, TSet(Tclass._module.Composite())) + && $IsAlloc(S#0, TSet(Tclass._module.Composite()), $Heap)); + free requires 2 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +implementation {:verboseName "Composite.Adjust (well-formedness)"} CheckWellFormed$$_module.Composite.Adjust(this: ref, delta#0: int, U#0: Set Box, S#0: Set Box) +{ + var $_Frame: [ref,Field beta]bool; + var ##S#0: Set Box; + var c#0: ref; + var ##S#1: Set Box; + var newtype$check#0: ref; + var newtype$check#1: ref; + var newtype$check#2: ref; + var newtype$check#3: ref; + var newtype$check#4: ref; + var c#2: ref; + var ##S#2: Set Box; + + // AddMethodImpl: Adjust, CheckWellFormed$$_module.Composite.Adjust + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> U#0[$Box($o)] && $f == _module.Composite.sum); + assume Set#Subset(U#0, S#0); + // assume allocatedness for receiver argument to function + assume $IsAlloc(this, Tclass._module.Composite?(), $Heap); + ##S#0 := U#0; + // assume allocatedness for argument to function + assume $IsAlloc(##S#0, TSet(Tclass._module.Composite()), $Heap); + assume _module.Composite.Acyclic#canCall($Heap, this, U#0); + assume _module.Composite.Acyclic($LS($LZ), $Heap, this, U#0); + havoc c#0; + assume $Is(c#0, Tclass._module.Composite()) + && $IsAlloc(c#0, Tclass._module.Composite(), $Heap); + if (*) + { + assume S#0[$Box(c#0)]; + assume c#0 != this; + assert c#0 != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(c#0, Tclass._module.Composite?(), $Heap); + ##S#1 := S#0; + // assume allocatedness for argument to function + assume $IsAlloc(##S#1, TSet(Tclass._module.Composite()), $Heap); + assume _module.Composite.Valid#canCall($Heap, c#0, S#0); + assume _module.Composite.Valid($Heap, c#0, S#0); + } + else + { + assume S#0[$Box(c#0)] && c#0 != this ==> _module.Composite.Valid($Heap, c#0, S#0); + } + + assume (forall c#1: ref :: + { _module.Composite.Valid($Heap, c#1, S#0) } { S#0[$Box(c#1)] } + $Is(c#1, Tclass._module.Composite()) + ==> + S#0[$Box(c#1)] && c#1 != this + ==> _module.Composite.Valid($Heap, c#1, S#0)); + if (*) + { + newtype$check#0 := null; + assume read($Heap, this, _module.Composite.parent) != null; + assume S#0[$Box(read($Heap, this, _module.Composite.parent))]; + assert read($Heap, this, _module.Composite.parent) != null; + if (read($Heap, read($Heap, this, _module.Composite.parent), _module.Composite.left) + != this) + { + assert read($Heap, this, _module.Composite.parent) != null; + } + + assume read($Heap, read($Heap, this, _module.Composite.parent), _module.Composite.left) + == this + || read($Heap, read($Heap, this, _module.Composite.parent), _module.Composite.right) + == this; + } + else + { + assume read($Heap, this, _module.Composite.parent) != null + ==> S#0[$Box(read($Heap, this, _module.Composite.parent))] + && (read($Heap, read($Heap, this, _module.Composite.parent), _module.Composite.left) + == this + || read($Heap, read($Heap, this, _module.Composite.parent), _module.Composite.right) + == this); + } + + if (*) + { + newtype$check#1 := null; + assume read($Heap, this, _module.Composite.left) != null; + assume S#0[$Box(read($Heap, this, _module.Composite.left))]; + assert read($Heap, this, _module.Composite.left) != null; + assume read($Heap, read($Heap, this, _module.Composite.left), _module.Composite.parent) + == this; + assume read($Heap, this, _module.Composite.left) + != read($Heap, this, _module.Composite.right); + } + else + { + assume read($Heap, this, _module.Composite.left) != null + ==> S#0[$Box(read($Heap, this, _module.Composite.left))] + && read($Heap, read($Heap, this, _module.Composite.left), _module.Composite.parent) + == this + && read($Heap, this, _module.Composite.left) + != read($Heap, this, _module.Composite.right); + } + + if (*) + { + newtype$check#2 := null; + assume read($Heap, this, _module.Composite.right) != null; + assume S#0[$Box(read($Heap, this, _module.Composite.right))]; + assert read($Heap, this, _module.Composite.right) != null; + assume read($Heap, read($Heap, this, _module.Composite.right), _module.Composite.parent) + == this; + assume read($Heap, this, _module.Composite.left) + != read($Heap, this, _module.Composite.right); + } + else + { + assume read($Heap, this, _module.Composite.right) != null + ==> S#0[$Box(read($Heap, this, _module.Composite.right))] + && read($Heap, read($Heap, this, _module.Composite.right), _module.Composite.parent) + == this + && read($Heap, this, _module.Composite.left) + != read($Heap, this, _module.Composite.right); + } + + newtype$check#3 := null; + if (read($Heap, this, _module.Composite.left) == null) + { + } + else + { + assert read($Heap, this, _module.Composite.left) != null; + } + + newtype$check#4 := null; + if (read($Heap, this, _module.Composite.right) == null) + { + } + else + { + assert read($Heap, this, _module.Composite.right) != null; + } + + assume read($Heap, this, _module.Composite.sum) + delta#0 + == read($Heap, this, _module.Composite.val) + + (if read($Heap, this, _module.Composite.left) == null + then 0 + else read($Heap, read($Heap, this, _module.Composite.left), _module.Composite.sum)) + + (if read($Heap, this, _module.Composite.right) == null + then 0 + else read($Heap, read($Heap, this, _module.Composite.right), _module.Composite.sum)); + havoc $Heap; + assume (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] || U#0[$Box($o)]); + assume (forall $o: ref, $f: Field alpha :: + { read($Heap, $o, $f) } + $o != null && read(old($Heap), $o, alloc) + ==> read($Heap, $o, $f) == read(old($Heap), $o, $f) + || (U#0[$Box($o)] && $f == _module.Composite.sum)); + assume $HeapSucc(old($Heap), $Heap); + havoc c#2; + assume $Is(c#2, Tclass._module.Composite()) + && $IsAlloc(c#2, Tclass._module.Composite(), $Heap); + if (*) + { + assume S#0[$Box(c#2)]; + assert c#2 != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(c#2, Tclass._module.Composite?(), $Heap); + ##S#2 := S#0; + // assume allocatedness for argument to function + assume $IsAlloc(##S#2, TSet(Tclass._module.Composite()), $Heap); + assume _module.Composite.Valid#canCall($Heap, c#2, S#0); + assume _module.Composite.Valid($Heap, c#2, S#0); + } + else + { + assume S#0[$Box(c#2)] ==> _module.Composite.Valid($Heap, c#2, S#0); + } + + assume (forall c#3: ref :: + { _module.Composite.Valid($Heap, c#3, S#0) } { S#0[$Box(c#3)] } + $Is(c#3, Tclass._module.Composite()) + ==> + S#0[$Box(c#3)] + ==> _module.Composite.Valid($Heap, c#3, S#0)); +} + + + +procedure {:verboseName "Composite.Adjust (call)"} Call$$_module.Composite.Adjust(this: ref + where this != null + && + $Is(this, Tclass._module.Composite()) + && $IsAlloc(this, Tclass._module.Composite(), $Heap), + delta#0: int, + U#0: Set Box + where $Is(U#0, TSet(Tclass._module.Composite())) + && $IsAlloc(U#0, TSet(Tclass._module.Composite()), $Heap), + S#0: Set Box + where $Is(S#0, TSet(Tclass._module.Composite())) + && $IsAlloc(S#0, TSet(Tclass._module.Composite()), $Heap)); + // user-defined preconditions + requires Set#Subset(U#0, S#0); + requires _module.Composite.Acyclic#canCall($Heap, this, U#0) + ==> _module.Composite.Acyclic($LS($LZ), $Heap, this, U#0) || U#0[$Box(this)]; + requires _module.Composite.Acyclic#canCall($Heap, this, U#0) + ==> _module.Composite.Acyclic($LS($LZ), $Heap, this, U#0) + || (read($Heap, this, _module.Composite.parent) != null + ==> _module.Composite.Acyclic($LS($LS($LZ)), + $Heap, + read($Heap, this, _module.Composite.parent), + Set#Difference(U#0, Set#UnionOne(Set#Empty(): Set Box, $Box(this))))); + requires (forall c#1: ref :: + { _module.Composite.Valid($Heap, c#1, S#0) } { S#0[$Box(c#1)] } + $Is(c#1, Tclass._module.Composite()) + ==> + S#0[$Box(c#1)] && c#1 != this + ==> _module.Composite.Valid($Heap, c#1, S#0)); + requires read($Heap, this, _module.Composite.parent) != null + ==> S#0[$Box(read($Heap, this, _module.Composite.parent))]; + requires read($Heap, this, _module.Composite.parent) != null + ==> read($Heap, read($Heap, this, _module.Composite.parent), _module.Composite.left) + == this + || read($Heap, read($Heap, this, _module.Composite.parent), _module.Composite.right) + == this; + requires read($Heap, this, _module.Composite.left) != null + ==> S#0[$Box(read($Heap, this, _module.Composite.left))]; + requires read($Heap, this, _module.Composite.left) != null + ==> read($Heap, read($Heap, this, _module.Composite.left), _module.Composite.parent) + == this; + requires read($Heap, this, _module.Composite.left) != null + ==> read($Heap, this, _module.Composite.left) + != read($Heap, this, _module.Composite.right); + requires read($Heap, this, _module.Composite.right) != null + ==> S#0[$Box(read($Heap, this, _module.Composite.right))]; + requires read($Heap, this, _module.Composite.right) != null + ==> read($Heap, read($Heap, this, _module.Composite.right), _module.Composite.parent) + == this; + requires read($Heap, this, _module.Composite.right) != null + ==> read($Heap, this, _module.Composite.left) + != read($Heap, this, _module.Composite.right); + requires read($Heap, this, _module.Composite.sum) + delta#0 + == read($Heap, this, _module.Composite.val) + + (if read($Heap, this, _module.Composite.left) == null + then 0 + else read($Heap, read($Heap, this, _module.Composite.left), _module.Composite.sum)) + + (if read($Heap, this, _module.Composite.right) == null + then 0 + else read($Heap, read($Heap, this, _module.Composite.right), _module.Composite.sum)); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures (forall c#3: ref :: + { _module.Composite.Valid($Heap, c#3, S#0) } { S#0[$Box(c#3)] } + $Is(c#3, Tclass._module.Composite()) + ==> + S#0[$Box(c#3)] + ==> _module.Composite.Valid#canCall($Heap, c#3, S#0)); + ensures (forall c#3: ref :: + { _module.Composite.Valid($Heap, c#3, S#0) } { S#0[$Box(c#3)] } + $Is(c#3, Tclass._module.Composite()) + ==> + S#0[$Box(c#3)] + ==> _module.Composite.Valid($Heap, c#3, S#0)); + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] || U#0[$Box($o)]); + // frame condition: field granularity + free ensures (forall $o: ref, $f: Field alpha :: + { read($Heap, $o, $f) } + $o != null && read(old($Heap), $o, alloc) + ==> read($Heap, $o, $f) == read(old($Heap), $o, $f) + || (U#0[$Box($o)] && $f == _module.Composite.sum)); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +procedure {:verboseName "Composite.Adjust (correctness)"} Impl$$_module.Composite.Adjust(this: ref + where this != null + && + $Is(this, Tclass._module.Composite()) + && $IsAlloc(this, Tclass._module.Composite(), $Heap), + delta#0: int, + U#0: Set Box + where $Is(U#0, TSet(Tclass._module.Composite())) + && $IsAlloc(U#0, TSet(Tclass._module.Composite()), $Heap), + S#0: Set Box + where $Is(S#0, TSet(Tclass._module.Composite())) + && $IsAlloc(S#0, TSet(Tclass._module.Composite()), $Heap)) + returns ($_reverifyPost: bool); + free requires 2 == $FunctionContextHeight; + // user-defined preconditions + requires Set#Subset(U#0, S#0); + free requires _module.Composite.Acyclic#canCall($Heap, this, U#0) + && + _module.Composite.Acyclic($LS($LZ), $Heap, this, U#0) + && + U#0[$Box(this)] + && (read($Heap, this, _module.Composite.parent) != null + ==> _module.Composite.Acyclic($LS($LZ), + $Heap, + read($Heap, this, _module.Composite.parent), + Set#Difference(U#0, Set#UnionOne(Set#Empty(): Set Box, $Box(this))))); + requires (forall c#1: ref :: + { _module.Composite.Valid($Heap, c#1, S#0) } { S#0[$Box(c#1)] } + $Is(c#1, Tclass._module.Composite()) + ==> + S#0[$Box(c#1)] && c#1 != this + ==> _module.Composite.Valid($Heap, c#1, S#0)); + requires read($Heap, this, _module.Composite.parent) != null + ==> S#0[$Box(read($Heap, this, _module.Composite.parent))]; + requires read($Heap, this, _module.Composite.parent) != null + ==> read($Heap, read($Heap, this, _module.Composite.parent), _module.Composite.left) + == this + || read($Heap, read($Heap, this, _module.Composite.parent), _module.Composite.right) + == this; + requires read($Heap, this, _module.Composite.left) != null + ==> S#0[$Box(read($Heap, this, _module.Composite.left))]; + requires read($Heap, this, _module.Composite.left) != null + ==> read($Heap, read($Heap, this, _module.Composite.left), _module.Composite.parent) + == this; + requires read($Heap, this, _module.Composite.left) != null + ==> read($Heap, this, _module.Composite.left) + != read($Heap, this, _module.Composite.right); + requires read($Heap, this, _module.Composite.right) != null + ==> S#0[$Box(read($Heap, this, _module.Composite.right))]; + requires read($Heap, this, _module.Composite.right) != null + ==> read($Heap, read($Heap, this, _module.Composite.right), _module.Composite.parent) + == this; + requires read($Heap, this, _module.Composite.right) != null + ==> read($Heap, this, _module.Composite.left) + != read($Heap, this, _module.Composite.right); + requires read($Heap, this, _module.Composite.sum) + delta#0 + == read($Heap, this, _module.Composite.val) + + (if read($Heap, this, _module.Composite.left) == null + then 0 + else read($Heap, read($Heap, this, _module.Composite.left), _module.Composite.sum)) + + (if read($Heap, this, _module.Composite.right) == null + then 0 + else read($Heap, read($Heap, this, _module.Composite.right), _module.Composite.sum)); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures (forall c#3: ref :: + { _module.Composite.Valid($Heap, c#3, S#0) } { S#0[$Box(c#3)] } + $Is(c#3, Tclass._module.Composite()) + ==> + S#0[$Box(c#3)] + ==> _module.Composite.Valid#canCall($Heap, c#3, S#0)); + ensures (forall c#3: ref :: + { _module.Composite.Valid($Heap, c#3, S#0) } { S#0[$Box(c#3)] } + $Is(c#3, Tclass._module.Composite()) + ==> + S#0[$Box(c#3)] + ==> _module.Composite.Valid($Heap, c#3, S#0)); + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] || U#0[$Box($o)]); + // frame condition: field granularity + free ensures (forall $o: ref, $f: Field alpha :: + { read($Heap, $o, $f) } + $o != null && read(old($Heap), $o, alloc) + ==> read($Heap, $o, $f) == read(old($Heap), $o, $f) + || (U#0[$Box($o)] && $f == _module.Composite.sum)); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +implementation {:verboseName "Composite.Adjust (correctness)"} Impl$$_module.Composite.Adjust(this: ref, delta#0: int, U#0: Set Box, S#0: Set Box) + returns ($_reverifyPost: bool) +{ + var $_Frame: [ref,Field beta]bool; + var p#0: ref + where $Is(p#0, Tclass._module.Composite?()) + && $IsAlloc(p#0, Tclass._module.Composite?(), $Heap); + var T#0: Set Box + where $Is(T#0, TSet(Tclass._module.Composite())) + && $IsAlloc(T#0, TSet(Tclass._module.Composite()), $Heap); + var $PreLoopHeap$loop#0: Heap; + var $decr_init$loop#00: Set Box; + var $w$loop#0: bool; + var newtype$check#5: ref; + var ##S#3: Set Box; + var c#4: ref; + var ##S#4: Set Box; + var newtype$check#6: ref; + var newtype$check#7: ref; + var newtype$check#8: ref; + var c#6: ref; + var newtype$check#9: ref; + var $decr$loop#00: Set Box; + var $rhs#0_0: int; + + // AddMethodImpl: Adjust, Impl$$_module.Composite.Adjust + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> U#0[$Box($o)] && $f == _module.Composite.sum); + $_reverifyPost := false; + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(122,23) + assume true; + assume true; + p#0 := this; + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(123,17) + assume true; + assume true; + T#0 := U#0; + // ----- while statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(124,5) + // Assume Fuel Constant + $PreLoopHeap$loop#0 := $Heap; + $decr_init$loop#00 := T#0; + havoc $w$loop#0; + while (true) + free invariant $w$loop#0 ==> true; + invariant $w$loop#0 ==> Set#Subset(T#0, U#0); + free invariant $w$loop#0 ==> p#0 != null ==> _module.Composite.Acyclic#canCall($Heap, p#0, T#0); + invariant $w$loop#0 + ==> p#0 == null || _module.Composite.Acyclic($LS($LS($LZ)), $Heap, p#0, T#0); + free invariant $w$loop#0 + ==> (forall c#5: ref :: + { _module.Composite.Valid($Heap, c#5, S#0) } { S#0[$Box(c#5)] } + $Is(c#5, Tclass._module.Composite()) + ==> + S#0[$Box(c#5)] + ==> + c#5 != p#0 + ==> _module.Composite.Valid#canCall($Heap, c#5, S#0)); + invariant $w$loop#0 + ==> (forall c#5: ref :: + { _module.Composite.Valid($Heap, c#5, S#0) } { S#0[$Box(c#5)] } + $Is(c#5, Tclass._module.Composite()) + ==> + S#0[$Box(c#5)] && c#5 != p#0 + ==> _module.Composite.Valid($Heap, c#5, S#0)); + free invariant $w$loop#0 ==> true; + invariant $w$loop#0 + ==> + p#0 != null + ==> read($Heap, p#0, _module.Composite.sum) + delta#0 + == read($Heap, p#0, _module.Composite.val) + + (if read($Heap, p#0, _module.Composite.left) == null + then 0 + else read($Heap, read($Heap, p#0, _module.Composite.left), _module.Composite.sum)) + + (if read($Heap, p#0, _module.Composite.right) == null + then 0 + else read($Heap, read($Heap, p#0, _module.Composite.right), _module.Composite.sum)); + free invariant $w$loop#0 ==> true; + invariant $w$loop#0 + ==> (forall c#7: ref :: + { read(old($Heap), c#7, _module.Composite.val) } + { read($Heap, c#7, _module.Composite.val) } + { read(old($Heap), c#7, _module.Composite.parent) } + { read($Heap, c#7, _module.Composite.parent) } + { read(old($Heap), c#7, _module.Composite.right) } + { read($Heap, c#7, _module.Composite.right) } + { read(old($Heap), c#7, _module.Composite.left) } + { read($Heap, c#7, _module.Composite.left) } + { S#0[$Box(c#7)] } + $Is(c#7, Tclass._module.Composite()) + ==> (S#0[$Box(c#7)] + ==> read($Heap, c#7, _module.Composite.left) + == read(old($Heap), c#7, _module.Composite.left)) + && (S#0[$Box(c#7)] + ==> read($Heap, c#7, _module.Composite.right) + == read(old($Heap), c#7, _module.Composite.right)) + && (S#0[$Box(c#7)] + ==> read($Heap, c#7, _module.Composite.parent) + == read(old($Heap), c#7, _module.Composite.parent)) + && (S#0[$Box(c#7)] + ==> read($Heap, c#7, _module.Composite.val) + == read(old($Heap), c#7, _module.Composite.val))); + free invariant (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == $PreLoopHeap$loop#0[$o] || U#0[$Box($o)]); + free invariant (forall $o: ref, $f: Field alpha :: + { read($Heap, $o, $f) } + $o != null && read(old($Heap), $o, alloc) + ==> read($Heap, $o, $f) == read($PreLoopHeap$loop#0, $o, $f) + || (U#0[$Box($o)] && $f == _module.Composite.sum)); + free invariant $HeapSucc($PreLoopHeap$loop#0, $Heap); + free invariant (forall $o: ref, $f: Field alpha :: + { read($Heap, $o, $f) } + $o != null && read($PreLoopHeap$loop#0, $o, alloc) + ==> read($Heap, $o, $f) == read($PreLoopHeap$loop#0, $o, $f) || $_Frame[$o, $f]); + free invariant Set#Subset(T#0, $decr_init$loop#00) + && (Set#Equal(T#0, $decr_init$loop#00) ==> true); + { + if (!$w$loop#0) + { + assume true; + assume Set#Subset(T#0, U#0); + newtype$check#5 := null; + if (p#0 != null) + { + assert {:subsumption 0} p#0 != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(p#0, Tclass._module.Composite?(), $Heap); + ##S#3 := T#0; + // assume allocatedness for argument to function + assume $IsAlloc(##S#3, TSet(Tclass._module.Composite()), $Heap); + assume _module.Composite.Acyclic#canCall($Heap, p#0, T#0); + } + + assume p#0 != null ==> _module.Composite.Acyclic#canCall($Heap, p#0, T#0); + assume p#0 == null || _module.Composite.Acyclic($LS($LZ), $Heap, p#0, T#0); + // Begin Comprehension WF check + havoc c#4; + if ($Is(c#4, Tclass._module.Composite()) + && $IsAlloc(c#4, Tclass._module.Composite(), $Heap)) + { + if (S#0[$Box(c#4)]) + { + } + + if (S#0[$Box(c#4)] && c#4 != p#0) + { + assert {:subsumption 0} c#4 != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(c#4, Tclass._module.Composite?(), $Heap); + ##S#4 := S#0; + // assume allocatedness for argument to function + assume $IsAlloc(##S#4, TSet(Tclass._module.Composite()), $Heap); + assume _module.Composite.Valid#canCall($Heap, c#4, S#0); + } + } + + // End Comprehension WF check + assume (forall c#5: ref :: + { _module.Composite.Valid($Heap, c#5, S#0) } { S#0[$Box(c#5)] } + $Is(c#5, Tclass._module.Composite()) + ==> + S#0[$Box(c#5)] + ==> + c#5 != p#0 + ==> _module.Composite.Valid#canCall($Heap, c#5, S#0)); + assume (forall c#5: ref :: + { _module.Composite.Valid($Heap, c#5, S#0) } { S#0[$Box(c#5)] } + $Is(c#5, Tclass._module.Composite()) + ==> + S#0[$Box(c#5)] && c#5 != p#0 + ==> _module.Composite.Valid($Heap, c#5, S#0)); + newtype$check#6 := null; + if (p#0 != null) + { + assert {:subsumption 0} p#0 != null; + assert {:subsumption 0} p#0 != null; + assert {:subsumption 0} p#0 != null; + newtype$check#7 := null; + if (read($Heap, p#0, _module.Composite.left) == null) + { + } + else + { + assert {:subsumption 0} p#0 != null; + assert {:subsumption 0} read($Heap, p#0, _module.Composite.left) != null; + } + + assert {:subsumption 0} p#0 != null; + newtype$check#8 := null; + if (read($Heap, p#0, _module.Composite.right) == null) + { + } + else + { + assert {:subsumption 0} p#0 != null; + assert {:subsumption 0} read($Heap, p#0, _module.Composite.right) != null; + } + } + + assume true; + assume p#0 != null + ==> read($Heap, p#0, _module.Composite.sum) + delta#0 + == read($Heap, p#0, _module.Composite.val) + + (if read($Heap, p#0, _module.Composite.left) == null + then 0 + else read($Heap, read($Heap, p#0, _module.Composite.left), _module.Composite.sum)) + + (if read($Heap, p#0, _module.Composite.right) == null + then 0 + else read($Heap, read($Heap, p#0, _module.Composite.right), _module.Composite.sum)); + // Begin Comprehension WF check + havoc c#6; + if ($Is(c#6, Tclass._module.Composite()) + && $IsAlloc(c#6, Tclass._module.Composite(), $Heap)) + { + if (S#0[$Box(c#6)]) + { + assert {:subsumption 0} c#6 != null; + assert {:subsumption 0} c#6 != null; + assert $IsAlloc(c#6, Tclass._module.Composite(), old($Heap)); + if (read($Heap, c#6, _module.Composite.left) + == read(old($Heap), c#6, _module.Composite.left)) + { + assert {:subsumption 0} c#6 != null; + assert {:subsumption 0} c#6 != null; + assert $IsAlloc(c#6, Tclass._module.Composite(), old($Heap)); + } + + if (read($Heap, c#6, _module.Composite.left) + == read(old($Heap), c#6, _module.Composite.left) + && read($Heap, c#6, _module.Composite.right) + == read(old($Heap), c#6, _module.Composite.right)) + { + assert {:subsumption 0} c#6 != null; + assert {:subsumption 0} c#6 != null; + assert $IsAlloc(c#6, Tclass._module.Composite(), old($Heap)); + } + + if (read($Heap, c#6, _module.Composite.left) + == read(old($Heap), c#6, _module.Composite.left) + && read($Heap, c#6, _module.Composite.right) + == read(old($Heap), c#6, _module.Composite.right) + && read($Heap, c#6, _module.Composite.parent) + == read(old($Heap), c#6, _module.Composite.parent)) + { + assert {:subsumption 0} c#6 != null; + assert {:subsumption 0} c#6 != null; + assert $IsAlloc(c#6, Tclass._module.Composite(), old($Heap)); + } + } + } + + // End Comprehension WF check + assume true; + assume (forall c#7: ref :: + { read(old($Heap), c#7, _module.Composite.val) } + { read($Heap, c#7, _module.Composite.val) } + { read(old($Heap), c#7, _module.Composite.parent) } + { read($Heap, c#7, _module.Composite.parent) } + { read(old($Heap), c#7, _module.Composite.right) } + { read($Heap, c#7, _module.Composite.right) } + { read(old($Heap), c#7, _module.Composite.left) } + { read($Heap, c#7, _module.Composite.left) } + { S#0[$Box(c#7)] } + $Is(c#7, Tclass._module.Composite()) + ==> (S#0[$Box(c#7)] + ==> read($Heap, c#7, _module.Composite.left) + == read(old($Heap), c#7, _module.Composite.left)) + && (S#0[$Box(c#7)] + ==> read($Heap, c#7, _module.Composite.right) + == read(old($Heap), c#7, _module.Composite.right)) + && (S#0[$Box(c#7)] + ==> read($Heap, c#7, _module.Composite.parent) + == read(old($Heap), c#7, _module.Composite.parent)) + && (S#0[$Box(c#7)] + ==> read($Heap, c#7, _module.Composite.val) + == read(old($Heap), c#7, _module.Composite.val))); + assume true; + assume false; + } + + newtype$check#9 := null; + assume true; + if (p#0 == null) + { + break; + } + + $decr$loop#00 := T#0; + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(132,13) + assert p#0 != null; + assume true; + assert $_Frame[p#0, _module.Composite.sum]; + assert p#0 != null; + assume true; + $rhs#0_0 := read($Heap, p#0, _module.Composite.sum) + delta#0; + $Heap := update($Heap, p#0, _module.Composite.sum, $rhs#0_0); + assume $IsGoodHeap($Heap); + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(133,9) + assume true; + assume true; + T#0 := Set#Difference(T#0, Set#UnionOne(Set#Empty(): Set Box, $Box(p#0))); + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(134,9) + assume true; + assert p#0 != null; + assume true; + p#0 := read($Heap, p#0, _module.Composite.parent); + // ----- loop termination check ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(124,5) + assert Set#Subset(T#0, $decr$loop#00) && !Set#Subset($decr$loop#00, T#0); + assume Set#Subset(T#0, U#0) + ==> (p#0 != null ==> _module.Composite.Acyclic#canCall($Heap, p#0, T#0)) + && (p#0 == null || _module.Composite.Acyclic($LS($LZ), $Heap, p#0, T#0) + ==> (forall c#5: ref :: + { _module.Composite.Valid($Heap, c#5, S#0) } { S#0[$Box(c#5)] } + $Is(c#5, Tclass._module.Composite()) + ==> + S#0[$Box(c#5)] + ==> + c#5 != p#0 + ==> _module.Composite.Valid#canCall($Heap, c#5, S#0))); + } +} + + + +// _module.Composite: non-null type $Is +axiom (forall c#0: ref :: + { $Is(c#0, Tclass._module.Composite()) } + $Is(c#0, Tclass._module.Composite()) + <==> $Is(c#0, Tclass._module.Composite?()) && c#0 != null); + +// _module.Composite: non-null type $IsAlloc +axiom (forall c#0: ref, $h: Heap :: + { $IsAlloc(c#0, Tclass._module.Composite(), $h) } + $IsAlloc(c#0, Tclass._module.Composite(), $h) + <==> $IsAlloc(c#0, Tclass._module.Composite?(), $h)); + +const unique class._module.__default: ClassName; + +function Tclass._module.__default() : Ty; + +const unique Tagclass._module.__default: TyTag; + +// Tclass._module.__default Tag +axiom Tag(Tclass._module.__default()) == Tagclass._module.__default + && TagFamily(Tclass._module.__default()) == tytagFamily$_default; + +// Box/unbox axiom for Tclass._module.__default +axiom (forall bx: Box :: + { $IsBox(bx, Tclass._module.__default()) } + $IsBox(bx, Tclass._module.__default()) + ==> $Box($Unbox(bx): ref) == bx && $Is($Unbox(bx): ref, Tclass._module.__default())); + +// _default: Class $Is +axiom (forall $o: ref :: + { $Is($o, Tclass._module.__default()) } + $Is($o, Tclass._module.__default()) + <==> $o == null || dtype($o) == Tclass._module.__default()); + +// _default: Class $IsAlloc +axiom (forall $o: ref, $h: Heap :: + { $IsAlloc($o, Tclass._module.__default(), $h) } + $IsAlloc($o, Tclass._module.__default(), $h) + <==> $o == null || read($h, $o, alloc)); + +procedure {:verboseName "Main (well-formedness)"} CheckWellFormed$$_module.__default.Main(); + free requires 4 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +procedure {:verboseName "Main (call)"} Call$$_module.__default.Main(); + modifies $Heap, $Tick; + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) ==> $Heap[$o] == old($Heap)[$o]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +procedure {:verboseName "Main (correctness)"} Impl$$_module.__default.Main() returns ($_reverifyPost: bool); + free requires 4 == $FunctionContextHeight; + modifies $Heap, $Tick; + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) ==> $Heap[$o] == old($Heap)[$o]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +implementation {:verboseName "Main (correctness)"} Impl$$_module.__default.Main() returns ($_reverifyPost: bool) +{ + var $_Frame: [ref,Field beta]bool; + var defass#c0#0: bool; + var c0#0: ref + where defass#c0#0 + ==> $Is(c0#0, Tclass._module.Composite()) + && $IsAlloc(c0#0, Tclass._module.Composite(), $Heap); + var $nw: ref; + var x##0: int; + var defass#c1#0: bool; + var c1#0: ref + where defass#c1#0 + ==> $Is(c1#0, Tclass._module.Composite()) + && $IsAlloc(c1#0, Tclass._module.Composite(), $Heap); + var x##1: int; + var S##0: Set Box; + var child##0: ref; + var U##0: Set Box; + var defass#c2#0: bool; + var c2#0: ref + where defass#c2#0 + ==> $Is(c2#0, Tclass._module.Composite()) + && $IsAlloc(c2#0, Tclass._module.Composite(), $Heap); + var x##2: int; + var defass#c3#0: bool; + var c3#0: ref + where defass#c3#0 + ==> $Is(c3#0, Tclass._module.Composite()) + && $IsAlloc(c3#0, Tclass._module.Composite(), $Heap); + var x##3: int; + var S##1: Set Box; + var child##1: ref; + var U##1: Set Box; + var S##2: Set Box; + var child##2: ref; + var U##2: Set Box; + var S#0: Set Box + where $Is(S#0, TSet(Tclass._module.Composite())) + && $IsAlloc(S#0, TSet(Tclass._module.Composite()), $Heap); + var x##4: int; + var S##3: Set Box; + var x##5: int; + var S##4: Set Box; + var S##5: Set Box; + var x##6: int; + var S##6: Set Box; + var x##7: int; + var S##7: Set Box; + + // AddMethodImpl: Main, Impl$$_module.__default.Main + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> false); + $_reverifyPost := false; + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(141,10) + assume true; + havoc $nw; + assume $nw != null && dtype($nw) == Tclass._module.Composite?(); + assume !read($Heap, $nw, alloc); + $Heap := update($Heap, $nw, alloc, true); + assume $IsGoodHeap($Heap); + assume $IsHeapAnchor($Heap); + // ----- init call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(141,27) + // TrCallStmt: Before ProcessCallStmt + assume true; + // ProcessCallStmt: CheckSubrange + x##0 := LitInt(57); + assert (forall $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) && $o == $nw ==> $_Frame[$o, $f]); + // ProcessCallStmt: Make the call + call Call$$_module.Composite.Init($nw, x##0); + // TrCallStmt: After ProcessCallStmt + c0#0 := $nw; + defass#c0#0 := true; + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(143,10) + assume true; + havoc $nw; + assume $nw != null && dtype($nw) == Tclass._module.Composite?(); + assume !read($Heap, $nw, alloc); + $Heap := update($Heap, $nw, alloc, true); + assume $IsGoodHeap($Heap); + assume $IsHeapAnchor($Heap); + // ----- init call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(143,27) + // TrCallStmt: Before ProcessCallStmt + assume true; + // ProcessCallStmt: CheckSubrange + x##1 := LitInt(12); + assert (forall $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) && $o == $nw ==> $_Frame[$o, $f]); + // ProcessCallStmt: Make the call + call Call$$_module.Composite.Init($nw, x##1); + // TrCallStmt: After ProcessCallStmt + c1#0 := $nw; + defass#c1#0 := true; + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(144,9) + // TrCallStmt: Before ProcessCallStmt + assert defass#c0#0; + assume true; + assert c0#0 != null; + assert defass#c0#0; + assume true; + // ProcessCallStmt: CheckSubrange + S##0 := Set#UnionOne(Set#Empty(): Set Box, $Box(c0#0)); + assert defass#c1#0; + assume true; + // ProcessCallStmt: CheckSubrange + child##0 := c1#0; + assert defass#c1#0; + assume true; + // ProcessCallStmt: CheckSubrange + U##0 := Set#UnionOne(Set#Empty(): Set Box, $Box(c1#0)); + assert (forall $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) && (S##0[$Box($o)] || $o == child##0) + ==> $_Frame[$o, $f]); + // ProcessCallStmt: Make the call + call Call$$_module.Composite.Add(c0#0, S##0, child##0, U##0); + // TrCallStmt: After ProcessCallStmt + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(146,10) + assume true; + havoc $nw; + assume $nw != null && dtype($nw) == Tclass._module.Composite?(); + assume !read($Heap, $nw, alloc); + $Heap := update($Heap, $nw, alloc, true); + assume $IsGoodHeap($Heap); + assume $IsHeapAnchor($Heap); + // ----- init call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(146,27) + // TrCallStmt: Before ProcessCallStmt + assume true; + // ProcessCallStmt: CheckSubrange + x##2 := LitInt(48); + assert (forall $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) && $o == $nw ==> $_Frame[$o, $f]); + // ProcessCallStmt: Make the call + call Call$$_module.Composite.Init($nw, x##2); + // TrCallStmt: After ProcessCallStmt + c2#0 := $nw; + defass#c2#0 := true; + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(148,10) + assume true; + havoc $nw; + assume $nw != null && dtype($nw) == Tclass._module.Composite?(); + assume !read($Heap, $nw, alloc); + $Heap := update($Heap, $nw, alloc, true); + assume $IsGoodHeap($Heap); + assume $IsHeapAnchor($Heap); + // ----- init call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(148,27) + // TrCallStmt: Before ProcessCallStmt + assume true; + // ProcessCallStmt: CheckSubrange + x##3 := LitInt(48); + assert (forall $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) && $o == $nw ==> $_Frame[$o, $f]); + // ProcessCallStmt: Make the call + call Call$$_module.Composite.Init($nw, x##3); + // TrCallStmt: After ProcessCallStmt + c3#0 := $nw; + defass#c3#0 := true; + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(149,9) + // TrCallStmt: Before ProcessCallStmt + assert defass#c2#0; + assume true; + assert c2#0 != null; + assert defass#c2#0; + assume true; + // ProcessCallStmt: CheckSubrange + S##1 := Set#UnionOne(Set#Empty(): Set Box, $Box(c2#0)); + assert defass#c3#0; + assume true; + // ProcessCallStmt: CheckSubrange + child##1 := c3#0; + assert defass#c3#0; + assume true; + // ProcessCallStmt: CheckSubrange + U##1 := Set#UnionOne(Set#Empty(): Set Box, $Box(c3#0)); + assert (forall $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) && (S##1[$Box($o)] || $o == child##1) + ==> $_Frame[$o, $f]); + // ProcessCallStmt: Make the call + call Call$$_module.Composite.Add(c2#0, S##1, child##1, U##1); + // TrCallStmt: After ProcessCallStmt + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(150,9) + // TrCallStmt: Before ProcessCallStmt + assert defass#c0#0; + assume true; + assert c0#0 != null; + assert defass#c0#0; + assert defass#c1#0; + assume true; + // ProcessCallStmt: CheckSubrange + S##2 := Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(c0#0)), $Box(c1#0)); + assert defass#c2#0; + assume true; + // ProcessCallStmt: CheckSubrange + child##2 := c2#0; + assert defass#c2#0; + assert defass#c3#0; + assume true; + // ProcessCallStmt: CheckSubrange + U##2 := Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(c2#0)), $Box(c3#0)); + assert (forall $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) && (S##2[$Box($o)] || $o == child##2) + ==> $_Frame[$o, $f]); + // ProcessCallStmt: Make the call + call Call$$_module.Composite.Add(c0#0, S##2, child##2, U##2); + // TrCallStmt: After ProcessCallStmt + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(152,15) + assume true; + assert defass#c0#0; + assert defass#c1#0; + assert defass#c2#0; + assert defass#c3#0; + assume true; + S#0 := Set#UnionOne(Set#UnionOne(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(c0#0)), $Box(c1#0)), + $Box(c2#0)), + $Box(c3#0)); + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(153,12) + // TrCallStmt: Before ProcessCallStmt + assert defass#c1#0; + assume true; + assert c1#0 != null; + assume true; + // ProcessCallStmt: CheckSubrange + x##4 := LitInt(100); + assume true; + // ProcessCallStmt: CheckSubrange + S##3 := S#0; + assert (forall $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) && S##3[$Box($o)] ==> $_Frame[$o, $f]); + // ProcessCallStmt: Make the call + call Call$$_module.Composite.Update(c1#0, x##4, S##3); + // TrCallStmt: After ProcessCallStmt + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(154,12) + // TrCallStmt: Before ProcessCallStmt + assert defass#c2#0; + assume true; + assert c2#0 != null; + assume true; + // ProcessCallStmt: CheckSubrange + x##5 := LitInt(102); + assume true; + // ProcessCallStmt: CheckSubrange + S##4 := S#0; + assert (forall $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) && S##4[$Box($o)] ==> $_Frame[$o, $f]); + // ProcessCallStmt: Make the call + call Call$$_module.Composite.Update(c2#0, x##5, S##4); + // TrCallStmt: After ProcessCallStmt + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(156,14) + // TrCallStmt: Before ProcessCallStmt + assert defass#c2#0; + assume true; + assert c2#0 != null; + assume true; + // ProcessCallStmt: CheckSubrange + S##5 := S#0; + assert (forall $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) && S##5[$Box($o)] ==> $_Frame[$o, $f]); + // ProcessCallStmt: Make the call + call Call$$_module.Composite.Dislodge(c2#0, S##5); + // TrCallStmt: After ProcessCallStmt + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(157,12) + // TrCallStmt: Before ProcessCallStmt + assert defass#c2#0; + assume true; + assert c2#0 != null; + assume true; + // ProcessCallStmt: CheckSubrange + x##6 := LitInt(496); + assume true; + // ProcessCallStmt: CheckSubrange + S##6 := S#0; + assert (forall $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) && S##6[$Box($o)] ==> $_Frame[$o, $f]); + // ProcessCallStmt: Make the call + call Call$$_module.Composite.Update(c2#0, x##6, S##6); + // TrCallStmt: After ProcessCallStmt + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(158,12) + // TrCallStmt: Before ProcessCallStmt + assert defass#c0#0; + assume true; + assert c0#0 != null; + assume true; + // ProcessCallStmt: CheckSubrange + x##7 := LitInt(0); + assume true; + // ProcessCallStmt: CheckSubrange + S##7 := S#0; + assert (forall $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) && S##7[$Box($o)] ==> $_Frame[$o, $f]); + // ProcessCallStmt: Make the call + call Call$$_module.Composite.Update(c0#0, x##7, S##7); + // TrCallStmt: After ProcessCallStmt +} + + + +procedure {:verboseName "Harness (well-formedness)"} CheckWellFormed$$_module.__default.Harness(); + free requires 4 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +procedure {:verboseName "Harness (call)"} Call$$_module.__default.Harness(); + modifies $Heap, $Tick; + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) ==> $Heap[$o] == old($Heap)[$o]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +procedure {:verboseName "Harness (correctness)"} Impl$$_module.__default.Harness() returns ($_reverifyPost: bool); + free requires 4 == $FunctionContextHeight; + modifies $Heap, $Tick; + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) ==> $Heap[$o] == old($Heap)[$o]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +implementation {:verboseName "Harness (correctness)"} Impl$$_module.__default.Harness() returns ($_reverifyPost: bool) +{ + var $_Frame: [ref,Field beta]bool; + var defass#a#0: bool; + var a#0: ref + where defass#a#0 + ==> $Is(a#0, Tclass._module.Composite()) + && $IsAlloc(a#0, Tclass._module.Composite(), $Heap); + var $nw: ref; + var x##0: int; + var defass#b#0: bool; + var b#0: ref + where defass#b#0 + ==> $Is(b#0, Tclass._module.Composite()) + && $IsAlloc(b#0, Tclass._module.Composite(), $Heap); + var x##1: int; + var S##0: Set Box; + var child##0: ref; + var U##0: Set Box; + var x##2: int; + var S##1: Set Box; + var defass#c#0: bool; + var c#0: ref + where defass#c#0 + ==> $Is(c#0, Tclass._module.Composite()) + && $IsAlloc(c#0, Tclass._module.Composite(), $Heap); + var x##3: int; + var S##2: Set Box; + var child##1: ref; + var U##1: Set Box; + var S##3: Set Box; + + // AddMethodImpl: Harness, Impl$$_module.__default.Harness + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> false); + $_reverifyPost := false; + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(162,9) + assume true; + havoc $nw; + assume $nw != null && dtype($nw) == Tclass._module.Composite?(); + assume !read($Heap, $nw, alloc); + $Heap := update($Heap, $nw, alloc, true); + assume $IsGoodHeap($Heap); + assume $IsHeapAnchor($Heap); + // ----- init call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(162,26) + // TrCallStmt: Before ProcessCallStmt + assume true; + // ProcessCallStmt: CheckSubrange + x##0 := LitInt(5); + assert (forall $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) && $o == $nw ==> $_Frame[$o, $f]); + // ProcessCallStmt: Make the call + call Call$$_module.Composite.Init($nw, x##0); + // TrCallStmt: After ProcessCallStmt + a#0 := $nw; + defass#a#0 := true; + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(163,9) + assume true; + havoc $nw; + assume $nw != null && dtype($nw) == Tclass._module.Composite?(); + assume !read($Heap, $nw, alloc); + $Heap := update($Heap, $nw, alloc, true); + assume $IsGoodHeap($Heap); + assume $IsHeapAnchor($Heap); + // ----- init call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(163,26) + // TrCallStmt: Before ProcessCallStmt + assume true; + // ProcessCallStmt: CheckSubrange + x##1 := LitInt(7); + assert (forall $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) && $o == $nw ==> $_Frame[$o, $f]); + // ProcessCallStmt: Make the call + call Call$$_module.Composite.Init($nw, x##1); + // TrCallStmt: After ProcessCallStmt + b#0 := $nw; + defass#b#0 := true; + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(164,8) + // TrCallStmt: Before ProcessCallStmt + assert defass#a#0; + assume true; + assert a#0 != null; + assert defass#a#0; + assume true; + // ProcessCallStmt: CheckSubrange + S##0 := Set#UnionOne(Set#Empty(): Set Box, $Box(a#0)); + assert defass#b#0; + assume true; + // ProcessCallStmt: CheckSubrange + child##0 := b#0; + assert defass#b#0; + assume true; + // ProcessCallStmt: CheckSubrange + U##0 := Set#UnionOne(Set#Empty(): Set Box, $Box(b#0)); + assert (forall $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) && (S##0[$Box($o)] || $o == child##0) + ==> $_Frame[$o, $f]); + // ProcessCallStmt: Make the call + call Call$$_module.Composite.Add(a#0, S##0, child##0, U##0); + // TrCallStmt: After ProcessCallStmt + // ----- assert statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(165,3) + assert defass#a#0; + assert {:subsumption 0} a#0 != null; + assume true; + assert read($Heap, a#0, _module.Composite.sum) == LitInt(12); + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(167,11) + // TrCallStmt: Before ProcessCallStmt + assert defass#b#0; + assume true; + assert b#0 != null; + assume true; + // ProcessCallStmt: CheckSubrange + x##2 := LitInt(17); + assert defass#a#0; + assert defass#b#0; + assume true; + // ProcessCallStmt: CheckSubrange + S##1 := Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(a#0)), $Box(b#0)); + assert (forall $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) && S##1[$Box($o)] ==> $_Frame[$o, $f]); + // ProcessCallStmt: Make the call + call Call$$_module.Composite.Update(b#0, x##2, S##1); + // TrCallStmt: After ProcessCallStmt + // ----- assert statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(168,3) + assert defass#a#0; + assert {:subsumption 0} a#0 != null; + assume true; + assert read($Heap, a#0, _module.Composite.sum) == LitInt(22); + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(170,9) + assume true; + havoc $nw; + assume $nw != null && dtype($nw) == Tclass._module.Composite?(); + assume !read($Heap, $nw, alloc); + $Heap := update($Heap, $nw, alloc, true); + assume $IsGoodHeap($Heap); + assume $IsHeapAnchor($Heap); + // ----- init call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(170,26) + // TrCallStmt: Before ProcessCallStmt + assume true; + // ProcessCallStmt: CheckSubrange + x##3 := LitInt(10); + assert (forall $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) && $o == $nw ==> $_Frame[$o, $f]); + // ProcessCallStmt: Make the call + call Call$$_module.Composite.Init($nw, x##3); + // TrCallStmt: After ProcessCallStmt + c#0 := $nw; + defass#c#0 := true; + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(171,8) + // TrCallStmt: Before ProcessCallStmt + assert defass#b#0; + assume true; + assert b#0 != null; + assert defass#a#0; + assert defass#b#0; + assume true; + // ProcessCallStmt: CheckSubrange + S##2 := Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(a#0)), $Box(b#0)); + assert defass#c#0; + assume true; + // ProcessCallStmt: CheckSubrange + child##1 := c#0; + assert defass#c#0; + assume true; + // ProcessCallStmt: CheckSubrange + U##1 := Set#UnionOne(Set#Empty(): Set Box, $Box(c#0)); + assert (forall $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) && (S##2[$Box($o)] || $o == child##1) + ==> $_Frame[$o, $f]); + // ProcessCallStmt: Make the call + call Call$$_module.Composite.Add(b#0, S##2, child##1, U##1); + // TrCallStmt: After ProcessCallStmt + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(172,13) + // TrCallStmt: Before ProcessCallStmt + assert defass#b#0; + assume true; + assert b#0 != null; + assert defass#a#0; + assert defass#b#0; + assert defass#c#0; + assume true; + // ProcessCallStmt: CheckSubrange + S##3 := Set#UnionOne(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(a#0)), $Box(b#0)), + $Box(c#0)); + assert (forall $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) && S##3[$Box($o)] ==> $_Frame[$o, $f]); + // ProcessCallStmt: Make the call + call Call$$_module.Composite.Dislodge(b#0, S##3); + // TrCallStmt: After ProcessCallStmt + // ----- assert statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Composite.dfy(173,3) + assert defass#b#0; + assert {:subsumption 0} b#0 != null; + assume true; + assert read($Heap, b#0, _module.Composite.sum) == LitInt(27); +} + + + +const unique tytagFamily$nat: TyTagFamily; + +const unique tytagFamily$object: TyTagFamily; + +const unique tytagFamily$array: TyTagFamily; + +const unique tytagFamily$_#Func1: TyTagFamily; + +const unique tytagFamily$_#PartialFunc1: TyTagFamily; + +const unique tytagFamily$_#TotalFunc1: TyTagFamily; + +const unique tytagFamily$_#Func0: TyTagFamily; + +const unique tytagFamily$_#PartialFunc0: TyTagFamily; + +const unique tytagFamily$_#TotalFunc0: TyTagFamily; + +const unique tytagFamily$_tuple#2: TyTagFamily; + +const unique tytagFamily$_tuple#0: TyTagFamily; + +const unique tytagFamily$Composite: TyTagFamily; + +const unique tytagFamily$_default: TyTagFamily; + +const unique field$left: NameFamily; + +const unique field$right: NameFamily; + +const unique field$parent: NameFamily; + +const unique field$val: NameFamily; + +const unique field$sum: NameFamily; diff --git a/Test/monomorphize/dafny/FlyingRobots.dfy.bpl b/Test/monomorphize/dafny/FlyingRobots.dfy.bpl new file mode 100644 index 000000000..b2cf91a34 --- /dev/null +++ b/Test/monomorphize/dafny/FlyingRobots.dfy.bpl @@ -0,0 +1,9478 @@ +// Dafny 3.7.3.40719 +// Command Line Options: /compile:0 /print:FlyingRobots.dfy.bpl +// RUN: %parallel-boogie /monomorphize /noVerify "%s" > "%t" + +type Ty; + +type TyTag; + +type TyTagFamily; + +type char; + +type ref; + +type Box; + +type ClassName; + +type HandleType; + +type DatatypeType; + +type DtCtorId; + +type LayerType; + +type Field _; + +type NameFamily; + +type TickType; + +type Seq _; + +type Map _ _; + +type IMap _ _; + +const $$Language$Dafny: bool; + +axiom $$Language$Dafny; + +type Bv0 = int; + +const unique TBool: Ty; + +axiom Tag(TBool) == TagBool; + +const unique TChar: Ty; + +axiom Tag(TChar) == TagChar; + +const unique TInt: Ty; + +axiom Tag(TInt) == TagInt; + +const unique TReal: Ty; + +axiom Tag(TReal) == TagReal; + +const unique TORDINAL: Ty; + +axiom Tag(TORDINAL) == TagORDINAL; + +axiom (forall w: int :: { TBitvector(w) } Inv0_TBitvector(TBitvector(w)) == w); + +function TBitvector(int) : Ty; + +axiom (forall t: Ty :: { TSet(t) } Inv0_TSet(TSet(t)) == t); + +axiom (forall t: Ty :: { TSet(t) } Tag(TSet(t)) == TagSet); + +function TSet(Ty) : Ty; + +axiom (forall t: Ty :: { TISet(t) } Inv0_TISet(TISet(t)) == t); + +axiom (forall t: Ty :: { TISet(t) } Tag(TISet(t)) == TagISet); + +function TISet(Ty) : Ty; + +axiom (forall t: Ty :: { TMultiSet(t) } Inv0_TMultiSet(TMultiSet(t)) == t); + +axiom (forall t: Ty :: { TMultiSet(t) } Tag(TMultiSet(t)) == TagMultiSet); + +function TMultiSet(Ty) : Ty; + +axiom (forall t: Ty :: { TSeq(t) } Inv0_TSeq(TSeq(t)) == t); + +axiom (forall t: Ty :: { TSeq(t) } Tag(TSeq(t)) == TagSeq); + +function TSeq(Ty) : Ty; + +axiom (forall t: Ty, u: Ty :: { TMap(t, u) } Inv0_TMap(TMap(t, u)) == t); + +axiom (forall t: Ty, u: Ty :: { TMap(t, u) } Inv1_TMap(TMap(t, u)) == u); + +axiom (forall t: Ty, u: Ty :: { TMap(t, u) } Tag(TMap(t, u)) == TagMap); + +function TMap(Ty, Ty) : Ty; + +axiom (forall t: Ty, u: Ty :: { TIMap(t, u) } Inv0_TIMap(TIMap(t, u)) == t); + +axiom (forall t: Ty, u: Ty :: { TIMap(t, u) } Inv1_TIMap(TIMap(t, u)) == u); + +axiom (forall t: Ty, u: Ty :: { TIMap(t, u) } Tag(TIMap(t, u)) == TagIMap); + +function TIMap(Ty, Ty) : Ty; + +function Inv0_TBitvector(Ty) : int; + +function Inv0_TSet(Ty) : Ty; + +function Inv0_TISet(Ty) : Ty; + +function Inv0_TSeq(Ty) : Ty; + +function Inv0_TMultiSet(Ty) : Ty; + +function Inv0_TMap(Ty) : Ty; + +function Inv1_TMap(Ty) : Ty; + +function Inv0_TIMap(Ty) : Ty; + +function Inv1_TIMap(Ty) : Ty; + +function Tag(Ty) : TyTag; + +const unique TagBool: TyTag; + +const unique TagChar: TyTag; + +const unique TagInt: TyTag; + +const unique TagReal: TyTag; + +const unique TagORDINAL: TyTag; + +const unique TagSet: TyTag; + +const unique TagISet: TyTag; + +const unique TagMultiSet: TyTag; + +const unique TagSeq: TyTag; + +const unique TagMap: TyTag; + +const unique TagIMap: TyTag; + +const unique TagClass: TyTag; + +function TagFamily(Ty) : TyTagFamily; + +axiom (forall x: T :: { $Box(Lit(x)) } $Box(Lit(x)) == Lit($Box(x))); + +function {:identity} Lit(x: T) : T; + +axiom (forall x: T :: {:identity} { Lit(x): T } Lit(x): T == x); + +axiom (forall x: int :: { $Box(LitInt(x)) } $Box(LitInt(x)) == Lit($Box(x))); + +function {:identity} LitInt(x: int) : int; + +axiom (forall x: int :: {:identity} { LitInt(x): int } LitInt(x): int == x); + +axiom (forall x: real :: { $Box(LitReal(x)) } $Box(LitReal(x)) == Lit($Box(x))); + +function {:identity} LitReal(x: real) : real; + +axiom (forall x: real :: {:identity} { LitReal(x): real } LitReal(x): real == x); + +axiom (forall n: int :: + { char#FromInt(n) } + 0 <= n && n < 65536 ==> char#ToInt(char#FromInt(n)) == n); + +function char#FromInt(int) : char; + +axiom (forall ch: char :: + { char#ToInt(ch) } + char#FromInt(char#ToInt(ch)) == ch + && 0 <= char#ToInt(ch) + && char#ToInt(ch) < 65536); + +function char#ToInt(char) : int; + +axiom (forall a: char, b: char :: + { char#Plus(a, b) } + char#Plus(a, b) == char#FromInt(char#ToInt(a) + char#ToInt(b))); + +function char#Plus(char, char) : char; + +axiom (forall a: char, b: char :: + { char#Minus(a, b) } + char#Minus(a, b) == char#FromInt(char#ToInt(a) - char#ToInt(b))); + +function char#Minus(char, char) : char; + +const null: ref; + +const $ArbitraryBoxValue: Box; + +axiom (forall x: T :: { $Box(x) } $Unbox($Box(x)) == x); + +function $Box(T) : Box; + +function $Unbox(Box) : T; + +function $IsBox(T, Ty) : bool; + +function $IsAllocBox(T, Ty, Heap) : bool; + +axiom (forall bx: Box :: + { $IsBox(bx, TInt) } + $IsBox(bx, TInt) ==> $Box($Unbox(bx): int) == bx && $Is($Unbox(bx): int, TInt)); + +axiom (forall bx: Box :: + { $IsBox(bx, TReal) } + $IsBox(bx, TReal) + ==> $Box($Unbox(bx): real) == bx && $Is($Unbox(bx): real, TReal)); + +axiom (forall bx: Box :: + { $IsBox(bx, TBool) } + $IsBox(bx, TBool) + ==> $Box($Unbox(bx): bool) == bx && $Is($Unbox(bx): bool, TBool)); + +axiom (forall bx: Box :: + { $IsBox(bx, TChar) } + $IsBox(bx, TChar) + ==> $Box($Unbox(bx): char) == bx && $Is($Unbox(bx): char, TChar)); + +axiom (forall bx: Box :: + { $IsBox(bx, TBitvector(0)) } + $IsBox(bx, TBitvector(0)) + ==> $Box($Unbox(bx): Bv0) == bx && $Is($Unbox(bx): Set Box, TBitvector(0))); + +axiom (forall bx: Box, t: Ty :: + { $IsBox(bx, TSet(t)) } + $IsBox(bx, TSet(t)) + ==> $Box($Unbox(bx): Set Box) == bx && $Is($Unbox(bx): Set Box, TSet(t))); + +axiom (forall bx: Box, t: Ty :: + { $IsBox(bx, TISet(t)) } + $IsBox(bx, TISet(t)) + ==> $Box($Unbox(bx): ISet Box) == bx && $Is($Unbox(bx): ISet Box, TISet(t))); + +axiom (forall bx: Box, t: Ty :: + { $IsBox(bx, TMultiSet(t)) } + $IsBox(bx, TMultiSet(t)) + ==> $Box($Unbox(bx): MultiSet Box) == bx + && $Is($Unbox(bx): MultiSet Box, TMultiSet(t))); + +axiom (forall bx: Box, t: Ty :: + { $IsBox(bx, TSeq(t)) } + $IsBox(bx, TSeq(t)) + ==> $Box($Unbox(bx): Seq Box) == bx && $Is($Unbox(bx): Seq Box, TSeq(t))); + +axiom (forall bx: Box, s: Ty, t: Ty :: + { $IsBox(bx, TMap(s, t)) } + $IsBox(bx, TMap(s, t)) + ==> $Box($Unbox(bx): Map Box Box) == bx && $Is($Unbox(bx): Map Box Box, TMap(s, t))); + +axiom (forall bx: Box, s: Ty, t: Ty :: + { $IsBox(bx, TIMap(s, t)) } + $IsBox(bx, TIMap(s, t)) + ==> $Box($Unbox(bx): IMap Box Box) == bx + && $Is($Unbox(bx): IMap Box Box, TIMap(s, t))); + +axiom (forall v: T, t: Ty :: + { $IsBox($Box(v), t) } + $IsBox($Box(v), t) <==> $Is(v, t)); + +axiom (forall v: T, t: Ty, h: Heap :: + { $IsAllocBox($Box(v), t, h) } + $IsAllocBox($Box(v), t, h) <==> $IsAlloc(v, t, h)); + +axiom (forall v: int :: { $Is(v, TInt) } $Is(v, TInt)); + +axiom (forall v: real :: { $Is(v, TReal) } $Is(v, TReal)); + +axiom (forall v: bool :: { $Is(v, TBool) } $Is(v, TBool)); + +axiom (forall v: char :: { $Is(v, TChar) } $Is(v, TChar)); + +axiom (forall v: ORDINAL :: { $Is(v, TORDINAL) } $Is(v, TORDINAL)); + +axiom (forall v: Bv0 :: { $Is(v, TBitvector(0)) } $Is(v, TBitvector(0))); + +axiom (forall v: Set Box, t0: Ty :: + { $Is(v, TSet(t0)) } + $Is(v, TSet(t0)) <==> (forall bx: Box :: { v[bx] } v[bx] ==> $IsBox(bx, t0))); + +axiom (forall v: ISet Box, t0: Ty :: + { $Is(v, TISet(t0)) } + $Is(v, TISet(t0)) <==> (forall bx: Box :: { v[bx] } v[bx] ==> $IsBox(bx, t0))); + +axiom (forall v: MultiSet Box, t0: Ty :: + { $Is(v, TMultiSet(t0)) } + $Is(v, TMultiSet(t0)) + <==> (forall bx: Box :: { v[bx] } 0 < v[bx] ==> $IsBox(bx, t0))); + +axiom (forall v: MultiSet Box, t0: Ty :: + { $Is(v, TMultiSet(t0)) } + $Is(v, TMultiSet(t0)) ==> $IsGoodMultiSet(v)); + +axiom (forall v: Seq Box, t0: Ty :: + { $Is(v, TSeq(t0)) } + $Is(v, TSeq(t0)) + <==> (forall i: int :: + { Seq#Index(v, i) } + 0 <= i && i < Seq#Length(v) ==> $IsBox(Seq#Index(v, i), t0))); + +axiom (forall v: Map Box Box, t0: Ty, t1: Ty :: + { $Is(v, TMap(t0, t1)) } + $Is(v, TMap(t0, t1)) + <==> (forall bx: Box :: + { Map#Elements(v)[bx] } { Map#Domain(v)[bx] } + Map#Domain(v)[bx] ==> $IsBox(Map#Elements(v)[bx], t1) && $IsBox(bx, t0))); + +axiom (forall v: Map Box Box, t0: Ty, t1: Ty :: + { $Is(v, TMap(t0, t1)) } + $Is(v, TMap(t0, t1)) + ==> $Is(Map#Domain(v), TSet(t0)) + && $Is(Map#Values(v), TSet(t1)) + && $Is(Map#Items(v), TSet(Tclass._System.Tuple2(t0, t1)))); + +axiom (forall v: IMap Box Box, t0: Ty, t1: Ty :: + { $Is(v, TIMap(t0, t1)) } + $Is(v, TIMap(t0, t1)) + <==> (forall bx: Box :: + { IMap#Elements(v)[bx] } { IMap#Domain(v)[bx] } + IMap#Domain(v)[bx] ==> $IsBox(IMap#Elements(v)[bx], t1) && $IsBox(bx, t0))); + +axiom (forall v: IMap Box Box, t0: Ty, t1: Ty :: + { $Is(v, TIMap(t0, t1)) } + $Is(v, TIMap(t0, t1)) + ==> $Is(IMap#Domain(v), TISet(t0)) + && $Is(IMap#Values(v), TISet(t1)) + && $Is(IMap#Items(v), TISet(Tclass._System.Tuple2(t0, t1)))); + +function $Is(T, Ty) : bool; + +axiom (forall h: Heap, v: int :: { $IsAlloc(v, TInt, h) } $IsAlloc(v, TInt, h)); + +axiom (forall h: Heap, v: real :: { $IsAlloc(v, TReal, h) } $IsAlloc(v, TReal, h)); + +axiom (forall h: Heap, v: bool :: { $IsAlloc(v, TBool, h) } $IsAlloc(v, TBool, h)); + +axiom (forall h: Heap, v: char :: { $IsAlloc(v, TChar, h) } $IsAlloc(v, TChar, h)); + +axiom (forall h: Heap, v: ORDINAL :: + { $IsAlloc(v, TORDINAL, h) } + $IsAlloc(v, TORDINAL, h)); + +axiom (forall v: Bv0, h: Heap :: + { $IsAlloc(v, TBitvector(0), h) } + $IsAlloc(v, TBitvector(0), h)); + +axiom (forall v: Set Box, t0: Ty, h: Heap :: + { $IsAlloc(v, TSet(t0), h) } + $IsAlloc(v, TSet(t0), h) + <==> (forall bx: Box :: { v[bx] } v[bx] ==> $IsAllocBox(bx, t0, h))); + +axiom (forall v: ISet Box, t0: Ty, h: Heap :: + { $IsAlloc(v, TISet(t0), h) } + $IsAlloc(v, TISet(t0), h) + <==> (forall bx: Box :: { v[bx] } v[bx] ==> $IsAllocBox(bx, t0, h))); + +axiom (forall v: MultiSet Box, t0: Ty, h: Heap :: + { $IsAlloc(v, TMultiSet(t0), h) } + $IsAlloc(v, TMultiSet(t0), h) + <==> (forall bx: Box :: { v[bx] } 0 < v[bx] ==> $IsAllocBox(bx, t0, h))); + +axiom (forall v: Seq Box, t0: Ty, h: Heap :: + { $IsAlloc(v, TSeq(t0), h) } + $IsAlloc(v, TSeq(t0), h) + <==> (forall i: int :: + { Seq#Index(v, i) } + 0 <= i && i < Seq#Length(v) ==> $IsAllocBox(Seq#Index(v, i), t0, h))); + +axiom (forall v: Map Box Box, t0: Ty, t1: Ty, h: Heap :: + { $IsAlloc(v, TMap(t0, t1), h) } + $IsAlloc(v, TMap(t0, t1), h) + <==> (forall bx: Box :: + { Map#Elements(v)[bx] } { Map#Domain(v)[bx] } + Map#Domain(v)[bx] + ==> $IsAllocBox(Map#Elements(v)[bx], t1, h) && $IsAllocBox(bx, t0, h))); + +axiom (forall v: IMap Box Box, t0: Ty, t1: Ty, h: Heap :: + { $IsAlloc(v, TIMap(t0, t1), h) } + $IsAlloc(v, TIMap(t0, t1), h) + <==> (forall bx: Box :: + { IMap#Elements(v)[bx] } { IMap#Domain(v)[bx] } + IMap#Domain(v)[bx] + ==> $IsAllocBox(IMap#Elements(v)[bx], t1, h) && $IsAllocBox(bx, t0, h))); + +function $IsAlloc(T, Ty, Heap) : bool; + +axiom (forall ty: Ty :: + { $AlwaysAllocated(ty) } + $AlwaysAllocated(ty) + ==> (forall h: Heap, v: Box :: + { $IsAllocBox(v, ty, h) } + $IsBox(v, ty) ==> $IsAllocBox(v, ty, h))); + +function $AlwaysAllocated(Ty) : bool; + +function $OlderTag(Heap) : bool; + +const unique class._System.int: ClassName; + +const unique class._System.bool: ClassName; + +const unique class._System.set: ClassName; + +const unique class._System.seq: ClassName; + +const unique class._System.multiset: ClassName; + +function Tclass._System.object?() : Ty; + +function Tclass._System.Tuple2(Ty, Ty) : Ty; + +function dtype(ref) : Ty; + +function TypeTuple(a: ClassName, b: ClassName) : ClassName; + +function TypeTupleCar(ClassName) : ClassName; + +function TypeTupleCdr(ClassName) : ClassName; + +axiom (forall a: ClassName, b: ClassName :: + { TypeTuple(a, b) } + TypeTupleCar(TypeTuple(a, b)) == a && TypeTupleCdr(TypeTuple(a, b)) == b); + +function SetRef_to_SetBox(s: [ref]bool) : Set Box; + +axiom (forall s: [ref]bool, bx: Box :: + { SetRef_to_SetBox(s)[bx] } + SetRef_to_SetBox(s)[bx] == s[$Unbox(bx): ref]); + +axiom (forall s: [ref]bool :: + { SetRef_to_SetBox(s) } + $Is(SetRef_to_SetBox(s), TSet(Tclass._System.object?()))); + +function Apply1(Ty, Ty, Heap, HandleType, Box) : Box; + +function DatatypeCtorId(DatatypeType) : DtCtorId; + +function DtRank(DatatypeType) : int; + +function BoxRank(Box) : int; + +axiom (forall d: DatatypeType :: { BoxRank($Box(d)) } BoxRank($Box(d)) == DtRank(d)); + +type ORDINAL = Box; + +function ORD#IsNat(ORDINAL) : bool; + +function ORD#Offset(ORDINAL) : int; + +axiom (forall o: ORDINAL :: { ORD#Offset(o) } 0 <= ORD#Offset(o)); + +function {:inline} ORD#IsLimit(o: ORDINAL) : bool +{ + ORD#Offset(o) == 0 +} + +function {:inline} ORD#IsSucc(o: ORDINAL) : bool +{ + 0 < ORD#Offset(o) +} + +function ORD#FromNat(int) : ORDINAL; + +axiom (forall n: int :: + { ORD#FromNat(n) } + 0 <= n ==> ORD#IsNat(ORD#FromNat(n)) && ORD#Offset(ORD#FromNat(n)) == n); + +axiom (forall o: ORDINAL :: + { ORD#Offset(o) } { ORD#IsNat(o) } + ORD#IsNat(o) ==> o == ORD#FromNat(ORD#Offset(o))); + +function ORD#Less(ORDINAL, ORDINAL) : bool; + +axiom (forall o: ORDINAL, p: ORDINAL :: + { ORD#Less(o, p) } + (ORD#Less(o, p) ==> o != p) + && (ORD#IsNat(o) && !ORD#IsNat(p) ==> ORD#Less(o, p)) + && (ORD#IsNat(o) && ORD#IsNat(p) + ==> ORD#Less(o, p) == (ORD#Offset(o) < ORD#Offset(p))) + && (ORD#Less(o, p) && ORD#IsNat(p) ==> ORD#IsNat(o))); + +axiom (forall o: ORDINAL, p: ORDINAL :: + { ORD#Less(o, p), ORD#Less(p, o) } + ORD#Less(o, p) || o == p || ORD#Less(p, o)); + +axiom (forall o: ORDINAL, p: ORDINAL, r: ORDINAL :: + { ORD#Less(o, p), ORD#Less(p, r) } { ORD#Less(o, p), ORD#Less(o, r) } + ORD#Less(o, p) && ORD#Less(p, r) ==> ORD#Less(o, r)); + +function ORD#LessThanLimit(ORDINAL, ORDINAL) : bool; + +axiom (forall o: ORDINAL, p: ORDINAL :: + { ORD#LessThanLimit(o, p) } + ORD#LessThanLimit(o, p) == ORD#Less(o, p)); + +function ORD#Plus(ORDINAL, ORDINAL) : ORDINAL; + +axiom (forall o: ORDINAL, p: ORDINAL :: + { ORD#Plus(o, p) } + (ORD#IsNat(ORD#Plus(o, p)) ==> ORD#IsNat(o) && ORD#IsNat(p)) + && (ORD#IsNat(p) + ==> ORD#IsNat(ORD#Plus(o, p)) == ORD#IsNat(o) + && ORD#Offset(ORD#Plus(o, p)) == ORD#Offset(o) + ORD#Offset(p))); + +axiom (forall o: ORDINAL, p: ORDINAL :: + { ORD#Plus(o, p) } + (o == ORD#Plus(o, p) || ORD#Less(o, ORD#Plus(o, p))) + && (p == ORD#Plus(o, p) || ORD#Less(p, ORD#Plus(o, p)))); + +axiom (forall o: ORDINAL, p: ORDINAL :: + { ORD#Plus(o, p) } + (o == ORD#FromNat(0) ==> ORD#Plus(o, p) == p) + && (p == ORD#FromNat(0) ==> ORD#Plus(o, p) == o)); + +function ORD#Minus(ORDINAL, ORDINAL) : ORDINAL; + +axiom (forall o: ORDINAL, p: ORDINAL :: + { ORD#Minus(o, p) } + ORD#IsNat(p) && ORD#Offset(p) <= ORD#Offset(o) + ==> ORD#IsNat(ORD#Minus(o, p)) == ORD#IsNat(o) + && ORD#Offset(ORD#Minus(o, p)) == ORD#Offset(o) - ORD#Offset(p)); + +axiom (forall o: ORDINAL, p: ORDINAL :: + { ORD#Minus(o, p) } + ORD#IsNat(p) && ORD#Offset(p) <= ORD#Offset(o) + ==> (p == ORD#FromNat(0) && ORD#Minus(o, p) == o) + || (p != ORD#FromNat(0) && ORD#Less(ORD#Minus(o, p), o))); + +axiom (forall o: ORDINAL, m: int, n: int :: + { ORD#Plus(ORD#Plus(o, ORD#FromNat(m)), ORD#FromNat(n)) } + 0 <= m && 0 <= n + ==> ORD#Plus(ORD#Plus(o, ORD#FromNat(m)), ORD#FromNat(n)) + == ORD#Plus(o, ORD#FromNat(m + n))); + +axiom (forall o: ORDINAL, m: int, n: int :: + { ORD#Minus(ORD#Minus(o, ORD#FromNat(m)), ORD#FromNat(n)) } + 0 <= m && 0 <= n && m + n <= ORD#Offset(o) + ==> ORD#Minus(ORD#Minus(o, ORD#FromNat(m)), ORD#FromNat(n)) + == ORD#Minus(o, ORD#FromNat(m + n))); + +axiom (forall o: ORDINAL, m: int, n: int :: + { ORD#Minus(ORD#Plus(o, ORD#FromNat(m)), ORD#FromNat(n)) } + 0 <= m && 0 <= n && n <= ORD#Offset(o) + m + ==> (0 <= m - n + ==> ORD#Minus(ORD#Plus(o, ORD#FromNat(m)), ORD#FromNat(n)) + == ORD#Plus(o, ORD#FromNat(m - n))) + && (m - n <= 0 + ==> ORD#Minus(ORD#Plus(o, ORD#FromNat(m)), ORD#FromNat(n)) + == ORD#Minus(o, ORD#FromNat(n - m)))); + +axiom (forall o: ORDINAL, m: int, n: int :: + { ORD#Plus(ORD#Minus(o, ORD#FromNat(m)), ORD#FromNat(n)) } + 0 <= m && 0 <= n && n <= ORD#Offset(o) + m + ==> (0 <= m - n + ==> ORD#Plus(ORD#Minus(o, ORD#FromNat(m)), ORD#FromNat(n)) + == ORD#Minus(o, ORD#FromNat(m - n))) + && (m - n <= 0 + ==> ORD#Plus(ORD#Minus(o, ORD#FromNat(m)), ORD#FromNat(n)) + == ORD#Plus(o, ORD#FromNat(n - m)))); + +const $ModuleContextHeight: int; + +const $FunctionContextHeight: int; + +const $LZ: LayerType; + +function $LS(LayerType) : LayerType; + +function AsFuelBottom(LayerType) : LayerType; + +function AtLayer([LayerType]A, LayerType) : A; + +axiom (forall f: [LayerType]A, ly: LayerType :: + { AtLayer(f, ly) } + AtLayer(f, ly) == f[ly]); + +axiom (forall f: [LayerType]A, ly: LayerType :: + { AtLayer(f, $LS(ly)) } + AtLayer(f, $LS(ly)) == AtLayer(f, ly)); + +axiom FDim(alloc) == 0; + +function FDim(Field T) : int; + +function IndexField(int) : Field Box; + +axiom (forall i: int :: { IndexField(i) } FDim(IndexField(i)) == 1); + +function IndexField_Inverse(Field T) : int; + +axiom (forall i: int :: { IndexField(i) } IndexField_Inverse(IndexField(i)) == i); + +function MultiIndexField(Field Box, int) : Field Box; + +axiom (forall f: Field Box, i: int :: + { MultiIndexField(f, i) } + FDim(MultiIndexField(f, i)) == FDim(f) + 1); + +function MultiIndexField_Inverse0(Field T) : Field T; + +function MultiIndexField_Inverse1(Field T) : int; + +axiom (forall f: Field Box, i: int :: + { MultiIndexField(f, i) } + MultiIndexField_Inverse0(MultiIndexField(f, i)) == f + && MultiIndexField_Inverse1(MultiIndexField(f, i)) == i); + +function DeclType(Field T) : ClassName; + +axiom DeclName(alloc) == allocName; + +function DeclName(Field T) : NameFamily; + +function FieldOfDecl(ClassName, NameFamily) : Field alpha; + +axiom (forall cl: ClassName, nm: NameFamily :: + { FieldOfDecl(cl, nm): Field T } + DeclType(FieldOfDecl(cl, nm): Field T) == cl + && DeclName(FieldOfDecl(cl, nm): Field T) == nm); + +axiom $IsGhostField(alloc); + +axiom (forall h: Heap, k: Heap :: + { $HeapSuccGhost(h, k) } + $HeapSuccGhost(h, k) + ==> $HeapSucc(h, k) + && (forall o: ref, f: Field alpha :: + { read(k, o, f) } + !$IsGhostField(f) ==> read(h, o, f) == read(k, o, f))); + +function $IsGhostField(Field T) : bool; + +axiom (forall h: Heap, k: Heap, v: T, t: Ty :: + { $HeapSucc(h, k), $IsAlloc(v, t, h) } + $HeapSucc(h, k) ==> $IsAlloc(v, t, h) ==> $IsAlloc(v, t, k)); + +axiom (forall h: Heap, k: Heap, bx: Box, t: Ty :: + { $HeapSucc(h, k), $IsAllocBox(bx, t, h) } + $HeapSucc(h, k) ==> $IsAllocBox(bx, t, h) ==> $IsAllocBox(bx, t, k)); + +const unique alloc: Field bool; + +const unique allocName: NameFamily; + +axiom (forall o: ref :: 0 <= _System.array.Length(o)); + +function _System.array.Length(a: ref) : int; + +function Int(x: real) : int; + +axiom (forall x: real :: { Int(x): int } Int(x): int == int(x)); + +function Real(x: int) : real; + +axiom (forall x: int :: { Real(x): real } Real(x): real == real(x)); + +axiom (forall i: int :: { Int(Real(i)) } Int(Real(i)) == i); + +function {:inline} _System.real.Floor(x: real) : int +{ + Int(x) +} + +type Heap = [ref][Field alpha]alpha; + +function {:inline} read(H: Heap, r: ref, f: Field alpha) : alpha +{ + H[r][f] +} + +function {:inline} update(H: Heap, r: ref, f: Field alpha, v: alpha) : Heap +{ + H[r := H[r][f := v]] +} + +function $IsGoodHeap(Heap) : bool; + +function $IsHeapAnchor(Heap) : bool; + +var $Heap: Heap where $IsGoodHeap($Heap) && $IsHeapAnchor($Heap); + +const $OneHeap: Heap; + +axiom $IsGoodHeap($OneHeap); + +function $HeapSucc(Heap, Heap) : bool; + +axiom (forall h: Heap, r: ref, f: Field alpha, x: alpha :: + { update(h, r, f, x) } + $IsGoodHeap(update(h, r, f, x)) ==> $HeapSucc(h, update(h, r, f, x))); + +axiom (forall a: Heap, b: Heap, c: Heap :: + { $HeapSucc(a, b), $HeapSucc(b, c) } + a != c ==> $HeapSucc(a, b) && $HeapSucc(b, c) ==> $HeapSucc(a, c)); + +axiom (forall h: Heap, k: Heap :: + { $HeapSucc(h, k) } + $HeapSucc(h, k) + ==> (forall o: ref :: { read(k, o, alloc) } read(h, o, alloc) ==> read(k, o, alloc))); + +function $HeapSuccGhost(Heap, Heap) : bool; + +var $Tick: TickType; + +procedure $YieldHavoc(this: ref, rds: Set Box, nw: Set Box); + modifies $Heap; + ensures (forall $o: ref, $f: Field alpha :: + { read($Heap, $o, $f) } + $o != null && read(old($Heap), $o, alloc) + ==> + $o == this || rds[$Box($o)] || nw[$Box($o)] + ==> read($Heap, $o, $f) == read(old($Heap), $o, $f)); + ensures $HeapSucc(old($Heap), $Heap); + + + +procedure $IterHavoc0(this: ref, rds: Set Box, modi: Set Box); + modifies $Heap; + ensures (forall $o: ref, $f: Field alpha :: + { read($Heap, $o, $f) } + $o != null && read(old($Heap), $o, alloc) + ==> + rds[$Box($o)] && !modi[$Box($o)] && $o != this + ==> read($Heap, $o, $f) == read(old($Heap), $o, $f)); + ensures $HeapSucc(old($Heap), $Heap); + + + +procedure $IterHavoc1(this: ref, modi: Set Box, nw: Set Box); + modifies $Heap; + ensures (forall $o: ref, $f: Field alpha :: + { read($Heap, $o, $f) } + $o != null && read(old($Heap), $o, alloc) + ==> read($Heap, $o, $f) == read(old($Heap), $o, $f) + || $o == this + || modi[$Box($o)] + || nw[$Box($o)]); + ensures $HeapSucc(old($Heap), $Heap); + + + +procedure $IterCollectNewObjects(prevHeap: Heap, newHeap: Heap, this: ref, NW: Field (Set Box)) + returns (s: Set Box); + ensures (forall bx: Box :: + { s[bx] } + s[bx] + <==> read(newHeap, this, NW)[bx] + || ( + $Unbox(bx) != null + && !read(prevHeap, $Unbox(bx): ref, alloc) + && read(newHeap, $Unbox(bx): ref, alloc))); + + + +type Set T = [T]bool; + +function Set#Card(Set T) : int; + +axiom (forall s: Set T :: { Set#Card(s) } 0 <= Set#Card(s)); + +function Set#Empty() : Set T; + +axiom (forall o: T :: { Set#Empty()[o] } !Set#Empty()[o]); + +axiom (forall s: Set T :: + { Set#Card(s) } + (Set#Card(s) == 0 <==> s == Set#Empty()) + && (Set#Card(s) != 0 ==> (exists x: T :: s[x]))); + +function Set#Singleton(T) : Set T; + +axiom (forall r: T :: { Set#Singleton(r) } Set#Singleton(r)[r]); + +axiom (forall r: T, o: T :: + { Set#Singleton(r)[o] } + Set#Singleton(r)[o] <==> r == o); + +axiom (forall r: T :: + { Set#Card(Set#Singleton(r)) } + Set#Card(Set#Singleton(r)) == 1); + +function Set#UnionOne(Set T, T) : Set T; + +axiom (forall a: Set T, x: T, o: T :: + { Set#UnionOne(a, x)[o] } + Set#UnionOne(a, x)[o] <==> o == x || a[o]); + +axiom (forall a: Set T, x: T :: { Set#UnionOne(a, x) } Set#UnionOne(a, x)[x]); + +axiom (forall a: Set T, x: T, y: T :: + { Set#UnionOne(a, x), a[y] } + a[y] ==> Set#UnionOne(a, x)[y]); + +axiom (forall a: Set T, x: T :: + { Set#Card(Set#UnionOne(a, x)) } + a[x] ==> Set#Card(Set#UnionOne(a, x)) == Set#Card(a)); + +axiom (forall a: Set T, x: T :: + { Set#Card(Set#UnionOne(a, x)) } + !a[x] ==> Set#Card(Set#UnionOne(a, x)) == Set#Card(a) + 1); + +function Set#Union(Set T, Set T) : Set T; + +axiom (forall a: Set T, b: Set T, o: T :: + { Set#Union(a, b)[o] } + Set#Union(a, b)[o] <==> a[o] || b[o]); + +axiom (forall a: Set T, b: Set T, y: T :: + { Set#Union(a, b), a[y] } + a[y] ==> Set#Union(a, b)[y]); + +axiom (forall a: Set T, b: Set T, y: T :: + { Set#Union(a, b), b[y] } + b[y] ==> Set#Union(a, b)[y]); + +axiom (forall a: Set T, b: Set T :: + { Set#Union(a, b) } + Set#Disjoint(a, b) + ==> Set#Difference(Set#Union(a, b), a) == b + && Set#Difference(Set#Union(a, b), b) == a); + +function Set#Intersection(Set T, Set T) : Set T; + +axiom (forall a: Set T, b: Set T, o: T :: + { Set#Intersection(a, b)[o] } + Set#Intersection(a, b)[o] <==> a[o] && b[o]); + +axiom (forall a: Set T, b: Set T :: + { Set#Union(Set#Union(a, b), b) } + Set#Union(Set#Union(a, b), b) == Set#Union(a, b)); + +axiom (forall a: Set T, b: Set T :: + { Set#Union(a, Set#Union(a, b)) } + Set#Union(a, Set#Union(a, b)) == Set#Union(a, b)); + +axiom (forall a: Set T, b: Set T :: + { Set#Intersection(Set#Intersection(a, b), b) } + Set#Intersection(Set#Intersection(a, b), b) == Set#Intersection(a, b)); + +axiom (forall a: Set T, b: Set T :: + { Set#Intersection(a, Set#Intersection(a, b)) } + Set#Intersection(a, Set#Intersection(a, b)) == Set#Intersection(a, b)); + +axiom (forall a: Set T, b: Set T :: + { Set#Card(Set#Union(a, b)) } { Set#Card(Set#Intersection(a, b)) } + Set#Card(Set#Union(a, b)) + Set#Card(Set#Intersection(a, b)) + == Set#Card(a) + Set#Card(b)); + +function Set#Difference(Set T, Set T) : Set T; + +axiom (forall a: Set T, b: Set T, o: T :: + { Set#Difference(a, b)[o] } + Set#Difference(a, b)[o] <==> a[o] && !b[o]); + +axiom (forall a: Set T, b: Set T, y: T :: + { Set#Difference(a, b), b[y] } + b[y] ==> !Set#Difference(a, b)[y]); + +axiom (forall a: Set T, b: Set T :: + { Set#Card(Set#Difference(a, b)) } + Set#Card(Set#Difference(a, b)) + + Set#Card(Set#Difference(b, a)) + + Set#Card(Set#Intersection(a, b)) + == Set#Card(Set#Union(a, b)) + && Set#Card(Set#Difference(a, b)) == Set#Card(a) - Set#Card(Set#Intersection(a, b))); + +function Set#Subset(Set T, Set T) : bool; + +axiom (forall a: Set T, b: Set T :: + { Set#Subset(a, b) } + Set#Subset(a, b) <==> (forall o: T :: { a[o] } { b[o] } a[o] ==> b[o])); + +function Set#Equal(Set T, Set T) : bool; + +axiom (forall a: Set T, b: Set T :: + { Set#Equal(a, b) } + Set#Equal(a, b) <==> (forall o: T :: { a[o] } { b[o] } a[o] <==> b[o])); + +axiom (forall a: Set T, b: Set T :: { Set#Equal(a, b) } Set#Equal(a, b) ==> a == b); + +function Set#Disjoint(Set T, Set T) : bool; + +axiom (forall a: Set T, b: Set T :: + { Set#Disjoint(a, b) } + Set#Disjoint(a, b) <==> (forall o: T :: { a[o] } { b[o] } !a[o] || !b[o])); + +type ISet T = [T]bool; + +function ISet#Empty() : Set T; + +axiom (forall o: T :: { ISet#Empty()[o] } !ISet#Empty()[o]); + +function ISet#UnionOne(ISet T, T) : ISet T; + +axiom (forall a: ISet T, x: T, o: T :: + { ISet#UnionOne(a, x)[o] } + ISet#UnionOne(a, x)[o] <==> o == x || a[o]); + +axiom (forall a: ISet T, x: T :: { ISet#UnionOne(a, x) } ISet#UnionOne(a, x)[x]); + +axiom (forall a: ISet T, x: T, y: T :: + { ISet#UnionOne(a, x), a[y] } + a[y] ==> ISet#UnionOne(a, x)[y]); + +function ISet#Union(ISet T, ISet T) : ISet T; + +axiom (forall a: ISet T, b: ISet T, o: T :: + { ISet#Union(a, b)[o] } + ISet#Union(a, b)[o] <==> a[o] || b[o]); + +axiom (forall a: ISet T, b: ISet T, y: T :: + { ISet#Union(a, b), a[y] } + a[y] ==> ISet#Union(a, b)[y]); + +axiom (forall a: Set T, b: Set T, y: T :: + { ISet#Union(a, b), b[y] } + b[y] ==> ISet#Union(a, b)[y]); + +axiom (forall a: ISet T, b: ISet T :: + { ISet#Union(a, b) } + ISet#Disjoint(a, b) + ==> ISet#Difference(ISet#Union(a, b), a) == b + && ISet#Difference(ISet#Union(a, b), b) == a); + +function ISet#Intersection(ISet T, ISet T) : ISet T; + +axiom (forall a: ISet T, b: ISet T, o: T :: + { ISet#Intersection(a, b)[o] } + ISet#Intersection(a, b)[o] <==> a[o] && b[o]); + +axiom (forall a: ISet T, b: ISet T :: + { ISet#Union(ISet#Union(a, b), b) } + ISet#Union(ISet#Union(a, b), b) == ISet#Union(a, b)); + +axiom (forall a: Set T, b: Set T :: + { ISet#Union(a, ISet#Union(a, b)) } + ISet#Union(a, ISet#Union(a, b)) == ISet#Union(a, b)); + +axiom (forall a: ISet T, b: ISet T :: + { ISet#Intersection(ISet#Intersection(a, b), b) } + ISet#Intersection(ISet#Intersection(a, b), b) == ISet#Intersection(a, b)); + +axiom (forall a: ISet T, b: ISet T :: + { ISet#Intersection(a, ISet#Intersection(a, b)) } + ISet#Intersection(a, ISet#Intersection(a, b)) == ISet#Intersection(a, b)); + +function ISet#Difference(ISet T, ISet T) : ISet T; + +axiom (forall a: ISet T, b: ISet T, o: T :: + { ISet#Difference(a, b)[o] } + ISet#Difference(a, b)[o] <==> a[o] && !b[o]); + +axiom (forall a: ISet T, b: ISet T, y: T :: + { ISet#Difference(a, b), b[y] } + b[y] ==> !ISet#Difference(a, b)[y]); + +function ISet#Subset(ISet T, ISet T) : bool; + +axiom (forall a: ISet T, b: ISet T :: + { ISet#Subset(a, b) } + ISet#Subset(a, b) <==> (forall o: T :: { a[o] } { b[o] } a[o] ==> b[o])); + +function ISet#Equal(ISet T, ISet T) : bool; + +axiom (forall a: ISet T, b: ISet T :: + { ISet#Equal(a, b) } + ISet#Equal(a, b) <==> (forall o: T :: { a[o] } { b[o] } a[o] <==> b[o])); + +axiom (forall a: ISet T, b: ISet T :: + { ISet#Equal(a, b) } + ISet#Equal(a, b) ==> a == b); + +function ISet#Disjoint(ISet T, ISet T) : bool; + +axiom (forall a: ISet T, b: ISet T :: + { ISet#Disjoint(a, b) } + ISet#Disjoint(a, b) <==> (forall o: T :: { a[o] } { b[o] } !a[o] || !b[o])); + +function Math#min(a: int, b: int) : int; + +axiom (forall a: int, b: int :: { Math#min(a, b) } a <= b <==> Math#min(a, b) == a); + +axiom (forall a: int, b: int :: { Math#min(a, b) } b <= a <==> Math#min(a, b) == b); + +axiom (forall a: int, b: int :: + { Math#min(a, b) } + Math#min(a, b) == a || Math#min(a, b) == b); + +function Math#clip(a: int) : int; + +axiom (forall a: int :: { Math#clip(a) } 0 <= a ==> Math#clip(a) == a); + +axiom (forall a: int :: { Math#clip(a) } a < 0 ==> Math#clip(a) == 0); + +type MultiSet T = [T]int; + +function $IsGoodMultiSet(ms: MultiSet T) : bool; + +axiom (forall ms: MultiSet T :: + { $IsGoodMultiSet(ms) } + $IsGoodMultiSet(ms) + <==> (forall bx: T :: { ms[bx] } 0 <= ms[bx] && ms[bx] <= MultiSet#Card(ms))); + +function MultiSet#Card(MultiSet T) : int; + +axiom (forall s: MultiSet T :: { MultiSet#Card(s) } 0 <= MultiSet#Card(s)); + +axiom (forall s: MultiSet T, x: T, n: int :: + { MultiSet#Card(s[x := n]) } + 0 <= n ==> MultiSet#Card(s[x := n]) == MultiSet#Card(s) - s[x] + n); + +function MultiSet#Empty() : MultiSet T; + +axiom (forall o: T :: { MultiSet#Empty()[o] } MultiSet#Empty()[o] == 0); + +axiom (forall s: MultiSet T :: + { MultiSet#Card(s) } + (MultiSet#Card(s) == 0 <==> s == MultiSet#Empty()) + && (MultiSet#Card(s) != 0 ==> (exists x: T :: 0 < s[x]))); + +function MultiSet#Singleton(T) : MultiSet T; + +axiom (forall r: T, o: T :: + { MultiSet#Singleton(r)[o] } + (MultiSet#Singleton(r)[o] == 1 <==> r == o) + && (MultiSet#Singleton(r)[o] == 0 <==> r != o)); + +axiom (forall r: T :: + { MultiSet#Singleton(r) } + MultiSet#Singleton(r) == MultiSet#UnionOne(MultiSet#Empty(), r)); + +function MultiSet#UnionOne(MultiSet T, T) : MultiSet T; + +axiom (forall a: MultiSet T, x: T, o: T :: + { MultiSet#UnionOne(a, x)[o] } + 0 < MultiSet#UnionOne(a, x)[o] <==> o == x || 0 < a[o]); + +axiom (forall a: MultiSet T, x: T :: + { MultiSet#UnionOne(a, x) } + MultiSet#UnionOne(a, x)[x] == a[x] + 1); + +axiom (forall a: MultiSet T, x: T, y: T :: + { MultiSet#UnionOne(a, x), a[y] } + 0 < a[y] ==> 0 < MultiSet#UnionOne(a, x)[y]); + +axiom (forall a: MultiSet T, x: T, y: T :: + { MultiSet#UnionOne(a, x), a[y] } + x != y ==> a[y] == MultiSet#UnionOne(a, x)[y]); + +axiom (forall a: MultiSet T, x: T :: + { MultiSet#Card(MultiSet#UnionOne(a, x)) } + MultiSet#Card(MultiSet#UnionOne(a, x)) == MultiSet#Card(a) + 1); + +function MultiSet#Union(MultiSet T, MultiSet T) : MultiSet T; + +axiom (forall a: MultiSet T, b: MultiSet T, o: T :: + { MultiSet#Union(a, b)[o] } + MultiSet#Union(a, b)[o] == a[o] + b[o]); + +axiom (forall a: MultiSet T, b: MultiSet T :: + { MultiSet#Card(MultiSet#Union(a, b)) } + MultiSet#Card(MultiSet#Union(a, b)) == MultiSet#Card(a) + MultiSet#Card(b)); + +function MultiSet#Intersection(MultiSet T, MultiSet T) : MultiSet T; + +axiom (forall a: MultiSet T, b: MultiSet T, o: T :: + { MultiSet#Intersection(a, b)[o] } + MultiSet#Intersection(a, b)[o] == Math#min(a[o], b[o])); + +axiom (forall a: MultiSet T, b: MultiSet T :: + { MultiSet#Intersection(MultiSet#Intersection(a, b), b) } + MultiSet#Intersection(MultiSet#Intersection(a, b), b) + == MultiSet#Intersection(a, b)); + +axiom (forall a: MultiSet T, b: MultiSet T :: + { MultiSet#Intersection(a, MultiSet#Intersection(a, b)) } + MultiSet#Intersection(a, MultiSet#Intersection(a, b)) + == MultiSet#Intersection(a, b)); + +function MultiSet#Difference(MultiSet T, MultiSet T) : MultiSet T; + +axiom (forall a: MultiSet T, b: MultiSet T, o: T :: + { MultiSet#Difference(a, b)[o] } + MultiSet#Difference(a, b)[o] == Math#clip(a[o] - b[o])); + +axiom (forall a: MultiSet T, b: MultiSet T, y: T :: + { MultiSet#Difference(a, b), b[y], a[y] } + a[y] <= b[y] ==> MultiSet#Difference(a, b)[y] == 0); + +axiom (forall a: MultiSet T, b: MultiSet T :: + { MultiSet#Card(MultiSet#Difference(a, b)) } + MultiSet#Card(MultiSet#Difference(a, b)) + + MultiSet#Card(MultiSet#Difference(b, a)) + + 2 * MultiSet#Card(MultiSet#Intersection(a, b)) + == MultiSet#Card(MultiSet#Union(a, b)) + && MultiSet#Card(MultiSet#Difference(a, b)) + == MultiSet#Card(a) - MultiSet#Card(MultiSet#Intersection(a, b))); + +function MultiSet#Subset(MultiSet T, MultiSet T) : bool; + +axiom (forall a: MultiSet T, b: MultiSet T :: + { MultiSet#Subset(a, b) } + MultiSet#Subset(a, b) <==> (forall o: T :: { a[o] } { b[o] } a[o] <= b[o])); + +function MultiSet#Equal(MultiSet T, MultiSet T) : bool; + +axiom (forall a: MultiSet T, b: MultiSet T :: + { MultiSet#Equal(a, b) } + MultiSet#Equal(a, b) <==> (forall o: T :: { a[o] } { b[o] } a[o] == b[o])); + +axiom (forall a: MultiSet T, b: MultiSet T :: + { MultiSet#Equal(a, b) } + MultiSet#Equal(a, b) ==> a == b); + +function MultiSet#Disjoint(MultiSet T, MultiSet T) : bool; + +axiom (forall a: MultiSet T, b: MultiSet T :: + { MultiSet#Disjoint(a, b) } + MultiSet#Disjoint(a, b) + <==> (forall o: T :: { a[o] } { b[o] } a[o] == 0 || b[o] == 0)); + +function MultiSet#FromSet(Set T) : MultiSet T; + +axiom (forall s: Set T, a: T :: + { MultiSet#FromSet(s)[a] } + (MultiSet#FromSet(s)[a] == 0 <==> !s[a]) + && (MultiSet#FromSet(s)[a] == 1 <==> s[a])); + +axiom (forall s: Set T :: + { MultiSet#Card(MultiSet#FromSet(s)) } + MultiSet#Card(MultiSet#FromSet(s)) == Set#Card(s)); + +axiom (forall :: + MultiSet#FromSeq(Seq#Empty(): Seq T) == MultiSet#Empty(): MultiSet T); + +function MultiSet#FromSeq(Seq T) : MultiSet T; + +axiom (forall s: Seq T :: + { MultiSet#FromSeq(s) } + $IsGoodMultiSet(MultiSet#FromSeq(s))); + +axiom (forall s: Seq T :: + { MultiSet#Card(MultiSet#FromSeq(s)) } + MultiSet#Card(MultiSet#FromSeq(s)) == Seq#Length(s)); + +axiom (forall s: Seq T, v: T :: + { MultiSet#FromSeq(Seq#Build(s, v)) } + MultiSet#FromSeq(Seq#Build(s, v)) == MultiSet#UnionOne(MultiSet#FromSeq(s), v)); + +axiom (forall a: Seq T, b: Seq T :: + { MultiSet#FromSeq(Seq#Append(a, b)) } + MultiSet#FromSeq(Seq#Append(a, b)) + == MultiSet#Union(MultiSet#FromSeq(a), MultiSet#FromSeq(b))); + +axiom (forall s: Seq T, i: int, v: T, x: T :: + { MultiSet#FromSeq(Seq#Update(s, i, v))[x] } + 0 <= i && i < Seq#Length(s) + ==> MultiSet#FromSeq(Seq#Update(s, i, v))[x] + == MultiSet#Union(MultiSet#Difference(MultiSet#FromSeq(s), MultiSet#Singleton(Seq#Index(s, i))), + MultiSet#Singleton(v))[x]); + +axiom (forall s: Seq T, x: T :: + { MultiSet#FromSeq(s)[x] } + (exists i: int :: + { Seq#Index(s, i) } + 0 <= i && i < Seq#Length(s) && x == Seq#Index(s, i)) + <==> 0 < MultiSet#FromSeq(s)[x]); + +function Seq#Length(Seq T) : int; + +axiom (forall s: Seq T :: { Seq#Length(s) } 0 <= Seq#Length(s)); + +function Seq#Empty() : Seq T; + +axiom (forall :: { Seq#Empty(): Seq T } Seq#Length(Seq#Empty(): Seq T) == 0); + +axiom (forall s: Seq T :: + { Seq#Length(s) } + Seq#Length(s) == 0 ==> s == Seq#Empty()); + +function Seq#Singleton(T) : Seq T; + +axiom (forall t: T :: + { Seq#Length(Seq#Singleton(t)) } + Seq#Length(Seq#Singleton(t)) == 1); + +function Seq#Build(s: Seq T, val: T) : Seq T; + +function Seq#Build_inv0(s: Seq T) : Seq T; + +function Seq#Build_inv1(s: Seq T) : T; + +axiom (forall s: Seq T, val: T :: + { Seq#Build(s, val) } + Seq#Build_inv0(Seq#Build(s, val)) == s + && Seq#Build_inv1(Seq#Build(s, val)) == val); + +axiom (forall s: Seq T, v: T :: + { Seq#Build(s, v) } + Seq#Length(Seq#Build(s, v)) == 1 + Seq#Length(s)); + +axiom (forall s: Seq T, i: int, v: T :: + { Seq#Index(Seq#Build(s, v), i) } + (i == Seq#Length(s) ==> Seq#Index(Seq#Build(s, v), i) == v) + && (i != Seq#Length(s) ==> Seq#Index(Seq#Build(s, v), i) == Seq#Index(s, i))); + +axiom (forall s: Seq Box, bx: Box, t: Ty :: + { $Is(Seq#Build(s, bx), TSeq(t)) } + $Is(s, TSeq(t)) && $IsBox(bx, t) ==> $Is(Seq#Build(s, bx), TSeq(t))); + +function Seq#Create(ty: Ty, heap: Heap, len: int, init: HandleType) : Seq Box; + +axiom (forall ty: Ty, heap: Heap, len: int, init: HandleType :: + { Seq#Length(Seq#Create(ty, heap, len, init): Seq Box) } + $IsGoodHeap(heap) && 0 <= len + ==> Seq#Length(Seq#Create(ty, heap, len, init): Seq Box) == len); + +axiom (forall ty: Ty, heap: Heap, len: int, init: HandleType, i: int :: + { Seq#Index(Seq#Create(ty, heap, len, init), i) } + $IsGoodHeap(heap) && 0 <= i && i < len + ==> Seq#Index(Seq#Create(ty, heap, len, init), i) + == Apply1(TInt, TSeq(ty), heap, init, $Box(i))); + +function Seq#Append(Seq T, Seq T) : Seq T; + +axiom (forall s0: Seq T, s1: Seq T :: + { Seq#Length(Seq#Append(s0, s1)) } + Seq#Length(Seq#Append(s0, s1)) == Seq#Length(s0) + Seq#Length(s1)); + +function Seq#Index(Seq T, int) : T; + +axiom (forall t: T :: + { Seq#Index(Seq#Singleton(t), 0) } + Seq#Index(Seq#Singleton(t), 0) == t); + +axiom (forall s0: Seq T, s1: Seq T, n: int :: + { Seq#Index(Seq#Append(s0, s1), n) } + (n < Seq#Length(s0) ==> Seq#Index(Seq#Append(s0, s1), n) == Seq#Index(s0, n)) + && (Seq#Length(s0) <= n + ==> Seq#Index(Seq#Append(s0, s1), n) == Seq#Index(s1, n - Seq#Length(s0)))); + +function Seq#Update(Seq T, int, T) : Seq T; + +axiom (forall s: Seq T, i: int, v: T :: + { Seq#Length(Seq#Update(s, i, v)) } + 0 <= i && i < Seq#Length(s) ==> Seq#Length(Seq#Update(s, i, v)) == Seq#Length(s)); + +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Index(Seq#Update(s, i, v), n) } + 0 <= n && n < Seq#Length(s) + ==> (i == n ==> Seq#Index(Seq#Update(s, i, v), n) == v) + && (i != n ==> Seq#Index(Seq#Update(s, i, v), n) == Seq#Index(s, n))); + +function Seq#Contains(Seq T, T) : bool; + +axiom (forall s: Seq T, x: T :: + { Seq#Contains(s, x) } + Seq#Contains(s, x) + <==> (exists i: int :: + { Seq#Index(s, i) } + 0 <= i && i < Seq#Length(s) && Seq#Index(s, i) == x)); + +axiom (forall x: T :: + { Seq#Contains(Seq#Empty(), x) } + !Seq#Contains(Seq#Empty(), x)); + +axiom (forall s0: Seq T, s1: Seq T, x: T :: + { Seq#Contains(Seq#Append(s0, s1), x) } + Seq#Contains(Seq#Append(s0, s1), x) + <==> Seq#Contains(s0, x) || Seq#Contains(s1, x)); + +axiom (forall s: Seq T, v: T, x: T :: + { Seq#Contains(Seq#Build(s, v), x) } + Seq#Contains(Seq#Build(s, v), x) <==> v == x || Seq#Contains(s, x)); + +axiom (forall s: Seq T, n: int, x: T :: + { Seq#Contains(Seq#Take(s, n), x) } + Seq#Contains(Seq#Take(s, n), x) + <==> (exists i: int :: + { Seq#Index(s, i) } + 0 <= i && i < n && i < Seq#Length(s) && Seq#Index(s, i) == x)); + +axiom (forall s: Seq T, n: int, x: T :: + { Seq#Contains(Seq#Drop(s, n), x) } + Seq#Contains(Seq#Drop(s, n), x) + <==> (exists i: int :: + { Seq#Index(s, i) } + 0 <= n && n <= i && i < Seq#Length(s) && Seq#Index(s, i) == x)); + +function Seq#Equal(Seq T, Seq T) : bool; + +axiom (forall s0: Seq T, s1: Seq T :: + { Seq#Equal(s0, s1) } + Seq#Equal(s0, s1) + <==> Seq#Length(s0) == Seq#Length(s1) + && (forall j: int :: + { Seq#Index(s0, j) } { Seq#Index(s1, j) } + 0 <= j && j < Seq#Length(s0) ==> Seq#Index(s0, j) == Seq#Index(s1, j))); + +axiom (forall a: Seq T, b: Seq T :: { Seq#Equal(a, b) } Seq#Equal(a, b) ==> a == b); + +function Seq#SameUntil(Seq T, Seq T, int) : bool; + +axiom (forall s0: Seq T, s1: Seq T, n: int :: + { Seq#SameUntil(s0, s1, n) } + Seq#SameUntil(s0, s1, n) + <==> (forall j: int :: + { Seq#Index(s0, j) } { Seq#Index(s1, j) } + 0 <= j && j < n ==> Seq#Index(s0, j) == Seq#Index(s1, j))); + +function Seq#Take(s: Seq T, howMany: int) : Seq T; + +axiom (forall s: Seq T, n: int :: + { Seq#Length(Seq#Take(s, n)) } + 0 <= n && n <= Seq#Length(s) ==> Seq#Length(Seq#Take(s, n)) == n); + +axiom (forall s: Seq T, n: int, j: int :: + {:weight 25} { Seq#Index(Seq#Take(s, n), j) } { Seq#Index(s, j), Seq#Take(s, n) } + 0 <= j && j < n && j < Seq#Length(s) + ==> Seq#Index(Seq#Take(s, n), j) == Seq#Index(s, j)); + +function Seq#Drop(s: Seq T, howMany: int) : Seq T; + +axiom (forall s: Seq T, n: int :: + { Seq#Length(Seq#Drop(s, n)) } + 0 <= n && n <= Seq#Length(s) ==> Seq#Length(Seq#Drop(s, n)) == Seq#Length(s) - n); + +axiom (forall s: Seq T, n: int, j: int :: + {:weight 25} { Seq#Index(Seq#Drop(s, n), j) } + 0 <= n && 0 <= j && j < Seq#Length(s) - n + ==> Seq#Index(Seq#Drop(s, n), j) == Seq#Index(s, j + n)); + +axiom (forall s: Seq T, n: int, k: int :: + {:weight 25} { Seq#Index(s, k), Seq#Drop(s, n) } + 0 <= n && n <= k && k < Seq#Length(s) + ==> Seq#Index(Seq#Drop(s, n), k - n) == Seq#Index(s, k)); + +axiom (forall s: Seq T, t: Seq T, n: int :: + { Seq#Take(Seq#Append(s, t), n) } { Seq#Drop(Seq#Append(s, t), n) } + n == Seq#Length(s) + ==> Seq#Take(Seq#Append(s, t), n) == s && Seq#Drop(Seq#Append(s, t), n) == t); + +function Seq#FromArray(h: Heap, a: ref) : Seq Box; + +axiom (forall h: Heap, a: ref :: + { Seq#Length(Seq#FromArray(h, a)) } + Seq#Length(Seq#FromArray(h, a)) == _System.array.Length(a)); + +axiom (forall h: Heap, a: ref :: + { Seq#FromArray(h, a) } + (forall i: int :: + { read(h, a, IndexField(i)) } { Seq#Index(Seq#FromArray(h, a): Seq Box, i) } + 0 <= i && i < Seq#Length(Seq#FromArray(h, a)) + ==> Seq#Index(Seq#FromArray(h, a), i) == read(h, a, IndexField(i)))); + +axiom (forall h0: Heap, h1: Heap, a: ref :: + { Seq#FromArray(h1, a), $HeapSucc(h0, h1) } + $IsGoodHeap(h0) && $IsGoodHeap(h1) && $HeapSucc(h0, h1) && h0[a] == h1[a] + ==> Seq#FromArray(h0, a) == Seq#FromArray(h1, a)); + +axiom (forall h: Heap, i: int, v: Box, a: ref :: + { Seq#FromArray(update(h, a, IndexField(i), v), a) } + 0 <= i && i < _System.array.Length(a) + ==> Seq#FromArray(update(h, a, IndexField(i), v), a) + == Seq#Update(Seq#FromArray(h, a), i, v)); + +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Take(Seq#Update(s, i, v), n) } + 0 <= i && i < n && n <= Seq#Length(s) + ==> Seq#Take(Seq#Update(s, i, v), n) == Seq#Update(Seq#Take(s, n), i, v)); + +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Take(Seq#Update(s, i, v), n) } + n <= i && i < Seq#Length(s) + ==> Seq#Take(Seq#Update(s, i, v), n) == Seq#Take(s, n)); + +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Drop(Seq#Update(s, i, v), n) } + 0 <= n && n <= i && i < Seq#Length(s) + ==> Seq#Drop(Seq#Update(s, i, v), n) == Seq#Update(Seq#Drop(s, n), i - n, v)); + +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Drop(Seq#Update(s, i, v), n) } + 0 <= i && i < n && n <= Seq#Length(s) + ==> Seq#Drop(Seq#Update(s, i, v), n) == Seq#Drop(s, n)); + +axiom (forall h: Heap, a: ref, n0: int, n1: int :: + { Seq#Take(Seq#FromArray(h, a), n0), Seq#Take(Seq#FromArray(h, a), n1) } + n0 + 1 == n1 && 0 <= n0 && n1 <= _System.array.Length(a) + ==> Seq#Take(Seq#FromArray(h, a), n1) + == Seq#Build(Seq#Take(Seq#FromArray(h, a), n0), read(h, a, IndexField(n0): Field Box))); + +axiom (forall s: Seq T, v: T, n: int :: + { Seq#Drop(Seq#Build(s, v), n) } + 0 <= n && n <= Seq#Length(s) + ==> Seq#Drop(Seq#Build(s, v), n) == Seq#Build(Seq#Drop(s, n), v)); + +function Seq#Rank(Seq T) : int; + +axiom (forall s: Seq Box, i: int :: + { DtRank($Unbox(Seq#Index(s, i)): DatatypeType) } + 0 <= i && i < Seq#Length(s) + ==> DtRank($Unbox(Seq#Index(s, i)): DatatypeType) < Seq#Rank(s)); + +axiom (forall s: Seq T, i: int :: + { Seq#Rank(Seq#Drop(s, i)) } + 0 < i && i <= Seq#Length(s) ==> Seq#Rank(Seq#Drop(s, i)) < Seq#Rank(s)); + +axiom (forall s: Seq T, i: int :: + { Seq#Rank(Seq#Take(s, i)) } + 0 <= i && i < Seq#Length(s) ==> Seq#Rank(Seq#Take(s, i)) < Seq#Rank(s)); + +axiom (forall s: Seq T, i: int, j: int :: + { Seq#Rank(Seq#Append(Seq#Take(s, i), Seq#Drop(s, j))) } + 0 <= i && i < j && j <= Seq#Length(s) + ==> Seq#Rank(Seq#Append(Seq#Take(s, i), Seq#Drop(s, j))) < Seq#Rank(s)); + +axiom (forall s: Seq T, n: int :: + { Seq#Drop(s, n) } + n == 0 ==> Seq#Drop(s, n) == s); + +axiom (forall s: Seq T, n: int :: + { Seq#Take(s, n) } + n == 0 ==> Seq#Take(s, n) == Seq#Empty()); + +axiom (forall s: Seq T, m: int, n: int :: + { Seq#Drop(Seq#Drop(s, m), n) } + 0 <= m && 0 <= n && m + n <= Seq#Length(s) + ==> Seq#Drop(Seq#Drop(s, m), n) == Seq#Drop(s, m + n)); + +function Map#Domain(Map U V) : Set U; + +function Map#Elements(Map U V) : [U]V; + +function Map#Card(Map U V) : int; + +axiom (forall m: Map U V :: { Map#Card(m) } 0 <= Map#Card(m)); + +axiom (forall m: Map U V :: + { Map#Card(m) } + Map#Card(m) == 0 <==> m == Map#Empty()); + +axiom (forall m: Map U V :: + { Map#Domain(m) } + m == Map#Empty() || (exists k: U :: Map#Domain(m)[k])); + +axiom (forall m: Map U V :: + { Map#Values(m) } + m == Map#Empty() || (exists v: V :: Map#Values(m)[v])); + +axiom (forall m: Map U V :: + { Map#Items(m) } + m == Map#Empty() + || (exists k: Box, v: Box :: Map#Items(m)[$Box(#_System._tuple#2._#Make2(k, v))])); + +axiom (forall m: Map U V :: + { Set#Card(Map#Domain(m)) } + Set#Card(Map#Domain(m)) == Map#Card(m)); + +axiom (forall m: Map U V :: + { Set#Card(Map#Values(m)) } + Set#Card(Map#Values(m)) <= Map#Card(m)); + +axiom (forall m: Map U V :: + { Set#Card(Map#Items(m)) } + Set#Card(Map#Items(m)) == Map#Card(m)); + +function Map#Values(Map U V) : Set V; + +axiom (forall m: Map U V, v: V :: + { Map#Values(m)[v] } + Map#Values(m)[v] + == (exists u: U :: + { Map#Domain(m)[u] } { Map#Elements(m)[u] } + Map#Domain(m)[u] && v == Map#Elements(m)[u])); + +function Map#Items(Map U V) : Set Box; + +function #_System._tuple#2._#Make2(Box, Box) : DatatypeType; + +function _System.Tuple2._0(DatatypeType) : Box; + +function _System.Tuple2._1(DatatypeType) : Box; + +axiom (forall m: Map Box Box, item: Box :: + { Map#Items(m)[item] } + Map#Items(m)[item] + <==> Map#Domain(m)[_System.Tuple2._0($Unbox(item))] + && Map#Elements(m)[_System.Tuple2._0($Unbox(item))] + == _System.Tuple2._1($Unbox(item))); + +function Map#Empty() : Map U V; + +axiom (forall u: U :: + { Map#Domain(Map#Empty(): Map U V)[u] } + !Map#Domain(Map#Empty(): Map U V)[u]); + +function Map#Glue([U]bool, [U]V, Ty) : Map U V; + +axiom (forall a: [U]bool, b: [U]V, t: Ty :: + { Map#Domain(Map#Glue(a, b, t)) } + Map#Domain(Map#Glue(a, b, t)) == a); + +axiom (forall a: [U]bool, b: [U]V, t: Ty :: + { Map#Elements(Map#Glue(a, b, t)) } + Map#Elements(Map#Glue(a, b, t)) == b); + +axiom (forall a: [Box]bool, b: [Box]Box, t0: Ty, t1: Ty :: + { Map#Glue(a, b, TMap(t0, t1)) } + (forall bx: Box :: a[bx] ==> $IsBox(bx, t0) && $IsBox(b[bx], t1)) + ==> $Is(Map#Glue(a, b, TMap(t0, t1)), TMap(t0, t1))); + +function Map#Build(Map U V, U, V) : Map U V; + +axiom (forall m: Map U V, u: U, u': U, v: V :: + { Map#Domain(Map#Build(m, u, v))[u'] } { Map#Elements(Map#Build(m, u, v))[u'] } + (u' == u + ==> Map#Domain(Map#Build(m, u, v))[u'] && Map#Elements(Map#Build(m, u, v))[u'] == v) + && (u' != u + ==> Map#Domain(Map#Build(m, u, v))[u'] == Map#Domain(m)[u'] + && Map#Elements(Map#Build(m, u, v))[u'] == Map#Elements(m)[u'])); + +axiom (forall m: Map U V, u: U, v: V :: + { Map#Card(Map#Build(m, u, v)) } + Map#Domain(m)[u] ==> Map#Card(Map#Build(m, u, v)) == Map#Card(m)); + +axiom (forall m: Map U V, u: U, v: V :: + { Map#Card(Map#Build(m, u, v)) } + !Map#Domain(m)[u] ==> Map#Card(Map#Build(m, u, v)) == Map#Card(m) + 1); + +function Map#Merge(Map U V, Map U V) : Map U V; + +axiom (forall m: Map U V, n: Map U V :: + { Map#Domain(Map#Merge(m, n)) } + Map#Domain(Map#Merge(m, n)) == Set#Union(Map#Domain(m), Map#Domain(n))); + +axiom (forall m: Map U V, n: Map U V, u: U :: + { Map#Elements(Map#Merge(m, n))[u] } + Map#Domain(Map#Merge(m, n))[u] + ==> (!Map#Domain(n)[u] ==> Map#Elements(Map#Merge(m, n))[u] == Map#Elements(m)[u]) + && (Map#Domain(n)[u] ==> Map#Elements(Map#Merge(m, n))[u] == Map#Elements(n)[u])); + +function Map#Subtract(Map U V, Set U) : Map U V; + +axiom (forall m: Map U V, s: Set U :: + { Map#Domain(Map#Subtract(m, s)) } + Map#Domain(Map#Subtract(m, s)) == Set#Difference(Map#Domain(m), s)); + +axiom (forall m: Map U V, s: Set U, u: U :: + { Map#Elements(Map#Subtract(m, s))[u] } + Map#Domain(Map#Subtract(m, s))[u] + ==> Map#Elements(Map#Subtract(m, s))[u] == Map#Elements(m)[u]); + +function Map#Equal(Map U V, Map U V) : bool; + +axiom (forall m: Map U V, m': Map U V :: + { Map#Equal(m, m') } + Map#Equal(m, m') + <==> (forall u: U :: Map#Domain(m)[u] == Map#Domain(m')[u]) + && (forall u: U :: Map#Domain(m)[u] ==> Map#Elements(m)[u] == Map#Elements(m')[u])); + +axiom (forall m: Map U V, m': Map U V :: + { Map#Equal(m, m') } + Map#Equal(m, m') ==> m == m'); + +function Map#Disjoint(Map U V, Map U V) : bool; + +axiom (forall m: Map U V, m': Map U V :: + { Map#Disjoint(m, m') } + Map#Disjoint(m, m') + <==> (forall o: U :: + { Map#Domain(m)[o] } { Map#Domain(m')[o] } + !Map#Domain(m)[o] || !Map#Domain(m')[o])); + +function IMap#Domain(IMap U V) : Set U; + +function IMap#Elements(IMap U V) : [U]V; + +axiom (forall m: IMap U V :: + { IMap#Domain(m) } + m == IMap#Empty() || (exists k: U :: IMap#Domain(m)[k])); + +axiom (forall m: IMap U V :: + { IMap#Values(m) } + m == IMap#Empty() || (exists v: V :: IMap#Values(m)[v])); + +axiom (forall m: IMap U V :: + { IMap#Items(m) } + m == IMap#Empty() + || (exists k: Box, v: Box :: IMap#Items(m)[$Box(#_System._tuple#2._#Make2(k, v))])); + +axiom (forall m: IMap U V :: + { IMap#Domain(m) } + m == IMap#Empty() <==> IMap#Domain(m) == ISet#Empty()); + +axiom (forall m: IMap U V :: + { IMap#Values(m) } + m == IMap#Empty() <==> IMap#Values(m) == ISet#Empty()); + +axiom (forall m: IMap U V :: + { IMap#Items(m) } + m == IMap#Empty() <==> IMap#Items(m) == ISet#Empty()); + +function IMap#Values(IMap U V) : Set V; + +axiom (forall m: IMap U V, v: V :: + { IMap#Values(m)[v] } + IMap#Values(m)[v] + == (exists u: U :: + { IMap#Domain(m)[u] } { IMap#Elements(m)[u] } + IMap#Domain(m)[u] && v == IMap#Elements(m)[u])); + +function IMap#Items(IMap U V) : Set Box; + +axiom (forall m: IMap Box Box, item: Box :: + { IMap#Items(m)[item] } + IMap#Items(m)[item] + <==> IMap#Domain(m)[_System.Tuple2._0($Unbox(item))] + && IMap#Elements(m)[_System.Tuple2._0($Unbox(item))] + == _System.Tuple2._1($Unbox(item))); + +function IMap#Empty() : IMap U V; + +axiom (forall u: U :: + { IMap#Domain(IMap#Empty(): IMap U V)[u] } + !IMap#Domain(IMap#Empty(): IMap U V)[u]); + +function IMap#Glue([U]bool, [U]V, Ty) : IMap U V; + +axiom (forall a: [U]bool, b: [U]V, t: Ty :: + { IMap#Domain(IMap#Glue(a, b, t)) } + IMap#Domain(IMap#Glue(a, b, t)) == a); + +axiom (forall a: [U]bool, b: [U]V, t: Ty :: + { IMap#Elements(IMap#Glue(a, b, t)) } + IMap#Elements(IMap#Glue(a, b, t)) == b); + +axiom (forall a: [Box]bool, b: [Box]Box, t0: Ty, t1: Ty :: + { IMap#Glue(a, b, TIMap(t0, t1)) } + (forall bx: Box :: a[bx] ==> $IsBox(bx, t0) && $IsBox(b[bx], t1)) + ==> $Is(Map#Glue(a, b, TIMap(t0, t1)), TIMap(t0, t1))); + +function IMap#Build(IMap U V, U, V) : IMap U V; + +axiom (forall m: IMap U V, u: U, u': U, v: V :: + { IMap#Domain(IMap#Build(m, u, v))[u'] } + { IMap#Elements(IMap#Build(m, u, v))[u'] } + (u' == u + ==> IMap#Domain(IMap#Build(m, u, v))[u'] + && IMap#Elements(IMap#Build(m, u, v))[u'] == v) + && (u' != u + ==> IMap#Domain(IMap#Build(m, u, v))[u'] == IMap#Domain(m)[u'] + && IMap#Elements(IMap#Build(m, u, v))[u'] == IMap#Elements(m)[u'])); + +function IMap#Equal(IMap U V, IMap U V) : bool; + +axiom (forall m: IMap U V, m': IMap U V :: + { IMap#Equal(m, m') } + IMap#Equal(m, m') + <==> (forall u: U :: IMap#Domain(m)[u] == IMap#Domain(m')[u]) + && (forall u: U :: + IMap#Domain(m)[u] ==> IMap#Elements(m)[u] == IMap#Elements(m')[u])); + +axiom (forall m: IMap U V, m': IMap U V :: + { IMap#Equal(m, m') } + IMap#Equal(m, m') ==> m == m'); + +function IMap#Merge(IMap U V, IMap U V) : IMap U V; + +axiom (forall m: IMap U V, n: IMap U V :: + { IMap#Domain(IMap#Merge(m, n)) } + IMap#Domain(IMap#Merge(m, n)) == Set#Union(IMap#Domain(m), IMap#Domain(n))); + +axiom (forall m: IMap U V, n: IMap U V, u: U :: + { IMap#Elements(IMap#Merge(m, n))[u] } + IMap#Domain(IMap#Merge(m, n))[u] + ==> (!IMap#Domain(n)[u] + ==> IMap#Elements(IMap#Merge(m, n))[u] == IMap#Elements(m)[u]) + && (IMap#Domain(n)[u] + ==> IMap#Elements(IMap#Merge(m, n))[u] == IMap#Elements(n)[u])); + +function IMap#Subtract(IMap U V, Set U) : IMap U V; + +axiom (forall m: IMap U V, s: Set U :: + { IMap#Domain(IMap#Subtract(m, s)) } + IMap#Domain(IMap#Subtract(m, s)) == Set#Difference(IMap#Domain(m), s)); + +axiom (forall m: IMap U V, s: Set U, u: U :: + { IMap#Elements(IMap#Subtract(m, s))[u] } + IMap#Domain(IMap#Subtract(m, s))[u] + ==> IMap#Elements(IMap#Subtract(m, s))[u] == IMap#Elements(m)[u]); + +function INTERNAL_add_boogie(x: int, y: int) : int; + +axiom (forall x: int, y: int :: + { INTERNAL_add_boogie(x, y): int } + INTERNAL_add_boogie(x, y): int == x + y); + +function INTERNAL_sub_boogie(x: int, y: int) : int; + +axiom (forall x: int, y: int :: + { INTERNAL_sub_boogie(x, y): int } + INTERNAL_sub_boogie(x, y): int == x - y); + +function INTERNAL_mul_boogie(x: int, y: int) : int; + +axiom (forall x: int, y: int :: + { INTERNAL_mul_boogie(x, y): int } + INTERNAL_mul_boogie(x, y): int == x * y); + +function INTERNAL_div_boogie(x: int, y: int) : int; + +axiom (forall x: int, y: int :: + { INTERNAL_div_boogie(x, y): int } + INTERNAL_div_boogie(x, y): int == x div y); + +function INTERNAL_mod_boogie(x: int, y: int) : int; + +axiom (forall x: int, y: int :: + { INTERNAL_mod_boogie(x, y): int } + INTERNAL_mod_boogie(x, y): int == x mod y); + +function {:never_pattern true} INTERNAL_lt_boogie(x: int, y: int) : bool; + +axiom (forall x: int, y: int :: + {:never_pattern true} { INTERNAL_lt_boogie(x, y): bool } + INTERNAL_lt_boogie(x, y): bool == (x < y)); + +function {:never_pattern true} INTERNAL_le_boogie(x: int, y: int) : bool; + +axiom (forall x: int, y: int :: + {:never_pattern true} { INTERNAL_le_boogie(x, y): bool } + INTERNAL_le_boogie(x, y): bool == (x <= y)); + +function {:never_pattern true} INTERNAL_gt_boogie(x: int, y: int) : bool; + +axiom (forall x: int, y: int :: + {:never_pattern true} { INTERNAL_gt_boogie(x, y): bool } + INTERNAL_gt_boogie(x, y): bool == (x > y)); + +function {:never_pattern true} INTERNAL_ge_boogie(x: int, y: int) : bool; + +axiom (forall x: int, y: int :: + {:never_pattern true} { INTERNAL_ge_boogie(x, y): bool } + INTERNAL_ge_boogie(x, y): bool == (x >= y)); + +function Mul(x: int, y: int) : int; + +axiom (forall x: int, y: int :: { Mul(x, y): int } Mul(x, y): int == x * y); + +function Div(x: int, y: int) : int; + +axiom (forall x: int, y: int :: { Div(x, y): int } Div(x, y): int == x div y); + +function Mod(x: int, y: int) : int; + +axiom (forall x: int, y: int :: { Mod(x, y): int } Mod(x, y): int == x mod y); + +function Add(x: int, y: int) : int; + +axiom (forall x: int, y: int :: { Add(x, y): int } Add(x, y): int == x + y); + +function Sub(x: int, y: int) : int; + +axiom (forall x: int, y: int :: { Sub(x, y): int } Sub(x, y): int == x - y); + +function Tclass._System.nat() : Ty; + +const unique Tagclass._System.nat: TyTag; + +// Tclass._System.nat Tag +axiom Tag(Tclass._System.nat()) == Tagclass._System.nat + && TagFamily(Tclass._System.nat()) == tytagFamily$nat; + +// Box/unbox axiom for Tclass._System.nat +axiom (forall bx: Box :: + { $IsBox(bx, Tclass._System.nat()) } + $IsBox(bx, Tclass._System.nat()) + ==> $Box($Unbox(bx): int) == bx && $Is($Unbox(bx): int, Tclass._System.nat())); + +// _System.nat: subset type $Is +axiom (forall x#0: int :: + { $Is(x#0, Tclass._System.nat()) } + $Is(x#0, Tclass._System.nat()) <==> LitInt(0) <= x#0); + +// _System.nat: subset type $IsAlloc +axiom (forall x#0: int, $h: Heap :: + { $IsAlloc(x#0, Tclass._System.nat(), $h) } + $IsAlloc(x#0, Tclass._System.nat(), $h)); + +const unique class._System.object?: ClassName; + +const unique Tagclass._System.object?: TyTag; + +// Tclass._System.object? Tag +axiom Tag(Tclass._System.object?()) == Tagclass._System.object? + && TagFamily(Tclass._System.object?()) == tytagFamily$object; + +// Box/unbox axiom for Tclass._System.object? +axiom (forall bx: Box :: + { $IsBox(bx, Tclass._System.object?()) } + $IsBox(bx, Tclass._System.object?()) + ==> $Box($Unbox(bx): ref) == bx && $Is($Unbox(bx): ref, Tclass._System.object?())); + +// object: Class $Is +axiom (forall $o: ref :: + { $Is($o, Tclass._System.object?()) } + $Is($o, Tclass._System.object?())); + +// object: Class $IsAlloc +axiom (forall $o: ref, $h: Heap :: + { $IsAlloc($o, Tclass._System.object?(), $h) } + $IsAlloc($o, Tclass._System.object?(), $h) + <==> $o == null || read($h, $o, alloc)); + +function implements$_System.object(ty: Ty) : bool; + +function Tclass._System.object() : Ty; + +const unique Tagclass._System.object: TyTag; + +// Tclass._System.object Tag +axiom Tag(Tclass._System.object()) == Tagclass._System.object + && TagFamily(Tclass._System.object()) == tytagFamily$object; + +// Box/unbox axiom for Tclass._System.object +axiom (forall bx: Box :: + { $IsBox(bx, Tclass._System.object()) } + $IsBox(bx, Tclass._System.object()) + ==> $Box($Unbox(bx): ref) == bx && $Is($Unbox(bx): ref, Tclass._System.object())); + +// _System.object: non-null type $Is +axiom (forall c#0: ref :: + { $Is(c#0, Tclass._System.object()) } + $Is(c#0, Tclass._System.object()) + <==> $Is(c#0, Tclass._System.object?()) && c#0 != null); + +// _System.object: non-null type $IsAlloc +axiom (forall c#0: ref, $h: Heap :: + { $IsAlloc(c#0, Tclass._System.object(), $h) } + $IsAlloc(c#0, Tclass._System.object(), $h) + <==> $IsAlloc(c#0, Tclass._System.object?(), $h)); + +const unique class._System.array?: ClassName; + +function Tclass._System.array?(Ty) : Ty; + +const unique Tagclass._System.array?: TyTag; + +// Tclass._System.array? Tag +axiom (forall _System.array$arg: Ty :: + { Tclass._System.array?(_System.array$arg) } + Tag(Tclass._System.array?(_System.array$arg)) == Tagclass._System.array? + && TagFamily(Tclass._System.array?(_System.array$arg)) == tytagFamily$array); + +function Tclass._System.array?_0(Ty) : Ty; + +// Tclass._System.array? injectivity 0 +axiom (forall _System.array$arg: Ty :: + { Tclass._System.array?(_System.array$arg) } + Tclass._System.array?_0(Tclass._System.array?(_System.array$arg)) + == _System.array$arg); + +// Box/unbox axiom for Tclass._System.array? +axiom (forall _System.array$arg: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.array?(_System.array$arg)) } + $IsBox(bx, Tclass._System.array?(_System.array$arg)) + ==> $Box($Unbox(bx): ref) == bx + && $Is($Unbox(bx): ref, Tclass._System.array?(_System.array$arg))); + +// array.: Type axiom +axiom (forall _System.array$arg: Ty, $h: Heap, $o: ref, $i0: int :: + { read($h, $o, IndexField($i0)), Tclass._System.array?(_System.array$arg) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._System.array?(_System.array$arg) + && + 0 <= $i0 + && $i0 < _System.array.Length($o) + ==> $IsBox(read($h, $o, IndexField($i0)), _System.array$arg)); + +// array.: Allocation axiom +axiom (forall _System.array$arg: Ty, $h: Heap, $o: ref, $i0: int :: + { read($h, $o, IndexField($i0)), Tclass._System.array?(_System.array$arg) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._System.array?(_System.array$arg) + && + 0 <= $i0 + && $i0 < _System.array.Length($o) + && read($h, $o, alloc) + ==> $IsAllocBox(read($h, $o, IndexField($i0)), _System.array$arg, $h)); + +// array: Class $Is +axiom (forall _System.array$arg: Ty, $o: ref :: + { $Is($o, Tclass._System.array?(_System.array$arg)) } + $Is($o, Tclass._System.array?(_System.array$arg)) + <==> $o == null || dtype($o) == Tclass._System.array?(_System.array$arg)); + +// array: Class $IsAlloc +axiom (forall _System.array$arg: Ty, $o: ref, $h: Heap :: + { $IsAlloc($o, Tclass._System.array?(_System.array$arg), $h) } + $IsAlloc($o, Tclass._System.array?(_System.array$arg), $h) + <==> $o == null || read($h, $o, alloc)); + +// array.Length: Type axiom +axiom (forall _System.array$arg: Ty, $o: ref :: + { _System.array.Length($o), Tclass._System.array?(_System.array$arg) } + $o != null && dtype($o) == Tclass._System.array?(_System.array$arg) + ==> $Is(_System.array.Length($o), TInt)); + +// array.Length: Allocation axiom +axiom (forall _System.array$arg: Ty, $h: Heap, $o: ref :: + { _System.array.Length($o), read($h, $o, alloc), Tclass._System.array?(_System.array$arg) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._System.array?(_System.array$arg) + && read($h, $o, alloc) + ==> $IsAlloc(_System.array.Length($o), TInt, $h)); + +function Tclass._System.array(Ty) : Ty; + +const unique Tagclass._System.array: TyTag; + +// Tclass._System.array Tag +axiom (forall _System.array$arg: Ty :: + { Tclass._System.array(_System.array$arg) } + Tag(Tclass._System.array(_System.array$arg)) == Tagclass._System.array + && TagFamily(Tclass._System.array(_System.array$arg)) == tytagFamily$array); + +function Tclass._System.array_0(Ty) : Ty; + +// Tclass._System.array injectivity 0 +axiom (forall _System.array$arg: Ty :: + { Tclass._System.array(_System.array$arg) } + Tclass._System.array_0(Tclass._System.array(_System.array$arg)) + == _System.array$arg); + +// Box/unbox axiom for Tclass._System.array +axiom (forall _System.array$arg: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.array(_System.array$arg)) } + $IsBox(bx, Tclass._System.array(_System.array$arg)) + ==> $Box($Unbox(bx): ref) == bx + && $Is($Unbox(bx): ref, Tclass._System.array(_System.array$arg))); + +// _System.array: non-null type $Is +axiom (forall _System.array$arg: Ty, c#0: ref :: + { $Is(c#0, Tclass._System.array(_System.array$arg)) } + $Is(c#0, Tclass._System.array(_System.array$arg)) + <==> $Is(c#0, Tclass._System.array?(_System.array$arg)) && c#0 != null); + +// _System.array: non-null type $IsAlloc +axiom (forall _System.array$arg: Ty, c#0: ref, $h: Heap :: + { $IsAlloc(c#0, Tclass._System.array(_System.array$arg), $h) } + $IsAlloc(c#0, Tclass._System.array(_System.array$arg), $h) + <==> $IsAlloc(c#0, Tclass._System.array?(_System.array$arg), $h)); + +function Tclass._System.___hFunc1(Ty, Ty) : Ty; + +const unique Tagclass._System.___hFunc1: TyTag; + +// Tclass._System.___hFunc1 Tag +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hFunc1(#$T0, #$R) } + Tag(Tclass._System.___hFunc1(#$T0, #$R)) == Tagclass._System.___hFunc1 + && TagFamily(Tclass._System.___hFunc1(#$T0, #$R)) == tytagFamily$_#Func1); + +function Tclass._System.___hFunc1_0(Ty) : Ty; + +// Tclass._System.___hFunc1 injectivity 0 +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hFunc1(#$T0, #$R) } + Tclass._System.___hFunc1_0(Tclass._System.___hFunc1(#$T0, #$R)) == #$T0); + +function Tclass._System.___hFunc1_1(Ty) : Ty; + +// Tclass._System.___hFunc1 injectivity 1 +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hFunc1(#$T0, #$R) } + Tclass._System.___hFunc1_1(Tclass._System.___hFunc1(#$T0, #$R)) == #$R); + +// Box/unbox axiom for Tclass._System.___hFunc1 +axiom (forall #$T0: Ty, #$R: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.___hFunc1(#$T0, #$R)) } + $IsBox(bx, Tclass._System.___hFunc1(#$T0, #$R)) + ==> $Box($Unbox(bx): HandleType) == bx + && $Is($Unbox(bx): HandleType, Tclass._System.___hFunc1(#$T0, #$R))); + +function Handle1([Heap,Box]Box, [Heap,Box]bool, [Heap,Box]Set Box) : HandleType; + +function Requires1(Ty, Ty, Heap, HandleType, Box) : bool; + +function Reads1(Ty, Ty, Heap, HandleType, Box) : Set Box; + +axiom (forall t0: Ty, + t1: Ty, + heap: Heap, + h: [Heap,Box]Box, + r: [Heap,Box]bool, + rd: [Heap,Box]Set Box, + bx0: Box :: + { Apply1(t0, t1, heap, Handle1(h, r, rd), bx0) } + Apply1(t0, t1, heap, Handle1(h, r, rd), bx0) == h[heap, bx0]); + +axiom (forall t0: Ty, + t1: Ty, + heap: Heap, + h: [Heap,Box]Box, + r: [Heap,Box]bool, + rd: [Heap,Box]Set Box, + bx0: Box :: + { Requires1(t0, t1, heap, Handle1(h, r, rd), bx0) } + r[heap, bx0] ==> Requires1(t0, t1, heap, Handle1(h, r, rd), bx0)); + +axiom (forall t0: Ty, + t1: Ty, + heap: Heap, + h: [Heap,Box]Box, + r: [Heap,Box]bool, + rd: [Heap,Box]Set Box, + bx0: Box, + bx: Box :: + { Reads1(t0, t1, heap, Handle1(h, r, rd), bx0)[bx] } + Reads1(t0, t1, heap, Handle1(h, r, rd), bx0)[bx] == rd[heap, bx0][bx]); + +function {:inline} Requires1#canCall(t0: Ty, t1: Ty, heap: Heap, f: HandleType, bx0: Box) : bool +{ + true +} + +function {:inline} Reads1#canCall(t0: Ty, t1: Ty, heap: Heap, f: HandleType, bx0: Box) : bool +{ + true +} + +// frame axiom for Reads1 +axiom (forall t0: Ty, t1: Ty, h0: Heap, h1: Heap, f: HandleType, bx0: Box :: + { $HeapSucc(h0, h1), Reads1(t0, t1, h1, f, bx0) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $Is(f, Tclass._System.___hFunc1(t0, t1)) + && (forall o: ref, fld: Field a :: + o != null && Reads1(t0, t1, h0, f, bx0)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Reads1(t0, t1, h0, f, bx0) == Reads1(t0, t1, h1, f, bx0)); + +// frame axiom for Reads1 +axiom (forall t0: Ty, t1: Ty, h0: Heap, h1: Heap, f: HandleType, bx0: Box :: + { $HeapSucc(h0, h1), Reads1(t0, t1, h1, f, bx0) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $Is(f, Tclass._System.___hFunc1(t0, t1)) + && (forall o: ref, fld: Field a :: + o != null && Reads1(t0, t1, h1, f, bx0)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Reads1(t0, t1, h0, f, bx0) == Reads1(t0, t1, h1, f, bx0)); + +// frame axiom for Requires1 +axiom (forall t0: Ty, t1: Ty, h0: Heap, h1: Heap, f: HandleType, bx0: Box :: + { $HeapSucc(h0, h1), Requires1(t0, t1, h1, f, bx0) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $Is(f, Tclass._System.___hFunc1(t0, t1)) + && (forall o: ref, fld: Field a :: + o != null && Reads1(t0, t1, h0, f, bx0)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Requires1(t0, t1, h0, f, bx0) == Requires1(t0, t1, h1, f, bx0)); + +// frame axiom for Requires1 +axiom (forall t0: Ty, t1: Ty, h0: Heap, h1: Heap, f: HandleType, bx0: Box :: + { $HeapSucc(h0, h1), Requires1(t0, t1, h1, f, bx0) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $Is(f, Tclass._System.___hFunc1(t0, t1)) + && (forall o: ref, fld: Field a :: + o != null && Reads1(t0, t1, h1, f, bx0)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Requires1(t0, t1, h0, f, bx0) == Requires1(t0, t1, h1, f, bx0)); + +// frame axiom for Apply1 +axiom (forall t0: Ty, t1: Ty, h0: Heap, h1: Heap, f: HandleType, bx0: Box :: + { $HeapSucc(h0, h1), Apply1(t0, t1, h1, f, bx0) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $Is(f, Tclass._System.___hFunc1(t0, t1)) + && (forall o: ref, fld: Field a :: + o != null && Reads1(t0, t1, h0, f, bx0)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Apply1(t0, t1, h0, f, bx0) == Apply1(t0, t1, h1, f, bx0)); + +// frame axiom for Apply1 +axiom (forall t0: Ty, t1: Ty, h0: Heap, h1: Heap, f: HandleType, bx0: Box :: + { $HeapSucc(h0, h1), Apply1(t0, t1, h1, f, bx0) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $Is(f, Tclass._System.___hFunc1(t0, t1)) + && (forall o: ref, fld: Field a :: + o != null && Reads1(t0, t1, h1, f, bx0)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Apply1(t0, t1, h0, f, bx0) == Apply1(t0, t1, h1, f, bx0)); + +// empty-reads property for Reads1 +axiom (forall t0: Ty, t1: Ty, heap: Heap, f: HandleType, bx0: Box :: + { Reads1(t0, t1, $OneHeap, f, bx0), $IsGoodHeap(heap) } + { Reads1(t0, t1, heap, f, bx0) } + $IsGoodHeap(heap) && $IsBox(bx0, t0) && $Is(f, Tclass._System.___hFunc1(t0, t1)) + ==> (Set#Equal(Reads1(t0, t1, $OneHeap, f, bx0), Set#Empty(): Set Box) + <==> Set#Equal(Reads1(t0, t1, heap, f, bx0), Set#Empty(): Set Box))); + +// empty-reads property for Requires1 +axiom (forall t0: Ty, t1: Ty, heap: Heap, f: HandleType, bx0: Box :: + { Requires1(t0, t1, $OneHeap, f, bx0), $IsGoodHeap(heap) } + { Requires1(t0, t1, heap, f, bx0) } + $IsGoodHeap(heap) + && + $IsBox(bx0, t0) + && $Is(f, Tclass._System.___hFunc1(t0, t1)) + && Set#Equal(Reads1(t0, t1, $OneHeap, f, bx0), Set#Empty(): Set Box) + ==> Requires1(t0, t1, $OneHeap, f, bx0) == Requires1(t0, t1, heap, f, bx0)); + +axiom (forall f: HandleType, t0: Ty, t1: Ty :: + { $Is(f, Tclass._System.___hFunc1(t0, t1)) } + $Is(f, Tclass._System.___hFunc1(t0, t1)) + <==> (forall h: Heap, bx0: Box :: + { Apply1(t0, t1, h, f, bx0) } + $IsGoodHeap(h) && $IsBox(bx0, t0) && Requires1(t0, t1, h, f, bx0) + ==> $IsBox(Apply1(t0, t1, h, f, bx0), t1))); + +axiom (forall f: HandleType, t0: Ty, t1: Ty, u0: Ty, u1: Ty :: + { $Is(f, Tclass._System.___hFunc1(t0, t1)), $Is(f, Tclass._System.___hFunc1(u0, u1)) } + $Is(f, Tclass._System.___hFunc1(t0, t1)) + && (forall bx: Box :: + { $IsBox(bx, u0) } { $IsBox(bx, t0) } + $IsBox(bx, u0) ==> $IsBox(bx, t0)) + && (forall bx: Box :: + { $IsBox(bx, t1) } { $IsBox(bx, u1) } + $IsBox(bx, t1) ==> $IsBox(bx, u1)) + ==> $Is(f, Tclass._System.___hFunc1(u0, u1))); + +axiom (forall f: HandleType, t0: Ty, t1: Ty, h: Heap :: + { $IsAlloc(f, Tclass._System.___hFunc1(t0, t1), h) } + $IsGoodHeap(h) + ==> ($IsAlloc(f, Tclass._System.___hFunc1(t0, t1), h) + <==> (forall bx0: Box :: + { Apply1(t0, t1, h, f, bx0) } { Reads1(t0, t1, h, f, bx0) } + $IsBox(bx0, t0) && $IsAllocBox(bx0, t0, h) && Requires1(t0, t1, h, f, bx0) + ==> (forall r: ref :: + { Reads1(t0, t1, h, f, bx0)[$Box(r)] } + r != null && Reads1(t0, t1, h, f, bx0)[$Box(r)] ==> read(h, r, alloc))))); + +axiom (forall f: HandleType, t0: Ty, t1: Ty, h: Heap :: + { $IsAlloc(f, Tclass._System.___hFunc1(t0, t1), h) } + $IsGoodHeap(h) && $IsAlloc(f, Tclass._System.___hFunc1(t0, t1), h) + ==> (forall bx0: Box :: + { Apply1(t0, t1, h, f, bx0) } + $IsAllocBox(bx0, t0, h) && Requires1(t0, t1, h, f, bx0) + ==> $IsAllocBox(Apply1(t0, t1, h, f, bx0), t1, h))); + +function Tclass._System.___hPartialFunc1(Ty, Ty) : Ty; + +const unique Tagclass._System.___hPartialFunc1: TyTag; + +// Tclass._System.___hPartialFunc1 Tag +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hPartialFunc1(#$T0, #$R) } + Tag(Tclass._System.___hPartialFunc1(#$T0, #$R)) + == Tagclass._System.___hPartialFunc1 + && TagFamily(Tclass._System.___hPartialFunc1(#$T0, #$R)) + == tytagFamily$_#PartialFunc1); + +function Tclass._System.___hPartialFunc1_0(Ty) : Ty; + +// Tclass._System.___hPartialFunc1 injectivity 0 +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hPartialFunc1(#$T0, #$R) } + Tclass._System.___hPartialFunc1_0(Tclass._System.___hPartialFunc1(#$T0, #$R)) + == #$T0); + +function Tclass._System.___hPartialFunc1_1(Ty) : Ty; + +// Tclass._System.___hPartialFunc1 injectivity 1 +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hPartialFunc1(#$T0, #$R) } + Tclass._System.___hPartialFunc1_1(Tclass._System.___hPartialFunc1(#$T0, #$R)) + == #$R); + +// Box/unbox axiom for Tclass._System.___hPartialFunc1 +axiom (forall #$T0: Ty, #$R: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.___hPartialFunc1(#$T0, #$R)) } + $IsBox(bx, Tclass._System.___hPartialFunc1(#$T0, #$R)) + ==> $Box($Unbox(bx): HandleType) == bx + && $Is($Unbox(bx): HandleType, Tclass._System.___hPartialFunc1(#$T0, #$R))); + +// _System._#PartialFunc1: subset type $Is +axiom (forall #$T0: Ty, #$R: Ty, f#0: HandleType :: + { $Is(f#0, Tclass._System.___hPartialFunc1(#$T0, #$R)) } + $Is(f#0, Tclass._System.___hPartialFunc1(#$T0, #$R)) + <==> $Is(f#0, Tclass._System.___hFunc1(#$T0, #$R)) + && (forall x0#0: Box :: + $IsBox(x0#0, #$T0) + ==> Set#Equal(Reads1(#$T0, #$R, $OneHeap, f#0, x0#0), Set#Empty(): Set Box))); + +// _System._#PartialFunc1: subset type $IsAlloc +axiom (forall #$T0: Ty, #$R: Ty, f#0: HandleType, $h: Heap :: + { $IsAlloc(f#0, Tclass._System.___hPartialFunc1(#$T0, #$R), $h) } + $IsAlloc(f#0, Tclass._System.___hPartialFunc1(#$T0, #$R), $h) + <==> $IsAlloc(f#0, Tclass._System.___hFunc1(#$T0, #$R), $h)); + +function Tclass._System.___hTotalFunc1(Ty, Ty) : Ty; + +const unique Tagclass._System.___hTotalFunc1: TyTag; + +// Tclass._System.___hTotalFunc1 Tag +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hTotalFunc1(#$T0, #$R) } + Tag(Tclass._System.___hTotalFunc1(#$T0, #$R)) == Tagclass._System.___hTotalFunc1 + && TagFamily(Tclass._System.___hTotalFunc1(#$T0, #$R)) == tytagFamily$_#TotalFunc1); + +function Tclass._System.___hTotalFunc1_0(Ty) : Ty; + +// Tclass._System.___hTotalFunc1 injectivity 0 +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hTotalFunc1(#$T0, #$R) } + Tclass._System.___hTotalFunc1_0(Tclass._System.___hTotalFunc1(#$T0, #$R)) + == #$T0); + +function Tclass._System.___hTotalFunc1_1(Ty) : Ty; + +// Tclass._System.___hTotalFunc1 injectivity 1 +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hTotalFunc1(#$T0, #$R) } + Tclass._System.___hTotalFunc1_1(Tclass._System.___hTotalFunc1(#$T0, #$R)) == #$R); + +// Box/unbox axiom for Tclass._System.___hTotalFunc1 +axiom (forall #$T0: Ty, #$R: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.___hTotalFunc1(#$T0, #$R)) } + $IsBox(bx, Tclass._System.___hTotalFunc1(#$T0, #$R)) + ==> $Box($Unbox(bx): HandleType) == bx + && $Is($Unbox(bx): HandleType, Tclass._System.___hTotalFunc1(#$T0, #$R))); + +// _System._#TotalFunc1: subset type $Is +axiom (forall #$T0: Ty, #$R: Ty, f#0: HandleType :: + { $Is(f#0, Tclass._System.___hTotalFunc1(#$T0, #$R)) } + $Is(f#0, Tclass._System.___hTotalFunc1(#$T0, #$R)) + <==> $Is(f#0, Tclass._System.___hPartialFunc1(#$T0, #$R)) + && (forall x0#0: Box :: + $IsBox(x0#0, #$T0) ==> Requires1(#$T0, #$R, $OneHeap, f#0, x0#0))); + +// _System._#TotalFunc1: subset type $IsAlloc +axiom (forall #$T0: Ty, #$R: Ty, f#0: HandleType, $h: Heap :: + { $IsAlloc(f#0, Tclass._System.___hTotalFunc1(#$T0, #$R), $h) } + $IsAlloc(f#0, Tclass._System.___hTotalFunc1(#$T0, #$R), $h) + <==> $IsAlloc(f#0, Tclass._System.___hPartialFunc1(#$T0, #$R), $h)); + +function Tclass._System.___hFunc0(Ty) : Ty; + +const unique Tagclass._System.___hFunc0: TyTag; + +// Tclass._System.___hFunc0 Tag +axiom (forall #$R: Ty :: + { Tclass._System.___hFunc0(#$R) } + Tag(Tclass._System.___hFunc0(#$R)) == Tagclass._System.___hFunc0 + && TagFamily(Tclass._System.___hFunc0(#$R)) == tytagFamily$_#Func0); + +function Tclass._System.___hFunc0_0(Ty) : Ty; + +// Tclass._System.___hFunc0 injectivity 0 +axiom (forall #$R: Ty :: + { Tclass._System.___hFunc0(#$R) } + Tclass._System.___hFunc0_0(Tclass._System.___hFunc0(#$R)) == #$R); + +// Box/unbox axiom for Tclass._System.___hFunc0 +axiom (forall #$R: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.___hFunc0(#$R)) } + $IsBox(bx, Tclass._System.___hFunc0(#$R)) + ==> $Box($Unbox(bx): HandleType) == bx + && $Is($Unbox(bx): HandleType, Tclass._System.___hFunc0(#$R))); + +function Handle0([Heap]Box, [Heap]bool, [Heap]Set Box) : HandleType; + +function Apply0(Ty, Heap, HandleType) : Box; + +function Requires0(Ty, Heap, HandleType) : bool; + +function Reads0(Ty, Heap, HandleType) : Set Box; + +axiom (forall t0: Ty, heap: Heap, h: [Heap]Box, r: [Heap]bool, rd: [Heap]Set Box :: + { Apply0(t0, heap, Handle0(h, r, rd)) } + Apply0(t0, heap, Handle0(h, r, rd)) == h[heap]); + +axiom (forall t0: Ty, heap: Heap, h: [Heap]Box, r: [Heap]bool, rd: [Heap]Set Box :: + { Requires0(t0, heap, Handle0(h, r, rd)) } + r[heap] ==> Requires0(t0, heap, Handle0(h, r, rd))); + +axiom (forall t0: Ty, heap: Heap, h: [Heap]Box, r: [Heap]bool, rd: [Heap]Set Box, bx: Box :: + { Reads0(t0, heap, Handle0(h, r, rd))[bx] } + Reads0(t0, heap, Handle0(h, r, rd))[bx] == rd[heap][bx]); + +function {:inline} Requires0#canCall(t0: Ty, heap: Heap, f: HandleType) : bool +{ + true +} + +function {:inline} Reads0#canCall(t0: Ty, heap: Heap, f: HandleType) : bool +{ + true +} + +// frame axiom for Reads0 +axiom (forall t0: Ty, h0: Heap, h1: Heap, f: HandleType :: + { $HeapSucc(h0, h1), Reads0(t0, h1, f) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && $Is(f, Tclass._System.___hFunc0(t0)) + && (forall o: ref, fld: Field a :: + o != null && Reads0(t0, h0, f)[$Box(o)] ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Reads0(t0, h0, f) == Reads0(t0, h1, f)); + +// frame axiom for Reads0 +axiom (forall t0: Ty, h0: Heap, h1: Heap, f: HandleType :: + { $HeapSucc(h0, h1), Reads0(t0, h1, f) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && $Is(f, Tclass._System.___hFunc0(t0)) + && (forall o: ref, fld: Field a :: + o != null && Reads0(t0, h1, f)[$Box(o)] ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Reads0(t0, h0, f) == Reads0(t0, h1, f)); + +// frame axiom for Requires0 +axiom (forall t0: Ty, h0: Heap, h1: Heap, f: HandleType :: + { $HeapSucc(h0, h1), Requires0(t0, h1, f) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && $Is(f, Tclass._System.___hFunc0(t0)) + && (forall o: ref, fld: Field a :: + o != null && Reads0(t0, h0, f)[$Box(o)] ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Requires0(t0, h0, f) == Requires0(t0, h1, f)); + +// frame axiom for Requires0 +axiom (forall t0: Ty, h0: Heap, h1: Heap, f: HandleType :: + { $HeapSucc(h0, h1), Requires0(t0, h1, f) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && $Is(f, Tclass._System.___hFunc0(t0)) + && (forall o: ref, fld: Field a :: + o != null && Reads0(t0, h1, f)[$Box(o)] ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Requires0(t0, h0, f) == Requires0(t0, h1, f)); + +// frame axiom for Apply0 +axiom (forall t0: Ty, h0: Heap, h1: Heap, f: HandleType :: + { $HeapSucc(h0, h1), Apply0(t0, h1, f) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && $Is(f, Tclass._System.___hFunc0(t0)) + && (forall o: ref, fld: Field a :: + o != null && Reads0(t0, h0, f)[$Box(o)] ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Apply0(t0, h0, f) == Apply0(t0, h1, f)); + +// frame axiom for Apply0 +axiom (forall t0: Ty, h0: Heap, h1: Heap, f: HandleType :: + { $HeapSucc(h0, h1), Apply0(t0, h1, f) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && $Is(f, Tclass._System.___hFunc0(t0)) + && (forall o: ref, fld: Field a :: + o != null && Reads0(t0, h1, f)[$Box(o)] ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Apply0(t0, h0, f) == Apply0(t0, h1, f)); + +// empty-reads property for Reads0 +axiom (forall t0: Ty, heap: Heap, f: HandleType :: + { Reads0(t0, $OneHeap, f), $IsGoodHeap(heap) } { Reads0(t0, heap, f) } + $IsGoodHeap(heap) && $Is(f, Tclass._System.___hFunc0(t0)) + ==> (Set#Equal(Reads0(t0, $OneHeap, f), Set#Empty(): Set Box) + <==> Set#Equal(Reads0(t0, heap, f), Set#Empty(): Set Box))); + +// empty-reads property for Requires0 +axiom (forall t0: Ty, heap: Heap, f: HandleType :: + { Requires0(t0, $OneHeap, f), $IsGoodHeap(heap) } { Requires0(t0, heap, f) } + $IsGoodHeap(heap) + && $Is(f, Tclass._System.___hFunc0(t0)) + && Set#Equal(Reads0(t0, $OneHeap, f), Set#Empty(): Set Box) + ==> Requires0(t0, $OneHeap, f) == Requires0(t0, heap, f)); + +axiom (forall f: HandleType, t0: Ty :: + { $Is(f, Tclass._System.___hFunc0(t0)) } + $Is(f, Tclass._System.___hFunc0(t0)) + <==> (forall h: Heap :: + { Apply0(t0, h, f) } + $IsGoodHeap(h) && Requires0(t0, h, f) ==> $IsBox(Apply0(t0, h, f), t0))); + +axiom (forall f: HandleType, t0: Ty, u0: Ty :: + { $Is(f, Tclass._System.___hFunc0(t0)), $Is(f, Tclass._System.___hFunc0(u0)) } + $Is(f, Tclass._System.___hFunc0(t0)) + && (forall bx: Box :: + { $IsBox(bx, t0) } { $IsBox(bx, u0) } + $IsBox(bx, t0) ==> $IsBox(bx, u0)) + ==> $Is(f, Tclass._System.___hFunc0(u0))); + +axiom (forall f: HandleType, t0: Ty, h: Heap :: + { $IsAlloc(f, Tclass._System.___hFunc0(t0), h) } + $IsGoodHeap(h) + ==> ($IsAlloc(f, Tclass._System.___hFunc0(t0), h) + <==> Requires0(t0, h, f) + ==> (forall r: ref :: + { Reads0(t0, h, f)[$Box(r)] } + r != null && Reads0(t0, h, f)[$Box(r)] ==> read(h, r, alloc)))); + +axiom (forall f: HandleType, t0: Ty, h: Heap :: + { $IsAlloc(f, Tclass._System.___hFunc0(t0), h) } + $IsGoodHeap(h) && $IsAlloc(f, Tclass._System.___hFunc0(t0), h) + ==> + Requires0(t0, h, f) + ==> $IsAllocBox(Apply0(t0, h, f), t0, h)); + +function Tclass._System.___hPartialFunc0(Ty) : Ty; + +const unique Tagclass._System.___hPartialFunc0: TyTag; + +// Tclass._System.___hPartialFunc0 Tag +axiom (forall #$R: Ty :: + { Tclass._System.___hPartialFunc0(#$R) } + Tag(Tclass._System.___hPartialFunc0(#$R)) == Tagclass._System.___hPartialFunc0 + && TagFamily(Tclass._System.___hPartialFunc0(#$R)) == tytagFamily$_#PartialFunc0); + +function Tclass._System.___hPartialFunc0_0(Ty) : Ty; + +// Tclass._System.___hPartialFunc0 injectivity 0 +axiom (forall #$R: Ty :: + { Tclass._System.___hPartialFunc0(#$R) } + Tclass._System.___hPartialFunc0_0(Tclass._System.___hPartialFunc0(#$R)) == #$R); + +// Box/unbox axiom for Tclass._System.___hPartialFunc0 +axiom (forall #$R: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.___hPartialFunc0(#$R)) } + $IsBox(bx, Tclass._System.___hPartialFunc0(#$R)) + ==> $Box($Unbox(bx): HandleType) == bx + && $Is($Unbox(bx): HandleType, Tclass._System.___hPartialFunc0(#$R))); + +// _System._#PartialFunc0: subset type $Is +axiom (forall #$R: Ty, f#0: HandleType :: + { $Is(f#0, Tclass._System.___hPartialFunc0(#$R)) } + $Is(f#0, Tclass._System.___hPartialFunc0(#$R)) + <==> $Is(f#0, Tclass._System.___hFunc0(#$R)) + && Set#Equal(Reads0(#$R, $OneHeap, f#0), Set#Empty(): Set Box)); + +// _System._#PartialFunc0: subset type $IsAlloc +axiom (forall #$R: Ty, f#0: HandleType, $h: Heap :: + { $IsAlloc(f#0, Tclass._System.___hPartialFunc0(#$R), $h) } + $IsAlloc(f#0, Tclass._System.___hPartialFunc0(#$R), $h) + <==> $IsAlloc(f#0, Tclass._System.___hFunc0(#$R), $h)); + +function Tclass._System.___hTotalFunc0(Ty) : Ty; + +const unique Tagclass._System.___hTotalFunc0: TyTag; + +// Tclass._System.___hTotalFunc0 Tag +axiom (forall #$R: Ty :: + { Tclass._System.___hTotalFunc0(#$R) } + Tag(Tclass._System.___hTotalFunc0(#$R)) == Tagclass._System.___hTotalFunc0 + && TagFamily(Tclass._System.___hTotalFunc0(#$R)) == tytagFamily$_#TotalFunc0); + +function Tclass._System.___hTotalFunc0_0(Ty) : Ty; + +// Tclass._System.___hTotalFunc0 injectivity 0 +axiom (forall #$R: Ty :: + { Tclass._System.___hTotalFunc0(#$R) } + Tclass._System.___hTotalFunc0_0(Tclass._System.___hTotalFunc0(#$R)) == #$R); + +// Box/unbox axiom for Tclass._System.___hTotalFunc0 +axiom (forall #$R: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.___hTotalFunc0(#$R)) } + $IsBox(bx, Tclass._System.___hTotalFunc0(#$R)) + ==> $Box($Unbox(bx): HandleType) == bx + && $Is($Unbox(bx): HandleType, Tclass._System.___hTotalFunc0(#$R))); + +// _System._#TotalFunc0: subset type $Is +axiom (forall #$R: Ty, f#0: HandleType :: + { $Is(f#0, Tclass._System.___hTotalFunc0(#$R)) } + $Is(f#0, Tclass._System.___hTotalFunc0(#$R)) + <==> $Is(f#0, Tclass._System.___hPartialFunc0(#$R)) && Requires0(#$R, $OneHeap, f#0)); + +// _System._#TotalFunc0: subset type $IsAlloc +axiom (forall #$R: Ty, f#0: HandleType, $h: Heap :: + { $IsAlloc(f#0, Tclass._System.___hTotalFunc0(#$R), $h) } + $IsAlloc(f#0, Tclass._System.___hTotalFunc0(#$R), $h) + <==> $IsAlloc(f#0, Tclass._System.___hPartialFunc0(#$R), $h)); + +// Constructor function declaration +function #_System._tuple#3._#Make3(Box, Box, Box) : DatatypeType; + +// Constructor identifier +axiom (forall a#0#0#0: Box, a#0#1#0: Box, a#0#2#0: Box :: + { #_System._tuple#3._#Make3(a#0#0#0, a#0#1#0, a#0#2#0) } + DatatypeCtorId(#_System._tuple#3._#Make3(a#0#0#0, a#0#1#0, a#0#2#0)) + == ##_System._tuple#3._#Make3); + +const unique ##_System._tuple#3._#Make3: DtCtorId; + +function _System.Tuple3.___hMake3_q(DatatypeType) : bool; + +// Questionmark and identifier +axiom (forall d: DatatypeType :: + { _System.Tuple3.___hMake3_q(d) } + _System.Tuple3.___hMake3_q(d) + <==> DatatypeCtorId(d) == ##_System._tuple#3._#Make3); + +// Constructor questionmark has arguments +axiom (forall d: DatatypeType :: + { _System.Tuple3.___hMake3_q(d) } + _System.Tuple3.___hMake3_q(d) + ==> (exists a#1#0#0: Box, a#1#1#0: Box, a#1#2#0: Box :: + d == #_System._tuple#3._#Make3(a#1#0#0, a#1#1#0, a#1#2#0))); + +function Tclass._System.Tuple3(Ty, Ty, Ty) : Ty; + +const unique Tagclass._System.Tuple3: TyTag; + +// Tclass._System.Tuple3 Tag +axiom (forall _System._tuple#3$T0: Ty, _System._tuple#3$T1: Ty, _System._tuple#3$T2: Ty :: + { Tclass._System.Tuple3(_System._tuple#3$T0, _System._tuple#3$T1, _System._tuple#3$T2) } + Tag(Tclass._System.Tuple3(_System._tuple#3$T0, _System._tuple#3$T1, _System._tuple#3$T2)) + == Tagclass._System.Tuple3 + && TagFamily(Tclass._System.Tuple3(_System._tuple#3$T0, _System._tuple#3$T1, _System._tuple#3$T2)) + == tytagFamily$_tuple#3); + +function Tclass._System.Tuple3_0(Ty) : Ty; + +// Tclass._System.Tuple3 injectivity 0 +axiom (forall _System._tuple#3$T0: Ty, _System._tuple#3$T1: Ty, _System._tuple#3$T2: Ty :: + { Tclass._System.Tuple3(_System._tuple#3$T0, _System._tuple#3$T1, _System._tuple#3$T2) } + Tclass._System.Tuple3_0(Tclass._System.Tuple3(_System._tuple#3$T0, _System._tuple#3$T1, _System._tuple#3$T2)) + == _System._tuple#3$T0); + +function Tclass._System.Tuple3_1(Ty) : Ty; + +// Tclass._System.Tuple3 injectivity 1 +axiom (forall _System._tuple#3$T0: Ty, _System._tuple#3$T1: Ty, _System._tuple#3$T2: Ty :: + { Tclass._System.Tuple3(_System._tuple#3$T0, _System._tuple#3$T1, _System._tuple#3$T2) } + Tclass._System.Tuple3_1(Tclass._System.Tuple3(_System._tuple#3$T0, _System._tuple#3$T1, _System._tuple#3$T2)) + == _System._tuple#3$T1); + +function Tclass._System.Tuple3_2(Ty) : Ty; + +// Tclass._System.Tuple3 injectivity 2 +axiom (forall _System._tuple#3$T0: Ty, _System._tuple#3$T1: Ty, _System._tuple#3$T2: Ty :: + { Tclass._System.Tuple3(_System._tuple#3$T0, _System._tuple#3$T1, _System._tuple#3$T2) } + Tclass._System.Tuple3_2(Tclass._System.Tuple3(_System._tuple#3$T0, _System._tuple#3$T1, _System._tuple#3$T2)) + == _System._tuple#3$T2); + +// Box/unbox axiom for Tclass._System.Tuple3 +axiom (forall _System._tuple#3$T0: Ty, + _System._tuple#3$T1: Ty, + _System._tuple#3$T2: Ty, + bx: Box :: + { $IsBox(bx, + Tclass._System.Tuple3(_System._tuple#3$T0, _System._tuple#3$T1, _System._tuple#3$T2)) } + $IsBox(bx, + Tclass._System.Tuple3(_System._tuple#3$T0, _System._tuple#3$T1, _System._tuple#3$T2)) + ==> $Box($Unbox(bx): DatatypeType) == bx + && $Is($Unbox(bx): DatatypeType, + Tclass._System.Tuple3(_System._tuple#3$T0, _System._tuple#3$T1, _System._tuple#3$T2))); + +// Constructor $Is +axiom (forall _System._tuple#3$T0: Ty, + _System._tuple#3$T1: Ty, + _System._tuple#3$T2: Ty, + a#2#0#0: Box, + a#2#1#0: Box, + a#2#2#0: Box :: + { $Is(#_System._tuple#3._#Make3(a#2#0#0, a#2#1#0, a#2#2#0), + Tclass._System.Tuple3(_System._tuple#3$T0, _System._tuple#3$T1, _System._tuple#3$T2)) } + $Is(#_System._tuple#3._#Make3(a#2#0#0, a#2#1#0, a#2#2#0), + Tclass._System.Tuple3(_System._tuple#3$T0, _System._tuple#3$T1, _System._tuple#3$T2)) + <==> $IsBox(a#2#0#0, _System._tuple#3$T0) + && $IsBox(a#2#1#0, _System._tuple#3$T1) + && $IsBox(a#2#2#0, _System._tuple#3$T2)); + +// Constructor $IsAlloc +axiom (forall _System._tuple#3$T0: Ty, + _System._tuple#3$T1: Ty, + _System._tuple#3$T2: Ty, + a#2#0#0: Box, + a#2#1#0: Box, + a#2#2#0: Box, + $h: Heap :: + { $IsAlloc(#_System._tuple#3._#Make3(a#2#0#0, a#2#1#0, a#2#2#0), + Tclass._System.Tuple3(_System._tuple#3$T0, _System._tuple#3$T1, _System._tuple#3$T2), + $h) } + $IsGoodHeap($h) + ==> ($IsAlloc(#_System._tuple#3._#Make3(a#2#0#0, a#2#1#0, a#2#2#0), + Tclass._System.Tuple3(_System._tuple#3$T0, _System._tuple#3$T1, _System._tuple#3$T2), + $h) + <==> $IsAllocBox(a#2#0#0, _System._tuple#3$T0, $h) + && $IsAllocBox(a#2#1#0, _System._tuple#3$T1, $h) + && $IsAllocBox(a#2#2#0, _System._tuple#3$T2, $h))); + +// Destructor $IsAlloc +axiom (forall d: DatatypeType, _System._tuple#3$T0: Ty, $h: Heap :: + { $IsAllocBox(_System.Tuple3._0(d), _System._tuple#3$T0, $h) } + $IsGoodHeap($h) + && + _System.Tuple3.___hMake3_q(d) + && (exists _System._tuple#3$T1: Ty, _System._tuple#3$T2: Ty :: + { $IsAlloc(d, + Tclass._System.Tuple3(_System._tuple#3$T0, _System._tuple#3$T1, _System._tuple#3$T2), + $h) } + $IsAlloc(d, + Tclass._System.Tuple3(_System._tuple#3$T0, _System._tuple#3$T1, _System._tuple#3$T2), + $h)) + ==> $IsAllocBox(_System.Tuple3._0(d), _System._tuple#3$T0, $h)); + +// Destructor $IsAlloc +axiom (forall d: DatatypeType, _System._tuple#3$T1: Ty, $h: Heap :: + { $IsAllocBox(_System.Tuple3._1(d), _System._tuple#3$T1, $h) } + $IsGoodHeap($h) + && + _System.Tuple3.___hMake3_q(d) + && (exists _System._tuple#3$T0: Ty, _System._tuple#3$T2: Ty :: + { $IsAlloc(d, + Tclass._System.Tuple3(_System._tuple#3$T0, _System._tuple#3$T1, _System._tuple#3$T2), + $h) } + $IsAlloc(d, + Tclass._System.Tuple3(_System._tuple#3$T0, _System._tuple#3$T1, _System._tuple#3$T2), + $h)) + ==> $IsAllocBox(_System.Tuple3._1(d), _System._tuple#3$T1, $h)); + +// Destructor $IsAlloc +axiom (forall d: DatatypeType, _System._tuple#3$T2: Ty, $h: Heap :: + { $IsAllocBox(_System.Tuple3._2(d), _System._tuple#3$T2, $h) } + $IsGoodHeap($h) + && + _System.Tuple3.___hMake3_q(d) + && (exists _System._tuple#3$T0: Ty, _System._tuple#3$T1: Ty :: + { $IsAlloc(d, + Tclass._System.Tuple3(_System._tuple#3$T0, _System._tuple#3$T1, _System._tuple#3$T2), + $h) } + $IsAlloc(d, + Tclass._System.Tuple3(_System._tuple#3$T0, _System._tuple#3$T1, _System._tuple#3$T2), + $h)) + ==> $IsAllocBox(_System.Tuple3._2(d), _System._tuple#3$T2, $h)); + +// Constructor literal +axiom (forall a#3#0#0: Box, a#3#1#0: Box, a#3#2#0: Box :: + { #_System._tuple#3._#Make3(Lit(a#3#0#0), Lit(a#3#1#0), Lit(a#3#2#0)) } + #_System._tuple#3._#Make3(Lit(a#3#0#0), Lit(a#3#1#0), Lit(a#3#2#0)) + == Lit(#_System._tuple#3._#Make3(a#3#0#0, a#3#1#0, a#3#2#0))); + +function _System.Tuple3._0(DatatypeType) : Box; + +// Constructor injectivity +axiom (forall a#4#0#0: Box, a#4#1#0: Box, a#4#2#0: Box :: + { #_System._tuple#3._#Make3(a#4#0#0, a#4#1#0, a#4#2#0) } + _System.Tuple3._0(#_System._tuple#3._#Make3(a#4#0#0, a#4#1#0, a#4#2#0)) + == a#4#0#0); + +// Inductive rank +axiom (forall a#5#0#0: Box, a#5#1#0: Box, a#5#2#0: Box :: + { #_System._tuple#3._#Make3(a#5#0#0, a#5#1#0, a#5#2#0) } + BoxRank(a#5#0#0) < DtRank(#_System._tuple#3._#Make3(a#5#0#0, a#5#1#0, a#5#2#0))); + +function _System.Tuple3._1(DatatypeType) : Box; + +// Constructor injectivity +axiom (forall a#6#0#0: Box, a#6#1#0: Box, a#6#2#0: Box :: + { #_System._tuple#3._#Make3(a#6#0#0, a#6#1#0, a#6#2#0) } + _System.Tuple3._1(#_System._tuple#3._#Make3(a#6#0#0, a#6#1#0, a#6#2#0)) + == a#6#1#0); + +// Inductive rank +axiom (forall a#7#0#0: Box, a#7#1#0: Box, a#7#2#0: Box :: + { #_System._tuple#3._#Make3(a#7#0#0, a#7#1#0, a#7#2#0) } + BoxRank(a#7#1#0) < DtRank(#_System._tuple#3._#Make3(a#7#0#0, a#7#1#0, a#7#2#0))); + +function _System.Tuple3._2(DatatypeType) : Box; + +// Constructor injectivity +axiom (forall a#8#0#0: Box, a#8#1#0: Box, a#8#2#0: Box :: + { #_System._tuple#3._#Make3(a#8#0#0, a#8#1#0, a#8#2#0) } + _System.Tuple3._2(#_System._tuple#3._#Make3(a#8#0#0, a#8#1#0, a#8#2#0)) + == a#8#2#0); + +// Inductive rank +axiom (forall a#9#0#0: Box, a#9#1#0: Box, a#9#2#0: Box :: + { #_System._tuple#3._#Make3(a#9#0#0, a#9#1#0, a#9#2#0) } + BoxRank(a#9#2#0) < DtRank(#_System._tuple#3._#Make3(a#9#0#0, a#9#1#0, a#9#2#0))); + +// Depth-one case-split function +function $IsA#_System.Tuple3(DatatypeType) : bool; + +// Depth-one case-split axiom +axiom (forall d: DatatypeType :: + { $IsA#_System.Tuple3(d) } + $IsA#_System.Tuple3(d) ==> _System.Tuple3.___hMake3_q(d)); + +// Questionmark data type disjunctivity +axiom (forall _System._tuple#3$T0: Ty, + _System._tuple#3$T1: Ty, + _System._tuple#3$T2: Ty, + d: DatatypeType :: + { _System.Tuple3.___hMake3_q(d), $Is(d, + Tclass._System.Tuple3(_System._tuple#3$T0, _System._tuple#3$T1, _System._tuple#3$T2)) } + $Is(d, + Tclass._System.Tuple3(_System._tuple#3$T0, _System._tuple#3$T1, _System._tuple#3$T2)) + ==> _System.Tuple3.___hMake3_q(d)); + +// Datatype extensional equality declaration +function _System.Tuple3#Equal(DatatypeType, DatatypeType) : bool; + +// Datatype extensional equality definition: #_System._tuple#3._#Make3 +axiom (forall a: DatatypeType, b: DatatypeType :: + { _System.Tuple3#Equal(a, b) } + true + ==> (_System.Tuple3#Equal(a, b) + <==> _System.Tuple3._0(a) == _System.Tuple3._0(b) + && _System.Tuple3._1(a) == _System.Tuple3._1(b) + && _System.Tuple3._2(a) == _System.Tuple3._2(b))); + +// Datatype extensionality axiom: _System._tuple#3 +axiom (forall a: DatatypeType, b: DatatypeType :: + { _System.Tuple3#Equal(a, b) } + _System.Tuple3#Equal(a, b) <==> a == b); + +const unique class._System.Tuple3: ClassName; + +// Constructor identifier +axiom (forall a#10#0#0: Box, a#10#1#0: Box :: + { #_System._tuple#2._#Make2(a#10#0#0, a#10#1#0) } + DatatypeCtorId(#_System._tuple#2._#Make2(a#10#0#0, a#10#1#0)) + == ##_System._tuple#2._#Make2); + +const unique ##_System._tuple#2._#Make2: DtCtorId; + +function _System.Tuple2.___hMake2_q(DatatypeType) : bool; + +// Questionmark and identifier +axiom (forall d: DatatypeType :: + { _System.Tuple2.___hMake2_q(d) } + _System.Tuple2.___hMake2_q(d) + <==> DatatypeCtorId(d) == ##_System._tuple#2._#Make2); + +// Constructor questionmark has arguments +axiom (forall d: DatatypeType :: + { _System.Tuple2.___hMake2_q(d) } + _System.Tuple2.___hMake2_q(d) + ==> (exists a#11#0#0: Box, a#11#1#0: Box :: + d == #_System._tuple#2._#Make2(a#11#0#0, a#11#1#0))); + +const unique Tagclass._System.Tuple2: TyTag; + +// Tclass._System.Tuple2 Tag +axiom (forall _System._tuple#2$T0: Ty, _System._tuple#2$T1: Ty :: + { Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1) } + Tag(Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) + == Tagclass._System.Tuple2 + && TagFamily(Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) + == tytagFamily$_tuple#2); + +function Tclass._System.Tuple2_0(Ty) : Ty; + +// Tclass._System.Tuple2 injectivity 0 +axiom (forall _System._tuple#2$T0: Ty, _System._tuple#2$T1: Ty :: + { Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1) } + Tclass._System.Tuple2_0(Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) + == _System._tuple#2$T0); + +function Tclass._System.Tuple2_1(Ty) : Ty; + +// Tclass._System.Tuple2 injectivity 1 +axiom (forall _System._tuple#2$T0: Ty, _System._tuple#2$T1: Ty :: + { Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1) } + Tclass._System.Tuple2_1(Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) + == _System._tuple#2$T1); + +// Box/unbox axiom for Tclass._System.Tuple2 +axiom (forall _System._tuple#2$T0: Ty, _System._tuple#2$T1: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) } + $IsBox(bx, Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) + ==> $Box($Unbox(bx): DatatypeType) == bx + && $Is($Unbox(bx): DatatypeType, + Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1))); + +// Constructor $Is +axiom (forall _System._tuple#2$T0: Ty, _System._tuple#2$T1: Ty, a#12#0#0: Box, a#12#1#0: Box :: + { $Is(#_System._tuple#2._#Make2(a#12#0#0, a#12#1#0), + Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) } + $Is(#_System._tuple#2._#Make2(a#12#0#0, a#12#1#0), + Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) + <==> $IsBox(a#12#0#0, _System._tuple#2$T0) && $IsBox(a#12#1#0, _System._tuple#2$T1)); + +// Constructor $IsAlloc +axiom (forall _System._tuple#2$T0: Ty, + _System._tuple#2$T1: Ty, + a#12#0#0: Box, + a#12#1#0: Box, + $h: Heap :: + { $IsAlloc(#_System._tuple#2._#Make2(a#12#0#0, a#12#1#0), + Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1), + $h) } + $IsGoodHeap($h) + ==> ($IsAlloc(#_System._tuple#2._#Make2(a#12#0#0, a#12#1#0), + Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1), + $h) + <==> $IsAllocBox(a#12#0#0, _System._tuple#2$T0, $h) + && $IsAllocBox(a#12#1#0, _System._tuple#2$T1, $h))); + +// Destructor $IsAlloc +axiom (forall d: DatatypeType, _System._tuple#2$T0: Ty, $h: Heap :: + { $IsAllocBox(_System.Tuple2._0(d), _System._tuple#2$T0, $h) } + $IsGoodHeap($h) + && + _System.Tuple2.___hMake2_q(d) + && (exists _System._tuple#2$T1: Ty :: + { $IsAlloc(d, Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1), $h) } + $IsAlloc(d, Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1), $h)) + ==> $IsAllocBox(_System.Tuple2._0(d), _System._tuple#2$T0, $h)); + +// Destructor $IsAlloc +axiom (forall d: DatatypeType, _System._tuple#2$T1: Ty, $h: Heap :: + { $IsAllocBox(_System.Tuple2._1(d), _System._tuple#2$T1, $h) } + $IsGoodHeap($h) + && + _System.Tuple2.___hMake2_q(d) + && (exists _System._tuple#2$T0: Ty :: + { $IsAlloc(d, Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1), $h) } + $IsAlloc(d, Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1), $h)) + ==> $IsAllocBox(_System.Tuple2._1(d), _System._tuple#2$T1, $h)); + +// Constructor literal +axiom (forall a#13#0#0: Box, a#13#1#0: Box :: + { #_System._tuple#2._#Make2(Lit(a#13#0#0), Lit(a#13#1#0)) } + #_System._tuple#2._#Make2(Lit(a#13#0#0), Lit(a#13#1#0)) + == Lit(#_System._tuple#2._#Make2(a#13#0#0, a#13#1#0))); + +// Constructor injectivity +axiom (forall a#14#0#0: Box, a#14#1#0: Box :: + { #_System._tuple#2._#Make2(a#14#0#0, a#14#1#0) } + _System.Tuple2._0(#_System._tuple#2._#Make2(a#14#0#0, a#14#1#0)) == a#14#0#0); + +// Inductive rank +axiom (forall a#15#0#0: Box, a#15#1#0: Box :: + { #_System._tuple#2._#Make2(a#15#0#0, a#15#1#0) } + BoxRank(a#15#0#0) < DtRank(#_System._tuple#2._#Make2(a#15#0#0, a#15#1#0))); + +// Constructor injectivity +axiom (forall a#16#0#0: Box, a#16#1#0: Box :: + { #_System._tuple#2._#Make2(a#16#0#0, a#16#1#0) } + _System.Tuple2._1(#_System._tuple#2._#Make2(a#16#0#0, a#16#1#0)) == a#16#1#0); + +// Inductive rank +axiom (forall a#17#0#0: Box, a#17#1#0: Box :: + { #_System._tuple#2._#Make2(a#17#0#0, a#17#1#0) } + BoxRank(a#17#1#0) < DtRank(#_System._tuple#2._#Make2(a#17#0#0, a#17#1#0))); + +// Depth-one case-split function +function $IsA#_System.Tuple2(DatatypeType) : bool; + +// Depth-one case-split axiom +axiom (forall d: DatatypeType :: + { $IsA#_System.Tuple2(d) } + $IsA#_System.Tuple2(d) ==> _System.Tuple2.___hMake2_q(d)); + +// Questionmark data type disjunctivity +axiom (forall _System._tuple#2$T0: Ty, _System._tuple#2$T1: Ty, d: DatatypeType :: + { _System.Tuple2.___hMake2_q(d), $Is(d, Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) } + $Is(d, Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) + ==> _System.Tuple2.___hMake2_q(d)); + +// Datatype extensional equality declaration +function _System.Tuple2#Equal(DatatypeType, DatatypeType) : bool; + +// Datatype extensional equality definition: #_System._tuple#2._#Make2 +axiom (forall a: DatatypeType, b: DatatypeType :: + { _System.Tuple2#Equal(a, b) } + true + ==> (_System.Tuple2#Equal(a, b) + <==> _System.Tuple2._0(a) == _System.Tuple2._0(b) + && _System.Tuple2._1(a) == _System.Tuple2._1(b))); + +// Datatype extensionality axiom: _System._tuple#2 +axiom (forall a: DatatypeType, b: DatatypeType :: + { _System.Tuple2#Equal(a, b) } + _System.Tuple2#Equal(a, b) <==> a == b); + +const unique class._System.Tuple2: ClassName; + +// Constructor function declaration +function #_System._tuple#0._#Make0() : DatatypeType; + +// Constructor identifier +axiom DatatypeCtorId(#_System._tuple#0._#Make0()) == ##_System._tuple#0._#Make0; + +const unique ##_System._tuple#0._#Make0: DtCtorId; + +function _System.Tuple0.___hMake0_q(DatatypeType) : bool; + +// Questionmark and identifier +axiom (forall d: DatatypeType :: + { _System.Tuple0.___hMake0_q(d) } + _System.Tuple0.___hMake0_q(d) + <==> DatatypeCtorId(d) == ##_System._tuple#0._#Make0); + +// Constructor questionmark has arguments +axiom (forall d: DatatypeType :: + { _System.Tuple0.___hMake0_q(d) } + _System.Tuple0.___hMake0_q(d) ==> d == #_System._tuple#0._#Make0()); + +function Tclass._System.Tuple0() : Ty; + +const unique Tagclass._System.Tuple0: TyTag; + +// Tclass._System.Tuple0 Tag +axiom Tag(Tclass._System.Tuple0()) == Tagclass._System.Tuple0 + && TagFamily(Tclass._System.Tuple0()) == tytagFamily$_tuple#0; + +// Box/unbox axiom for Tclass._System.Tuple0 +axiom (forall bx: Box :: + { $IsBox(bx, Tclass._System.Tuple0()) } + $IsBox(bx, Tclass._System.Tuple0()) + ==> $Box($Unbox(bx): DatatypeType) == bx + && $Is($Unbox(bx): DatatypeType, Tclass._System.Tuple0())); + +// Constructor $Is +axiom $Is(#_System._tuple#0._#Make0(), Tclass._System.Tuple0()); + +// Constructor $IsAlloc +axiom (forall $h: Heap :: + { $IsAlloc(#_System._tuple#0._#Make0(), Tclass._System.Tuple0(), $h) } + $IsGoodHeap($h) + ==> $IsAlloc(#_System._tuple#0._#Make0(), Tclass._System.Tuple0(), $h)); + +// Constructor literal +axiom #_System._tuple#0._#Make0() == Lit(#_System._tuple#0._#Make0()); + +// Depth-one case-split function +function $IsA#_System.Tuple0(DatatypeType) : bool; + +// Depth-one case-split axiom +axiom (forall d: DatatypeType :: + { $IsA#_System.Tuple0(d) } + $IsA#_System.Tuple0(d) ==> _System.Tuple0.___hMake0_q(d)); + +// Questionmark data type disjunctivity +axiom (forall d: DatatypeType :: + { _System.Tuple0.___hMake0_q(d), $Is(d, Tclass._System.Tuple0()) } + $Is(d, Tclass._System.Tuple0()) ==> _System.Tuple0.___hMake0_q(d)); + +// Datatype extensional equality declaration +function _System.Tuple0#Equal(DatatypeType, DatatypeType) : bool; + +// Datatype extensional equality definition: #_System._tuple#0._#Make0 +axiom (forall a: DatatypeType, b: DatatypeType :: + { _System.Tuple0#Equal(a, b) } + true ==> (_System.Tuple0#Equal(a, b) <==> true)); + +// Datatype extensionality axiom: _System._tuple#0 +axiom (forall a: DatatypeType, b: DatatypeType :: + { _System.Tuple0#Equal(a, b) } + _System.Tuple0#Equal(a, b) <==> a == b); + +const unique class._System.Tuple0: ClassName; + +const BaseFuel__module.Bot.Valid: LayerType; + +const StartFuel__module.Bot.Valid: LayerType; + +const StartFuelAssert__module.Bot.Valid: LayerType; + +const unique class._module.Cell?: ClassName; + +function Tclass._module.Cell?() : Ty; + +const unique Tagclass._module.Cell?: TyTag; + +// Tclass._module.Cell? Tag +axiom Tag(Tclass._module.Cell?()) == Tagclass._module.Cell? + && TagFamily(Tclass._module.Cell?()) == tytagFamily$Cell; + +// Box/unbox axiom for Tclass._module.Cell? +axiom (forall bx: Box :: + { $IsBox(bx, Tclass._module.Cell?()) } + $IsBox(bx, Tclass._module.Cell?()) + ==> $Box($Unbox(bx): ref) == bx && $Is($Unbox(bx): ref, Tclass._module.Cell?())); + +// Cell: Class $Is +axiom (forall $o: ref :: + { $Is($o, Tclass._module.Cell?()) } + $Is($o, Tclass._module.Cell?()) + <==> $o == null || dtype($o) == Tclass._module.Cell?()); + +// Cell: Class $IsAlloc +axiom (forall $o: ref, $h: Heap :: + { $IsAlloc($o, Tclass._module.Cell?(), $h) } + $IsAlloc($o, Tclass._module.Cell?(), $h) <==> $o == null || read($h, $o, alloc)); + +axiom FDim(_module.Cell.val) == 0 + && FieldOfDecl(class._module.Cell?, field$val) == _module.Cell.val + && !$IsGhostField(_module.Cell.val); + +const _module.Cell.val: Field int; + +// Cell.val: Type axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Cell.val) } + $IsGoodHeap($h) && $o != null && dtype($o) == Tclass._module.Cell?() + ==> $Is(read($h, $o, _module.Cell.val), TInt)); + +// Cell.val: Allocation axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Cell.val) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._module.Cell?() + && read($h, $o, alloc) + ==> $IsAlloc(read($h, $o, _module.Cell.val), TInt, $h)); + +function Tclass._module.Cell() : Ty; + +const unique Tagclass._module.Cell: TyTag; + +// Tclass._module.Cell Tag +axiom Tag(Tclass._module.Cell()) == Tagclass._module.Cell + && TagFamily(Tclass._module.Cell()) == tytagFamily$Cell; + +// Box/unbox axiom for Tclass._module.Cell +axiom (forall bx: Box :: + { $IsBox(bx, Tclass._module.Cell()) } + $IsBox(bx, Tclass._module.Cell()) + ==> $Box($Unbox(bx): ref) == bx && $Is($Unbox(bx): ref, Tclass._module.Cell())); + +procedure {:verboseName "Cell._ctor (well-formedness)"} CheckWellFormed$$_module.Cell.__ctor(this: ref + where this != null + && + $Is(this, Tclass._module.Cell()) + && $IsAlloc(this, Tclass._module.Cell(), $Heap), + v#0: int); + free requires 0 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +procedure {:verboseName "Cell._ctor (call)"} Call$$_module.Cell.__ctor(v#0: int) + returns (this: ref + where this != null + && + $Is(this, Tclass._module.Cell()) + && $IsAlloc(this, Tclass._module.Cell(), $Heap)); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures true; + ensures read($Heap, this, _module.Cell.val) == v#0; + // constructor allocates the object + ensures !read(old($Heap), this, alloc); + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) ==> $Heap[$o] == old($Heap)[$o]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +procedure {:verboseName "Cell._ctor (correctness)"} Impl$$_module.Cell.__ctor(v#0: int) + returns (this: ref where this != null && $Is(this, Tclass._module.Cell()), + $_reverifyPost: bool); + free requires 0 == $FunctionContextHeight; + modifies $Heap, $Tick; + // user-defined postconditions + free ensures true; + ensures read($Heap, this, _module.Cell.val) == v#0; + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) ==> $Heap[$o] == old($Heap)[$o]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +implementation {:verboseName "Cell._ctor (correctness)"} Impl$$_module.Cell.__ctor(v#0: int) returns (this: ref, $_reverifyPost: bool) +{ + var $_Frame: [ref,Field beta]bool; + var this.val: int; + + // AddMethodImpl: _ctor, Impl$$_module.Cell.__ctor + // initialize fuel constant + assume AsFuelBottom(StartFuel__module.Bot.Valid) == StartFuel__module.Bot.Valid; + assume AsFuelBottom(StartFuelAssert__module.Bot.Valid) + == StartFuelAssert__module.Bot.Valid; + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> false); + $_reverifyPost := false; + // ----- divided block before new; ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(11,3) + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(12,9) + assume true; + assume true; + this.val := v#0; + // ----- new; ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(11,3) + assume !read($Heap, this, alloc); + assume read($Heap, this, _module.Cell.val) == this.val; + $Heap := update($Heap, this, alloc, true); + assume $IsGoodHeap($Heap); + assume $IsHeapAnchor($Heap); + // ----- divided block after new; ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(11,3) +} + + + +// _module.Cell: non-null type $Is +axiom (forall c#0: ref :: + { $Is(c#0, Tclass._module.Cell()) } + $Is(c#0, Tclass._module.Cell()) + <==> $Is(c#0, Tclass._module.Cell?()) && c#0 != null); + +// _module.Cell: non-null type $IsAlloc +axiom (forall c#0: ref, $h: Heap :: + { $IsAlloc(c#0, Tclass._module.Cell(), $h) } + $IsAlloc(c#0, Tclass._module.Cell(), $h) + <==> $IsAlloc(c#0, Tclass._module.Cell?(), $h)); + +const unique class._module.Point?: ClassName; + +function Tclass._module.Point?() : Ty; + +const unique Tagclass._module.Point?: TyTag; + +// Tclass._module.Point? Tag +axiom Tag(Tclass._module.Point?()) == Tagclass._module.Point? + && TagFamily(Tclass._module.Point?()) == tytagFamily$Point; + +// Box/unbox axiom for Tclass._module.Point? +axiom (forall bx: Box :: + { $IsBox(bx, Tclass._module.Point?()) } + $IsBox(bx, Tclass._module.Point?()) + ==> $Box($Unbox(bx): ref) == bx && $Is($Unbox(bx): ref, Tclass._module.Point?())); + +// Point: Class $Is +axiom (forall $o: ref :: + { $Is($o, Tclass._module.Point?()) } + $Is($o, Tclass._module.Point?()) + <==> $o == null || dtype($o) == Tclass._module.Point?()); + +// Point: Class $IsAlloc +axiom (forall $o: ref, $h: Heap :: + { $IsAlloc($o, Tclass._module.Point?(), $h) } + $IsAlloc($o, Tclass._module.Point?(), $h) <==> $o == null || read($h, $o, alloc)); + +axiom FDim(_module.Point.Value) == 0 + && FieldOfDecl(class._module.Point?, field$Value) == _module.Point.Value + && $IsGhostField(_module.Point.Value); + +const _module.Point.Value: Field DatatypeType; + +// Point.Value: Type axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Point.Value) } + $IsGoodHeap($h) && $o != null && dtype($o) == Tclass._module.Point?() + ==> $Is(read($h, $o, _module.Point.Value), Tclass._System.Tuple3(TInt, TInt, TInt))); + +// Point.Value: Allocation axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Point.Value) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._module.Point?() + && read($h, $o, alloc) + ==> $IsAlloc(read($h, $o, _module.Point.Value), Tclass._System.Tuple3(TInt, TInt, TInt), $h)); + +axiom FDim(_module.Point.Repr) == 0 + && FieldOfDecl(class._module.Point?, field$Repr) == _module.Point.Repr + && $IsGhostField(_module.Point.Repr); + +const _module.Point.Repr: Field (Set Box); + +// Point.Repr: Type axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Point.Repr) } + $IsGoodHeap($h) && $o != null && dtype($o) == Tclass._module.Point?() + ==> $Is(read($h, $o, _module.Point.Repr), TSet(Tclass._System.object()))); + +// Point.Repr: Allocation axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Point.Repr) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._module.Point?() + && read($h, $o, alloc) + ==> $IsAlloc(read($h, $o, _module.Point.Repr), TSet(Tclass._System.object()), $h)); + +// function declaration for _module.Point.Valid +function _module.Point.Valid($heap: Heap, this: ref) : bool; + +function _module.Point.Valid#canCall($heap: Heap, this: ref) : bool; + +function Tclass._module.Point() : Ty; + +const unique Tagclass._module.Point: TyTag; + +// Tclass._module.Point Tag +axiom Tag(Tclass._module.Point()) == Tagclass._module.Point + && TagFamily(Tclass._module.Point()) == tytagFamily$Point; + +// Box/unbox axiom for Tclass._module.Point +axiom (forall bx: Box :: + { $IsBox(bx, Tclass._module.Point()) } + $IsBox(bx, Tclass._module.Point()) + ==> $Box($Unbox(bx): ref) == bx && $Is($Unbox(bx): ref, Tclass._module.Point())); + +// frame axiom for _module.Point.Valid +axiom (forall $h0: Heap, $h1: Heap, this: ref :: + { $IsHeapAnchor($h0), $HeapSucc($h0, $h1), _module.Point.Valid($h1, this) } + $IsGoodHeap($h0) + && $IsGoodHeap($h1) + && + this != null + && $Is(this, Tclass._module.Point()) + && + $IsHeapAnchor($h0) + && $HeapSucc($h0, $h1) + ==> + (forall $o: ref, $f: Field alpha :: + $o != null && ($o == this || read($h0, this, _module.Point.Repr)[$Box($o)]) + ==> read($h0, $o, $f) == read($h1, $o, $f)) + ==> _module.Point.Valid($h0, this) == _module.Point.Valid($h1, this)); + +// consequence axiom for _module.Point.Valid +axiom 0 <= $FunctionContextHeight + ==> (forall $Heap: Heap, this: ref :: + { _module.Point.Valid($Heap, this) } + _module.Point.Valid#canCall($Heap, this) + || (0 != $FunctionContextHeight + && + $IsGoodHeap($Heap) + && + this != null + && + $Is(this, Tclass._module.Point()) + && $IsAlloc(this, Tclass._module.Point(), $Heap)) + ==> + _module.Point.Valid($Heap, this) + ==> read($Heap, this, _module.Point.Repr)[$Box(this)]); + +function _module.Point.Valid#requires(Heap, ref) : bool; + +// #requires axiom for _module.Point.Valid +axiom (forall $Heap: Heap, this: ref :: + { _module.Point.Valid#requires($Heap, this), $IsGoodHeap($Heap) } + $IsGoodHeap($Heap) + && + this != null + && + $Is(this, Tclass._module.Point()) + && $IsAlloc(this, Tclass._module.Point(), $Heap) + ==> _module.Point.Valid#requires($Heap, this) == true); + +axiom FDim(_module.Point.x) == 0 + && FieldOfDecl(class._module.Point?, field$x) == _module.Point.x + && !$IsGhostField(_module.Point.x); + +axiom FDim(_module.Point.y) == 0 + && FieldOfDecl(class._module.Point?, field$y) == _module.Point.y + && !$IsGhostField(_module.Point.y); + +axiom FDim(_module.Point.z) == 0 + && FieldOfDecl(class._module.Point?, field$z) == _module.Point.z + && !$IsGhostField(_module.Point.z); + +// definition axiom for _module.Point.Valid (revealed) +axiom 0 <= $FunctionContextHeight + ==> (forall $Heap: Heap, this: ref :: + { _module.Point.Valid($Heap, this), $IsGoodHeap($Heap) } + _module.Point.Valid#canCall($Heap, this) + || (0 != $FunctionContextHeight + && + $IsGoodHeap($Heap) + && + this != null + && + $Is(this, Tclass._module.Point()) + && $IsAlloc(this, Tclass._module.Point(), $Heap)) + ==> (read($Heap, this, _module.Point.Repr)[$Box(this)] + ==> + Set#Subset(Set#UnionOne(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Point.x))), + $Box(read($Heap, this, _module.Point.y))), + $Box(read($Heap, this, _module.Point.z))), + read($Heap, this, _module.Point.Repr)) + ==> + read($Heap, this, _module.Point.x) != read($Heap, this, _module.Point.y) + ==> + read($Heap, this, _module.Point.y) != read($Heap, this, _module.Point.z) + ==> + read($Heap, this, _module.Point.z) != read($Heap, this, _module.Point.x) + ==> $IsA#_System.Tuple3(read($Heap, this, _module.Point.Value))) + && _module.Point.Valid($Heap, this) + == ( + read($Heap, this, _module.Point.Repr)[$Box(this)] + && Set#Subset(Set#UnionOne(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Point.x))), + $Box(read($Heap, this, _module.Point.y))), + $Box(read($Heap, this, _module.Point.z))), + read($Heap, this, _module.Point.Repr)) + && read($Heap, this, _module.Point.x) != read($Heap, this, _module.Point.y) + && read($Heap, this, _module.Point.y) != read($Heap, this, _module.Point.z) + && read($Heap, this, _module.Point.z) != read($Heap, this, _module.Point.x) + && _System.Tuple3#Equal(read($Heap, this, _module.Point.Value), + #_System._tuple#3._#Make3($Box(read($Heap, read($Heap, this, _module.Point.x), _module.Cell.val)), + $Box(read($Heap, read($Heap, this, _module.Point.y), _module.Cell.val)), + $Box(read($Heap, read($Heap, this, _module.Point.z), _module.Cell.val)))))); + +procedure {:verboseName "Point.Valid (well-formedness)"} CheckWellformed$$_module.Point.Valid(this: ref + where this != null + && + $Is(this, Tclass._module.Point()) + && $IsAlloc(this, Tclass._module.Point(), $Heap)); + free requires 0 == $FunctionContextHeight; + modifies $Heap, $Tick; + ensures _module.Point.Valid($Heap, this) + ==> read($Heap, this, _module.Point.Repr)[$Box(this)]; + + + +implementation {:verboseName "Point.Valid (well-formedness)"} CheckWellformed$$_module.Point.Valid(this: ref) +{ + var $_Frame: [ref,Field beta]bool; + var b$reqreads#0: bool; + var b$reqreads#1: bool; + var b$reqreads#2: bool; + var b$reqreads#3: bool; + var b$reqreads#4: bool; + var b$reqreads#5: bool; + var b$reqreads#6: bool; + var b$reqreads#7: bool; + var b$reqreads#8: bool; + var b$reqreads#9: bool; + var b$reqreads#10: bool; + var b$reqreads#11: bool; + var b$reqreads#12: bool; + var b$reqreads#13: bool; + var b$reqreads#14: bool; + var b$reqreads#15: bool; + var b$reqreads#16: bool; + var b$reqreads#17: bool; + var b$reqreads#18: bool; + + b$reqreads#0 := true; + b$reqreads#1 := true; + b$reqreads#2 := true; + b$reqreads#3 := true; + b$reqreads#4 := true; + b$reqreads#5 := true; + b$reqreads#6 := true; + b$reqreads#7 := true; + b$reqreads#8 := true; + b$reqreads#9 := true; + b$reqreads#10 := true; + b$reqreads#11 := true; + b$reqreads#12 := true; + b$reqreads#13 := true; + b$reqreads#14 := true; + b$reqreads#15 := true; + b$reqreads#16 := true; + b$reqreads#17 := true; + b$reqreads#18 := true; + + // AddWellformednessCheck for function Valid + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> $o == this || read($Heap, this, _module.Point.Repr)[$Box($o)]); + // initialize fuel constant + assume AsFuelBottom(StartFuel__module.Bot.Valid) == StartFuel__module.Bot.Valid; + assume AsFuelBottom(StartFuelAssert__module.Bot.Valid) + == StartFuelAssert__module.Bot.Valid; + b$reqreads#0 := $_Frame[this, _module.Point.Repr]; + assert b$reqreads#0; + if (*) + { + if (*) + { + // assume allocatedness for receiver argument to function + assume $IsAlloc(this, Tclass._module.Point?(), $Heap); + assert this == this + || (Set#Subset(Set#Union(read($Heap, this, _module.Point.Repr), + Set#UnionOne(Set#Empty(): Set Box, $Box(this))), + Set#Union(read($Heap, this, _module.Point.Repr), + Set#UnionOne(Set#Empty(): Set Box, $Box(this)))) + && !Set#Subset(Set#Union(read($Heap, this, _module.Point.Repr), + Set#UnionOne(Set#Empty(): Set Box, $Box(this))), + Set#Union(read($Heap, this, _module.Point.Repr), + Set#UnionOne(Set#Empty(): Set Box, $Box(this))))); + assume this == this || _module.Point.Valid#canCall($Heap, this); + assume _module.Point.Valid($Heap, this); + assume read($Heap, this, _module.Point.Repr)[$Box(this)]; + } + else + { + assume _module.Point.Valid($Heap, this) + ==> read($Heap, this, _module.Point.Repr)[$Box(this)]; + } + + assume false; + } + else + { + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> $o == this || read($Heap, this, _module.Point.Repr)[$Box($o)]); + b$reqreads#1 := $_Frame[this, _module.Point.Repr]; + if (read($Heap, this, _module.Point.Repr)[$Box(this)]) + { + b$reqreads#2 := $_Frame[this, _module.Point.x]; + b$reqreads#3 := $_Frame[this, _module.Point.y]; + b$reqreads#4 := $_Frame[this, _module.Point.z]; + b$reqreads#5 := $_Frame[this, _module.Point.Repr]; + } + + if (read($Heap, this, _module.Point.Repr)[$Box(this)] + && Set#Subset(Set#UnionOne(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Point.x))), + $Box(read($Heap, this, _module.Point.y))), + $Box(read($Heap, this, _module.Point.z))), + read($Heap, this, _module.Point.Repr))) + { + b$reqreads#6 := $_Frame[this, _module.Point.x]; + b$reqreads#7 := $_Frame[this, _module.Point.y]; + } + + if (read($Heap, this, _module.Point.Repr)[$Box(this)] + && Set#Subset(Set#UnionOne(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Point.x))), + $Box(read($Heap, this, _module.Point.y))), + $Box(read($Heap, this, _module.Point.z))), + read($Heap, this, _module.Point.Repr)) + && read($Heap, this, _module.Point.x) != read($Heap, this, _module.Point.y)) + { + b$reqreads#8 := $_Frame[this, _module.Point.y]; + b$reqreads#9 := $_Frame[this, _module.Point.z]; + } + + if (read($Heap, this, _module.Point.Repr)[$Box(this)] + && Set#Subset(Set#UnionOne(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Point.x))), + $Box(read($Heap, this, _module.Point.y))), + $Box(read($Heap, this, _module.Point.z))), + read($Heap, this, _module.Point.Repr)) + && read($Heap, this, _module.Point.x) != read($Heap, this, _module.Point.y) + && read($Heap, this, _module.Point.y) != read($Heap, this, _module.Point.z)) + { + b$reqreads#10 := $_Frame[this, _module.Point.z]; + b$reqreads#11 := $_Frame[this, _module.Point.x]; + } + + if (read($Heap, this, _module.Point.Repr)[$Box(this)] + && Set#Subset(Set#UnionOne(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Point.x))), + $Box(read($Heap, this, _module.Point.y))), + $Box(read($Heap, this, _module.Point.z))), + read($Heap, this, _module.Point.Repr)) + && read($Heap, this, _module.Point.x) != read($Heap, this, _module.Point.y) + && read($Heap, this, _module.Point.y) != read($Heap, this, _module.Point.z) + && read($Heap, this, _module.Point.z) != read($Heap, this, _module.Point.x)) + { + b$reqreads#12 := $_Frame[this, _module.Point.Value]; + b$reqreads#13 := $_Frame[this, _module.Point.x]; + assert read($Heap, this, _module.Point.x) != null; + b$reqreads#14 := $_Frame[read($Heap, this, _module.Point.x), _module.Cell.val]; + b$reqreads#15 := $_Frame[this, _module.Point.y]; + assert read($Heap, this, _module.Point.y) != null; + b$reqreads#16 := $_Frame[read($Heap, this, _module.Point.y), _module.Cell.val]; + b$reqreads#17 := $_Frame[this, _module.Point.z]; + assert read($Heap, this, _module.Point.z) != null; + b$reqreads#18 := $_Frame[read($Heap, this, _module.Point.z), _module.Cell.val]; + } + + assume _module.Point.Valid($Heap, this) + == ( + read($Heap, this, _module.Point.Repr)[$Box(this)] + && Set#Subset(Set#UnionOne(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Point.x))), + $Box(read($Heap, this, _module.Point.y))), + $Box(read($Heap, this, _module.Point.z))), + read($Heap, this, _module.Point.Repr)) + && read($Heap, this, _module.Point.x) != read($Heap, this, _module.Point.y) + && read($Heap, this, _module.Point.y) != read($Heap, this, _module.Point.z) + && read($Heap, this, _module.Point.z) != read($Heap, this, _module.Point.x) + && _System.Tuple3#Equal(read($Heap, this, _module.Point.Value), + #_System._tuple#3._#Make3($Box(read($Heap, read($Heap, this, _module.Point.x), _module.Cell.val)), + $Box(read($Heap, read($Heap, this, _module.Point.y), _module.Cell.val)), + $Box(read($Heap, read($Heap, this, _module.Point.z), _module.Cell.val))))); + assume read($Heap, this, _module.Point.Repr)[$Box(this)] + ==> + Set#Subset(Set#UnionOne(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Point.x))), + $Box(read($Heap, this, _module.Point.y))), + $Box(read($Heap, this, _module.Point.z))), + read($Heap, this, _module.Point.Repr)) + ==> + read($Heap, this, _module.Point.x) != read($Heap, this, _module.Point.y) + ==> + read($Heap, this, _module.Point.y) != read($Heap, this, _module.Point.z) + ==> + read($Heap, this, _module.Point.z) != read($Heap, this, _module.Point.x) + ==> $IsA#_System.Tuple3(read($Heap, this, _module.Point.Value)); + // CheckWellformedWithResult: any expression + assume $Is(_module.Point.Valid($Heap, this), TBool); + assert b$reqreads#1; + assert b$reqreads#2; + assert b$reqreads#3; + assert b$reqreads#4; + assert b$reqreads#5; + assert b$reqreads#6; + assert b$reqreads#7; + assert b$reqreads#8; + assert b$reqreads#9; + assert b$reqreads#10; + assert b$reqreads#11; + assert b$reqreads#12; + assert b$reqreads#13; + assert b$reqreads#14; + assert b$reqreads#15; + assert b$reqreads#16; + assert b$reqreads#17; + assert b$reqreads#18; + } +} + + + +const _module.Point.x: Field ref; + +// Point.x: Type axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Point.x) } + $IsGoodHeap($h) && $o != null && dtype($o) == Tclass._module.Point?() + ==> $Is(read($h, $o, _module.Point.x), Tclass._module.Cell())); + +// Point.x: Allocation axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Point.x) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._module.Point?() + && read($h, $o, alloc) + ==> $IsAlloc(read($h, $o, _module.Point.x), Tclass._module.Cell(), $h)); + +const _module.Point.y: Field ref; + +// Point.y: Type axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Point.y) } + $IsGoodHeap($h) && $o != null && dtype($o) == Tclass._module.Point?() + ==> $Is(read($h, $o, _module.Point.y), Tclass._module.Cell())); + +// Point.y: Allocation axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Point.y) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._module.Point?() + && read($h, $o, alloc) + ==> $IsAlloc(read($h, $o, _module.Point.y), Tclass._module.Cell(), $h)); + +const _module.Point.z: Field ref; + +// Point.z: Type axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Point.z) } + $IsGoodHeap($h) && $o != null && dtype($o) == Tclass._module.Point?() + ==> $Is(read($h, $o, _module.Point.z), Tclass._module.Cell())); + +// Point.z: Allocation axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Point.z) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._module.Point?() + && read($h, $o, alloc) + ==> $IsAlloc(read($h, $o, _module.Point.z), Tclass._module.Cell(), $h)); + +procedure {:verboseName "Point._ctor (well-formedness)"} CheckWellFormed$$_module.Point.__ctor(this: ref + where this != null + && + $Is(this, Tclass._module.Point()) + && $IsAlloc(this, Tclass._module.Point(), $Heap), + a#0: int, + b#0: int, + c#0: int); + free requires 1 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +procedure {:verboseName "Point._ctor (call)"} Call$$_module.Point.__ctor(a#0: int, b#0: int, c#0: int) + returns (this: ref + where this != null + && + $Is(this, Tclass._module.Point()) + && $IsAlloc(this, Tclass._module.Point(), $Heap)); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures _module.Point.Valid#canCall($Heap, this); + free ensures _module.Point.Valid#canCall($Heap, this) + && + _module.Point.Valid($Heap, this) + && + read($Heap, this, _module.Point.Repr)[$Box(this)] + && Set#Subset(Set#UnionOne(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Point.x))), + $Box(read($Heap, this, _module.Point.y))), + $Box(read($Heap, this, _module.Point.z))), + read($Heap, this, _module.Point.Repr)) + && read($Heap, this, _module.Point.x) != read($Heap, this, _module.Point.y) + && read($Heap, this, _module.Point.y) != read($Heap, this, _module.Point.z) + && read($Heap, this, _module.Point.z) != read($Heap, this, _module.Point.x) + && _System.Tuple3#Equal(read($Heap, this, _module.Point.Value), + #_System._tuple#3._#Make3($Box(read($Heap, read($Heap, this, _module.Point.x), _module.Cell.val)), + $Box(read($Heap, read($Heap, this, _module.Point.y), _module.Cell.val)), + $Box(read($Heap, read($Heap, this, _module.Point.z), _module.Cell.val)))); + ensures (forall $o: ref :: + { read($Heap, this, _module.Point.Repr)[$Box($o)] } + read($Heap, this, _module.Point.Repr)[$Box($o)] + ==> $o != null && !read(old($Heap), $o, alloc)); + free ensures $IsA#_System.Tuple3(read($Heap, this, _module.Point.Value)); + ensures _System.Tuple3#Equal(read($Heap, this, _module.Point.Value), + #_System._tuple#3._#Make3($Box(a#0), $Box(b#0), $Box(c#0))); + // constructor allocates the object + ensures !read(old($Heap), this, alloc); + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) ==> $Heap[$o] == old($Heap)[$o]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +procedure {:verboseName "Point._ctor (correctness)"} Impl$$_module.Point.__ctor(a#0: int, b#0: int, c#0: int) + returns (this: ref where this != null && $Is(this, Tclass._module.Point()), + $_reverifyPost: bool); + free requires 1 == $FunctionContextHeight; + modifies $Heap, $Tick; + // user-defined postconditions + free ensures _module.Point.Valid#canCall($Heap, this); + ensures _module.Point.Valid#canCall($Heap, this) + ==> _module.Point.Valid($Heap, this) + || read($Heap, this, _module.Point.Repr)[$Box(this)]; + ensures _module.Point.Valid#canCall($Heap, this) + ==> _module.Point.Valid($Heap, this) + || Set#Subset(Set#UnionOne(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Point.x))), + $Box(read($Heap, this, _module.Point.y))), + $Box(read($Heap, this, _module.Point.z))), + read($Heap, this, _module.Point.Repr)); + ensures _module.Point.Valid#canCall($Heap, this) + ==> _module.Point.Valid($Heap, this) + || read($Heap, this, _module.Point.x) != read($Heap, this, _module.Point.y); + ensures _module.Point.Valid#canCall($Heap, this) + ==> _module.Point.Valid($Heap, this) + || read($Heap, this, _module.Point.y) != read($Heap, this, _module.Point.z); + ensures _module.Point.Valid#canCall($Heap, this) + ==> _module.Point.Valid($Heap, this) + || read($Heap, this, _module.Point.z) != read($Heap, this, _module.Point.x); + ensures _module.Point.Valid#canCall($Heap, this) + ==> _module.Point.Valid($Heap, this) + || _System.Tuple3#Equal(read($Heap, this, _module.Point.Value), + #_System._tuple#3._#Make3($Box(read($Heap, read($Heap, this, _module.Point.x), _module.Cell.val)), + $Box(read($Heap, read($Heap, this, _module.Point.y), _module.Cell.val)), + $Box(read($Heap, read($Heap, this, _module.Point.z), _module.Cell.val)))); + ensures (forall $o: ref :: + { read($Heap, this, _module.Point.Repr)[$Box($o)] } + read($Heap, this, _module.Point.Repr)[$Box($o)] + ==> $o != null && !read(old($Heap), $o, alloc)); + free ensures $IsA#_System.Tuple3(read($Heap, this, _module.Point.Value)); + ensures _System.Tuple3#Equal(read($Heap, this, _module.Point.Value), + #_System._tuple#3._#Make3($Box(a#0), $Box(b#0), $Box(c#0))); + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) ==> $Heap[$o] == old($Heap)[$o]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +implementation {:verboseName "Point._ctor (correctness)"} Impl$$_module.Point.__ctor(a#0: int, b#0: int, c#0: int) returns (this: ref, $_reverifyPost: bool) +{ + var $_Frame: [ref,Field beta]bool; + var this.Value: DatatypeType; + var this.Repr: Set Box; + var this.x: ref; + var this.y: ref; + var this.z: ref; + var defass#this.x: bool; + var defass#this.y: bool; + var defass#this.z: bool; + var $nw: ref; + var v##0: int; + var v##1: int; + var v##2: int; + + // AddMethodImpl: _ctor, Impl$$_module.Point.__ctor + // initialize fuel constant + assume AsFuelBottom(StartFuel__module.Bot.Valid) == StartFuel__module.Bot.Valid; + assume AsFuelBottom(StartFuelAssert__module.Bot.Valid) + == StartFuelAssert__module.Bot.Valid; + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> false); + $_reverifyPost := false; + // ----- divided block before new; ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(35,3) + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(36,7) + assume true; + // ----- init call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(36,10) + // TrCallStmt: Before ProcessCallStmt + assume true; + // ProcessCallStmt: CheckSubrange + v##0 := a#0; + // ProcessCallStmt: Make the call + call $nw := Call$$_module.Cell.__ctor(v##0); + // TrCallStmt: After ProcessCallStmt + this.x := $nw; + defass#this.x := true; + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(37,7) + assume true; + // ----- init call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(37,10) + // TrCallStmt: Before ProcessCallStmt + assume true; + // ProcessCallStmt: CheckSubrange + v##1 := b#0; + // ProcessCallStmt: Make the call + call $nw := Call$$_module.Cell.__ctor(v##1); + // TrCallStmt: After ProcessCallStmt + this.y := $nw; + defass#this.y := true; + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(38,7) + assume true; + // ----- init call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(38,10) + // TrCallStmt: Before ProcessCallStmt + assume true; + // ProcessCallStmt: CheckSubrange + v##2 := c#0; + // ProcessCallStmt: Make the call + call $nw := Call$$_module.Cell.__ctor(v##2); + // TrCallStmt: After ProcessCallStmt + this.z := $nw; + defass#this.z := true; + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(39,10) + assume true; + assert defass#this.x; + assert defass#this.y; + assert defass#this.z; + assume true; + this.Repr := Set#UnionOne(Set#UnionOne(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(this)), $Box(this.x)), + $Box(this.y)), + $Box(this.z)); + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(40,11) + assume true; + assume true; + this.Value := #_System._tuple#3._#Make3($Box(a#0), $Box(b#0), $Box(c#0)); + // ----- new; ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(35,3) + assert defass#this.x; + assert defass#this.y; + assert defass#this.z; + assume !read($Heap, this, alloc); + assume read($Heap, this, _module.Point.Value) == this.Value; + assume read($Heap, this, _module.Point.Repr) == this.Repr; + assume read($Heap, this, _module.Point.x) == this.x; + assume read($Heap, this, _module.Point.y) == this.y; + assume read($Heap, this, _module.Point.z) == this.z; + $Heap := update($Heap, this, alloc, true); + assume $IsGoodHeap($Heap); + assume $IsHeapAnchor($Heap); + // ----- divided block after new; ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(35,3) +} + + + +procedure {:verboseName "Point.Mutate (well-formedness)"} CheckWellFormed$$_module.Point.Mutate(this: ref + where this != null + && + $Is(this, Tclass._module.Point()) + && $IsAlloc(this, Tclass._module.Point(), $Heap), + a#0: int, + b#0: int, + c#0: int); + free requires 1 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +implementation {:verboseName "Point.Mutate (well-formedness)"} CheckWellFormed$$_module.Point.Mutate(this: ref, a#0: int, b#0: int, c#0: int) +{ + var $_Frame: [ref,Field beta]bool; + + // AddMethodImpl: Mutate, CheckWellFormed$$_module.Point.Mutate + // initialize fuel constant + assume AsFuelBottom(StartFuel__module.Bot.Valid) == StartFuel__module.Bot.Valid; + assume AsFuelBottom(StartFuelAssert__module.Bot.Valid) + == StartFuelAssert__module.Bot.Valid; + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> read($Heap, this, _module.Point.Repr)[$Box($o)]); + // assume allocatedness for receiver argument to function + assume $IsAlloc(this, Tclass._module.Point?(), $Heap); + assume _module.Point.Valid#canCall($Heap, this); + assume _module.Point.Valid($Heap, this); + havoc $Heap; + assume (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] + || read(old($Heap), this, _module.Point.Repr)[$Box($o)]); + assume $HeapSucc(old($Heap), $Heap); + // assume allocatedness for receiver argument to function + assume $IsAlloc(this, Tclass._module.Point?(), $Heap); + assume _module.Point.Valid#canCall($Heap, this); + assume _module.Point.Valid($Heap, this); + assert $IsAlloc(this, Tclass._module.Point(), old($Heap)); + assume (forall $o: ref :: + { read(old($Heap), $o, alloc) } + read($Heap, this, _module.Point.Repr)[$Box($o)] + && !read(old($Heap), this, _module.Point.Repr)[$Box($o)] + ==> $o != null && !read(old($Heap), $o, alloc)); + assume _System.Tuple3#Equal(read($Heap, this, _module.Point.Value), + #_System._tuple#3._#Make3($Box(a#0), $Box(b#0), $Box(c#0))); +} + + + +procedure {:verboseName "Point.Mutate (call)"} Call$$_module.Point.Mutate(this: ref + where this != null + && + $Is(this, Tclass._module.Point()) + && $IsAlloc(this, Tclass._module.Point(), $Heap), + a#0: int, + b#0: int, + c#0: int); + // user-defined preconditions + requires _module.Point.Valid#canCall($Heap, this) + ==> _module.Point.Valid($Heap, this) + || read($Heap, this, _module.Point.Repr)[$Box(this)]; + requires _module.Point.Valid#canCall($Heap, this) + ==> _module.Point.Valid($Heap, this) + || Set#Subset(Set#UnionOne(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Point.x))), + $Box(read($Heap, this, _module.Point.y))), + $Box(read($Heap, this, _module.Point.z))), + read($Heap, this, _module.Point.Repr)); + requires _module.Point.Valid#canCall($Heap, this) + ==> _module.Point.Valid($Heap, this) + || read($Heap, this, _module.Point.x) != read($Heap, this, _module.Point.y); + requires _module.Point.Valid#canCall($Heap, this) + ==> _module.Point.Valid($Heap, this) + || read($Heap, this, _module.Point.y) != read($Heap, this, _module.Point.z); + requires _module.Point.Valid#canCall($Heap, this) + ==> _module.Point.Valid($Heap, this) + || read($Heap, this, _module.Point.z) != read($Heap, this, _module.Point.x); + requires _module.Point.Valid#canCall($Heap, this) + ==> _module.Point.Valid($Heap, this) + || _System.Tuple3#Equal(read($Heap, this, _module.Point.Value), + #_System._tuple#3._#Make3($Box(read($Heap, read($Heap, this, _module.Point.x), _module.Cell.val)), + $Box(read($Heap, read($Heap, this, _module.Point.y), _module.Cell.val)), + $Box(read($Heap, read($Heap, this, _module.Point.z), _module.Cell.val)))); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures _module.Point.Valid#canCall($Heap, this); + free ensures _module.Point.Valid#canCall($Heap, this) + && + _module.Point.Valid($Heap, this) + && + read($Heap, this, _module.Point.Repr)[$Box(this)] + && Set#Subset(Set#UnionOne(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Point.x))), + $Box(read($Heap, this, _module.Point.y))), + $Box(read($Heap, this, _module.Point.z))), + read($Heap, this, _module.Point.Repr)) + && read($Heap, this, _module.Point.x) != read($Heap, this, _module.Point.y) + && read($Heap, this, _module.Point.y) != read($Heap, this, _module.Point.z) + && read($Heap, this, _module.Point.z) != read($Heap, this, _module.Point.x) + && _System.Tuple3#Equal(read($Heap, this, _module.Point.Value), + #_System._tuple#3._#Make3($Box(read($Heap, read($Heap, this, _module.Point.x), _module.Cell.val)), + $Box(read($Heap, read($Heap, this, _module.Point.y), _module.Cell.val)), + $Box(read($Heap, read($Heap, this, _module.Point.z), _module.Cell.val)))); + ensures (forall $o: ref :: + { read(old($Heap), $o, alloc) } + read($Heap, this, _module.Point.Repr)[$Box($o)] + && !read(old($Heap), this, _module.Point.Repr)[$Box($o)] + ==> $o != null && !read(old($Heap), $o, alloc)); + free ensures $IsA#_System.Tuple3(read($Heap, this, _module.Point.Value)); + ensures _System.Tuple3#Equal(read($Heap, this, _module.Point.Value), + #_System._tuple#3._#Make3($Box(a#0), $Box(b#0), $Box(c#0))); + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] + || read(old($Heap), this, _module.Point.Repr)[$Box($o)]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +procedure {:verboseName "Point.Mutate (correctness)"} Impl$$_module.Point.Mutate(this: ref + where this != null + && + $Is(this, Tclass._module.Point()) + && $IsAlloc(this, Tclass._module.Point(), $Heap), + a#0: int, + b#0: int, + c#0: int) + returns ($_reverifyPost: bool); + free requires 1 == $FunctionContextHeight; + // user-defined preconditions + free requires _module.Point.Valid#canCall($Heap, this) + && + _module.Point.Valid($Heap, this) + && + read($Heap, this, _module.Point.Repr)[$Box(this)] + && Set#Subset(Set#UnionOne(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Point.x))), + $Box(read($Heap, this, _module.Point.y))), + $Box(read($Heap, this, _module.Point.z))), + read($Heap, this, _module.Point.Repr)) + && read($Heap, this, _module.Point.x) != read($Heap, this, _module.Point.y) + && read($Heap, this, _module.Point.y) != read($Heap, this, _module.Point.z) + && read($Heap, this, _module.Point.z) != read($Heap, this, _module.Point.x) + && _System.Tuple3#Equal(read($Heap, this, _module.Point.Value), + #_System._tuple#3._#Make3($Box(read($Heap, read($Heap, this, _module.Point.x), _module.Cell.val)), + $Box(read($Heap, read($Heap, this, _module.Point.y), _module.Cell.val)), + $Box(read($Heap, read($Heap, this, _module.Point.z), _module.Cell.val)))); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures _module.Point.Valid#canCall($Heap, this); + ensures _module.Point.Valid#canCall($Heap, this) + ==> _module.Point.Valid($Heap, this) + || read($Heap, this, _module.Point.Repr)[$Box(this)]; + ensures _module.Point.Valid#canCall($Heap, this) + ==> _module.Point.Valid($Heap, this) + || Set#Subset(Set#UnionOne(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Point.x))), + $Box(read($Heap, this, _module.Point.y))), + $Box(read($Heap, this, _module.Point.z))), + read($Heap, this, _module.Point.Repr)); + ensures _module.Point.Valid#canCall($Heap, this) + ==> _module.Point.Valid($Heap, this) + || read($Heap, this, _module.Point.x) != read($Heap, this, _module.Point.y); + ensures _module.Point.Valid#canCall($Heap, this) + ==> _module.Point.Valid($Heap, this) + || read($Heap, this, _module.Point.y) != read($Heap, this, _module.Point.z); + ensures _module.Point.Valid#canCall($Heap, this) + ==> _module.Point.Valid($Heap, this) + || read($Heap, this, _module.Point.z) != read($Heap, this, _module.Point.x); + ensures _module.Point.Valid#canCall($Heap, this) + ==> _module.Point.Valid($Heap, this) + || _System.Tuple3#Equal(read($Heap, this, _module.Point.Value), + #_System._tuple#3._#Make3($Box(read($Heap, read($Heap, this, _module.Point.x), _module.Cell.val)), + $Box(read($Heap, read($Heap, this, _module.Point.y), _module.Cell.val)), + $Box(read($Heap, read($Heap, this, _module.Point.z), _module.Cell.val)))); + ensures (forall $o: ref :: + { read(old($Heap), $o, alloc) } + read($Heap, this, _module.Point.Repr)[$Box($o)] + && !read(old($Heap), this, _module.Point.Repr)[$Box($o)] + ==> $o != null && !read(old($Heap), $o, alloc)); + free ensures $IsA#_System.Tuple3(read($Heap, this, _module.Point.Value)); + ensures _System.Tuple3#Equal(read($Heap, this, _module.Point.Value), + #_System._tuple#3._#Make3($Box(a#0), $Box(b#0), $Box(c#0))); + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] + || read(old($Heap), this, _module.Point.Repr)[$Box($o)]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +implementation {:verboseName "Point.Mutate (correctness)"} Impl$$_module.Point.Mutate(this: ref, a#0: int, b#0: int, c#0: int) returns ($_reverifyPost: bool) +{ + var $_Frame: [ref,Field beta]bool; + var $obj0: ref; + var $obj1: ref; + var $obj2: ref; + var $rhs#0: int; + var $rhs#1: int; + var $rhs#2: int; + var $rhs#3: DatatypeType; + + // AddMethodImpl: Mutate, Impl$$_module.Point.Mutate + // initialize fuel constant + assume AsFuelBottom(StartFuel__module.Bot.Valid) == StartFuel__module.Bot.Valid; + assume AsFuelBottom(StartFuelAssert__module.Bot.Valid) + == StartFuelAssert__module.Bot.Valid; + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> read($Heap, this, _module.Point.Repr)[$Box($o)]); + $_reverifyPost := false; + // ----- update statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(49,25) + assert read($Heap, this, _module.Point.x) != null; + assume true; + $obj0 := read($Heap, this, _module.Point.x); + assert $_Frame[$obj0, _module.Cell.val]; + assert read($Heap, this, _module.Point.y) != null; + assume true; + $obj1 := read($Heap, this, _module.Point.y); + assert $_Frame[$obj1, _module.Cell.val]; + assert read($Heap, this, _module.Point.z) != null; + assume true; + $obj2 := read($Heap, this, _module.Point.z); + assert $_Frame[$obj2, _module.Cell.val]; + assume true; + $rhs#0 := a#0; + assume true; + $rhs#1 := b#0; + assume true; + $rhs#2 := c#0; + assert read($Heap, this, _module.Point.y) != read($Heap, this, _module.Point.x) + || $rhs#1 == $rhs#0; + assert read($Heap, this, _module.Point.z) != read($Heap, this, _module.Point.x) + || $rhs#2 == $rhs#0; + assert read($Heap, this, _module.Point.z) != read($Heap, this, _module.Point.y) + || $rhs#2 == $rhs#1; + $Heap := update($Heap, $obj0, _module.Cell.val, $rhs#0); + assume $IsGoodHeap($Heap); + $Heap := update($Heap, $obj1, _module.Cell.val, $rhs#1); + assume $IsGoodHeap($Heap); + $Heap := update($Heap, $obj2, _module.Cell.val, $rhs#2); + assume $IsGoodHeap($Heap); + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(50,11) + assume true; + assert $_Frame[this, _module.Point.Value]; + assume true; + $rhs#3 := #_System._tuple#3._#Make3($Box(a#0), $Box(b#0), $Box(c#0)); + $Heap := update($Heap, this, _module.Point.Value, $rhs#3); + assume $IsGoodHeap($Heap); +} + + + +// _module.Point: non-null type $Is +axiom (forall c#0: ref :: + { $Is(c#0, Tclass._module.Point()) } + $Is(c#0, Tclass._module.Point()) + <==> $Is(c#0, Tclass._module.Point?()) && c#0 != null); + +// _module.Point: non-null type $IsAlloc +axiom (forall c#0: ref, $h: Heap :: + { $IsAlloc(c#0, Tclass._module.Point(), $h) } + $IsAlloc(c#0, Tclass._module.Point(), $h) + <==> $IsAlloc(c#0, Tclass._module.Point?(), $h)); + +const unique class._module.Arm?: ClassName; + +function Tclass._module.Arm?() : Ty; + +const unique Tagclass._module.Arm?: TyTag; + +// Tclass._module.Arm? Tag +axiom Tag(Tclass._module.Arm?()) == Tagclass._module.Arm? + && TagFamily(Tclass._module.Arm?()) == tytagFamily$Arm; + +// Box/unbox axiom for Tclass._module.Arm? +axiom (forall bx: Box :: + { $IsBox(bx, Tclass._module.Arm?()) } + $IsBox(bx, Tclass._module.Arm?()) + ==> $Box($Unbox(bx): ref) == bx && $Is($Unbox(bx): ref, Tclass._module.Arm?())); + +// Arm: Class $Is +axiom (forall $o: ref :: + { $Is($o, Tclass._module.Arm?()) } + $Is($o, Tclass._module.Arm?()) + <==> $o == null || dtype($o) == Tclass._module.Arm?()); + +// Arm: Class $IsAlloc +axiom (forall $o: ref, $h: Heap :: + { $IsAlloc($o, Tclass._module.Arm?(), $h) } + $IsAlloc($o, Tclass._module.Arm?(), $h) <==> $o == null || read($h, $o, alloc)); + +axiom FDim(_module.Arm.Value) == 0 + && FieldOfDecl(class._module.Arm?, field$Value) == _module.Arm.Value + && $IsGhostField(_module.Arm.Value); + +const _module.Arm.Value: Field DatatypeType; + +// Arm.Value: Type axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Arm.Value) } + $IsGoodHeap($h) && $o != null && dtype($o) == Tclass._module.Arm?() + ==> $Is(read($h, $o, _module.Arm.Value), Tclass._System.Tuple2(TInt, TInt))); + +// Arm.Value: Allocation axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Arm.Value) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._module.Arm?() + && read($h, $o, alloc) + ==> $IsAlloc(read($h, $o, _module.Arm.Value), Tclass._System.Tuple2(TInt, TInt), $h)); + +axiom FDim(_module.Arm.Repr) == 0 + && FieldOfDecl(class._module.Arm?, field$Repr) == _module.Arm.Repr + && $IsGhostField(_module.Arm.Repr); + +const _module.Arm.Repr: Field (Set Box); + +// Arm.Repr: Type axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Arm.Repr) } + $IsGoodHeap($h) && $o != null && dtype($o) == Tclass._module.Arm?() + ==> $Is(read($h, $o, _module.Arm.Repr), TSet(Tclass._System.object()))); + +// Arm.Repr: Allocation axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Arm.Repr) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._module.Arm?() + && read($h, $o, alloc) + ==> $IsAlloc(read($h, $o, _module.Arm.Repr), TSet(Tclass._System.object()), $h)); + +// function declaration for _module.Arm.Valid +function _module.Arm.Valid($heap: Heap, this: ref) : bool; + +function _module.Arm.Valid#canCall($heap: Heap, this: ref) : bool; + +function Tclass._module.Arm() : Ty; + +const unique Tagclass._module.Arm: TyTag; + +// Tclass._module.Arm Tag +axiom Tag(Tclass._module.Arm()) == Tagclass._module.Arm + && TagFamily(Tclass._module.Arm()) == tytagFamily$Arm; + +// Box/unbox axiom for Tclass._module.Arm +axiom (forall bx: Box :: + { $IsBox(bx, Tclass._module.Arm()) } + $IsBox(bx, Tclass._module.Arm()) + ==> $Box($Unbox(bx): ref) == bx && $Is($Unbox(bx): ref, Tclass._module.Arm())); + +// frame axiom for _module.Arm.Valid +axiom (forall $h0: Heap, $h1: Heap, this: ref :: + { $IsHeapAnchor($h0), $HeapSucc($h0, $h1), _module.Arm.Valid($h1, this) } + $IsGoodHeap($h0) + && $IsGoodHeap($h1) + && + this != null + && $Is(this, Tclass._module.Arm()) + && + $IsHeapAnchor($h0) + && $HeapSucc($h0, $h1) + ==> + (forall $o: ref, $f: Field alpha :: + $o != null && ($o == this || read($h0, this, _module.Arm.Repr)[$Box($o)]) + ==> read($h0, $o, $f) == read($h1, $o, $f)) + ==> _module.Arm.Valid($h0, this) == _module.Arm.Valid($h1, this)); + +// consequence axiom for _module.Arm.Valid +axiom 0 <= $FunctionContextHeight + ==> (forall $Heap: Heap, this: ref :: + { _module.Arm.Valid($Heap, this) } + _module.Arm.Valid#canCall($Heap, this) + || (0 != $FunctionContextHeight + && + $IsGoodHeap($Heap) + && + this != null + && + $Is(this, Tclass._module.Arm()) + && $IsAlloc(this, Tclass._module.Arm(), $Heap)) + ==> + _module.Arm.Valid($Heap, this) + ==> read($Heap, this, _module.Arm.Repr)[$Box(this)]); + +function _module.Arm.Valid#requires(Heap, ref) : bool; + +// #requires axiom for _module.Arm.Valid +axiom (forall $Heap: Heap, this: ref :: + { _module.Arm.Valid#requires($Heap, this), $IsGoodHeap($Heap) } + $IsGoodHeap($Heap) + && + this != null + && + $Is(this, Tclass._module.Arm()) + && $IsAlloc(this, Tclass._module.Arm(), $Heap) + ==> _module.Arm.Valid#requires($Heap, this) == true); + +axiom FDim(_module.Arm.polar) == 0 + && FieldOfDecl(class._module.Arm?, field$polar) == _module.Arm.polar + && !$IsGhostField(_module.Arm.polar); + +axiom FDim(_module.Arm.azim) == 0 + && FieldOfDecl(class._module.Arm?, field$azim) == _module.Arm.azim + && !$IsGhostField(_module.Arm.azim); + +// definition axiom for _module.Arm.Valid (revealed) +axiom 0 <= $FunctionContextHeight + ==> (forall $Heap: Heap, this: ref :: + { _module.Arm.Valid($Heap, this), $IsGoodHeap($Heap) } + _module.Arm.Valid#canCall($Heap, this) + || (0 != $FunctionContextHeight + && + $IsGoodHeap($Heap) + && + this != null + && + $Is(this, Tclass._module.Arm()) + && $IsAlloc(this, Tclass._module.Arm(), $Heap)) + ==> (read($Heap, this, _module.Arm.Repr)[$Box(this)] + ==> + Set#Subset(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Arm.polar))), + $Box(read($Heap, this, _module.Arm.azim))), + read($Heap, this, _module.Arm.Repr)) + ==> + read($Heap, this, _module.Arm.polar) != read($Heap, this, _module.Arm.azim) + ==> $IsA#_System.Tuple2(read($Heap, this, _module.Arm.Value))) + && _module.Arm.Valid($Heap, this) + == ( + read($Heap, this, _module.Arm.Repr)[$Box(this)] + && Set#Subset(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Arm.polar))), + $Box(read($Heap, this, _module.Arm.azim))), + read($Heap, this, _module.Arm.Repr)) + && read($Heap, this, _module.Arm.polar) != read($Heap, this, _module.Arm.azim) + && _System.Tuple2#Equal(read($Heap, this, _module.Arm.Value), + #_System._tuple#2._#Make2($Box(read($Heap, read($Heap, this, _module.Arm.polar), _module.Cell.val)), + $Box(read($Heap, read($Heap, this, _module.Arm.azim), _module.Cell.val)))))); + +procedure {:verboseName "Arm.Valid (well-formedness)"} CheckWellformed$$_module.Arm.Valid(this: ref + where this != null + && + $Is(this, Tclass._module.Arm()) + && $IsAlloc(this, Tclass._module.Arm(), $Heap)); + free requires 0 == $FunctionContextHeight; + modifies $Heap, $Tick; + ensures _module.Arm.Valid($Heap, this) + ==> read($Heap, this, _module.Arm.Repr)[$Box(this)]; + + + +implementation {:verboseName "Arm.Valid (well-formedness)"} CheckWellformed$$_module.Arm.Valid(this: ref) +{ + var $_Frame: [ref,Field beta]bool; + var b$reqreads#0: bool; + var b$reqreads#1: bool; + var b$reqreads#2: bool; + var b$reqreads#3: bool; + var b$reqreads#4: bool; + var b$reqreads#5: bool; + var b$reqreads#6: bool; + var b$reqreads#7: bool; + var b$reqreads#8: bool; + var b$reqreads#9: bool; + var b$reqreads#10: bool; + var b$reqreads#11: bool; + + b$reqreads#0 := true; + b$reqreads#1 := true; + b$reqreads#2 := true; + b$reqreads#3 := true; + b$reqreads#4 := true; + b$reqreads#5 := true; + b$reqreads#6 := true; + b$reqreads#7 := true; + b$reqreads#8 := true; + b$reqreads#9 := true; + b$reqreads#10 := true; + b$reqreads#11 := true; + + // AddWellformednessCheck for function Valid + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> $o == this || read($Heap, this, _module.Arm.Repr)[$Box($o)]); + // initialize fuel constant + assume AsFuelBottom(StartFuel__module.Bot.Valid) == StartFuel__module.Bot.Valid; + assume AsFuelBottom(StartFuelAssert__module.Bot.Valid) + == StartFuelAssert__module.Bot.Valid; + b$reqreads#0 := $_Frame[this, _module.Arm.Repr]; + assert b$reqreads#0; + if (*) + { + if (*) + { + // assume allocatedness for receiver argument to function + assume $IsAlloc(this, Tclass._module.Arm?(), $Heap); + assert this == this + || (Set#Subset(Set#Union(read($Heap, this, _module.Arm.Repr), + Set#UnionOne(Set#Empty(): Set Box, $Box(this))), + Set#Union(read($Heap, this, _module.Arm.Repr), + Set#UnionOne(Set#Empty(): Set Box, $Box(this)))) + && !Set#Subset(Set#Union(read($Heap, this, _module.Arm.Repr), + Set#UnionOne(Set#Empty(): Set Box, $Box(this))), + Set#Union(read($Heap, this, _module.Arm.Repr), + Set#UnionOne(Set#Empty(): Set Box, $Box(this))))); + assume this == this || _module.Arm.Valid#canCall($Heap, this); + assume _module.Arm.Valid($Heap, this); + assume read($Heap, this, _module.Arm.Repr)[$Box(this)]; + } + else + { + assume _module.Arm.Valid($Heap, this) + ==> read($Heap, this, _module.Arm.Repr)[$Box(this)]; + } + + assume false; + } + else + { + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> $o == this || read($Heap, this, _module.Arm.Repr)[$Box($o)]); + b$reqreads#1 := $_Frame[this, _module.Arm.Repr]; + if (read($Heap, this, _module.Arm.Repr)[$Box(this)]) + { + b$reqreads#2 := $_Frame[this, _module.Arm.polar]; + b$reqreads#3 := $_Frame[this, _module.Arm.azim]; + b$reqreads#4 := $_Frame[this, _module.Arm.Repr]; + } + + if (read($Heap, this, _module.Arm.Repr)[$Box(this)] + && Set#Subset(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Arm.polar))), + $Box(read($Heap, this, _module.Arm.azim))), + read($Heap, this, _module.Arm.Repr))) + { + b$reqreads#5 := $_Frame[this, _module.Arm.polar]; + b$reqreads#6 := $_Frame[this, _module.Arm.azim]; + } + + if (read($Heap, this, _module.Arm.Repr)[$Box(this)] + && Set#Subset(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Arm.polar))), + $Box(read($Heap, this, _module.Arm.azim))), + read($Heap, this, _module.Arm.Repr)) + && read($Heap, this, _module.Arm.polar) != read($Heap, this, _module.Arm.azim)) + { + b$reqreads#7 := $_Frame[this, _module.Arm.Value]; + b$reqreads#8 := $_Frame[this, _module.Arm.polar]; + assert read($Heap, this, _module.Arm.polar) != null; + b$reqreads#9 := $_Frame[read($Heap, this, _module.Arm.polar), _module.Cell.val]; + b$reqreads#10 := $_Frame[this, _module.Arm.azim]; + assert read($Heap, this, _module.Arm.azim) != null; + b$reqreads#11 := $_Frame[read($Heap, this, _module.Arm.azim), _module.Cell.val]; + } + + assume _module.Arm.Valid($Heap, this) + == ( + read($Heap, this, _module.Arm.Repr)[$Box(this)] + && Set#Subset(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Arm.polar))), + $Box(read($Heap, this, _module.Arm.azim))), + read($Heap, this, _module.Arm.Repr)) + && read($Heap, this, _module.Arm.polar) != read($Heap, this, _module.Arm.azim) + && _System.Tuple2#Equal(read($Heap, this, _module.Arm.Value), + #_System._tuple#2._#Make2($Box(read($Heap, read($Heap, this, _module.Arm.polar), _module.Cell.val)), + $Box(read($Heap, read($Heap, this, _module.Arm.azim), _module.Cell.val))))); + assume read($Heap, this, _module.Arm.Repr)[$Box(this)] + ==> + Set#Subset(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Arm.polar))), + $Box(read($Heap, this, _module.Arm.azim))), + read($Heap, this, _module.Arm.Repr)) + ==> + read($Heap, this, _module.Arm.polar) != read($Heap, this, _module.Arm.azim) + ==> $IsA#_System.Tuple2(read($Heap, this, _module.Arm.Value)); + // CheckWellformedWithResult: any expression + assume $Is(_module.Arm.Valid($Heap, this), TBool); + assert b$reqreads#1; + assert b$reqreads#2; + assert b$reqreads#3; + assert b$reqreads#4; + assert b$reqreads#5; + assert b$reqreads#6; + assert b$reqreads#7; + assert b$reqreads#8; + assert b$reqreads#9; + assert b$reqreads#10; + assert b$reqreads#11; + } +} + + + +const _module.Arm.polar: Field ref; + +// Arm.polar: Type axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Arm.polar) } + $IsGoodHeap($h) && $o != null && dtype($o) == Tclass._module.Arm?() + ==> $Is(read($h, $o, _module.Arm.polar), Tclass._module.Cell())); + +// Arm.polar: Allocation axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Arm.polar) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._module.Arm?() + && read($h, $o, alloc) + ==> $IsAlloc(read($h, $o, _module.Arm.polar), Tclass._module.Cell(), $h)); + +const _module.Arm.azim: Field ref; + +// Arm.azim: Type axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Arm.azim) } + $IsGoodHeap($h) && $o != null && dtype($o) == Tclass._module.Arm?() + ==> $Is(read($h, $o, _module.Arm.azim), Tclass._module.Cell())); + +// Arm.azim: Allocation axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Arm.azim) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._module.Arm?() + && read($h, $o, alloc) + ==> $IsAlloc(read($h, $o, _module.Arm.azim), Tclass._module.Cell(), $h)); + +procedure {:verboseName "Arm._ctor (well-formedness)"} CheckWellFormed$$_module.Arm.__ctor(this: ref + where this != null + && + $Is(this, Tclass._module.Arm()) + && $IsAlloc(this, Tclass._module.Arm(), $Heap), + polar_in#0: int, + azim_in#0: int); + free requires 1 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +procedure {:verboseName "Arm._ctor (call)"} Call$$_module.Arm.__ctor(polar_in#0: int, azim_in#0: int) + returns (this: ref + where this != null + && + $Is(this, Tclass._module.Arm()) + && $IsAlloc(this, Tclass._module.Arm(), $Heap)); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures _module.Arm.Valid#canCall($Heap, this); + free ensures _module.Arm.Valid#canCall($Heap, this) + && + _module.Arm.Valid($Heap, this) + && + read($Heap, this, _module.Arm.Repr)[$Box(this)] + && Set#Subset(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Arm.polar))), + $Box(read($Heap, this, _module.Arm.azim))), + read($Heap, this, _module.Arm.Repr)) + && read($Heap, this, _module.Arm.polar) != read($Heap, this, _module.Arm.azim) + && _System.Tuple2#Equal(read($Heap, this, _module.Arm.Value), + #_System._tuple#2._#Make2($Box(read($Heap, read($Heap, this, _module.Arm.polar), _module.Cell.val)), + $Box(read($Heap, read($Heap, this, _module.Arm.azim), _module.Cell.val)))); + ensures (forall $o: ref :: + { read($Heap, this, _module.Arm.Repr)[$Box($o)] } + read($Heap, this, _module.Arm.Repr)[$Box($o)] + ==> $o != null && !read(old($Heap), $o, alloc)); + free ensures $IsA#_System.Tuple2(read($Heap, this, _module.Arm.Value)); + ensures _System.Tuple2#Equal(read($Heap, this, _module.Arm.Value), + #_System._tuple#2._#Make2($Box(polar_in#0), $Box(azim_in#0))); + // constructor allocates the object + ensures !read(old($Heap), this, alloc); + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) ==> $Heap[$o] == old($Heap)[$o]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +procedure {:verboseName "Arm._ctor (correctness)"} Impl$$_module.Arm.__ctor(polar_in#0: int, azim_in#0: int) + returns (this: ref where this != null && $Is(this, Tclass._module.Arm()), + $_reverifyPost: bool); + free requires 1 == $FunctionContextHeight; + modifies $Heap, $Tick; + // user-defined postconditions + free ensures _module.Arm.Valid#canCall($Heap, this); + ensures _module.Arm.Valid#canCall($Heap, this) + ==> _module.Arm.Valid($Heap, this) + || read($Heap, this, _module.Arm.Repr)[$Box(this)]; + ensures _module.Arm.Valid#canCall($Heap, this) + ==> _module.Arm.Valid($Heap, this) + || Set#Subset(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Arm.polar))), + $Box(read($Heap, this, _module.Arm.azim))), + read($Heap, this, _module.Arm.Repr)); + ensures _module.Arm.Valid#canCall($Heap, this) + ==> _module.Arm.Valid($Heap, this) + || read($Heap, this, _module.Arm.polar) != read($Heap, this, _module.Arm.azim); + ensures _module.Arm.Valid#canCall($Heap, this) + ==> _module.Arm.Valid($Heap, this) + || _System.Tuple2#Equal(read($Heap, this, _module.Arm.Value), + #_System._tuple#2._#Make2($Box(read($Heap, read($Heap, this, _module.Arm.polar), _module.Cell.val)), + $Box(read($Heap, read($Heap, this, _module.Arm.azim), _module.Cell.val)))); + ensures (forall $o: ref :: + { read($Heap, this, _module.Arm.Repr)[$Box($o)] } + read($Heap, this, _module.Arm.Repr)[$Box($o)] + ==> $o != null && !read(old($Heap), $o, alloc)); + free ensures $IsA#_System.Tuple2(read($Heap, this, _module.Arm.Value)); + ensures _System.Tuple2#Equal(read($Heap, this, _module.Arm.Value), + #_System._tuple#2._#Make2($Box(polar_in#0), $Box(azim_in#0))); + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) ==> $Heap[$o] == old($Heap)[$o]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +implementation {:verboseName "Arm._ctor (correctness)"} Impl$$_module.Arm.__ctor(polar_in#0: int, azim_in#0: int) returns (this: ref, $_reverifyPost: bool) +{ + var $_Frame: [ref,Field beta]bool; + var this.Value: DatatypeType; + var this.Repr: Set Box; + var this.polar: ref; + var this.azim: ref; + var defass#this.polar: bool; + var defass#this.azim: bool; + var $nw: ref; + var v##0: int; + var v##1: int; + + // AddMethodImpl: _ctor, Impl$$_module.Arm.__ctor + // initialize fuel constant + assume AsFuelBottom(StartFuel__module.Bot.Valid) == StartFuel__module.Bot.Valid; + assume AsFuelBottom(StartFuelAssert__module.Bot.Valid) + == StartFuelAssert__module.Bot.Valid; + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> false); + $_reverifyPost := false; + // ----- divided block before new; ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(74,3) + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(75,11) + assume true; + // ----- init call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(75,14) + // TrCallStmt: Before ProcessCallStmt + assume true; + // ProcessCallStmt: CheckSubrange + v##0 := polar_in#0; + // ProcessCallStmt: Make the call + call $nw := Call$$_module.Cell.__ctor(v##0); + // TrCallStmt: After ProcessCallStmt + this.polar := $nw; + defass#this.polar := true; + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(76,10) + assume true; + // ----- init call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(76,13) + // TrCallStmt: Before ProcessCallStmt + assume true; + // ProcessCallStmt: CheckSubrange + v##1 := azim_in#0; + // ProcessCallStmt: Make the call + call $nw := Call$$_module.Cell.__ctor(v##1); + // TrCallStmt: After ProcessCallStmt + this.azim := $nw; + defass#this.azim := true; + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(77,10) + assume true; + assert defass#this.polar; + assert defass#this.azim; + assume true; + this.Repr := Set#UnionOne(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(this)), $Box(this.polar)), + $Box(this.azim)); + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(78,11) + assume true; + assume true; + this.Value := #_System._tuple#2._#Make2($Box(polar_in#0), $Box(azim_in#0)); + // ----- new; ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(74,3) + assert defass#this.polar; + assert defass#this.azim; + assume !read($Heap, this, alloc); + assume read($Heap, this, _module.Arm.Value) == this.Value; + assume read($Heap, this, _module.Arm.Repr) == this.Repr; + assume read($Heap, this, _module.Arm.polar) == this.polar; + assume read($Heap, this, _module.Arm.azim) == this.azim; + $Heap := update($Heap, this, alloc, true); + assume $IsGoodHeap($Heap); + assume $IsHeapAnchor($Heap); + // ----- divided block after new; ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(74,3) +} + + + +procedure {:verboseName "Arm.Mutate (well-formedness)"} CheckWellFormed$$_module.Arm.Mutate(this: ref + where this != null + && + $Is(this, Tclass._module.Arm()) + && $IsAlloc(this, Tclass._module.Arm(), $Heap), + polar_in#0: int, + azim_in#0: int); + free requires 1 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +implementation {:verboseName "Arm.Mutate (well-formedness)"} CheckWellFormed$$_module.Arm.Mutate(this: ref, polar_in#0: int, azim_in#0: int) +{ + var $_Frame: [ref,Field beta]bool; + + // AddMethodImpl: Mutate, CheckWellFormed$$_module.Arm.Mutate + // initialize fuel constant + assume AsFuelBottom(StartFuel__module.Bot.Valid) == StartFuel__module.Bot.Valid; + assume AsFuelBottom(StartFuelAssert__module.Bot.Valid) + == StartFuelAssert__module.Bot.Valid; + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> read($Heap, this, _module.Arm.Repr)[$Box($o)]); + // assume allocatedness for receiver argument to function + assume $IsAlloc(this, Tclass._module.Arm?(), $Heap); + assume _module.Arm.Valid#canCall($Heap, this); + assume _module.Arm.Valid($Heap, this); + havoc $Heap; + assume (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] + || read(old($Heap), this, _module.Arm.Repr)[$Box($o)]); + assume $HeapSucc(old($Heap), $Heap); + // assume allocatedness for receiver argument to function + assume $IsAlloc(this, Tclass._module.Arm?(), $Heap); + assume _module.Arm.Valid#canCall($Heap, this); + assume _module.Arm.Valid($Heap, this); + assert $IsAlloc(this, Tclass._module.Arm(), old($Heap)); + assume (forall $o: ref :: + { read(old($Heap), $o, alloc) } + read($Heap, this, _module.Arm.Repr)[$Box($o)] + && !read(old($Heap), this, _module.Arm.Repr)[$Box($o)] + ==> $o != null && !read(old($Heap), $o, alloc)); + assume _System.Tuple2#Equal(read($Heap, this, _module.Arm.Value), + #_System._tuple#2._#Make2($Box(polar_in#0), $Box(azim_in#0))); +} + + + +procedure {:verboseName "Arm.Mutate (call)"} Call$$_module.Arm.Mutate(this: ref + where this != null + && + $Is(this, Tclass._module.Arm()) + && $IsAlloc(this, Tclass._module.Arm(), $Heap), + polar_in#0: int, + azim_in#0: int); + // user-defined preconditions + requires _module.Arm.Valid#canCall($Heap, this) + ==> _module.Arm.Valid($Heap, this) + || read($Heap, this, _module.Arm.Repr)[$Box(this)]; + requires _module.Arm.Valid#canCall($Heap, this) + ==> _module.Arm.Valid($Heap, this) + || Set#Subset(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Arm.polar))), + $Box(read($Heap, this, _module.Arm.azim))), + read($Heap, this, _module.Arm.Repr)); + requires _module.Arm.Valid#canCall($Heap, this) + ==> _module.Arm.Valid($Heap, this) + || read($Heap, this, _module.Arm.polar) != read($Heap, this, _module.Arm.azim); + requires _module.Arm.Valid#canCall($Heap, this) + ==> _module.Arm.Valid($Heap, this) + || _System.Tuple2#Equal(read($Heap, this, _module.Arm.Value), + #_System._tuple#2._#Make2($Box(read($Heap, read($Heap, this, _module.Arm.polar), _module.Cell.val)), + $Box(read($Heap, read($Heap, this, _module.Arm.azim), _module.Cell.val)))); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures _module.Arm.Valid#canCall($Heap, this); + free ensures _module.Arm.Valid#canCall($Heap, this) + && + _module.Arm.Valid($Heap, this) + && + read($Heap, this, _module.Arm.Repr)[$Box(this)] + && Set#Subset(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Arm.polar))), + $Box(read($Heap, this, _module.Arm.azim))), + read($Heap, this, _module.Arm.Repr)) + && read($Heap, this, _module.Arm.polar) != read($Heap, this, _module.Arm.azim) + && _System.Tuple2#Equal(read($Heap, this, _module.Arm.Value), + #_System._tuple#2._#Make2($Box(read($Heap, read($Heap, this, _module.Arm.polar), _module.Cell.val)), + $Box(read($Heap, read($Heap, this, _module.Arm.azim), _module.Cell.val)))); + ensures (forall $o: ref :: + { read(old($Heap), $o, alloc) } + read($Heap, this, _module.Arm.Repr)[$Box($o)] + && !read(old($Heap), this, _module.Arm.Repr)[$Box($o)] + ==> $o != null && !read(old($Heap), $o, alloc)); + free ensures $IsA#_System.Tuple2(read($Heap, this, _module.Arm.Value)); + ensures _System.Tuple2#Equal(read($Heap, this, _module.Arm.Value), + #_System._tuple#2._#Make2($Box(polar_in#0), $Box(azim_in#0))); + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] + || read(old($Heap), this, _module.Arm.Repr)[$Box($o)]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +procedure {:verboseName "Arm.Mutate (correctness)"} Impl$$_module.Arm.Mutate(this: ref + where this != null + && + $Is(this, Tclass._module.Arm()) + && $IsAlloc(this, Tclass._module.Arm(), $Heap), + polar_in#0: int, + azim_in#0: int) + returns ($_reverifyPost: bool); + free requires 1 == $FunctionContextHeight; + // user-defined preconditions + free requires _module.Arm.Valid#canCall($Heap, this) + && + _module.Arm.Valid($Heap, this) + && + read($Heap, this, _module.Arm.Repr)[$Box(this)] + && Set#Subset(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Arm.polar))), + $Box(read($Heap, this, _module.Arm.azim))), + read($Heap, this, _module.Arm.Repr)) + && read($Heap, this, _module.Arm.polar) != read($Heap, this, _module.Arm.azim) + && _System.Tuple2#Equal(read($Heap, this, _module.Arm.Value), + #_System._tuple#2._#Make2($Box(read($Heap, read($Heap, this, _module.Arm.polar), _module.Cell.val)), + $Box(read($Heap, read($Heap, this, _module.Arm.azim), _module.Cell.val)))); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures _module.Arm.Valid#canCall($Heap, this); + ensures _module.Arm.Valid#canCall($Heap, this) + ==> _module.Arm.Valid($Heap, this) + || read($Heap, this, _module.Arm.Repr)[$Box(this)]; + ensures _module.Arm.Valid#canCall($Heap, this) + ==> _module.Arm.Valid($Heap, this) + || Set#Subset(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Arm.polar))), + $Box(read($Heap, this, _module.Arm.azim))), + read($Heap, this, _module.Arm.Repr)); + ensures _module.Arm.Valid#canCall($Heap, this) + ==> _module.Arm.Valid($Heap, this) + || read($Heap, this, _module.Arm.polar) != read($Heap, this, _module.Arm.azim); + ensures _module.Arm.Valid#canCall($Heap, this) + ==> _module.Arm.Valid($Heap, this) + || _System.Tuple2#Equal(read($Heap, this, _module.Arm.Value), + #_System._tuple#2._#Make2($Box(read($Heap, read($Heap, this, _module.Arm.polar), _module.Cell.val)), + $Box(read($Heap, read($Heap, this, _module.Arm.azim), _module.Cell.val)))); + ensures (forall $o: ref :: + { read(old($Heap), $o, alloc) } + read($Heap, this, _module.Arm.Repr)[$Box($o)] + && !read(old($Heap), this, _module.Arm.Repr)[$Box($o)] + ==> $o != null && !read(old($Heap), $o, alloc)); + free ensures $IsA#_System.Tuple2(read($Heap, this, _module.Arm.Value)); + ensures _System.Tuple2#Equal(read($Heap, this, _module.Arm.Value), + #_System._tuple#2._#Make2($Box(polar_in#0), $Box(azim_in#0))); + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] + || read(old($Heap), this, _module.Arm.Repr)[$Box($o)]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +implementation {:verboseName "Arm.Mutate (correctness)"} Impl$$_module.Arm.Mutate(this: ref, polar_in#0: int, azim_in#0: int) returns ($_reverifyPost: bool) +{ + var $_Frame: [ref,Field beta]bool; + var $obj0: ref; + var $obj1: ref; + var $rhs#0: int; + var $rhs#1: int; + var $rhs#2: DatatypeType; + + // AddMethodImpl: Mutate, Impl$$_module.Arm.Mutate + // initialize fuel constant + assume AsFuelBottom(StartFuel__module.Bot.Valid) == StartFuel__module.Bot.Valid; + assume AsFuelBottom(StartFuelAssert__module.Bot.Valid) + == StartFuelAssert__module.Bot.Valid; + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> read($Heap, this, _module.Arm.Repr)[$Box($o)]); + $_reverifyPost := false; + // ----- update statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(87,25) + assert read($Heap, this, _module.Arm.polar) != null; + assume true; + $obj0 := read($Heap, this, _module.Arm.polar); + assert $_Frame[$obj0, _module.Cell.val]; + assert read($Heap, this, _module.Arm.azim) != null; + assume true; + $obj1 := read($Heap, this, _module.Arm.azim); + assert $_Frame[$obj1, _module.Cell.val]; + assume true; + $rhs#0 := polar_in#0; + assume true; + $rhs#1 := azim_in#0; + assert read($Heap, this, _module.Arm.azim) != read($Heap, this, _module.Arm.polar) + || $rhs#1 == $rhs#0; + $Heap := update($Heap, $obj0, _module.Cell.val, $rhs#0); + assume $IsGoodHeap($Heap); + $Heap := update($Heap, $obj1, _module.Cell.val, $rhs#1); + assume $IsGoodHeap($Heap); + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(88,11) + assume true; + assert $_Frame[this, _module.Arm.Value]; + assume true; + $rhs#2 := #_System._tuple#2._#Make2($Box(polar_in#0), $Box(azim_in#0)); + $Heap := update($Heap, this, _module.Arm.Value, $rhs#2); + assume $IsGoodHeap($Heap); +} + + + +// _module.Arm: non-null type $Is +axiom (forall c#0: ref :: + { $Is(c#0, Tclass._module.Arm()) } + $Is(c#0, Tclass._module.Arm()) + <==> $Is(c#0, Tclass._module.Arm?()) && c#0 != null); + +// _module.Arm: non-null type $IsAlloc +axiom (forall c#0: ref, $h: Heap :: + { $IsAlloc(c#0, Tclass._module.Arm(), $h) } + $IsAlloc(c#0, Tclass._module.Arm(), $h) + <==> $IsAlloc(c#0, Tclass._module.Arm?(), $h)); + +const unique class._module.Bot?: ClassName; + +function Tclass._module.Bot?() : Ty; + +const unique Tagclass._module.Bot?: TyTag; + +// Tclass._module.Bot? Tag +axiom Tag(Tclass._module.Bot?()) == Tagclass._module.Bot? + && TagFamily(Tclass._module.Bot?()) == tytagFamily$Bot; + +// Box/unbox axiom for Tclass._module.Bot? +axiom (forall bx: Box :: + { $IsBox(bx, Tclass._module.Bot?()) } + $IsBox(bx, Tclass._module.Bot?()) + ==> $Box($Unbox(bx): ref) == bx && $Is($Unbox(bx): ref, Tclass._module.Bot?())); + +// Bot: Class $Is +axiom (forall $o: ref :: + { $Is($o, Tclass._module.Bot?()) } + $Is($o, Tclass._module.Bot?()) + <==> $o == null || dtype($o) == Tclass._module.Bot?()); + +// Bot: Class $IsAlloc +axiom (forall $o: ref, $h: Heap :: + { $IsAlloc($o, Tclass._module.Bot?(), $h) } + $IsAlloc($o, Tclass._module.Bot?(), $h) <==> $o == null || read($h, $o, alloc)); + +axiom FDim(_module.Bot.Repr) == 0 + && FieldOfDecl(class._module.Bot?, field$Repr) == _module.Bot.Repr + && $IsGhostField(_module.Bot.Repr); + +const _module.Bot.Repr: Field (Set Box); + +// Bot.Repr: Type axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Bot.Repr) } + $IsGoodHeap($h) && $o != null && dtype($o) == Tclass._module.Bot?() + ==> $Is(read($h, $o, _module.Bot.Repr), TSet(Tclass._System.object()))); + +// Bot.Repr: Allocation axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Bot.Repr) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._module.Bot?() + && read($h, $o, alloc) + ==> $IsAlloc(read($h, $o, _module.Bot.Repr), TSet(Tclass._System.object()), $h)); + +// function declaration for _module.Bot.Valid +function _module.Bot.Valid($ly: LayerType, $heap: Heap, this: ref) : bool; + +function _module.Bot.Valid#canCall($heap: Heap, this: ref) : bool; + +// layer synonym axiom +axiom (forall $ly: LayerType, $Heap: Heap, this: ref :: + { _module.Bot.Valid($LS($ly), $Heap, this) } + _module.Bot.Valid($LS($ly), $Heap, this) == _module.Bot.Valid($ly, $Heap, this)); + +// fuel synonym axiom +axiom (forall $ly: LayerType, $Heap: Heap, this: ref :: + { _module.Bot.Valid(AsFuelBottom($ly), $Heap, this) } + _module.Bot.Valid($ly, $Heap, this) == _module.Bot.Valid($LZ, $Heap, this)); + +function Tclass._module.Bot() : Ty; + +const unique Tagclass._module.Bot: TyTag; + +// Tclass._module.Bot Tag +axiom Tag(Tclass._module.Bot()) == Tagclass._module.Bot + && TagFamily(Tclass._module.Bot()) == tytagFamily$Bot; + +// Box/unbox axiom for Tclass._module.Bot +axiom (forall bx: Box :: + { $IsBox(bx, Tclass._module.Bot()) } + $IsBox(bx, Tclass._module.Bot()) + ==> $Box($Unbox(bx): ref) == bx && $Is($Unbox(bx): ref, Tclass._module.Bot())); + +// frame axiom for _module.Bot.Valid +axiom (forall $ly: LayerType, $h0: Heap, $h1: Heap, this: ref :: + { $IsHeapAnchor($h0), $HeapSucc($h0, $h1), _module.Bot.Valid($ly, $h1, this) } + $IsGoodHeap($h0) + && $IsGoodHeap($h1) + && + this != null + && $Is(this, Tclass._module.Bot()) + && + $IsHeapAnchor($h0) + && $HeapSucc($h0, $h1) + ==> + (forall $o: ref, $f: Field alpha :: + $o != null && ($o == this || read($h0, this, _module.Bot.Repr)[$Box($o)]) + ==> read($h0, $o, $f) == read($h1, $o, $f)) + ==> _module.Bot.Valid($ly, $h0, this) == _module.Bot.Valid($ly, $h1, this)); + +// consequence axiom for _module.Bot.Valid +axiom 1 <= $FunctionContextHeight + ==> (forall $ly: LayerType, $Heap: Heap, this: ref :: + { _module.Bot.Valid($ly, $Heap, this) } + _module.Bot.Valid#canCall($Heap, this) + || (1 != $FunctionContextHeight + && + $IsGoodHeap($Heap) + && + this != null + && + $Is(this, Tclass._module.Bot()) + && $IsAlloc(this, Tclass._module.Bot(), $Heap)) + ==> + _module.Bot.Valid($ly, $Heap, this) + ==> read($Heap, this, _module.Bot.Repr)[$Box(this)]); + +function _module.Bot.Valid#requires(LayerType, Heap, ref) : bool; + +// #requires axiom for _module.Bot.Valid +axiom (forall $ly: LayerType, $Heap: Heap, this: ref :: + { _module.Bot.Valid#requires($ly, $Heap, this), $IsGoodHeap($Heap) } + $IsGoodHeap($Heap) + && + this != null + && + $Is(this, Tclass._module.Bot()) + && $IsAlloc(this, Tclass._module.Bot(), $Heap) + ==> _module.Bot.Valid#requires($ly, $Heap, this) == true); + +axiom FDim(_module.Bot.pos) == 0 + && FieldOfDecl(class._module.Bot?, field$pos) == _module.Bot.pos + && !$IsGhostField(_module.Bot.pos); + +axiom FDim(_module.Bot.left) == 0 + && FieldOfDecl(class._module.Bot?, field$left) == _module.Bot.left + && !$IsGhostField(_module.Bot.left); + +axiom FDim(_module.Bot.right) == 0 + && FieldOfDecl(class._module.Bot?, field$right) == _module.Bot.right + && !$IsGhostField(_module.Bot.right); + +// definition axiom for _module.Bot.Valid (revealed) +axiom 1 <= $FunctionContextHeight + ==> (forall $ly: LayerType, $Heap: Heap, this: ref :: + { _module.Bot.Valid($LS($ly), $Heap, this), $IsGoodHeap($Heap) } + _module.Bot.Valid#canCall($Heap, this) + || (1 != $FunctionContextHeight + && + $IsGoodHeap($Heap) + && + this != null + && + $Is(this, Tclass._module.Bot()) + && $IsAlloc(this, Tclass._module.Bot(), $Heap)) + ==> (read($Heap, this, _module.Bot.Repr)[$Box(this)] + ==> + read($Heap, this, _module.Bot.Repr)[$Box(read($Heap, this, _module.Bot.pos))] + ==> + Set#Subset(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Bot.left))), + $Box(read($Heap, this, _module.Bot.right))), + read($Heap, this, _module.Bot.Repr)) + ==> + read($Heap, this, _module.Bot.left) != read($Heap, this, _module.Bot.right) + ==> + Set#Subset(read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.Repr), + read($Heap, this, _module.Bot.Repr)) + ==> + Set#Subset(read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.Repr), + read($Heap, this, _module.Bot.Repr)) + ==> + Set#Subset(read($Heap, read($Heap, this, _module.Bot.right), _module.Arm.Repr), + read($Heap, this, _module.Bot.Repr)) + ==> + Set#Disjoint(read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.Repr), + read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.Repr)) + ==> + Set#Disjoint(read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.Repr), + read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.Repr)) + ==> + Set#Disjoint(Set#Union(read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.Repr), + read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.Repr)), + read($Heap, read($Heap, this, _module.Bot.right), _module.Arm.Repr)) + ==> _module.Point.Valid#canCall($Heap, read($Heap, this, _module.Bot.pos)) + && (_module.Point.Valid($Heap, read($Heap, this, _module.Bot.pos)) + ==> _module.Arm.Valid#canCall($Heap, read($Heap, this, _module.Bot.left)) + && (_module.Arm.Valid($Heap, read($Heap, this, _module.Bot.left)) + ==> _module.Arm.Valid#canCall($Heap, read($Heap, this, _module.Bot.right))))) + && _module.Bot.Valid($LS($ly), $Heap, this) + == ( + read($Heap, this, _module.Bot.Repr)[$Box(this)] + && read($Heap, this, _module.Bot.Repr)[$Box(read($Heap, this, _module.Bot.pos))] + && Set#Subset(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Bot.left))), + $Box(read($Heap, this, _module.Bot.right))), + read($Heap, this, _module.Bot.Repr)) + && read($Heap, this, _module.Bot.left) != read($Heap, this, _module.Bot.right) + && Set#Subset(read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.Repr), + read($Heap, this, _module.Bot.Repr)) + && Set#Subset(read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.Repr), + read($Heap, this, _module.Bot.Repr)) + && Set#Subset(read($Heap, read($Heap, this, _module.Bot.right), _module.Arm.Repr), + read($Heap, this, _module.Bot.Repr)) + && + Set#Disjoint(read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.Repr), + read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.Repr)) + && Set#Disjoint(read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.Repr), + read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.Repr)) + && Set#Disjoint(Set#Union(read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.Repr), + read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.Repr)), + read($Heap, read($Heap, this, _module.Bot.right), _module.Arm.Repr)) + && _module.Point.Valid($Heap, read($Heap, this, _module.Bot.pos)) + && _module.Arm.Valid($Heap, read($Heap, this, _module.Bot.left)) + && _module.Arm.Valid($Heap, read($Heap, this, _module.Bot.right)))); + +procedure {:verboseName "Bot.Valid (well-formedness)"} {:opaque} CheckWellformed$$_module.Bot.Valid(this: ref + where this != null + && + $Is(this, Tclass._module.Bot()) + && $IsAlloc(this, Tclass._module.Bot(), $Heap)); + free requires 1 == $FunctionContextHeight; + modifies $Heap, $Tick; + ensures _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, this) + ==> read($Heap, this, _module.Bot.Repr)[$Box(this)]; + + + +implementation {:verboseName "Bot.Valid (well-formedness)"} {:opaque} CheckWellformed$$_module.Bot.Valid(this: ref) +{ + var $_Frame: [ref,Field beta]bool; + var b$reqreads#0: bool; + var b$reqreads#1: bool; + var b$reqreads#2: bool; + var b$reqreads#3: bool; + var b$reqreads#4: bool; + var b$reqreads#5: bool; + var b$reqreads#6: bool; + var b$reqreads#7: bool; + var b$reqreads#8: bool; + var b$reqreads#9: bool; + var b$reqreads#10: bool; + var b$reqreads#11: bool; + var b$reqreads#12: bool; + var b$reqreads#13: bool; + var b$reqreads#14: bool; + var b$reqreads#15: bool; + var b$reqreads#16: bool; + var b$reqreads#17: bool; + var b$reqreads#18: bool; + var b$reqreads#19: bool; + var b$reqreads#20: bool; + var b$reqreads#21: bool; + var b$reqreads#22: bool; + var b$reqreads#23: bool; + var b$reqreads#24: bool; + var b$reqreads#25: bool; + var b$reqreads#26: bool; + var b$reqreads#27: bool; + var b$reqreads#28: bool; + var b$reqreads#29: bool; + var b$reqreads#30: bool; + var b$reqreads#31: bool; + var b$reqreads#32: bool; + var b$reqreads#33: bool; + var b$reqreads#34: bool; + var b$reqreads#35: bool; + var b$reqreads#36: bool; + var b$reqreads#37: bool; + + b$reqreads#0 := true; + b$reqreads#1 := true; + b$reqreads#2 := true; + b$reqreads#3 := true; + b$reqreads#4 := true; + b$reqreads#5 := true; + b$reqreads#6 := true; + b$reqreads#7 := true; + b$reqreads#8 := true; + b$reqreads#9 := true; + b$reqreads#10 := true; + b$reqreads#11 := true; + b$reqreads#12 := true; + b$reqreads#13 := true; + b$reqreads#14 := true; + b$reqreads#15 := true; + b$reqreads#16 := true; + b$reqreads#17 := true; + b$reqreads#18 := true; + b$reqreads#19 := true; + b$reqreads#20 := true; + b$reqreads#21 := true; + b$reqreads#22 := true; + b$reqreads#23 := true; + b$reqreads#24 := true; + b$reqreads#25 := true; + b$reqreads#26 := true; + b$reqreads#27 := true; + b$reqreads#28 := true; + b$reqreads#29 := true; + b$reqreads#30 := true; + b$reqreads#31 := true; + b$reqreads#32 := true; + b$reqreads#33 := true; + b$reqreads#34 := true; + b$reqreads#35 := true; + b$reqreads#36 := true; + b$reqreads#37 := true; + + // AddWellformednessCheck for function Valid + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> $o == this || read($Heap, this, _module.Bot.Repr)[$Box($o)]); + // initialize fuel constant + assume AsFuelBottom(StartFuel__module.Bot.Valid) == StartFuel__module.Bot.Valid; + assume AsFuelBottom(StartFuelAssert__module.Bot.Valid) + == StartFuelAssert__module.Bot.Valid; + b$reqreads#0 := $_Frame[this, _module.Bot.Repr]; + assert b$reqreads#0; + if (*) + { + if (*) + { + // assume allocatedness for receiver argument to function + assume $IsAlloc(this, Tclass._module.Bot?(), $Heap); + assert this == this + || (Set#Subset(Set#Union(read($Heap, this, _module.Bot.Repr), + Set#UnionOne(Set#Empty(): Set Box, $Box(this))), + Set#Union(read($Heap, this, _module.Bot.Repr), + Set#UnionOne(Set#Empty(): Set Box, $Box(this)))) + && !Set#Subset(Set#Union(read($Heap, this, _module.Bot.Repr), + Set#UnionOne(Set#Empty(): Set Box, $Box(this))), + Set#Union(read($Heap, this, _module.Bot.Repr), + Set#UnionOne(Set#Empty(): Set Box, $Box(this))))); + assume this == this || _module.Bot.Valid#canCall($Heap, this); + assume _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, this); + assume read($Heap, this, _module.Bot.Repr)[$Box(this)]; + } + else + { + assume _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, this) + ==> read($Heap, this, _module.Bot.Repr)[$Box(this)]; + } + + assume false; + } + else + { + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> $o == this || read($Heap, this, _module.Bot.Repr)[$Box($o)]); + b$reqreads#1 := $_Frame[this, _module.Bot.Repr]; + if (read($Heap, this, _module.Bot.Repr)[$Box(this)]) + { + b$reqreads#2 := $_Frame[this, _module.Bot.pos]; + b$reqreads#3 := $_Frame[this, _module.Bot.Repr]; + } + + if (read($Heap, this, _module.Bot.Repr)[$Box(this)] + && read($Heap, this, _module.Bot.Repr)[$Box(read($Heap, this, _module.Bot.pos))]) + { + b$reqreads#4 := $_Frame[this, _module.Bot.left]; + b$reqreads#5 := $_Frame[this, _module.Bot.right]; + b$reqreads#6 := $_Frame[this, _module.Bot.Repr]; + } + + if (read($Heap, this, _module.Bot.Repr)[$Box(this)] + && read($Heap, this, _module.Bot.Repr)[$Box(read($Heap, this, _module.Bot.pos))] + && Set#Subset(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Bot.left))), + $Box(read($Heap, this, _module.Bot.right))), + read($Heap, this, _module.Bot.Repr))) + { + b$reqreads#7 := $_Frame[this, _module.Bot.left]; + b$reqreads#8 := $_Frame[this, _module.Bot.right]; + } + + if (read($Heap, this, _module.Bot.Repr)[$Box(this)] + && read($Heap, this, _module.Bot.Repr)[$Box(read($Heap, this, _module.Bot.pos))] + && Set#Subset(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Bot.left))), + $Box(read($Heap, this, _module.Bot.right))), + read($Heap, this, _module.Bot.Repr)) + && read($Heap, this, _module.Bot.left) != read($Heap, this, _module.Bot.right)) + { + b$reqreads#9 := $_Frame[this, _module.Bot.pos]; + assert read($Heap, this, _module.Bot.pos) != null; + b$reqreads#10 := $_Frame[read($Heap, this, _module.Bot.pos), _module.Point.Repr]; + b$reqreads#11 := $_Frame[this, _module.Bot.Repr]; + } + + if (read($Heap, this, _module.Bot.Repr)[$Box(this)] + && read($Heap, this, _module.Bot.Repr)[$Box(read($Heap, this, _module.Bot.pos))] + && Set#Subset(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Bot.left))), + $Box(read($Heap, this, _module.Bot.right))), + read($Heap, this, _module.Bot.Repr)) + && read($Heap, this, _module.Bot.left) != read($Heap, this, _module.Bot.right) + && Set#Subset(read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.Repr), + read($Heap, this, _module.Bot.Repr))) + { + b$reqreads#12 := $_Frame[this, _module.Bot.left]; + assert read($Heap, this, _module.Bot.left) != null; + b$reqreads#13 := $_Frame[read($Heap, this, _module.Bot.left), _module.Arm.Repr]; + b$reqreads#14 := $_Frame[this, _module.Bot.Repr]; + } + + if (read($Heap, this, _module.Bot.Repr)[$Box(this)] + && read($Heap, this, _module.Bot.Repr)[$Box(read($Heap, this, _module.Bot.pos))] + && Set#Subset(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Bot.left))), + $Box(read($Heap, this, _module.Bot.right))), + read($Heap, this, _module.Bot.Repr)) + && read($Heap, this, _module.Bot.left) != read($Heap, this, _module.Bot.right) + && Set#Subset(read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.Repr), + read($Heap, this, _module.Bot.Repr)) + && Set#Subset(read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.Repr), + read($Heap, this, _module.Bot.Repr))) + { + b$reqreads#15 := $_Frame[this, _module.Bot.right]; + assert read($Heap, this, _module.Bot.right) != null; + b$reqreads#16 := $_Frame[read($Heap, this, _module.Bot.right), _module.Arm.Repr]; + b$reqreads#17 := $_Frame[this, _module.Bot.Repr]; + } + + if (read($Heap, this, _module.Bot.Repr)[$Box(this)] + && read($Heap, this, _module.Bot.Repr)[$Box(read($Heap, this, _module.Bot.pos))] + && Set#Subset(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Bot.left))), + $Box(read($Heap, this, _module.Bot.right))), + read($Heap, this, _module.Bot.Repr)) + && read($Heap, this, _module.Bot.left) != read($Heap, this, _module.Bot.right) + && Set#Subset(read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.Repr), + read($Heap, this, _module.Bot.Repr)) + && Set#Subset(read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.Repr), + read($Heap, this, _module.Bot.Repr)) + && Set#Subset(read($Heap, read($Heap, this, _module.Bot.right), _module.Arm.Repr), + read($Heap, this, _module.Bot.Repr))) + { + b$reqreads#18 := $_Frame[this, _module.Bot.pos]; + assert read($Heap, this, _module.Bot.pos) != null; + b$reqreads#19 := $_Frame[read($Heap, this, _module.Bot.pos), _module.Point.Repr]; + b$reqreads#20 := $_Frame[this, _module.Bot.left]; + assert read($Heap, this, _module.Bot.left) != null; + b$reqreads#21 := $_Frame[read($Heap, this, _module.Bot.left), _module.Arm.Repr]; + if (Set#Disjoint(read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.Repr), + read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.Repr))) + { + b$reqreads#22 := $_Frame[this, _module.Bot.pos]; + assert read($Heap, this, _module.Bot.pos) != null; + b$reqreads#23 := $_Frame[read($Heap, this, _module.Bot.pos), _module.Point.Repr]; + b$reqreads#24 := $_Frame[this, _module.Bot.left]; + assert read($Heap, this, _module.Bot.left) != null; + b$reqreads#25 := $_Frame[read($Heap, this, _module.Bot.left), _module.Arm.Repr]; + } + + if (Set#Disjoint(read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.Repr), + read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.Repr)) + && Set#Disjoint(read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.Repr), + read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.Repr))) + { + b$reqreads#26 := $_Frame[this, _module.Bot.pos]; + assert read($Heap, this, _module.Bot.pos) != null; + b$reqreads#27 := $_Frame[read($Heap, this, _module.Bot.pos), _module.Point.Repr]; + b$reqreads#28 := $_Frame[this, _module.Bot.left]; + assert read($Heap, this, _module.Bot.left) != null; + b$reqreads#29 := $_Frame[read($Heap, this, _module.Bot.left), _module.Arm.Repr]; + b$reqreads#30 := $_Frame[this, _module.Bot.right]; + assert read($Heap, this, _module.Bot.right) != null; + b$reqreads#31 := $_Frame[read($Heap, this, _module.Bot.right), _module.Arm.Repr]; + } + } + + if (read($Heap, this, _module.Bot.Repr)[$Box(this)] + && read($Heap, this, _module.Bot.Repr)[$Box(read($Heap, this, _module.Bot.pos))] + && Set#Subset(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Bot.left))), + $Box(read($Heap, this, _module.Bot.right))), + read($Heap, this, _module.Bot.Repr)) + && read($Heap, this, _module.Bot.left) != read($Heap, this, _module.Bot.right) + && Set#Subset(read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.Repr), + read($Heap, this, _module.Bot.Repr)) + && Set#Subset(read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.Repr), + read($Heap, this, _module.Bot.Repr)) + && Set#Subset(read($Heap, read($Heap, this, _module.Bot.right), _module.Arm.Repr), + read($Heap, this, _module.Bot.Repr)) + && + Set#Disjoint(read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.Repr), + read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.Repr)) + && Set#Disjoint(read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.Repr), + read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.Repr)) + && Set#Disjoint(Set#Union(read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.Repr), + read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.Repr)), + read($Heap, read($Heap, this, _module.Bot.right), _module.Arm.Repr))) + { + b$reqreads#32 := $_Frame[this, _module.Bot.pos]; + assert read($Heap, this, _module.Bot.pos) != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(read($Heap, this, _module.Bot.pos), Tclass._module.Point?(), $Heap); + b$reqreads#33 := (forall $o: ref, $f: Field alpha :: + $o != null + && read($Heap, $o, alloc) + && ($o == read($Heap, this, _module.Bot.pos) + || read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.Repr)[$Box($o)]) + ==> $_Frame[$o, $f]); + assume _module.Point.Valid#canCall($Heap, read($Heap, this, _module.Bot.pos)); + } + + if (read($Heap, this, _module.Bot.Repr)[$Box(this)] + && read($Heap, this, _module.Bot.Repr)[$Box(read($Heap, this, _module.Bot.pos))] + && Set#Subset(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Bot.left))), + $Box(read($Heap, this, _module.Bot.right))), + read($Heap, this, _module.Bot.Repr)) + && read($Heap, this, _module.Bot.left) != read($Heap, this, _module.Bot.right) + && Set#Subset(read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.Repr), + read($Heap, this, _module.Bot.Repr)) + && Set#Subset(read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.Repr), + read($Heap, this, _module.Bot.Repr)) + && Set#Subset(read($Heap, read($Heap, this, _module.Bot.right), _module.Arm.Repr), + read($Heap, this, _module.Bot.Repr)) + && + Set#Disjoint(read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.Repr), + read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.Repr)) + && Set#Disjoint(read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.Repr), + read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.Repr)) + && Set#Disjoint(Set#Union(read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.Repr), + read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.Repr)), + read($Heap, read($Heap, this, _module.Bot.right), _module.Arm.Repr)) + && _module.Point.Valid($Heap, read($Heap, this, _module.Bot.pos))) + { + b$reqreads#34 := $_Frame[this, _module.Bot.left]; + assert read($Heap, this, _module.Bot.left) != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(read($Heap, this, _module.Bot.left), Tclass._module.Arm?(), $Heap); + b$reqreads#35 := (forall $o: ref, $f: Field alpha :: + $o != null + && read($Heap, $o, alloc) + && ($o == read($Heap, this, _module.Bot.left) + || read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.Repr)[$Box($o)]) + ==> $_Frame[$o, $f]); + assume _module.Arm.Valid#canCall($Heap, read($Heap, this, _module.Bot.left)); + } + + if (read($Heap, this, _module.Bot.Repr)[$Box(this)] + && read($Heap, this, _module.Bot.Repr)[$Box(read($Heap, this, _module.Bot.pos))] + && Set#Subset(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Bot.left))), + $Box(read($Heap, this, _module.Bot.right))), + read($Heap, this, _module.Bot.Repr)) + && read($Heap, this, _module.Bot.left) != read($Heap, this, _module.Bot.right) + && Set#Subset(read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.Repr), + read($Heap, this, _module.Bot.Repr)) + && Set#Subset(read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.Repr), + read($Heap, this, _module.Bot.Repr)) + && Set#Subset(read($Heap, read($Heap, this, _module.Bot.right), _module.Arm.Repr), + read($Heap, this, _module.Bot.Repr)) + && + Set#Disjoint(read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.Repr), + read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.Repr)) + && Set#Disjoint(read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.Repr), + read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.Repr)) + && Set#Disjoint(Set#Union(read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.Repr), + read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.Repr)), + read($Heap, read($Heap, this, _module.Bot.right), _module.Arm.Repr)) + && _module.Point.Valid($Heap, read($Heap, this, _module.Bot.pos)) + && _module.Arm.Valid($Heap, read($Heap, this, _module.Bot.left))) + { + b$reqreads#36 := $_Frame[this, _module.Bot.right]; + assert read($Heap, this, _module.Bot.right) != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(read($Heap, this, _module.Bot.right), Tclass._module.Arm?(), $Heap); + b$reqreads#37 := (forall $o: ref, $f: Field alpha :: + $o != null + && read($Heap, $o, alloc) + && ($o == read($Heap, this, _module.Bot.right) + || read($Heap, read($Heap, this, _module.Bot.right), _module.Arm.Repr)[$Box($o)]) + ==> $_Frame[$o, $f]); + assume _module.Arm.Valid#canCall($Heap, read($Heap, this, _module.Bot.right)); + } + + assume _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, this) + == ( + read($Heap, this, _module.Bot.Repr)[$Box(this)] + && read($Heap, this, _module.Bot.Repr)[$Box(read($Heap, this, _module.Bot.pos))] + && Set#Subset(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Bot.left))), + $Box(read($Heap, this, _module.Bot.right))), + read($Heap, this, _module.Bot.Repr)) + && read($Heap, this, _module.Bot.left) != read($Heap, this, _module.Bot.right) + && Set#Subset(read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.Repr), + read($Heap, this, _module.Bot.Repr)) + && Set#Subset(read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.Repr), + read($Heap, this, _module.Bot.Repr)) + && Set#Subset(read($Heap, read($Heap, this, _module.Bot.right), _module.Arm.Repr), + read($Heap, this, _module.Bot.Repr)) + && + Set#Disjoint(read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.Repr), + read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.Repr)) + && Set#Disjoint(read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.Repr), + read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.Repr)) + && Set#Disjoint(Set#Union(read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.Repr), + read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.Repr)), + read($Heap, read($Heap, this, _module.Bot.right), _module.Arm.Repr)) + && _module.Point.Valid($Heap, read($Heap, this, _module.Bot.pos)) + && _module.Arm.Valid($Heap, read($Heap, this, _module.Bot.left)) + && _module.Arm.Valid($Heap, read($Heap, this, _module.Bot.right))); + assume read($Heap, this, _module.Bot.Repr)[$Box(this)] + ==> + read($Heap, this, _module.Bot.Repr)[$Box(read($Heap, this, _module.Bot.pos))] + ==> + Set#Subset(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Bot.left))), + $Box(read($Heap, this, _module.Bot.right))), + read($Heap, this, _module.Bot.Repr)) + ==> + read($Heap, this, _module.Bot.left) != read($Heap, this, _module.Bot.right) + ==> + Set#Subset(read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.Repr), + read($Heap, this, _module.Bot.Repr)) + ==> + Set#Subset(read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.Repr), + read($Heap, this, _module.Bot.Repr)) + ==> + Set#Subset(read($Heap, read($Heap, this, _module.Bot.right), _module.Arm.Repr), + read($Heap, this, _module.Bot.Repr)) + ==> + Set#Disjoint(read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.Repr), + read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.Repr)) + && Set#Disjoint(read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.Repr), + read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.Repr)) + && Set#Disjoint(Set#Union(read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.Repr), + read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.Repr)), + read($Heap, read($Heap, this, _module.Bot.right), _module.Arm.Repr)) + ==> _module.Point.Valid#canCall($Heap, read($Heap, this, _module.Bot.pos)) + && (_module.Point.Valid($Heap, read($Heap, this, _module.Bot.pos)) + ==> _module.Arm.Valid#canCall($Heap, read($Heap, this, _module.Bot.left)) + && (_module.Arm.Valid($Heap, read($Heap, this, _module.Bot.left)) + ==> _module.Arm.Valid#canCall($Heap, read($Heap, this, _module.Bot.right)))); + // CheckWellformedWithResult: any expression + assume $Is(_module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, this), TBool); + assert b$reqreads#1; + assert b$reqreads#2; + assert b$reqreads#3; + assert b$reqreads#4; + assert b$reqreads#5; + assert b$reqreads#6; + assert b$reqreads#7; + assert b$reqreads#8; + assert b$reqreads#9; + assert b$reqreads#10; + assert b$reqreads#11; + assert b$reqreads#12; + assert b$reqreads#13; + assert b$reqreads#14; + assert b$reqreads#15; + assert b$reqreads#16; + assert b$reqreads#17; + assert b$reqreads#18; + assert b$reqreads#19; + assert b$reqreads#20; + assert b$reqreads#21; + assert b$reqreads#22; + assert b$reqreads#23; + assert b$reqreads#24; + assert b$reqreads#25; + assert b$reqreads#26; + assert b$reqreads#27; + assert b$reqreads#28; + assert b$reqreads#29; + assert b$reqreads#30; + assert b$reqreads#31; + assert b$reqreads#32; + assert b$reqreads#33; + assert b$reqreads#34; + assert b$reqreads#35; + assert b$reqreads#36; + assert b$reqreads#37; + } +} + + + +const _module.Bot.pos: Field ref; + +// Bot.pos: Type axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Bot.pos) } + $IsGoodHeap($h) && $o != null && dtype($o) == Tclass._module.Bot?() + ==> $Is(read($h, $o, _module.Bot.pos), Tclass._module.Point())); + +// Bot.pos: Allocation axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Bot.pos) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._module.Bot?() + && read($h, $o, alloc) + ==> $IsAlloc(read($h, $o, _module.Bot.pos), Tclass._module.Point(), $h)); + +const _module.Bot.left: Field ref; + +// Bot.left: Type axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Bot.left) } + $IsGoodHeap($h) && $o != null && dtype($o) == Tclass._module.Bot?() + ==> $Is(read($h, $o, _module.Bot.left), Tclass._module.Arm())); + +// Bot.left: Allocation axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Bot.left) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._module.Bot?() + && read($h, $o, alloc) + ==> $IsAlloc(read($h, $o, _module.Bot.left), Tclass._module.Arm(), $h)); + +const _module.Bot.right: Field ref; + +// Bot.right: Type axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Bot.right) } + $IsGoodHeap($h) && $o != null && dtype($o) == Tclass._module.Bot?() + ==> $Is(read($h, $o, _module.Bot.right), Tclass._module.Arm())); + +// Bot.right: Allocation axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Bot.right) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._module.Bot?() + && read($h, $o, alloc) + ==> $IsAlloc(read($h, $o, _module.Bot.right), Tclass._module.Arm(), $h)); + +procedure {:verboseName "Bot._ctor (well-formedness)"} CheckWellFormed$$_module.Bot.__ctor(this: ref + where this != null + && + $Is(this, Tclass._module.Bot()) + && $IsAlloc(this, Tclass._module.Bot(), $Heap)); + free requires 2 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +procedure {:verboseName "Bot._ctor (call)"} Call$$_module.Bot.__ctor() + returns (this: ref + where this != null + && + $Is(this, Tclass._module.Bot()) + && $IsAlloc(this, Tclass._module.Bot(), $Heap)); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures _module.Bot.Valid#canCall($Heap, this); + ensures _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, this); + ensures (forall $o: ref :: + { read($Heap, this, _module.Bot.Repr)[$Box($o)] } + read($Heap, this, _module.Bot.Repr)[$Box($o)] + ==> $o != null && !read(old($Heap), $o, alloc)); + // constructor allocates the object + ensures !read(old($Heap), this, alloc); + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) ==> $Heap[$o] == old($Heap)[$o]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +procedure {:verboseName "Bot._ctor (correctness)"} Impl$$_module.Bot.__ctor() + returns (this: ref where this != null && $Is(this, Tclass._module.Bot()), + $_reverifyPost: bool); + free requires 2 == $FunctionContextHeight; + modifies $Heap, $Tick; + // user-defined postconditions + free ensures _module.Bot.Valid#canCall($Heap, this); + ensures _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, this); + ensures (forall $o: ref :: + { read($Heap, this, _module.Bot.Repr)[$Box($o)] } + read($Heap, this, _module.Bot.Repr)[$Box($o)] + ==> $o != null && !read(old($Heap), $o, alloc)); + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) ==> $Heap[$o] == old($Heap)[$o]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +implementation {:verboseName "Bot._ctor (correctness)"} Impl$$_module.Bot.__ctor() returns (this: ref, $_reverifyPost: bool) +{ + var $_Frame: [ref,Field beta]bool; + var this.Repr: Set Box; + var this.pos: ref; + var this.left: ref; + var this.right: ref; + var defass#this.pos: bool; + var defass#this.left: bool; + var defass#this.right: bool; + var $nw: ref; + var a##0: int; + var b##0: int; + var c##0: int; + var polar_in##0: int; + var azim_in##0: int; + var polar_in##1: int; + var azim_in##1: int; + var $rhs#0: Set Box; + + // AddMethodImpl: _ctor, Impl$$_module.Bot.__ctor + // initialize fuel constant + assume AsFuelBottom(StartFuel__module.Bot.Valid) == StartFuel__module.Bot.Valid; + assume AsFuelBottom(StartFuelAssert__module.Bot.Valid) + == StartFuelAssert__module.Bot.Valid; + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> false); + $_reverifyPost := false; + // ----- divided block before new; ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(112,3) + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(113,9) + assume true; + // ----- init call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(113,12) + // TrCallStmt: Before ProcessCallStmt + assume true; + // ProcessCallStmt: CheckSubrange + a##0 := LitInt(0); + assume true; + // ProcessCallStmt: CheckSubrange + b##0 := LitInt(0); + assume true; + // ProcessCallStmt: CheckSubrange + c##0 := LitInt(0); + // ProcessCallStmt: Make the call + call $nw := Call$$_module.Point.__ctor(a##0, b##0, c##0); + // TrCallStmt: After ProcessCallStmt + this.pos := $nw; + defass#this.pos := true; + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(114,10) + assume true; + // ----- init call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(114,13) + // TrCallStmt: Before ProcessCallStmt + assume true; + // ProcessCallStmt: CheckSubrange + polar_in##0 := LitInt(0); + assume true; + // ProcessCallStmt: CheckSubrange + azim_in##0 := LitInt(0); + // ProcessCallStmt: Make the call + call $nw := Call$$_module.Arm.__ctor(polar_in##0, azim_in##0); + // TrCallStmt: After ProcessCallStmt + this.left := $nw; + defass#this.left := true; + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(115,11) + assume true; + // ----- init call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(115,14) + // TrCallStmt: Before ProcessCallStmt + assume true; + // ProcessCallStmt: CheckSubrange + polar_in##1 := LitInt(0); + assume true; + // ProcessCallStmt: CheckSubrange + azim_in##1 := LitInt(0); + // ProcessCallStmt: Make the call + call $nw := Call$$_module.Arm.__ctor(polar_in##1, azim_in##1); + // TrCallStmt: After ProcessCallStmt + this.right := $nw; + defass#this.right := true; + // ----- new; ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(112,3) + assert defass#this.pos; + assert defass#this.left; + assert defass#this.right; + assume !read($Heap, this, alloc); + assume read($Heap, this, _module.Bot.Repr) == this.Repr; + assume read($Heap, this, _module.Bot.pos) == this.pos; + assume read($Heap, this, _module.Bot.left) == this.left; + assume read($Heap, this, _module.Bot.right) == this.right; + $Heap := update($Heap, this, alloc, true); + assume $IsGoodHeap($Heap); + assume $IsHeapAnchor($Heap); + // ----- divided block after new; ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(112,3) + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(117,10) + assume true; + assert $_Frame[this, _module.Bot.Repr]; + assert read($Heap, this, _module.Bot.pos) != null; + assert read($Heap, this, _module.Bot.left) != null; + assert read($Heap, this, _module.Bot.right) != null; + assume true; + $rhs#0 := Set#Union(Set#Union(Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(this)), + read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.Repr)), + read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.Repr)), + read($Heap, read($Heap, this, _module.Bot.right), _module.Arm.Repr)); + $Heap := update($Heap, this, _module.Bot.Repr, $rhs#0); + assume $IsGoodHeap($Heap); + // ----- reveal statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(118,5) + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(118,17) + // TrCallStmt: Before ProcessCallStmt + assume true; + // ProcessCallStmt: Make the call + call Call$$_module.Bot.reveal__Valid(this); + // TrCallStmt: After ProcessCallStmt +} + + + +// function declaration for _module.Bot.flying +function _module.Bot.flying($heap: Heap, this: ref) : bool; + +function _module.Bot.flying#canCall($heap: Heap, this: ref) : bool; + +// frame axiom for _module.Bot.flying +axiom (forall $h0: Heap, $h1: Heap, this: ref :: + { $IsHeapAnchor($h0), $HeapSucc($h0, $h1), _module.Bot.flying($h1, this) } + $IsGoodHeap($h0) + && $IsGoodHeap($h1) + && + this != null + && $Is(this, Tclass._module.Bot()) + && + $IsHeapAnchor($h0) + && $HeapSucc($h0, $h1) + ==> + (forall $o: ref, $f: Field alpha :: + $o != null && read($h0, this, _module.Bot.Repr)[$Box($o)] + ==> read($h0, $o, $f) == read($h1, $o, $f)) + ==> _module.Bot.flying($h0, this) == _module.Bot.flying($h1, this)); + +// consequence axiom for _module.Bot.flying +axiom 2 <= $FunctionContextHeight + ==> (forall $Heap: Heap, this: ref :: + { _module.Bot.flying($Heap, this) } + _module.Bot.flying#canCall($Heap, this) + || (2 != $FunctionContextHeight + && + $IsGoodHeap($Heap) + && + this != null + && + $Is(this, Tclass._module.Bot()) + && $IsAlloc(this, Tclass._module.Bot(), $Heap) + && _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, this)) + ==> true); + +function _module.Bot.flying#requires(Heap, ref) : bool; + +// #requires axiom for _module.Bot.flying +axiom (forall $Heap: Heap, this: ref :: + { _module.Bot.flying#requires($Heap, this), $IsGoodHeap($Heap) } + $IsGoodHeap($Heap) + && + this != null + && + $Is(this, Tclass._module.Bot()) + && $IsAlloc(this, Tclass._module.Bot(), $Heap) + ==> _module.Bot.flying#requires($Heap, this) + == _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, this)); + +// definition axiom for _module.Bot.flying (revealed) +axiom 2 <= $FunctionContextHeight + ==> (forall $Heap: Heap, this: ref :: + { _module.Bot.flying($Heap, this), $IsGoodHeap($Heap) } + _module.Bot.flying#canCall($Heap, this) + || (2 != $FunctionContextHeight + && + $IsGoodHeap($Heap) + && + this != null + && + $Is(this, Tclass._module.Bot()) + && $IsAlloc(this, Tclass._module.Bot(), $Heap) + && _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, this)) + ==> _module.Bot.flying($Heap, this) + == (read($Heap, + read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.z), + _module.Cell.val) + > 0)); + +procedure {:verboseName "Bot.flying (well-formedness)"} CheckWellformed$$_module.Bot.flying(this: ref + where this != null + && + $Is(this, Tclass._module.Bot()) + && $IsAlloc(this, Tclass._module.Bot(), $Heap)); + free requires 2 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +implementation {:verboseName "Bot.flying (well-formedness)"} CheckWellformed$$_module.Bot.flying(this: ref) +{ + var $_Frame: [ref,Field beta]bool; + var b$reqreads#0: bool; + var b$reqreads#1: bool; + var b$reqreads#2: bool; + var b$reqreads#3: bool; + var b$reqreads#4: bool; + + b$reqreads#0 := true; + b$reqreads#1 := true; + b$reqreads#2 := true; + b$reqreads#3 := true; + b$reqreads#4 := true; + + // AddWellformednessCheck for function flying + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> read($Heap, this, _module.Bot.Repr)[$Box($o)]); + // initialize fuel constant + assume AsFuelBottom(StartFuel__module.Bot.Valid) == StartFuel__module.Bot.Valid; + assume AsFuelBottom(StartFuelAssert__module.Bot.Valid) + == StartFuelAssert__module.Bot.Valid; + // ----- reveal statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(122,15) + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(122,27) + // TrCallStmt: Before ProcessCallStmt + assume true; + // ProcessCallStmt: Make the call + call Call$$_module.Bot.reveal__Valid(this); + // TrCallStmt: After ProcessCallStmt + // assume allocatedness for receiver argument to function + assume $IsAlloc(this, Tclass._module.Bot?(), $Heap); + b$reqreads#0 := (forall $o: ref, $f: Field alpha :: + $o != null + && read($Heap, $o, alloc) + && ($o == this || read($Heap, this, _module.Bot.Repr)[$Box($o)]) + ==> $_Frame[$o, $f]); + assume _module.Bot.Valid#canCall($Heap, this); + assume _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, this); + assert b$reqreads#0; + b$reqreads#1 := $_Frame[this, _module.Bot.Repr]; + assert b$reqreads#1; + if (*) + { + assume false; + } + else + { + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> read($Heap, this, _module.Bot.Repr)[$Box($o)]); + b$reqreads#2 := $_Frame[this, _module.Bot.pos]; + assert read($Heap, this, _module.Bot.pos) != null; + b$reqreads#3 := $_Frame[read($Heap, this, _module.Bot.pos), _module.Point.z]; + assert read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.z) != null; + b$reqreads#4 := $_Frame[read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.z), _module.Cell.val]; + assume _module.Bot.flying($Heap, this) + == (read($Heap, + read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.z), + _module.Cell.val) + > 0); + assume true; + // CheckWellformedWithResult: any expression + assume $Is(_module.Bot.flying($Heap, this), TBool); + assert b$reqreads#2; + assert b$reqreads#3; + assert b$reqreads#4; + } +} + + + +// function declaration for _module.Bot.arms_up +function _module.Bot.arms__up($heap: Heap, this: ref) : bool; + +function _module.Bot.arms__up#canCall($heap: Heap, this: ref) : bool; + +// frame axiom for _module.Bot.arms__up +axiom (forall $h0: Heap, $h1: Heap, this: ref :: + { $IsHeapAnchor($h0), $HeapSucc($h0, $h1), _module.Bot.arms__up($h1, this) } + $IsGoodHeap($h0) + && $IsGoodHeap($h1) + && + this != null + && $Is(this, Tclass._module.Bot()) + && + $IsHeapAnchor($h0) + && $HeapSucc($h0, $h1) + ==> + (forall $o: ref, $f: Field alpha :: + $o != null && read($h0, this, _module.Bot.Repr)[$Box($o)] + ==> read($h0, $o, $f) == read($h1, $o, $f)) + ==> _module.Bot.arms__up($h0, this) == _module.Bot.arms__up($h1, this)); + +// consequence axiom for _module.Bot.arms__up +axiom 2 <= $FunctionContextHeight + ==> (forall $Heap: Heap, this: ref :: + { _module.Bot.arms__up($Heap, this) } + _module.Bot.arms__up#canCall($Heap, this) + || (2 != $FunctionContextHeight + && + $IsGoodHeap($Heap) + && + this != null + && + $Is(this, Tclass._module.Bot()) + && $IsAlloc(this, Tclass._module.Bot(), $Heap) + && _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, this)) + ==> true); + +function _module.Bot.arms__up#requires(Heap, ref) : bool; + +// #requires axiom for _module.Bot.arms__up +axiom (forall $Heap: Heap, this: ref :: + { _module.Bot.arms__up#requires($Heap, this), $IsGoodHeap($Heap) } + $IsGoodHeap($Heap) + && + this != null + && + $Is(this, Tclass._module.Bot()) + && $IsAlloc(this, Tclass._module.Bot(), $Heap) + ==> _module.Bot.arms__up#requires($Heap, this) + == _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, this)); + +// definition axiom for _module.Bot.arms__up (revealed) +axiom 2 <= $FunctionContextHeight + ==> (forall $Heap: Heap, this: ref :: + { _module.Bot.arms__up($Heap, this), $IsGoodHeap($Heap) } + _module.Bot.arms__up#canCall($Heap, this) + || (2 != $FunctionContextHeight + && + $IsGoodHeap($Heap) + && + this != null + && + $Is(this, Tclass._module.Bot()) + && $IsAlloc(this, Tclass._module.Bot(), $Heap) + && _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, this)) + ==> _module.Bot.arms__up($Heap, this) + == (read($Heap, + read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.polar), + _module.Cell.val) + == read($Heap, + read($Heap, read($Heap, this, _module.Bot.right), _module.Arm.polar), + _module.Cell.val) + && read($Heap, + read($Heap, read($Heap, this, _module.Bot.right), _module.Arm.polar), + _module.Cell.val) + == LitInt(0))); + +procedure {:verboseName "Bot.arms_up (well-formedness)"} CheckWellformed$$_module.Bot.arms__up(this: ref + where this != null + && + $Is(this, Tclass._module.Bot()) + && $IsAlloc(this, Tclass._module.Bot(), $Heap)); + free requires 2 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +implementation {:verboseName "Bot.arms_up (well-formedness)"} CheckWellformed$$_module.Bot.arms__up(this: ref) +{ + var $_Frame: [ref,Field beta]bool; + var b$reqreads#0: bool; + var b$reqreads#1: bool; + var b$reqreads#2: bool; + var b$reqreads#3: bool; + var b$reqreads#4: bool; + var b$reqreads#5: bool; + var b$reqreads#6: bool; + var b$reqreads#7: bool; + var b$reqreads#8: bool; + var b$reqreads#9: bool; + var b$reqreads#10: bool; + + b$reqreads#0 := true; + b$reqreads#1 := true; + b$reqreads#2 := true; + b$reqreads#3 := true; + b$reqreads#4 := true; + b$reqreads#5 := true; + b$reqreads#6 := true; + b$reqreads#7 := true; + b$reqreads#8 := true; + b$reqreads#9 := true; + b$reqreads#10 := true; + + // AddWellformednessCheck for function arms_up + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> read($Heap, this, _module.Bot.Repr)[$Box($o)]); + // initialize fuel constant + assume AsFuelBottom(StartFuel__module.Bot.Valid) == StartFuel__module.Bot.Valid; + assume AsFuelBottom(StartFuelAssert__module.Bot.Valid) + == StartFuelAssert__module.Bot.Valid; + // ----- reveal statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(129,15) + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(129,27) + // TrCallStmt: Before ProcessCallStmt + assume true; + // ProcessCallStmt: Make the call + call Call$$_module.Bot.reveal__Valid(this); + // TrCallStmt: After ProcessCallStmt + // assume allocatedness for receiver argument to function + assume $IsAlloc(this, Tclass._module.Bot?(), $Heap); + b$reqreads#0 := (forall $o: ref, $f: Field alpha :: + $o != null + && read($Heap, $o, alloc) + && ($o == this || read($Heap, this, _module.Bot.Repr)[$Box($o)]) + ==> $_Frame[$o, $f]); + assume _module.Bot.Valid#canCall($Heap, this); + assume _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, this); + assert b$reqreads#0; + b$reqreads#1 := $_Frame[this, _module.Bot.Repr]; + assert b$reqreads#1; + if (*) + { + assume false; + } + else + { + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> read($Heap, this, _module.Bot.Repr)[$Box($o)]); + b$reqreads#2 := $_Frame[this, _module.Bot.left]; + assert read($Heap, this, _module.Bot.left) != null; + b$reqreads#3 := $_Frame[read($Heap, this, _module.Bot.left), _module.Arm.polar]; + assert read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.polar) != null; + b$reqreads#4 := $_Frame[read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.polar), _module.Cell.val]; + b$reqreads#5 := $_Frame[this, _module.Bot.right]; + assert read($Heap, this, _module.Bot.right) != null; + b$reqreads#6 := $_Frame[read($Heap, this, _module.Bot.right), _module.Arm.polar]; + assert read($Heap, read($Heap, this, _module.Bot.right), _module.Arm.polar) != null; + b$reqreads#7 := $_Frame[read($Heap, read($Heap, this, _module.Bot.right), _module.Arm.polar), _module.Cell.val]; + if (read($Heap, + read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.polar), + _module.Cell.val) + == read($Heap, + read($Heap, read($Heap, this, _module.Bot.right), _module.Arm.polar), + _module.Cell.val)) + { + b$reqreads#8 := $_Frame[this, _module.Bot.right]; + assert read($Heap, this, _module.Bot.right) != null; + b$reqreads#9 := $_Frame[read($Heap, this, _module.Bot.right), _module.Arm.polar]; + assert read($Heap, read($Heap, this, _module.Bot.right), _module.Arm.polar) != null; + b$reqreads#10 := $_Frame[read($Heap, read($Heap, this, _module.Bot.right), _module.Arm.polar), _module.Cell.val]; + } + + assume _module.Bot.arms__up($Heap, this) + == (read($Heap, + read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.polar), + _module.Cell.val) + == read($Heap, + read($Heap, read($Heap, this, _module.Bot.right), _module.Arm.polar), + _module.Cell.val) + && read($Heap, + read($Heap, read($Heap, this, _module.Bot.right), _module.Arm.polar), + _module.Cell.val) + == LitInt(0)); + assume true; + // CheckWellformedWithResult: any expression + assume $Is(_module.Bot.arms__up($Heap, this), TBool); + assert b$reqreads#2; + assert b$reqreads#3; + assert b$reqreads#4; + assert b$reqreads#5; + assert b$reqreads#6; + assert b$reqreads#7; + assert b$reqreads#8; + assert b$reqreads#9; + assert b$reqreads#10; + } +} + + + +// function declaration for _module.Bot.robot_inv +function _module.Bot.robot__inv($heap: Heap, this: ref) : bool; + +function _module.Bot.robot__inv#canCall($heap: Heap, this: ref) : bool; + +// frame axiom for _module.Bot.robot__inv +axiom (forall $h0: Heap, $h1: Heap, this: ref :: + { $IsHeapAnchor($h0), $HeapSucc($h0, $h1), _module.Bot.robot__inv($h1, this) } + $IsGoodHeap($h0) + && $IsGoodHeap($h1) + && + this != null + && $Is(this, Tclass._module.Bot()) + && + $IsHeapAnchor($h0) + && $HeapSucc($h0, $h1) + ==> + (forall $o: ref, $f: Field alpha :: + $o != null && read($h0, this, _module.Bot.Repr)[$Box($o)] + ==> read($h0, $o, $f) == read($h1, $o, $f)) + ==> _module.Bot.robot__inv($h0, this) == _module.Bot.robot__inv($h1, this)); + +// consequence axiom for _module.Bot.robot__inv +axiom 3 <= $FunctionContextHeight + ==> (forall $Heap: Heap, this: ref :: + { _module.Bot.robot__inv($Heap, this) } + _module.Bot.robot__inv#canCall($Heap, this) + || (3 != $FunctionContextHeight + && + $IsGoodHeap($Heap) + && + this != null + && + $Is(this, Tclass._module.Bot()) + && $IsAlloc(this, Tclass._module.Bot(), $Heap) + && _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, this)) + ==> true); + +function _module.Bot.robot__inv#requires(Heap, ref) : bool; + +// #requires axiom for _module.Bot.robot__inv +axiom (forall $Heap: Heap, this: ref :: + { _module.Bot.robot__inv#requires($Heap, this), $IsGoodHeap($Heap) } + $IsGoodHeap($Heap) + && + this != null + && + $Is(this, Tclass._module.Bot()) + && $IsAlloc(this, Tclass._module.Bot(), $Heap) + ==> _module.Bot.robot__inv#requires($Heap, this) + == _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, this)); + +// definition axiom for _module.Bot.robot__inv (revealed) +axiom 3 <= $FunctionContextHeight + ==> (forall $Heap: Heap, this: ref :: + { _module.Bot.robot__inv($Heap, this), $IsGoodHeap($Heap) } + _module.Bot.robot__inv#canCall($Heap, this) + || (3 != $FunctionContextHeight + && + $IsGoodHeap($Heap) + && + this != null + && + $Is(this, Tclass._module.Bot()) + && $IsAlloc(this, Tclass._module.Bot(), $Heap) + && _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, this)) + ==> _module.Bot.flying#canCall($Heap, this) + && (_module.Bot.flying($Heap, this) ==> _module.Bot.arms__up#canCall($Heap, this)) + && _module.Bot.robot__inv($Heap, this) + == (_module.Bot.flying($Heap, this) ==> _module.Bot.arms__up($Heap, this))); + +procedure {:verboseName "Bot.robot_inv (well-formedness)"} CheckWellformed$$_module.Bot.robot__inv(this: ref + where this != null + && + $Is(this, Tclass._module.Bot()) + && $IsAlloc(this, Tclass._module.Bot(), $Heap)); + free requires 3 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +implementation {:verboseName "Bot.robot_inv (well-formedness)"} CheckWellformed$$_module.Bot.robot__inv(this: ref) +{ + var $_Frame: [ref,Field beta]bool; + var b$reqreads#0: bool; + var b$reqreads#1: bool; + var b$reqreads#2: bool; + var b$reqreads#3: bool; + + b$reqreads#0 := true; + b$reqreads#1 := true; + b$reqreads#2 := true; + b$reqreads#3 := true; + + // AddWellformednessCheck for function robot_inv + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> read($Heap, this, _module.Bot.Repr)[$Box($o)]); + // initialize fuel constant + assume AsFuelBottom(StartFuel__module.Bot.Valid) == StartFuel__module.Bot.Valid; + assume AsFuelBottom(StartFuelAssert__module.Bot.Valid) + == StartFuelAssert__module.Bot.Valid; + // ----- reveal statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(136,15) + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(136,27) + // TrCallStmt: Before ProcessCallStmt + assume true; + // ProcessCallStmt: Make the call + call Call$$_module.Bot.reveal__Valid(this); + // TrCallStmt: After ProcessCallStmt + // assume allocatedness for receiver argument to function + assume $IsAlloc(this, Tclass._module.Bot?(), $Heap); + b$reqreads#0 := (forall $o: ref, $f: Field alpha :: + $o != null + && read($Heap, $o, alloc) + && ($o == this || read($Heap, this, _module.Bot.Repr)[$Box($o)]) + ==> $_Frame[$o, $f]); + assume _module.Bot.Valid#canCall($Heap, this); + assume _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, this); + assert b$reqreads#0; + b$reqreads#1 := $_Frame[this, _module.Bot.Repr]; + assert b$reqreads#1; + if (*) + { + assume false; + } + else + { + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> read($Heap, this, _module.Bot.Repr)[$Box($o)]); + // assume allocatedness for receiver argument to function + assume $IsAlloc(this, Tclass._module.Bot?(), $Heap); + assert {:subsumption 0} Lit(true) ==> _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, this); + assume _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, this); + b$reqreads#2 := (forall $o: ref, $f: Field alpha :: + $o != null + && read($Heap, $o, alloc) + && read($Heap, this, _module.Bot.Repr)[$Box($o)] + ==> $_Frame[$o, $f]); + assume _module.Bot.flying#canCall($Heap, this); + if (_module.Bot.flying($Heap, this)) + { + // assume allocatedness for receiver argument to function + assume $IsAlloc(this, Tclass._module.Bot?(), $Heap); + assert {:subsumption 0} Lit(true) ==> _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, this); + assume _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, this); + b$reqreads#3 := (forall $o: ref, $f: Field alpha :: + $o != null + && read($Heap, $o, alloc) + && read($Heap, this, _module.Bot.Repr)[$Box($o)] + ==> $_Frame[$o, $f]); + assume _module.Bot.arms__up#canCall($Heap, this); + } + + assume _module.Bot.robot__inv($Heap, this) + == (_module.Bot.flying($Heap, this) ==> _module.Bot.arms__up($Heap, this)); + assume _module.Bot.flying#canCall($Heap, this) + && (_module.Bot.flying($Heap, this) ==> _module.Bot.arms__up#canCall($Heap, this)); + // CheckWellformedWithResult: any expression + assume $Is(_module.Bot.robot__inv($Heap, this), TBool); + assert b$reqreads#2; + assert b$reqreads#3; + } +} + + + +procedure {:verboseName "Bot.Fly (well-formedness)"} CheckWellFormed$$_module.Bot.Fly(this: ref + where this != null + && + $Is(this, Tclass._module.Bot()) + && $IsAlloc(this, Tclass._module.Bot(), $Heap)); + free requires 4 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +implementation {:verboseName "Bot.Fly (well-formedness)"} CheckWellFormed$$_module.Bot.Fly(this: ref) +{ + var $_Frame: [ref,Field beta]bool; + + // AddMethodImpl: Fly, CheckWellFormed$$_module.Bot.Fly + // initialize fuel constant + assume AsFuelBottom(StartFuel__module.Bot.Valid) == StartFuel__module.Bot.Valid; + assume AsFuelBottom(StartFuelAssert__module.Bot.Valid) + == StartFuelAssert__module.Bot.Valid; + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> read($Heap, this, _module.Bot.Repr)[$Box($o)]); + // assume allocatedness for receiver argument to function + assume $IsAlloc(this, Tclass._module.Bot?(), $Heap); + assume _module.Bot.Valid#canCall($Heap, this); + assume _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, this); + havoc $Heap; + assume (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] + || read(old($Heap), this, _module.Bot.Repr)[$Box($o)]); + assume $HeapSucc(old($Heap), $Heap); + // assume allocatedness for receiver argument to function + assume $IsAlloc(this, Tclass._module.Bot?(), $Heap); + assume _module.Bot.Valid#canCall($Heap, this); + assume _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, this); + assert $IsAlloc(this, Tclass._module.Bot(), old($Heap)); + assume (forall $o: ref :: + { read(old($Heap), $o, alloc) } + read($Heap, this, _module.Bot.Repr)[$Box($o)] + && !read(old($Heap), this, _module.Bot.Repr)[$Box($o)] + ==> $o != null && !read(old($Heap), $o, alloc)); + // assume allocatedness for receiver argument to function + assume $IsAlloc(this, Tclass._module.Bot?(), $Heap); + assert {:subsumption 0} Lit(true) ==> _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, this); + assume _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, this); + assume _module.Bot.robot__inv#canCall($Heap, this); + assume _module.Bot.robot__inv($Heap, this); + // assume allocatedness for receiver argument to function + assume $IsAlloc(this, Tclass._module.Bot?(), $Heap); + assert {:subsumption 0} Lit(true) ==> _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, this); + assume _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, this); + assume _module.Bot.flying#canCall($Heap, this); + assume _module.Bot.flying($Heap, this); +} + + + +procedure {:verboseName "Bot.Fly (call)"} Call$$_module.Bot.Fly(this: ref + where this != null + && + $Is(this, Tclass._module.Bot()) + && $IsAlloc(this, Tclass._module.Bot(), $Heap)); + // user-defined preconditions + requires _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, this); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures _module.Bot.Valid#canCall($Heap, this); + ensures _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, this); + ensures (forall $o: ref :: + { read(old($Heap), $o, alloc) } + read($Heap, this, _module.Bot.Repr)[$Box($o)] + && !read(old($Heap), this, _module.Bot.Repr)[$Box($o)] + ==> $o != null && !read(old($Heap), $o, alloc)); + free ensures _module.Bot.robot__inv#canCall($Heap, this) + && (_module.Bot.robot__inv($Heap, this) + ==> _module.Bot.flying#canCall($Heap, this)); + free ensures _module.Bot.robot__inv#canCall($Heap, this) + && + _module.Bot.robot__inv($Heap, this) + && (_module.Bot.flying($Heap, this) ==> _module.Bot.arms__up($Heap, this)); + free ensures _module.Bot.flying#canCall($Heap, this) + && + _module.Bot.flying($Heap, this) + && read($Heap, + read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.z), + _module.Cell.val) + > 0; + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] + || read(old($Heap), this, _module.Bot.Repr)[$Box($o)]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +procedure {:verboseName "Bot.Fly (correctness)"} Impl$$_module.Bot.Fly(this: ref + where this != null + && + $Is(this, Tclass._module.Bot()) + && $IsAlloc(this, Tclass._module.Bot(), $Heap)) + returns ($_reverifyPost: bool); + free requires 4 == $FunctionContextHeight; + // user-defined preconditions + requires _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, this); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures _module.Bot.Valid#canCall($Heap, this); + ensures _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, this); + ensures (forall $o: ref :: + { read(old($Heap), $o, alloc) } + read($Heap, this, _module.Bot.Repr)[$Box($o)] + && !read(old($Heap), this, _module.Bot.Repr)[$Box($o)] + ==> $o != null && !read(old($Heap), $o, alloc)); + free ensures _module.Bot.robot__inv#canCall($Heap, this) + && (_module.Bot.robot__inv($Heap, this) + ==> _module.Bot.flying#canCall($Heap, this)); + ensures _module.Bot.robot__inv#canCall($Heap, this) + ==> _module.Bot.robot__inv($Heap, this) + || (_module.Bot.flying($Heap, this) + ==> + _module.Bot.arms__up#canCall($Heap, this) + ==> _module.Bot.arms__up($Heap, this) + || read($Heap, + read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.polar), + _module.Cell.val) + == read($Heap, + read($Heap, read($Heap, this, _module.Bot.right), _module.Arm.polar), + _module.Cell.val)); + ensures _module.Bot.robot__inv#canCall($Heap, this) + ==> _module.Bot.robot__inv($Heap, this) + || (_module.Bot.flying($Heap, this) + ==> + _module.Bot.arms__up#canCall($Heap, this) + ==> _module.Bot.arms__up($Heap, this) + || read($Heap, + read($Heap, read($Heap, this, _module.Bot.right), _module.Arm.polar), + _module.Cell.val) + == LitInt(0)); + ensures _module.Bot.flying#canCall($Heap, this) + ==> _module.Bot.flying($Heap, this) + || read($Heap, + read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.z), + _module.Cell.val) + > 0; + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] + || read(old($Heap), this, _module.Bot.Repr)[$Box($o)]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +implementation {:verboseName "Bot.Fly (correctness)"} Impl$$_module.Bot.Fly(this: ref) returns ($_reverifyPost: bool) +{ + var $_Frame: [ref,Field beta]bool; + var $obj0: ref; + var $obj1: ref; + var $rhs#0: int; + var $rhs#1: int; + var $rhs#2: int; + var $rhs#3: int; + var $rhs#4: DatatypeType; + var $rhs#5: DatatypeType; + var $rhs#6: DatatypeType; + + // AddMethodImpl: Fly, Impl$$_module.Bot.Fly + // initialize fuel constant + assume AsFuelBottom(StartFuel__module.Bot.Valid) == StartFuel__module.Bot.Valid; + assume AsFuelBottom(StartFuelAssert__module.Bot.Valid) + == StartFuelAssert__module.Bot.Valid; + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> read($Heap, this, _module.Bot.Repr)[$Box($o)]); + $_reverifyPost := false; + // ----- reveal statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(148,5) + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(148,17) + // TrCallStmt: Before ProcessCallStmt + assume true; + // ProcessCallStmt: Make the call + call Call$$_module.Bot.reveal__Valid(this); + // TrCallStmt: After ProcessCallStmt + // ----- update statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(149,37) + assert read($Heap, this, _module.Bot.left) != null; + assert read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.polar) != null; + assume true; + $obj0 := read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.polar); + assert $_Frame[$obj0, _module.Cell.val]; + assert read($Heap, this, _module.Bot.right) != null; + assert read($Heap, read($Heap, this, _module.Bot.right), _module.Arm.polar) != null; + assume true; + $obj1 := read($Heap, read($Heap, this, _module.Bot.right), _module.Arm.polar); + assert $_Frame[$obj1, _module.Cell.val]; + assume true; + $rhs#0 := LitInt(0); + assume true; + $rhs#1 := LitInt(0); + assert read($Heap, read($Heap, this, _module.Bot.right), _module.Arm.polar) + != read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.polar) + || $rhs#1 == $rhs#0; + $Heap := update($Heap, $obj0, _module.Cell.val, $rhs#0); + assume $IsGoodHeap($Heap); + $Heap := update($Heap, $obj1, _module.Cell.val, $rhs#1); + assume $IsGoodHeap($Heap); + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(150,15) + assert read($Heap, this, _module.Bot.pos) != null; + assert read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.z) != null; + assume true; + assert $_Frame[read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.z), _module.Cell.val]; + assume true; + $rhs#2 := LitInt(100); + $Heap := update($Heap, + read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.z), + _module.Cell.val, + $rhs#2); + assume $IsGoodHeap($Heap); + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(151,20) + assert read($Heap, this, _module.Bot.right) != null; + assert read($Heap, read($Heap, this, _module.Bot.right), _module.Arm.azim) != null; + assume true; + assert $_Frame[read($Heap, read($Heap, this, _module.Bot.right), _module.Arm.azim), _module.Cell.val]; + assume true; + $rhs#3 := LitInt(17); + $Heap := update($Heap, + read($Heap, read($Heap, this, _module.Bot.right), _module.Arm.azim), + _module.Cell.val, + $rhs#3); + assume $IsGoodHeap($Heap); + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(152,15) + assert read($Heap, this, _module.Bot.pos) != null; + assume true; + assert $_Frame[read($Heap, this, _module.Bot.pos), _module.Point.Value]; + assert read($Heap, this, _module.Bot.pos) != null; + assume _System.Tuple3.___hMake3_q(read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.Value)); + assert read($Heap, this, _module.Bot.pos) != null; + assume _System.Tuple3.___hMake3_q(read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.Value)); + assume _System.Tuple3.___hMake3_q(read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.Value)) + && _System.Tuple3.___hMake3_q(read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.Value)); + $rhs#4 := #_System._tuple#3._#Make3(_System.Tuple3._0(read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.Value)), + _System.Tuple3._1(read($Heap, read($Heap, this, _module.Bot.pos), _module.Point.Value)), + $Box(LitInt(100))); + $Heap := update($Heap, read($Heap, this, _module.Bot.pos), _module.Point.Value, $rhs#4); + assume $IsGoodHeap($Heap); + // ----- update statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(153,29) + assert read($Heap, this, _module.Bot.left) != null; + assume true; + $obj0 := read($Heap, this, _module.Bot.left); + assert $_Frame[$obj0, _module.Arm.Value]; + assert read($Heap, this, _module.Bot.right) != null; + assume true; + $obj1 := read($Heap, this, _module.Bot.right); + assert $_Frame[$obj1, _module.Arm.Value]; + assert read($Heap, this, _module.Bot.left) != null; + assume _System.Tuple2.___hMake2_q(read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.Value)); + assume _System.Tuple2.___hMake2_q(read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.Value)); + $rhs#5 := #_System._tuple#2._#Make2($Box(LitInt(0)), + _System.Tuple2._1(read($Heap, read($Heap, this, _module.Bot.left), _module.Arm.Value))); + assume true; + $rhs#6 := Lit(#_System._tuple#2._#Make2($Box(LitInt(0)), $Box(LitInt(17)))); + assert read($Heap, this, _module.Bot.right) != read($Heap, this, _module.Bot.left) + || $rhs#6 == $rhs#5; + $Heap := update($Heap, $obj0, _module.Arm.Value, $rhs#5); + assume $IsGoodHeap($Heap); + $Heap := update($Heap, $obj1, _module.Arm.Value, $rhs#6); + assume $IsGoodHeap($Heap); + // ----- reveal statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(154,5) + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(154,17) + // TrCallStmt: Before ProcessCallStmt + assume true; + // ProcessCallStmt: Make the call + call Call$$_module.Bot.reveal__Valid(this); + // TrCallStmt: After ProcessCallStmt +} + + + +procedure {:verboseName "Bot.reveal_Valid (well-formedness)"} {:auto_generated} {:opaque_reveal} {:verify false} CheckWellFormed$$_module.Bot.reveal__Valid(this: ref + where this != null + && + $Is(this, Tclass._module.Bot()) + && $IsAlloc(this, Tclass._module.Bot(), $Heap)); + free requires 0 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +const MoreFuel__module.Bot.Valid0: LayerType; + +procedure {:verboseName "Bot.reveal_Valid (call)"} {:auto_generated} {:opaque_reveal} {:verify false} Call$$_module.Bot.reveal__Valid(this: ref + where this != null + && + $Is(this, Tclass._module.Bot()) + && $IsAlloc(this, Tclass._module.Bot(), $Heap)); + modifies $Heap, $Tick; + // frame condition + free ensures old($Heap) == $Heap; + free ensures StartFuel__module.Bot.Valid == $LS(MoreFuel__module.Bot.Valid0); + free ensures StartFuelAssert__module.Bot.Valid == $LS($LS(MoreFuel__module.Bot.Valid0)); + // Shortcut to LZ + free ensures AsFuelBottom(MoreFuel__module.Bot.Valid0) == MoreFuel__module.Bot.Valid0; + + + +// _module.Bot: non-null type $Is +axiom (forall c#0: ref :: + { $Is(c#0, Tclass._module.Bot()) } + $Is(c#0, Tclass._module.Bot()) + <==> $Is(c#0, Tclass._module.Bot?()) && c#0 != null); + +// _module.Bot: non-null type $IsAlloc +axiom (forall c#0: ref, $h: Heap :: + { $IsAlloc(c#0, Tclass._module.Bot(), $h) } + $IsAlloc(c#0, Tclass._module.Bot(), $h) + <==> $IsAlloc(c#0, Tclass._module.Bot?(), $h)); + +const unique class._module.__default: ClassName; + +function Tclass._module.__default() : Ty; + +const unique Tagclass._module.__default: TyTag; + +// Tclass._module.__default Tag +axiom Tag(Tclass._module.__default()) == Tagclass._module.__default + && TagFamily(Tclass._module.__default()) == tytagFamily$_default; + +// Box/unbox axiom for Tclass._module.__default +axiom (forall bx: Box :: + { $IsBox(bx, Tclass._module.__default()) } + $IsBox(bx, Tclass._module.__default()) + ==> $Box($Unbox(bx): ref) == bx && $Is($Unbox(bx): ref, Tclass._module.__default())); + +// _default: Class $Is +axiom (forall $o: ref :: + { $Is($o, Tclass._module.__default()) } + $Is($o, Tclass._module.__default()) + <==> $o == null || dtype($o) == Tclass._module.__default()); + +// _default: Class $IsAlloc +axiom (forall $o: ref, $h: Heap :: + { $IsAlloc($o, Tclass._module.__default(), $h) } + $IsAlloc($o, Tclass._module.__default(), $h) + <==> $o == null || read($h, $o, alloc)); + +procedure {:verboseName "FlyRobots (well-formedness)"} CheckWellFormed$$_module.__default.FlyRobots(b0#0: ref + where $Is(b0#0, Tclass._module.Bot()) && $IsAlloc(b0#0, Tclass._module.Bot(), $Heap), + b1#0: ref + where $Is(b1#0, Tclass._module.Bot()) && $IsAlloc(b1#0, Tclass._module.Bot(), $Heap)); + free requires 5 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +implementation {:verboseName "FlyRobots (well-formedness)"} CheckWellFormed$$_module.__default.FlyRobots(b0#0: ref, b1#0: ref) +{ + var $_Frame: [ref,Field beta]bool; + + // AddMethodImpl: FlyRobots, CheckWellFormed$$_module.__default.FlyRobots + // initialize fuel constant + assume AsFuelBottom(StartFuel__module.Bot.Valid) == StartFuel__module.Bot.Valid; + assume AsFuelBottom(StartFuelAssert__module.Bot.Valid) + == StartFuelAssert__module.Bot.Valid; + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> read($Heap, b0#0, _module.Bot.Repr)[$Box($o)] + || read($Heap, b1#0, _module.Bot.Repr)[$Box($o)]); + assert b0#0 != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(b0#0, Tclass._module.Bot?(), $Heap); + assume _module.Bot.Valid#canCall($Heap, b0#0); + assume _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, b0#0); + assert b1#0 != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(b1#0, Tclass._module.Bot?(), $Heap); + assume _module.Bot.Valid#canCall($Heap, b1#0); + assume _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, b1#0); + if (*) + { + assume b0#0 != b1#0; + assert b0#0 != null; + assert b1#0 != null; + assume Set#Disjoint(read($Heap, b0#0, _module.Bot.Repr), read($Heap, b1#0, _module.Bot.Repr)); + } + else + { + assume b0#0 != b1#0 + ==> Set#Disjoint(read($Heap, b0#0, _module.Bot.Repr), read($Heap, b1#0, _module.Bot.Repr)); + } + + assert b0#0 != null; + assert b1#0 != null; + havoc $Heap; + assume (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] + || + read(old($Heap), b0#0, _module.Bot.Repr)[$Box($o)] + || read(old($Heap), b1#0, _module.Bot.Repr)[$Box($o)]); + assume $HeapSucc(old($Heap), $Heap); + assert b0#0 != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(b0#0, Tclass._module.Bot?(), $Heap); + assume _module.Bot.Valid#canCall($Heap, b0#0); + assume _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, b0#0); + assert b0#0 != null; + assert b0#0 != null; + assert $IsAlloc(b0#0, Tclass._module.Bot(), old($Heap)); + assume (forall $o: ref :: + { read(old($Heap), $o, alloc) } + read($Heap, b0#0, _module.Bot.Repr)[$Box($o)] + && !read(old($Heap), b0#0, _module.Bot.Repr)[$Box($o)] + ==> $o != null && !read(old($Heap), $o, alloc)); + assert b1#0 != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(b1#0, Tclass._module.Bot?(), $Heap); + assume _module.Bot.Valid#canCall($Heap, b1#0); + assume _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, b1#0); + assert b1#0 != null; + assert b1#0 != null; + assert $IsAlloc(b1#0, Tclass._module.Bot(), old($Heap)); + assume (forall $o: ref :: + { read(old($Heap), $o, alloc) } + read($Heap, b1#0, _module.Bot.Repr)[$Box($o)] + && !read(old($Heap), b1#0, _module.Bot.Repr)[$Box($o)] + ==> $o != null && !read(old($Heap), $o, alloc)); + if (*) + { + assume b0#0 != b1#0; + assert b0#0 != null; + assert b1#0 != null; + assume Set#Disjoint(read($Heap, b0#0, _module.Bot.Repr), read($Heap, b1#0, _module.Bot.Repr)); + } + else + { + assume b0#0 != b1#0 + ==> Set#Disjoint(read($Heap, b0#0, _module.Bot.Repr), read($Heap, b1#0, _module.Bot.Repr)); + } + + assert b0#0 != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(b0#0, Tclass._module.Bot?(), $Heap); + assert {:subsumption 0} Lit(true) ==> _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, b0#0); + assume _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, b0#0); + assume _module.Bot.robot__inv#canCall($Heap, b0#0); + assume _module.Bot.robot__inv($Heap, b0#0); + assert b1#0 != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(b1#0, Tclass._module.Bot?(), $Heap); + assert {:subsumption 0} Lit(true) ==> _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, b1#0); + assume _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, b1#0); + assume _module.Bot.robot__inv#canCall($Heap, b1#0); + assume _module.Bot.robot__inv($Heap, b1#0); + assert b0#0 != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(b0#0, Tclass._module.Bot?(), $Heap); + assert {:subsumption 0} Lit(true) ==> _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, b0#0); + assume _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, b0#0); + assume _module.Bot.flying#canCall($Heap, b0#0); + assume _module.Bot.flying($Heap, b0#0); + assert b1#0 != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(b1#0, Tclass._module.Bot?(), $Heap); + assert {:subsumption 0} Lit(true) ==> _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, b1#0); + assume _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, b1#0); + assume _module.Bot.flying#canCall($Heap, b1#0); + assume _module.Bot.flying($Heap, b1#0); +} + + + +procedure {:verboseName "FlyRobots (call)"} Call$$_module.__default.FlyRobots(b0#0: ref + where $Is(b0#0, Tclass._module.Bot()) && $IsAlloc(b0#0, Tclass._module.Bot(), $Heap), + b1#0: ref + where $Is(b1#0, Tclass._module.Bot()) && $IsAlloc(b1#0, Tclass._module.Bot(), $Heap)); + // user-defined preconditions + requires _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, b0#0); + requires _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, b1#0); + requires b0#0 != b1#0 + ==> Set#Disjoint(read($Heap, b0#0, _module.Bot.Repr), read($Heap, b1#0, _module.Bot.Repr)); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures _module.Bot.Valid#canCall($Heap, b0#0); + ensures _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, b0#0); + ensures (forall $o: ref :: + { read(old($Heap), $o, alloc) } + read($Heap, b0#0, _module.Bot.Repr)[$Box($o)] + && !read(old($Heap), b0#0, _module.Bot.Repr)[$Box($o)] + ==> $o != null && !read(old($Heap), $o, alloc)); + free ensures _module.Bot.Valid#canCall($Heap, b1#0); + ensures _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, b1#0); + ensures (forall $o: ref :: + { read(old($Heap), $o, alloc) } + read($Heap, b1#0, _module.Bot.Repr)[$Box($o)] + && !read(old($Heap), b1#0, _module.Bot.Repr)[$Box($o)] + ==> $o != null && !read(old($Heap), $o, alloc)); + free ensures true; + ensures b0#0 != b1#0 + ==> Set#Disjoint(read($Heap, b0#0, _module.Bot.Repr), read($Heap, b1#0, _module.Bot.Repr)); + free ensures _module.Bot.robot__inv#canCall($Heap, b0#0) + && (_module.Bot.robot__inv($Heap, b0#0) + ==> _module.Bot.robot__inv#canCall($Heap, b1#0)); + free ensures _module.Bot.robot__inv#canCall($Heap, b0#0) + && + _module.Bot.robot__inv($Heap, b0#0) + && (_module.Bot.flying($Heap, b0#0) ==> _module.Bot.arms__up($Heap, b0#0)); + free ensures _module.Bot.robot__inv#canCall($Heap, b1#0) + && + _module.Bot.robot__inv($Heap, b1#0) + && (_module.Bot.flying($Heap, b1#0) ==> _module.Bot.arms__up($Heap, b1#0)); + free ensures _module.Bot.flying#canCall($Heap, b0#0) + && (_module.Bot.flying($Heap, b0#0) ==> _module.Bot.flying#canCall($Heap, b1#0)); + free ensures _module.Bot.flying#canCall($Heap, b0#0) + && + _module.Bot.flying($Heap, b0#0) + && read($Heap, + read($Heap, read($Heap, b0#0, _module.Bot.pos), _module.Point.z), + _module.Cell.val) + > 0; + free ensures _module.Bot.flying#canCall($Heap, b1#0) + && + _module.Bot.flying($Heap, b1#0) + && read($Heap, + read($Heap, read($Heap, b1#0, _module.Bot.pos), _module.Point.z), + _module.Cell.val) + > 0; + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] + || + read(old($Heap), b0#0, _module.Bot.Repr)[$Box($o)] + || read(old($Heap), b1#0, _module.Bot.Repr)[$Box($o)]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +procedure {:verboseName "FlyRobots (correctness)"} Impl$$_module.__default.FlyRobots(b0#0: ref + where $Is(b0#0, Tclass._module.Bot()) && $IsAlloc(b0#0, Tclass._module.Bot(), $Heap), + b1#0: ref + where $Is(b1#0, Tclass._module.Bot()) && $IsAlloc(b1#0, Tclass._module.Bot(), $Heap)) + returns ($_reverifyPost: bool); + free requires 5 == $FunctionContextHeight; + // user-defined preconditions + requires _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, b0#0); + requires _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, b1#0); + requires b0#0 != b1#0 + ==> Set#Disjoint(read($Heap, b0#0, _module.Bot.Repr), read($Heap, b1#0, _module.Bot.Repr)); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures _module.Bot.Valid#canCall($Heap, b0#0); + ensures _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, b0#0); + ensures (forall $o: ref :: + { read(old($Heap), $o, alloc) } + read($Heap, b0#0, _module.Bot.Repr)[$Box($o)] + && !read(old($Heap), b0#0, _module.Bot.Repr)[$Box($o)] + ==> $o != null && !read(old($Heap), $o, alloc)); + free ensures _module.Bot.Valid#canCall($Heap, b1#0); + ensures _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, b1#0); + ensures (forall $o: ref :: + { read(old($Heap), $o, alloc) } + read($Heap, b1#0, _module.Bot.Repr)[$Box($o)] + && !read(old($Heap), b1#0, _module.Bot.Repr)[$Box($o)] + ==> $o != null && !read(old($Heap), $o, alloc)); + free ensures true; + ensures b0#0 != b1#0 + ==> Set#Disjoint(read($Heap, b0#0, _module.Bot.Repr), read($Heap, b1#0, _module.Bot.Repr)); + free ensures _module.Bot.robot__inv#canCall($Heap, b0#0) + && (_module.Bot.robot__inv($Heap, b0#0) + ==> _module.Bot.robot__inv#canCall($Heap, b1#0)); + ensures _module.Bot.robot__inv#canCall($Heap, b0#0) + ==> _module.Bot.robot__inv($Heap, b0#0) + || (_module.Bot.flying($Heap, b0#0) + ==> + _module.Bot.arms__up#canCall($Heap, b0#0) + ==> _module.Bot.arms__up($Heap, b0#0) + || read($Heap, + read($Heap, read($Heap, b0#0, _module.Bot.left), _module.Arm.polar), + _module.Cell.val) + == read($Heap, + read($Heap, read($Heap, b0#0, _module.Bot.right), _module.Arm.polar), + _module.Cell.val)); + ensures _module.Bot.robot__inv#canCall($Heap, b0#0) + ==> _module.Bot.robot__inv($Heap, b0#0) + || (_module.Bot.flying($Heap, b0#0) + ==> + _module.Bot.arms__up#canCall($Heap, b0#0) + ==> _module.Bot.arms__up($Heap, b0#0) + || read($Heap, + read($Heap, read($Heap, b0#0, _module.Bot.right), _module.Arm.polar), + _module.Cell.val) + == LitInt(0)); + ensures _module.Bot.robot__inv#canCall($Heap, b1#0) + ==> _module.Bot.robot__inv($Heap, b1#0) + || (_module.Bot.flying($Heap, b1#0) + ==> + _module.Bot.arms__up#canCall($Heap, b1#0) + ==> _module.Bot.arms__up($Heap, b1#0) + || read($Heap, + read($Heap, read($Heap, b1#0, _module.Bot.left), _module.Arm.polar), + _module.Cell.val) + == read($Heap, + read($Heap, read($Heap, b1#0, _module.Bot.right), _module.Arm.polar), + _module.Cell.val)); + ensures _module.Bot.robot__inv#canCall($Heap, b1#0) + ==> _module.Bot.robot__inv($Heap, b1#0) + || (_module.Bot.flying($Heap, b1#0) + ==> + _module.Bot.arms__up#canCall($Heap, b1#0) + ==> _module.Bot.arms__up($Heap, b1#0) + || read($Heap, + read($Heap, read($Heap, b1#0, _module.Bot.right), _module.Arm.polar), + _module.Cell.val) + == LitInt(0)); + free ensures _module.Bot.flying#canCall($Heap, b0#0) + && (_module.Bot.flying($Heap, b0#0) ==> _module.Bot.flying#canCall($Heap, b1#0)); + ensures _module.Bot.flying#canCall($Heap, b0#0) + ==> _module.Bot.flying($Heap, b0#0) + || read($Heap, + read($Heap, read($Heap, b0#0, _module.Bot.pos), _module.Point.z), + _module.Cell.val) + > 0; + ensures _module.Bot.flying#canCall($Heap, b1#0) + ==> _module.Bot.flying($Heap, b1#0) + || read($Heap, + read($Heap, read($Heap, b1#0, _module.Bot.pos), _module.Point.z), + _module.Cell.val) + > 0; + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] + || + read(old($Heap), b0#0, _module.Bot.Repr)[$Box($o)] + || read(old($Heap), b1#0, _module.Bot.Repr)[$Box($o)]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +implementation {:verboseName "FlyRobots (correctness)"} Impl$$_module.__default.FlyRobots(b0#0: ref, b1#0: ref) returns ($_reverifyPost: bool) +{ + var $_Frame: [ref,Field beta]bool; + + // AddMethodImpl: FlyRobots, Impl$$_module.__default.FlyRobots + // initialize fuel constant + assume AsFuelBottom(StartFuel__module.Bot.Valid) == StartFuel__module.Bot.Valid; + assume AsFuelBottom(StartFuelAssert__module.Bot.Valid) + == StartFuelAssert__module.Bot.Valid; + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> read($Heap, b0#0, _module.Bot.Repr)[$Box($o)] + || read($Heap, b1#0, _module.Bot.Repr)[$Box($o)]); + $_reverifyPost := false; + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(170,9) + // TrCallStmt: Before ProcessCallStmt + assume true; + assert b0#0 != null; + assert (forall $o: ref, $f: Field alpha :: + $o != null + && read($Heap, $o, alloc) + && read($Heap, b0#0, _module.Bot.Repr)[$Box($o)] + ==> $_Frame[$o, $f]); + // ProcessCallStmt: Make the call + call Call$$_module.Bot.Fly(b0#0); + // TrCallStmt: After ProcessCallStmt + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(171,9) + // TrCallStmt: Before ProcessCallStmt + assume true; + assert b1#0 != null; + assert (forall $o: ref, $f: Field alpha :: + $o != null + && read($Heap, $o, alloc) + && read($Heap, b1#0, _module.Bot.Repr)[$Box($o)] + ==> $_Frame[$o, $f]); + // ProcessCallStmt: Make the call + call Call$$_module.Bot.Fly(b1#0); + // TrCallStmt: After ProcessCallStmt +} + + + +// function declaration for _module._default.ArmyRepr +function _module.__default.ArmyRepr($heap: Heap, bots#0: Seq Box) : Set Box; + +function _module.__default.ArmyRepr#canCall($heap: Heap, bots#0: Seq Box) : bool; + +// frame axiom for _module.__default.ArmyRepr +axiom (forall $h0: Heap, $h1: Heap, bots#0: Seq Box :: + { $IsHeapAnchor($h0), $HeapSucc($h0, $h1), _module.__default.ArmyRepr($h1, bots#0) } + $IsGoodHeap($h0) + && $IsGoodHeap($h1) + && (_module.__default.ArmyRepr#canCall($h0, bots#0) + || $Is(bots#0, TSeq(Tclass._module.Bot()))) + && + $IsHeapAnchor($h0) + && $HeapSucc($h0, $h1) + ==> + (forall $o: ref, $f: Field alpha :: + $o != null && $Is($o, Tclass._module.Bot()) && Seq#Contains(bots#0, $Box($o)) + ==> read($h0, $o, $f) == read($h1, $o, $f)) + ==> _module.__default.ArmyRepr($h0, bots#0) + == _module.__default.ArmyRepr($h1, bots#0)); + +// consequence axiom for _module.__default.ArmyRepr +axiom 1 <= $FunctionContextHeight + ==> (forall $Heap: Heap, bots#0: Seq Box :: + { _module.__default.ArmyRepr($Heap, bots#0) } + _module.__default.ArmyRepr#canCall($Heap, bots#0) + || (1 != $FunctionContextHeight + && + $IsGoodHeap($Heap) + && $Is(bots#0, TSeq(Tclass._module.Bot()))) + ==> $Is(_module.__default.ArmyRepr($Heap, bots#0), TSet(Tclass._System.object()))); + +function _module.__default.ArmyRepr#requires(Heap, Seq Box) : bool; + +// #requires axiom for _module.__default.ArmyRepr +axiom (forall $Heap: Heap, bots#0: Seq Box :: + { _module.__default.ArmyRepr#requires($Heap, bots#0), $IsGoodHeap($Heap) } + $IsGoodHeap($Heap) && $Is(bots#0, TSeq(Tclass._module.Bot())) + ==> _module.__default.ArmyRepr#requires($Heap, bots#0) == true); + +// definition axiom for _module.__default.ArmyRepr (revealed) +axiom 1 <= $FunctionContextHeight + ==> (forall $Heap: Heap, bots#0: Seq Box :: + { _module.__default.ArmyRepr($Heap, bots#0), $IsGoodHeap($Heap) } + _module.__default.ArmyRepr#canCall($Heap, bots#0) + || (1 != $FunctionContextHeight + && + $IsGoodHeap($Heap) + && $Is(bots#0, TSeq(Tclass._module.Bot()))) + ==> _module.__default.ArmyRepr($Heap, bots#0) + == (lambda $y#0: Box :: + (exists b#0: ref, o#0: ref :: + { read($Heap, b#0, _module.Bot.Repr)[$Box(o#0)] } + $Is(b#0, Tclass._module.Bot()) + && $Is(o#0, Tclass._System.object()) + && + Seq#Contains(bots#0, $Box(b#0)) + && read($Heap, b#0, _module.Bot.Repr)[$Box(o#0)] + && $y#0 == $Box(o#0)))); + +procedure {:verboseName "ArmyRepr (well-formedness)"} CheckWellformed$$_module.__default.ArmyRepr(bots#0: Seq Box where $Is(bots#0, TSeq(Tclass._module.Bot()))); + free requires 1 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +implementation {:verboseName "ArmyRepr (well-formedness)"} CheckWellformed$$_module.__default.ArmyRepr(bots#0: Seq Box) +{ + var $_Frame: [ref,Field beta]bool; + var b#1: ref; + var b#2: ref; + var b#3: ref; + var o#1: ref; + var b$reqreads#0: bool; + + b$reqreads#0 := true; + + // AddWellformednessCheck for function ArmyRepr + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> $Is($o, Tclass._module.Bot()) && Seq#Contains(bots#0, $Box($o))); + // initialize fuel constant + assume AsFuelBottom(StartFuel__module.Bot.Valid) == StartFuel__module.Bot.Valid; + assume AsFuelBottom(StartFuelAssert__module.Bot.Valid) + == StartFuelAssert__module.Bot.Valid; + // Begin Comprehension WF check + havoc b#1; + if ($Is(b#1, Tclass._module.Bot()) && $IsAlloc(b#1, Tclass._module.Bot(), $Heap)) + { + if (Seq#Contains(bots#0, $Box(b#1))) + { + } + } + + // End Comprehension WF check + // Begin Comprehension WF check + havoc b#2; + if ($Is(b#2, Tclass._module.Bot()) && $IsAlloc(b#2, Tclass._module.Bot(), $Heap)) + { + if (Seq#Contains(bots#0, $Box(b#2))) + { + } + } + + // End Comprehension WF check + if (*) + { + assume $Is(_module.__default.ArmyRepr($Heap, bots#0), TSet(Tclass._System.object())); + assume false; + } + else + { + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> $Is($o, Tclass._module.Bot()) && Seq#Contains(bots#0, $Box($o))); + // Begin Comprehension WF check + havoc b#3; + havoc o#1; + if ($Is(b#3, Tclass._module.Bot()) + && $IsAlloc(b#3, Tclass._module.Bot(), $Heap) + && + $Is(o#1, Tclass._System.object()) + && $IsAlloc(o#1, Tclass._System.object(), $Heap)) + { + if (Seq#Contains(bots#0, $Box(b#3))) + { + assert b#3 != null; + b$reqreads#0 := $_Frame[b#3, _module.Bot.Repr]; + } + + if (Seq#Contains(bots#0, $Box(b#3)) && read($Heap, b#3, _module.Bot.Repr)[$Box(o#1)]) + { + } + } + + // End Comprehension WF check + assume _module.__default.ArmyRepr($Heap, bots#0) + == (lambda $y#1: Box :: + (exists b#4: ref, o#2: ref :: + { read($Heap, b#4, _module.Bot.Repr)[$Box(o#2)] } + $Is(b#4, Tclass._module.Bot()) + && $Is(o#2, Tclass._System.object()) + && + Seq#Contains(bots#0, $Box(b#4)) + && read($Heap, b#4, _module.Bot.Repr)[$Box(o#2)] + && $y#1 == $Box(o#2))); + assume true; + // CheckWellformedWithResult: any expression + assume $Is(_module.__default.ArmyRepr($Heap, bots#0), TSet(Tclass._System.object())); + assert b$reqreads#0; + } +} + + + +// function declaration for _module._default.ValidArmy +function _module.__default.ValidArmy($heap: Heap, bots#0: Seq Box) : bool; + +function _module.__default.ValidArmy#canCall($heap: Heap, bots#0: Seq Box) : bool; + +// frame axiom for _module.__default.ValidArmy +axiom (forall $h0: Heap, $h1: Heap, bots#0: Seq Box :: + { $IsHeapAnchor($h0), $HeapSucc($h0, $h1), _module.__default.ValidArmy($h1, bots#0) } + $IsGoodHeap($h0) + && $IsGoodHeap($h1) + && (_module.__default.ValidArmy#canCall($h0, bots#0) + || $Is(bots#0, TSeq(Tclass._module.Bot()))) + && + $IsHeapAnchor($h0) + && $HeapSucc($h0, $h1) + ==> + (forall $o: ref, $f: Field alpha :: + $o != null + && (($Is($o, Tclass._module.Bot()) && Seq#Contains(bots#0, $Box($o))) + || _module.__default.ArmyRepr($h0, bots#0)[$Box($o)]) + ==> read($h0, $o, $f) == read($h1, $o, $f)) + ==> _module.__default.ValidArmy($h0, bots#0) + == _module.__default.ValidArmy($h1, bots#0)); + +// consequence axiom for _module.__default.ValidArmy +axiom 2 <= $FunctionContextHeight + ==> (forall $Heap: Heap, bots#0: Seq Box :: + { _module.__default.ValidArmy($Heap, bots#0) } + _module.__default.ValidArmy#canCall($Heap, bots#0) + || (2 != $FunctionContextHeight + && + $IsGoodHeap($Heap) + && $Is(bots#0, TSeq(Tclass._module.Bot()))) + ==> true); + +function _module.__default.ValidArmy#requires(Heap, Seq Box) : bool; + +// #requires axiom for _module.__default.ValidArmy +axiom (forall $Heap: Heap, bots#0: Seq Box :: + { _module.__default.ValidArmy#requires($Heap, bots#0), $IsGoodHeap($Heap) } + $IsGoodHeap($Heap) && $Is(bots#0, TSeq(Tclass._module.Bot())) + ==> _module.__default.ValidArmy#requires($Heap, bots#0) == true); + +// definition axiom for _module.__default.ValidArmy (revealed) +axiom 2 <= $FunctionContextHeight + ==> (forall $Heap: Heap, bots#0: Seq Box :: + { _module.__default.ValidArmy($Heap, bots#0), $IsGoodHeap($Heap) } + _module.__default.ValidArmy#canCall($Heap, bots#0) + || (2 != $FunctionContextHeight + && + $IsGoodHeap($Heap) + && $Is(bots#0, TSeq(Tclass._module.Bot()))) + ==> (forall i#0: int :: + { $Unbox(Seq#Index(bots#0, i#0)): ref } + LitInt(0) <= i#0 + ==> + i#0 < Seq#Length(bots#0) + ==> _module.Bot.Valid#canCall($Heap, $Unbox(Seq#Index(bots#0, i#0)): ref)) + && _module.__default.ValidArmy($Heap, bots#0) + == ((forall i#0: int :: + { $Unbox(Seq#Index(bots#0, i#0)): ref } + true + ==> + LitInt(0) <= i#0 && i#0 < Seq#Length(bots#0) + ==> _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, i#0)): ref)) + && (forall i#1: int, j#0: int :: + { $Unbox(Seq#Index(bots#0, j#0)): ref, $Unbox(Seq#Index(bots#0, i#1)): ref } + true + ==> + LitInt(0) <= i#1 && i#1 < j#0 && j#0 < Seq#Length(bots#0) + ==> Set#Disjoint(read($Heap, $Unbox(Seq#Index(bots#0, i#1)): ref, _module.Bot.Repr), + read($Heap, $Unbox(Seq#Index(bots#0, j#0)): ref, _module.Bot.Repr))))); + +procedure {:verboseName "ValidArmy (well-formedness)"} CheckWellformed$$_module.__default.ValidArmy(bots#0: Seq Box where $Is(bots#0, TSeq(Tclass._module.Bot()))); + free requires 2 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +implementation {:verboseName "ValidArmy (well-formedness)"} CheckWellformed$$_module.__default.ValidArmy(bots#0: Seq Box) +{ + var $_Frame: [ref,Field beta]bool; + var b#0: ref; + var ##bots#0: Seq Box; + var b$reqreads#0: bool; + var b#1: ref; + var ##bots#1: Seq Box; + var i#2: int; + var i#3: int; + var j#1: int; + var b$reqreads#1: bool; + var b$reqreads#2: bool; + var b$reqreads#3: bool; + + b$reqreads#0 := true; + b$reqreads#1 := true; + b$reqreads#2 := true; + b$reqreads#3 := true; + + // AddWellformednessCheck for function ValidArmy + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> ($Is($o, Tclass._module.Bot()) && Seq#Contains(bots#0, $Box($o))) + || _module.__default.ArmyRepr($Heap, bots#0)[$Box($o)]); + // initialize fuel constant + assume AsFuelBottom(StartFuel__module.Bot.Valid) == StartFuel__module.Bot.Valid; + assume AsFuelBottom(StartFuelAssert__module.Bot.Valid) + == StartFuelAssert__module.Bot.Valid; + // Begin Comprehension WF check + havoc b#0; + if ($Is(b#0, Tclass._module.Bot()) && $IsAlloc(b#0, Tclass._module.Bot(), $Heap)) + { + if (Seq#Contains(bots#0, $Box(b#0))) + { + } + } + + // End Comprehension WF check + ##bots#0 := bots#0; + // assume allocatedness for argument to function + assume $IsAlloc(##bots#0, TSeq(Tclass._module.Bot()), $Heap); + b$reqreads#0 := (forall $o: ref, $f: Field alpha :: + $o != null + && read($Heap, $o, alloc) + && + $Is($o, Tclass._module.Bot()) + && Seq#Contains(##bots#0, $Box($o)) + ==> $_Frame[$o, $f]); + assume _module.__default.ArmyRepr#canCall($Heap, bots#0); + assert b$reqreads#0; + // Begin Comprehension WF check + havoc b#1; + if ($Is(b#1, Tclass._module.Bot()) && $IsAlloc(b#1, Tclass._module.Bot(), $Heap)) + { + if (Seq#Contains(bots#0, $Box(b#1))) + { + } + } + + // End Comprehension WF check + ##bots#1 := bots#0; + // assume allocatedness for argument to function + assume $IsAlloc(##bots#1, TSeq(Tclass._module.Bot()), $Heap); + assume _module.__default.ArmyRepr#canCall($Heap, bots#0); + if (*) + { + assume false; + } + else + { + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> ($Is($o, Tclass._module.Bot()) && Seq#Contains(bots#0, $Box($o))) + || _module.__default.ArmyRepr($Heap, bots#0)[$Box($o)]); + // Begin Comprehension WF check + havoc i#2; + if (true) + { + if (LitInt(0) <= i#2) + { + } + + if (LitInt(0) <= i#2 && i#2 < Seq#Length(bots#0)) + { + assert 0 <= i#2 && i#2 < Seq#Length(bots#0); + assert $Unbox(Seq#Index(bots#0, i#2)): ref != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc($Unbox(Seq#Index(bots#0, i#2)): ref, Tclass._module.Bot?(), $Heap); + b$reqreads#1 := (forall $o: ref, $f: Field alpha :: + $o != null + && read($Heap, $o, alloc) + && ($o == $Unbox(Seq#Index(bots#0, i#2)): ref + || read($Heap, $Unbox(Seq#Index(bots#0, i#2)): ref, _module.Bot.Repr)[$Box($o)]) + ==> $_Frame[$o, $f]); + assume _module.Bot.Valid#canCall($Heap, $Unbox(Seq#Index(bots#0, i#2)): ref); + } + } + + // End Comprehension WF check + if ((forall i#4: int :: + { $Unbox(Seq#Index(bots#0, i#4)): ref } + true + ==> + LitInt(0) <= i#4 && i#4 < Seq#Length(bots#0) + ==> _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, i#4)): ref))) + { + // Begin Comprehension WF check + havoc i#3; + havoc j#1; + if (true) + { + if (LitInt(0) <= i#3) + { + } + + if (LitInt(0) <= i#3 && i#3 < j#1) + { + } + + if (LitInt(0) <= i#3 && i#3 < j#1 && j#1 < Seq#Length(bots#0)) + { + assert 0 <= i#3 && i#3 < Seq#Length(bots#0); + assert $Unbox(Seq#Index(bots#0, i#3)): ref != null; + b$reqreads#2 := $_Frame[$Unbox(Seq#Index(bots#0, i#3)): ref, _module.Bot.Repr]; + assert 0 <= j#1 && j#1 < Seq#Length(bots#0); + assert $Unbox(Seq#Index(bots#0, j#1)): ref != null; + b$reqreads#3 := $_Frame[$Unbox(Seq#Index(bots#0, j#1)): ref, _module.Bot.Repr]; + } + } + + // End Comprehension WF check + } + + assume _module.__default.ValidArmy($Heap, bots#0) + == ((forall i#4: int :: + { $Unbox(Seq#Index(bots#0, i#4)): ref } + true + ==> + LitInt(0) <= i#4 && i#4 < Seq#Length(bots#0) + ==> _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, i#4)): ref)) + && (forall i#5: int, j#2: int :: + { $Unbox(Seq#Index(bots#0, j#2)): ref, $Unbox(Seq#Index(bots#0, i#5)): ref } + true + ==> + LitInt(0) <= i#5 && i#5 < j#2 && j#2 < Seq#Length(bots#0) + ==> Set#Disjoint(read($Heap, $Unbox(Seq#Index(bots#0, i#5)): ref, _module.Bot.Repr), + read($Heap, $Unbox(Seq#Index(bots#0, j#2)): ref, _module.Bot.Repr)))); + assume (forall i#4: int :: + { $Unbox(Seq#Index(bots#0, i#4)): ref } + LitInt(0) <= i#4 && i#4 < Seq#Length(bots#0) + ==> _module.Bot.Valid#canCall($Heap, $Unbox(Seq#Index(bots#0, i#4)): ref)); + // CheckWellformedWithResult: any expression + assume $Is(_module.__default.ValidArmy($Heap, bots#0), TBool); + assert b$reqreads#1; + assert b$reqreads#2; + assert b$reqreads#3; + } +} + + + +procedure {:verboseName "FlyRobotArmy (well-formedness)"} CheckWellFormed$$_module.__default.FlyRobotArmy(bots#0: Seq Box + where $Is(bots#0, TSeq(Tclass._module.Bot())) + && $IsAlloc(bots#0, TSeq(Tclass._module.Bot()), $Heap)); + free requires 7 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +implementation {:verboseName "FlyRobotArmy (well-formedness)"} CheckWellFormed$$_module.__default.FlyRobotArmy(bots#0: Seq Box) +{ + var $_Frame: [ref,Field beta]bool; + var ##bots#0: Seq Box; + var ##bots#1: Seq Box; + var ##bots#2: Seq Box; + var ##bots#3: Seq Box; + var ##bots#4: Seq Box; + var b#0: ref; + + // AddMethodImpl: FlyRobotArmy, CheckWellFormed$$_module.__default.FlyRobotArmy + // initialize fuel constant + assume AsFuelBottom(StartFuel__module.Bot.Valid) == StartFuel__module.Bot.Valid; + assume AsFuelBottom(StartFuelAssert__module.Bot.Valid) + == StartFuelAssert__module.Bot.Valid; + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> _module.__default.ArmyRepr($Heap, bots#0)[$Box($o)]); + ##bots#0 := bots#0; + // assume allocatedness for argument to function + assume $IsAlloc(##bots#0, TSeq(Tclass._module.Bot()), $Heap); + assume _module.__default.ValidArmy#canCall($Heap, bots#0); + assume _module.__default.ValidArmy($Heap, bots#0); + ##bots#1 := bots#0; + // assume allocatedness for argument to function + assume $IsAlloc(##bots#1, TSeq(Tclass._module.Bot()), $Heap); + assume _module.__default.ArmyRepr#canCall($Heap, bots#0); + havoc $Heap; + assume (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] + || _module.__default.ArmyRepr(old($Heap), bots#0)[$Box($o)]); + assume $HeapSucc(old($Heap), $Heap); + ##bots#2 := bots#0; + // assume allocatedness for argument to function + assume $IsAlloc(##bots#2, TSeq(Tclass._module.Bot()), $Heap); + assume _module.__default.ValidArmy#canCall($Heap, bots#0); + assume _module.__default.ValidArmy($Heap, bots#0); + ##bots#3 := bots#0; + // assume allocatedness for argument to function + assume $IsAlloc(##bots#3, TSeq(Tclass._module.Bot()), $Heap); + assume _module.__default.ArmyRepr#canCall($Heap, bots#0); + ##bots#4 := bots#0; + assert $IsAlloc(bots#0, TSeq(Tclass._module.Bot()), old($Heap)); + assume _module.__default.ArmyRepr#canCall(old($Heap), bots#0); + assume (forall $o: ref :: + { read(old($Heap), $o, alloc) } + _module.__default.ArmyRepr($Heap, bots#0)[$Box($o)] + && !_module.__default.ArmyRepr(old($Heap), bots#0)[$Box($o)] + ==> $o != null && !read(old($Heap), $o, alloc)); + havoc b#0; + assume $Is(b#0, Tclass._module.Bot()) && $IsAlloc(b#0, Tclass._module.Bot(), $Heap); + if (*) + { + assume Seq#Contains(bots#0, $Box(b#0)); + assert b#0 != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(b#0, Tclass._module.Bot?(), $Heap); + assume _module.Bot.Valid#canCall($Heap, b#0); + assume _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, b#0); + assert b#0 != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(b#0, Tclass._module.Bot?(), $Heap); + assert {:subsumption 0} Lit(true) ==> _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, b#0); + assume _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, b#0); + assume _module.Bot.robot__inv#canCall($Heap, b#0); + assume _module.Bot.robot__inv($Heap, b#0); + assert b#0 != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(b#0, Tclass._module.Bot?(), $Heap); + assert {:subsumption 0} Lit(true) ==> _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, b#0); + assume _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, b#0); + assume _module.Bot.flying#canCall($Heap, b#0); + assume _module.Bot.flying($Heap, b#0); + } + else + { + assume Seq#Contains(bots#0, $Box(b#0)) + ==> _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, b#0) + && _module.Bot.robot__inv($Heap, b#0) + && _module.Bot.flying($Heap, b#0); + } + + assume (forall b#1: ref :: + { _module.Bot.flying($Heap, b#1) } + { _module.Bot.robot__inv($Heap, b#1) } + { _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, b#1) } + { Seq#Contains(bots#0, $Box(b#1)) } + $Is(b#1, Tclass._module.Bot()) + ==> (Seq#Contains(bots#0, $Box(b#1)) + ==> _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, b#1)) + && (Seq#Contains(bots#0, $Box(b#1)) ==> _module.Bot.robot__inv($Heap, b#1)) + && (Seq#Contains(bots#0, $Box(b#1)) ==> _module.Bot.flying($Heap, b#1))); +} + + + +procedure {:verboseName "FlyRobotArmy (call)"} Call$$_module.__default.FlyRobotArmy(bots#0: Seq Box + where $Is(bots#0, TSeq(Tclass._module.Bot())) + && $IsAlloc(bots#0, TSeq(Tclass._module.Bot()), $Heap)); + // user-defined preconditions + requires _module.__default.ValidArmy#canCall($Heap, bots#0) + ==> _module.__default.ValidArmy($Heap, bots#0) + || (forall i#0: int :: + { $Unbox(Seq#Index(bots#0, i#0)): ref } + true + ==> + LitInt(0) <= i#0 && i#0 < Seq#Length(bots#0) + ==> _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, i#0)): ref)); + requires _module.__default.ValidArmy#canCall($Heap, bots#0) + ==> _module.__default.ValidArmy($Heap, bots#0) + || (forall i#1: int, j#0: int :: + { $Unbox(Seq#Index(bots#0, j#0)): ref, $Unbox(Seq#Index(bots#0, i#1)): ref } + true + ==> + LitInt(0) <= i#1 && i#1 < j#0 && j#0 < Seq#Length(bots#0) + ==> Set#Disjoint(read($Heap, $Unbox(Seq#Index(bots#0, i#1)): ref, _module.Bot.Repr), + read($Heap, $Unbox(Seq#Index(bots#0, j#0)): ref, _module.Bot.Repr))); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures _module.__default.ValidArmy#canCall($Heap, bots#0) + && (_module.__default.ValidArmy($Heap, bots#0) + ==> _module.__default.ArmyRepr#canCall($Heap, bots#0) + && _module.__default.ArmyRepr#canCall(old($Heap), bots#0)); + free ensures _module.__default.ValidArmy#canCall($Heap, bots#0) + && + _module.__default.ValidArmy($Heap, bots#0) + && + (forall i#2: int :: + { $Unbox(Seq#Index(bots#0, i#2)): ref } + true + ==> + LitInt(0) <= i#2 && i#2 < Seq#Length(bots#0) + ==> _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, i#2)): ref)) + && (forall i#3: int, j#1: int :: + { $Unbox(Seq#Index(bots#0, j#1)): ref, $Unbox(Seq#Index(bots#0, i#3)): ref } + true + ==> + LitInt(0) <= i#3 && i#3 < j#1 && j#1 < Seq#Length(bots#0) + ==> Set#Disjoint(read($Heap, $Unbox(Seq#Index(bots#0, i#3)): ref, _module.Bot.Repr), + read($Heap, $Unbox(Seq#Index(bots#0, j#1)): ref, _module.Bot.Repr))); + ensures (forall $o: ref :: + { read(old($Heap), $o, alloc) } + _module.__default.ArmyRepr($Heap, bots#0)[$Box($o)] + && !_module.__default.ArmyRepr(old($Heap), bots#0)[$Box($o)] + ==> $o != null && !read(old($Heap), $o, alloc)); + free ensures (forall b#1: ref :: + { _module.Bot.flying($Heap, b#1) } + { _module.Bot.robot__inv($Heap, b#1) } + { _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, b#1) } + { Seq#Contains(bots#0, $Box(b#1)) } + $Is(b#1, Tclass._module.Bot()) + ==> (Seq#Contains(bots#0, $Box(b#1)) ==> _module.Bot.Valid#canCall($Heap, b#1)) + && ( + (Seq#Contains(bots#0, $Box(b#1)) + ==> _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, b#1)) + ==> (Seq#Contains(bots#0, $Box(b#1)) ==> _module.Bot.robot__inv#canCall($Heap, b#1)) + && ( + (Seq#Contains(bots#0, $Box(b#1)) + ==> _module.Bot.robot__inv($Heap, b#1)) + ==> + Seq#Contains(bots#0, $Box(b#1)) + ==> _module.Bot.flying#canCall($Heap, b#1)))); + free ensures (forall b#1: ref :: + { _module.Bot.flying($Heap, b#1) } + { _module.Bot.robot__inv($Heap, b#1) } + { _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, b#1) } + { Seq#Contains(bots#0, $Box(b#1)) } + $Is(b#1, Tclass._module.Bot()) + ==> (Seq#Contains(bots#0, $Box(b#1)) + ==> _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, b#1)) + && (Seq#Contains(bots#0, $Box(b#1)) ==> _module.Bot.robot__inv($Heap, b#1)) + && (Seq#Contains(bots#0, $Box(b#1)) ==> _module.Bot.flying($Heap, b#1))); + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] + || _module.__default.ArmyRepr(old($Heap), bots#0)[$Box($o)]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +procedure {:verboseName "FlyRobotArmy (correctness)"} Impl$$_module.__default.FlyRobotArmy(bots#0: Seq Box + where $Is(bots#0, TSeq(Tclass._module.Bot())) + && $IsAlloc(bots#0, TSeq(Tclass._module.Bot()), $Heap)) + returns ($_reverifyPost: bool); + free requires 7 == $FunctionContextHeight; + // user-defined preconditions + free requires _module.__default.ValidArmy#canCall($Heap, bots#0) + && + _module.__default.ValidArmy($Heap, bots#0) + && + (forall i#4: int :: + { $Unbox(Seq#Index(bots#0, i#4)): ref } + true + ==> + LitInt(0) <= i#4 && i#4 < Seq#Length(bots#0) + ==> _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, i#4)): ref)) + && (forall i#5: int, j#2: int :: + { $Unbox(Seq#Index(bots#0, j#2)): ref, $Unbox(Seq#Index(bots#0, i#5)): ref } + true + ==> + LitInt(0) <= i#5 && i#5 < j#2 && j#2 < Seq#Length(bots#0) + ==> Set#Disjoint(read($Heap, $Unbox(Seq#Index(bots#0, i#5)): ref, _module.Bot.Repr), + read($Heap, $Unbox(Seq#Index(bots#0, j#2)): ref, _module.Bot.Repr))); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures _module.__default.ValidArmy#canCall($Heap, bots#0) + && (_module.__default.ValidArmy($Heap, bots#0) + ==> _module.__default.ArmyRepr#canCall($Heap, bots#0) + && _module.__default.ArmyRepr#canCall(old($Heap), bots#0)); + ensures _module.__default.ValidArmy#canCall($Heap, bots#0) + ==> _module.__default.ValidArmy($Heap, bots#0) + || (forall i#6: int :: + { $Unbox(Seq#Index(bots#0, i#6)): ref } + true + ==> + LitInt(0) <= i#6 && i#6 < Seq#Length(bots#0) + ==> _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, i#6)): ref)); + ensures _module.__default.ValidArmy#canCall($Heap, bots#0) + ==> _module.__default.ValidArmy($Heap, bots#0) + || (forall i#7: int, j#3: int :: + { $Unbox(Seq#Index(bots#0, j#3)): ref, $Unbox(Seq#Index(bots#0, i#7)): ref } + true + ==> + LitInt(0) <= i#7 && i#7 < j#3 && j#3 < Seq#Length(bots#0) + ==> Set#Disjoint(read($Heap, $Unbox(Seq#Index(bots#0, i#7)): ref, _module.Bot.Repr), + read($Heap, $Unbox(Seq#Index(bots#0, j#3)): ref, _module.Bot.Repr))); + ensures (forall $o: ref :: + { read(old($Heap), $o, alloc) } + _module.__default.ArmyRepr($Heap, bots#0)[$Box($o)] + && !_module.__default.ArmyRepr(old($Heap), bots#0)[$Box($o)] + ==> $o != null && !read(old($Heap), $o, alloc)); + free ensures (forall b#1: ref :: + { _module.Bot.flying($Heap, b#1) } + { _module.Bot.robot__inv($Heap, b#1) } + { _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, b#1) } + { Seq#Contains(bots#0, $Box(b#1)) } + $Is(b#1, Tclass._module.Bot()) + ==> (Seq#Contains(bots#0, $Box(b#1)) ==> _module.Bot.Valid#canCall($Heap, b#1)) + && ( + (Seq#Contains(bots#0, $Box(b#1)) + ==> _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, b#1)) + ==> (Seq#Contains(bots#0, $Box(b#1)) ==> _module.Bot.robot__inv#canCall($Heap, b#1)) + && ( + (Seq#Contains(bots#0, $Box(b#1)) + ==> _module.Bot.robot__inv($Heap, b#1)) + ==> + Seq#Contains(bots#0, $Box(b#1)) + ==> _module.Bot.flying#canCall($Heap, b#1)))); + ensures (forall b#1: ref :: + { _module.Bot.flying($Heap, b#1) } + { _module.Bot.robot__inv($Heap, b#1) } + { _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, b#1) } + { Seq#Contains(bots#0, $Box(b#1)) } + $Is(b#1, Tclass._module.Bot()) + ==> (Seq#Contains(bots#0, $Box(b#1)) + ==> _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, b#1)) + && (Seq#Contains(bots#0, $Box(b#1)) ==> _module.Bot.robot__inv($Heap, b#1)) + && (Seq#Contains(bots#0, $Box(b#1)) ==> _module.Bot.flying($Heap, b#1))); + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] + || _module.__default.ArmyRepr(old($Heap), bots#0)[$Box($o)]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +implementation {:verboseName "FlyRobotArmy (correctness)"} Impl$$_module.__default.FlyRobotArmy(bots#0: Seq Box) returns ($_reverifyPost: bool) +{ + var $_Frame: [ref,Field beta]bool; + var bots##0_0: Seq Box; + var n#1_0: int; + var $PreLoopHeap$loop#1_0: Heap; + var $decr_init$loop#1_00: int; + var $w$loop#1_0: bool; + var ##bots#1_0: Seq Box; + var j#1_1: int; + var i#1_2: int; + var $decr$loop#1_00: int; + var bots##1_0_0: Seq Box; + var n##1_0_0: int; + + // AddMethodImpl: FlyRobotArmy, Impl$$_module.__default.FlyRobotArmy + // initialize fuel constant + assume AsFuelBottom(StartFuel__module.Bot.Valid) == StartFuel__module.Bot.Valid; + assume AsFuelBottom(StartFuelAssert__module.Bot.Valid) + == StartFuelAssert__module.Bot.Valid; + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> _module.__default.ArmyRepr($Heap, bots#0)[$Box($o)]); + $_reverifyPost := false; + // ----- if statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(198,3) + if (*) + { + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(200,29) + // TrCallStmt: Before ProcessCallStmt + assume true; + // ProcessCallStmt: CheckSubrange + bots##0_0 := bots#0; + assert (forall $o: ref, $f: Field alpha :: + $o != null + && read($Heap, $o, alloc) + && _module.__default.ArmyRepr($Heap, bots##0_0)[$Box($o)] + ==> $_Frame[$o, $f]); + // ProcessCallStmt: Make the call + call Call$$_module.__default.FlyRobotArmy__Recursively(bots##0_0); + // TrCallStmt: After ProcessCallStmt + } + else + { + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(203,11) + assume true; + assume true; + n#1_0 := LitInt(0); + // ----- while statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(204,5) + // Assume Fuel Constant + $PreLoopHeap$loop#1_0 := $Heap; + $decr_init$loop#1_00 := Seq#Length(bots#0) - n#1_0; + havoc $w$loop#1_0; + while (true) + free invariant $w$loop#1_0 ==> true; + invariant $w$loop#1_0 ==> LitInt(0) <= n#1_0; + invariant $w$loop#1_0 ==> n#1_0 <= Seq#Length(bots#0); + free invariant $w$loop#1_0 ==> _module.__default.ValidArmy#canCall($Heap, bots#0); + invariant $w$loop#1_0 + ==> + _module.__default.ValidArmy#canCall($Heap, bots#0) + ==> _module.__default.ValidArmy($Heap, bots#0) + || (forall i#1_0: int :: + { $Unbox(Seq#Index(bots#0, i#1_0)): ref } + true + ==> + LitInt(0) <= i#1_0 && i#1_0 < Seq#Length(bots#0) + ==> _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, i#1_0)): ref)); + invariant $w$loop#1_0 + ==> + _module.__default.ValidArmy#canCall($Heap, bots#0) + ==> _module.__default.ValidArmy($Heap, bots#0) + || (forall i#1_1: int, j#1_0: int :: + { $Unbox(Seq#Index(bots#0, j#1_0)): ref, $Unbox(Seq#Index(bots#0, i#1_1)): ref } + true + ==> + LitInt(0) <= i#1_1 && i#1_1 < j#1_0 && j#1_0 < Seq#Length(bots#0) + ==> Set#Disjoint(read($Heap, $Unbox(Seq#Index(bots#0, i#1_1)): ref, _module.Bot.Repr), + read($Heap, $Unbox(Seq#Index(bots#0, j#1_0)): ref, _module.Bot.Repr))); + free invariant $w$loop#1_0 + ==> _module.__default.ValidArmy#canCall($Heap, bots#0) + && + _module.__default.ValidArmy($Heap, bots#0) + && + (forall i#1_0: int :: + { $Unbox(Seq#Index(bots#0, i#1_0)): ref } + true + ==> + LitInt(0) <= i#1_0 && i#1_0 < Seq#Length(bots#0) + ==> _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, i#1_0)): ref)) + && (forall i#1_1: int, j#1_0: int :: + { $Unbox(Seq#Index(bots#0, j#1_0)): ref, $Unbox(Seq#Index(bots#0, i#1_1)): ref } + true + ==> + LitInt(0) <= i#1_1 && i#1_1 < j#1_0 && j#1_0 < Seq#Length(bots#0) + ==> Set#Disjoint(read($Heap, $Unbox(Seq#Index(bots#0, i#1_1)): ref, _module.Bot.Repr), + read($Heap, $Unbox(Seq#Index(bots#0, j#1_0)): ref, _module.Bot.Repr))); + free invariant $w$loop#1_0 + ==> (forall j#1_2: int :: + { $Unbox(Seq#Index(bots#0, j#1_2)): ref } + (LitInt(0) <= j#1_2 && j#1_2 < n#1_0 + ==> _module.Bot.Valid#canCall($Heap, $Unbox(Seq#Index(bots#0, j#1_2)): ref)) + && ( + (LitInt(0) <= j#1_2 && j#1_2 < n#1_0 + ==> _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, j#1_2)): ref)) + ==> (LitInt(0) <= j#1_2 && j#1_2 < n#1_0 + ==> _module.Bot.robot__inv#canCall($Heap, $Unbox(Seq#Index(bots#0, j#1_2)): ref)) + && ( + (LitInt(0) <= j#1_2 && j#1_2 < n#1_0 + ==> _module.Bot.robot__inv($Heap, $Unbox(Seq#Index(bots#0, j#1_2)): ref)) + ==> + LitInt(0) <= j#1_2 && j#1_2 < n#1_0 + ==> _module.Bot.flying#canCall($Heap, $Unbox(Seq#Index(bots#0, j#1_2)): ref)))); + invariant $w$loop#1_0 + ==> (forall j#1_2: int :: + { $Unbox(Seq#Index(bots#0, j#1_2)): ref } + true + ==> (LitInt(0) <= j#1_2 && j#1_2 < n#1_0 + ==> _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, j#1_2)): ref)) + && (LitInt(0) <= j#1_2 && j#1_2 < n#1_0 + ==> _module.Bot.robot__inv($Heap, $Unbox(Seq#Index(bots#0, j#1_2)): ref)) + && (LitInt(0) <= j#1_2 && j#1_2 < n#1_0 + ==> _module.Bot.flying($Heap, $Unbox(Seq#Index(bots#0, j#1_2)): ref))); + free invariant $w$loop#1_0 + ==> (forall j#1_2: int :: + { $Unbox(Seq#Index(bots#0, j#1_2)): ref } + true + ==> (LitInt(0) <= j#1_2 && j#1_2 < n#1_0 + ==> _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, j#1_2)): ref)) + && (LitInt(0) <= j#1_2 && j#1_2 < n#1_0 + ==> _module.Bot.robot__inv($Heap, $Unbox(Seq#Index(bots#0, j#1_2)): ref)) + && (LitInt(0) <= j#1_2 && j#1_2 < n#1_0 + ==> _module.Bot.flying($Heap, $Unbox(Seq#Index(bots#0, j#1_2)): ref))); + free invariant $w$loop#1_0 ==> true; + invariant $w$loop#1_0 + ==> (forall i#1_3: int :: + { $Unbox(Seq#Index(bots#0, i#1_3)): ref } + { $Unbox(Seq#Index(bots#0, i#1_3)): ref } + true + ==> + LitInt(0) <= i#1_3 && i#1_3 < Seq#Length(bots#0) + ==> (forall $o: ref :: + { read(old($Heap), $o, alloc) } + read($Heap, $Unbox(Seq#Index(bots#0, i#1_3)): ref, _module.Bot.Repr)[$Box($o)] + && !read(old($Heap), $Unbox(Seq#Index(bots#0, i#1_3)): ref, _module.Bot.Repr)[$Box($o)] + ==> $o != null && !read(old($Heap), $o, alloc))); + free invariant (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == $PreLoopHeap$loop#1_0[$o] + || _module.__default.ArmyRepr(old($Heap), bots#0)[$Box($o)]); + free invariant $HeapSucc($PreLoopHeap$loop#1_0, $Heap); + free invariant (forall $o: ref, $f: Field alpha :: + { read($Heap, $o, $f) } + $o != null && read($PreLoopHeap$loop#1_0, $o, alloc) + ==> read($Heap, $o, $f) == read($PreLoopHeap$loop#1_0, $o, $f) || $_Frame[$o, $f]); + free invariant Seq#Length(bots#0) - n#1_0 <= $decr_init$loop#1_00 + && (Seq#Length(bots#0) - n#1_0 == $decr_init$loop#1_00 ==> true); + { + if (!$w$loop#1_0) + { + if (LitInt(0) <= n#1_0) + { + } + + assume true; + assume LitInt(0) <= n#1_0 && n#1_0 <= Seq#Length(bots#0); + ##bots#1_0 := bots#0; + // assume allocatedness for argument to function + assume $IsAlloc(##bots#1_0, TSeq(Tclass._module.Bot()), $Heap); + assume _module.__default.ValidArmy#canCall($Heap, bots#0); + assume _module.__default.ValidArmy#canCall($Heap, bots#0); + assume _module.__default.ValidArmy($Heap, bots#0); + // Begin Comprehension WF check + havoc j#1_1; + if (true) + { + if (LitInt(0) <= j#1_1) + { + } + + if (LitInt(0) <= j#1_1 && j#1_1 < n#1_0) + { + assert {:subsumption 0} 0 <= j#1_1 && j#1_1 < Seq#Length(bots#0); + assert {:subsumption 0} $Unbox(Seq#Index(bots#0, j#1_1)): ref != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc($Unbox(Seq#Index(bots#0, j#1_1)): ref, Tclass._module.Bot?(), $Heap); + assume _module.Bot.Valid#canCall($Heap, $Unbox(Seq#Index(bots#0, j#1_1)): ref); + if (_module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, j#1_1)): ref)) + { + assert {:subsumption 0} 0 <= j#1_1 && j#1_1 < Seq#Length(bots#0); + assert {:subsumption 0} $Unbox(Seq#Index(bots#0, j#1_1)): ref != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc($Unbox(Seq#Index(bots#0, j#1_1)): ref, Tclass._module.Bot?(), $Heap); + assert {:subsumption 0} Lit(true) + ==> _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, j#1_1)): ref); + assume _module.Bot.robot__inv#canCall($Heap, $Unbox(Seq#Index(bots#0, j#1_1)): ref); + } + + if (_module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, j#1_1)): ref) + && _module.Bot.robot__inv($Heap, $Unbox(Seq#Index(bots#0, j#1_1)): ref)) + { + assert {:subsumption 0} 0 <= j#1_1 && j#1_1 < Seq#Length(bots#0); + assert {:subsumption 0} $Unbox(Seq#Index(bots#0, j#1_1)): ref != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc($Unbox(Seq#Index(bots#0, j#1_1)): ref, Tclass._module.Bot?(), $Heap); + assert {:subsumption 0} Lit(true) + ==> _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, j#1_1)): ref); + assume _module.Bot.flying#canCall($Heap, $Unbox(Seq#Index(bots#0, j#1_1)): ref); + } + } + } + + // End Comprehension WF check + assume (forall j#1_2: int :: + { $Unbox(Seq#Index(bots#0, j#1_2)): ref } + (LitInt(0) <= j#1_2 && j#1_2 < n#1_0 + ==> _module.Bot.Valid#canCall($Heap, $Unbox(Seq#Index(bots#0, j#1_2)): ref)) + && ( + (LitInt(0) <= j#1_2 && j#1_2 < n#1_0 + ==> _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, j#1_2)): ref)) + ==> (LitInt(0) <= j#1_2 && j#1_2 < n#1_0 + ==> _module.Bot.robot__inv#canCall($Heap, $Unbox(Seq#Index(bots#0, j#1_2)): ref)) + && ( + (LitInt(0) <= j#1_2 && j#1_2 < n#1_0 + ==> _module.Bot.robot__inv($Heap, $Unbox(Seq#Index(bots#0, j#1_2)): ref)) + ==> + LitInt(0) <= j#1_2 && j#1_2 < n#1_0 + ==> _module.Bot.flying#canCall($Heap, $Unbox(Seq#Index(bots#0, j#1_2)): ref)))); + assume (forall j#1_2: int :: + { $Unbox(Seq#Index(bots#0, j#1_2)): ref } + true + ==> (LitInt(0) <= j#1_2 && j#1_2 < n#1_0 + ==> _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, j#1_2)): ref)) + && (LitInt(0) <= j#1_2 && j#1_2 < n#1_0 + ==> _module.Bot.robot__inv($Heap, $Unbox(Seq#Index(bots#0, j#1_2)): ref)) + && (LitInt(0) <= j#1_2 && j#1_2 < n#1_0 + ==> _module.Bot.flying($Heap, $Unbox(Seq#Index(bots#0, j#1_2)): ref))); + // Begin Comprehension WF check + havoc i#1_2; + if (true) + { + if (LitInt(0) <= i#1_2) + { + } + + if (LitInt(0) <= i#1_2 && i#1_2 < Seq#Length(bots#0)) + { + assert {:subsumption 0} 0 <= i#1_2 && i#1_2 < Seq#Length(bots#0); + assert {:subsumption 0} $Unbox(Seq#Index(bots#0, i#1_2)): ref != null; + assert {:subsumption 0} 0 <= i#1_2 && i#1_2 < Seq#Length(bots#0); + assert {:subsumption 0} $Unbox(Seq#Index(bots#0, i#1_2)): ref != null; + assert $IsAlloc($Unbox(Seq#Index(bots#0, i#1_2)): ref, Tclass._module.Bot(), old($Heap)); + } + } + + // End Comprehension WF check + assume true; + assume (forall i#1_3: int :: + { $Unbox(Seq#Index(bots#0, i#1_3)): ref } + { $Unbox(Seq#Index(bots#0, i#1_3)): ref } + true + ==> + LitInt(0) <= i#1_3 && i#1_3 < Seq#Length(bots#0) + ==> (forall $o: ref :: + { read(old($Heap), $o, alloc) } + read($Heap, $Unbox(Seq#Index(bots#0, i#1_3)): ref, _module.Bot.Repr)[$Box($o)] + && !read(old($Heap), $Unbox(Seq#Index(bots#0, i#1_3)): ref, _module.Bot.Repr)[$Box($o)] + ==> $o != null && !read(old($Heap), $o, alloc))); + assume true; + assume false; + } + + assume true; + if (Seq#Length(bots#0) <= n#1_0) + { + break; + } + + $decr$loop#1_00 := Seq#Length(bots#0) - n#1_0; + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(210,13) + // TrCallStmt: Before ProcessCallStmt + assume true; + // ProcessCallStmt: CheckSubrange + bots##1_0_0 := bots#0; + assume true; + // ProcessCallStmt: CheckSubrange + n##1_0_0 := n#1_0; + assert (forall $o: ref, $f: Field alpha :: + $o != null + && read($Heap, $o, alloc) + && read($Heap, $Unbox(Seq#Index(bots##1_0_0, n##1_0_0)): ref, _module.Bot.Repr)[$Box($o)] + ==> $_Frame[$o, $f]); + // ProcessCallStmt: Make the call + call Call$$_module.__default.FlyOne(bots##1_0_0, n##1_0_0); + // TrCallStmt: After ProcessCallStmt + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(211,9) + assume true; + assume true; + n#1_0 := n#1_0 + 1; + // ----- loop termination check ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(204,5) + assert 0 <= $decr$loop#1_00 || Seq#Length(bots#0) - n#1_0 == $decr$loop#1_00; + assert Seq#Length(bots#0) - n#1_0 < $decr$loop#1_00; + assume LitInt(0) <= n#1_0 && n#1_0 <= Seq#Length(bots#0) + ==> _module.__default.ValidArmy#canCall($Heap, bots#0) + && (_module.__default.ValidArmy($Heap, bots#0) + ==> (forall j#1_2: int :: + { $Unbox(Seq#Index(bots#0, j#1_2)): ref } + (LitInt(0) <= j#1_2 && j#1_2 < n#1_0 + ==> _module.Bot.Valid#canCall($Heap, $Unbox(Seq#Index(bots#0, j#1_2)): ref)) + && ( + (LitInt(0) <= j#1_2 && j#1_2 < n#1_0 + ==> _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, j#1_2)): ref)) + ==> (LitInt(0) <= j#1_2 && j#1_2 < n#1_0 + ==> _module.Bot.robot__inv#canCall($Heap, $Unbox(Seq#Index(bots#0, j#1_2)): ref)) + && ( + (LitInt(0) <= j#1_2 && j#1_2 < n#1_0 + ==> _module.Bot.robot__inv($Heap, $Unbox(Seq#Index(bots#0, j#1_2)): ref)) + ==> + LitInt(0) <= j#1_2 && j#1_2 < n#1_0 + ==> _module.Bot.flying#canCall($Heap, $Unbox(Seq#Index(bots#0, j#1_2)): ref))))); + } + } +} + + + +procedure {:verboseName "FlyRobotArmy_Recursively (well-formedness)"} CheckWellFormed$$_module.__default.FlyRobotArmy__Recursively(bots#0: Seq Box + where $Is(bots#0, TSeq(Tclass._module.Bot())) + && $IsAlloc(bots#0, TSeq(Tclass._module.Bot()), $Heap)); + free requires 6 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +implementation {:verboseName "FlyRobotArmy_Recursively (well-formedness)"} CheckWellFormed$$_module.__default.FlyRobotArmy__Recursively(bots#0: Seq Box) +{ + var $_Frame: [ref,Field beta]bool; + var ##bots#0: Seq Box; + var ##bots#1: Seq Box; + var ##bots#2: Seq Box; + var i#0: int; + var b#0: ref; + + // AddMethodImpl: FlyRobotArmy_Recursively, CheckWellFormed$$_module.__default.FlyRobotArmy__Recursively + // initialize fuel constant + assume AsFuelBottom(StartFuel__module.Bot.Valid) == StartFuel__module.Bot.Valid; + assume AsFuelBottom(StartFuelAssert__module.Bot.Valid) + == StartFuelAssert__module.Bot.Valid; + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> _module.__default.ArmyRepr($Heap, bots#0)[$Box($o)]); + ##bots#0 := bots#0; + // assume allocatedness for argument to function + assume $IsAlloc(##bots#0, TSeq(Tclass._module.Bot()), $Heap); + assume _module.__default.ValidArmy#canCall($Heap, bots#0); + assume _module.__default.ValidArmy($Heap, bots#0); + ##bots#1 := bots#0; + // assume allocatedness for argument to function + assume $IsAlloc(##bots#1, TSeq(Tclass._module.Bot()), $Heap); + assume _module.__default.ArmyRepr#canCall($Heap, bots#0); + havoc $Heap; + assume (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] + || _module.__default.ArmyRepr(old($Heap), bots#0)[$Box($o)]); + assume $HeapSucc(old($Heap), $Heap); + ##bots#2 := bots#0; + // assume allocatedness for argument to function + assume $IsAlloc(##bots#2, TSeq(Tclass._module.Bot()), $Heap); + assume _module.__default.ValidArmy#canCall($Heap, bots#0); + assume _module.__default.ValidArmy($Heap, bots#0); + havoc i#0; + assume true; + if (*) + { + assume LitInt(0) <= i#0; + assume i#0 < Seq#Length(bots#0); + assert 0 <= i#0 && i#0 < Seq#Length(bots#0); + assert $Unbox(Seq#Index(bots#0, i#0)): ref != null; + assert 0 <= i#0 && i#0 < Seq#Length(bots#0); + assert $Unbox(Seq#Index(bots#0, i#0)): ref != null; + assert $IsAlloc($Unbox(Seq#Index(bots#0, i#0)): ref, Tclass._module.Bot(), old($Heap)); + assume (forall $o: ref :: + { read(old($Heap), $o, alloc) } + read($Heap, $Unbox(Seq#Index(bots#0, i#0)): ref, _module.Bot.Repr)[$Box($o)] + && !read(old($Heap), $Unbox(Seq#Index(bots#0, i#0)): ref, _module.Bot.Repr)[$Box($o)] + ==> $o != null && !read(old($Heap), $o, alloc)); + } + else + { + assume LitInt(0) <= i#0 && i#0 < Seq#Length(bots#0) + ==> (forall $o: ref :: + { read(old($Heap), $o, alloc) } + read($Heap, $Unbox(Seq#Index(bots#0, i#0)): ref, _module.Bot.Repr)[$Box($o)] + && !read(old($Heap), $Unbox(Seq#Index(bots#0, i#0)): ref, _module.Bot.Repr)[$Box($o)] + ==> $o != null && !read(old($Heap), $o, alloc)); + } + + assume (forall i#1: int :: + { $Unbox(Seq#Index(bots#0, i#1)): ref } { $Unbox(Seq#Index(bots#0, i#1)): ref } + true + ==> + LitInt(0) <= i#1 && i#1 < Seq#Length(bots#0) + ==> (forall $o: ref :: + { read(old($Heap), $o, alloc) } + read($Heap, $Unbox(Seq#Index(bots#0, i#1)): ref, _module.Bot.Repr)[$Box($o)] + && !read(old($Heap), $Unbox(Seq#Index(bots#0, i#1)): ref, _module.Bot.Repr)[$Box($o)] + ==> $o != null && !read(old($Heap), $o, alloc))); + havoc b#0; + assume $Is(b#0, Tclass._module.Bot()) && $IsAlloc(b#0, Tclass._module.Bot(), $Heap); + if (*) + { + assume Seq#Contains(bots#0, $Box(b#0)); + assert b#0 != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(b#0, Tclass._module.Bot?(), $Heap); + assert {:subsumption 0} Lit(true) ==> _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, b#0); + assume _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, b#0); + assume _module.Bot.robot__inv#canCall($Heap, b#0); + assume _module.Bot.robot__inv($Heap, b#0); + assert b#0 != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(b#0, Tclass._module.Bot?(), $Heap); + assert {:subsumption 0} Lit(true) ==> _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, b#0); + assume _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, b#0); + assume _module.Bot.flying#canCall($Heap, b#0); + assume _module.Bot.flying($Heap, b#0); + } + else + { + assume Seq#Contains(bots#0, $Box(b#0)) + ==> _module.Bot.robot__inv($Heap, b#0) && _module.Bot.flying($Heap, b#0); + } + + assume (forall b#1: ref :: + { _module.Bot.flying($Heap, b#1) } + { _module.Bot.robot__inv($Heap, b#1) } + { Seq#Contains(bots#0, $Box(b#1)) } + $Is(b#1, Tclass._module.Bot()) + ==> (Seq#Contains(bots#0, $Box(b#1)) ==> _module.Bot.robot__inv($Heap, b#1)) + && (Seq#Contains(bots#0, $Box(b#1)) ==> _module.Bot.flying($Heap, b#1))); +} + + + +procedure {:verboseName "FlyRobotArmy_Recursively (call)"} Call$$_module.__default.FlyRobotArmy__Recursively(bots#0: Seq Box + where $Is(bots#0, TSeq(Tclass._module.Bot())) + && $IsAlloc(bots#0, TSeq(Tclass._module.Bot()), $Heap)); + // user-defined preconditions + requires _module.__default.ValidArmy#canCall($Heap, bots#0) + ==> _module.__default.ValidArmy($Heap, bots#0) + || (forall i#2: int :: + { $Unbox(Seq#Index(bots#0, i#2)): ref } + true + ==> + LitInt(0) <= i#2 && i#2 < Seq#Length(bots#0) + ==> _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, i#2)): ref)); + requires _module.__default.ValidArmy#canCall($Heap, bots#0) + ==> _module.__default.ValidArmy($Heap, bots#0) + || (forall i#3: int, j#0: int :: + { $Unbox(Seq#Index(bots#0, j#0)): ref, $Unbox(Seq#Index(bots#0, i#3)): ref } + true + ==> + LitInt(0) <= i#3 && i#3 < j#0 && j#0 < Seq#Length(bots#0) + ==> Set#Disjoint(read($Heap, $Unbox(Seq#Index(bots#0, i#3)): ref, _module.Bot.Repr), + read($Heap, $Unbox(Seq#Index(bots#0, j#0)): ref, _module.Bot.Repr))); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures _module.__default.ValidArmy#canCall($Heap, bots#0); + free ensures _module.__default.ValidArmy#canCall($Heap, bots#0) + && + _module.__default.ValidArmy($Heap, bots#0) + && + (forall i#4: int :: + { $Unbox(Seq#Index(bots#0, i#4)): ref } + true + ==> + LitInt(0) <= i#4 && i#4 < Seq#Length(bots#0) + ==> _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, i#4)): ref)) + && (forall i#5: int, j#1: int :: + { $Unbox(Seq#Index(bots#0, j#1)): ref, $Unbox(Seq#Index(bots#0, i#5)): ref } + true + ==> + LitInt(0) <= i#5 && i#5 < j#1 && j#1 < Seq#Length(bots#0) + ==> Set#Disjoint(read($Heap, $Unbox(Seq#Index(bots#0, i#5)): ref, _module.Bot.Repr), + read($Heap, $Unbox(Seq#Index(bots#0, j#1)): ref, _module.Bot.Repr))); + free ensures true; + ensures (forall i#1: int :: + { $Unbox(Seq#Index(bots#0, i#1)): ref } { $Unbox(Seq#Index(bots#0, i#1)): ref } + true + ==> + LitInt(0) <= i#1 && i#1 < Seq#Length(bots#0) + ==> (forall $o: ref :: + { read(old($Heap), $o, alloc) } + read($Heap, $Unbox(Seq#Index(bots#0, i#1)): ref, _module.Bot.Repr)[$Box($o)] + && !read(old($Heap), $Unbox(Seq#Index(bots#0, i#1)): ref, _module.Bot.Repr)[$Box($o)] + ==> $o != null && !read(old($Heap), $o, alloc))); + free ensures (forall b#1: ref :: + { _module.Bot.flying($Heap, b#1) } + { _module.Bot.robot__inv($Heap, b#1) } + { Seq#Contains(bots#0, $Box(b#1)) } + $Is(b#1, Tclass._module.Bot()) + ==> (Seq#Contains(bots#0, $Box(b#1)) ==> _module.Bot.robot__inv#canCall($Heap, b#1)) + && ( + (Seq#Contains(bots#0, $Box(b#1)) + ==> _module.Bot.robot__inv($Heap, b#1)) + ==> + Seq#Contains(bots#0, $Box(b#1)) + ==> _module.Bot.flying#canCall($Heap, b#1))); + ensures (forall b#1: ref :: + { _module.Bot.flying($Heap, b#1) } + { _module.Bot.robot__inv($Heap, b#1) } + { Seq#Contains(bots#0, $Box(b#1)) } + $Is(b#1, Tclass._module.Bot()) + ==> (Seq#Contains(bots#0, $Box(b#1)) ==> _module.Bot.robot__inv($Heap, b#1)) + && (Seq#Contains(bots#0, $Box(b#1)) ==> _module.Bot.flying($Heap, b#1))); + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] + || _module.__default.ArmyRepr(old($Heap), bots#0)[$Box($o)]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +procedure {:verboseName "FlyRobotArmy_Recursively (correctness)"} Impl$$_module.__default.FlyRobotArmy__Recursively(bots#0: Seq Box + where $Is(bots#0, TSeq(Tclass._module.Bot())) + && $IsAlloc(bots#0, TSeq(Tclass._module.Bot()), $Heap)) + returns ($_reverifyPost: bool); + free requires 6 == $FunctionContextHeight; + // user-defined preconditions + free requires _module.__default.ValidArmy#canCall($Heap, bots#0) + && + _module.__default.ValidArmy($Heap, bots#0) + && + (forall i#6: int :: + { $Unbox(Seq#Index(bots#0, i#6)): ref } + true + ==> + LitInt(0) <= i#6 && i#6 < Seq#Length(bots#0) + ==> _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, i#6)): ref)) + && (forall i#7: int, j#2: int :: + { $Unbox(Seq#Index(bots#0, j#2)): ref, $Unbox(Seq#Index(bots#0, i#7)): ref } + true + ==> + LitInt(0) <= i#7 && i#7 < j#2 && j#2 < Seq#Length(bots#0) + ==> Set#Disjoint(read($Heap, $Unbox(Seq#Index(bots#0, i#7)): ref, _module.Bot.Repr), + read($Heap, $Unbox(Seq#Index(bots#0, j#2)): ref, _module.Bot.Repr))); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures _module.__default.ValidArmy#canCall($Heap, bots#0); + ensures _module.__default.ValidArmy#canCall($Heap, bots#0) + ==> _module.__default.ValidArmy($Heap, bots#0) + || (forall i#8: int :: + { $Unbox(Seq#Index(bots#0, i#8)): ref } + true + ==> + LitInt(0) <= i#8 && i#8 < Seq#Length(bots#0) + ==> _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, i#8)): ref)); + ensures _module.__default.ValidArmy#canCall($Heap, bots#0) + ==> _module.__default.ValidArmy($Heap, bots#0) + || (forall i#9: int, j#3: int :: + { $Unbox(Seq#Index(bots#0, j#3)): ref, $Unbox(Seq#Index(bots#0, i#9)): ref } + true + ==> + LitInt(0) <= i#9 && i#9 < j#3 && j#3 < Seq#Length(bots#0) + ==> Set#Disjoint(read($Heap, $Unbox(Seq#Index(bots#0, i#9)): ref, _module.Bot.Repr), + read($Heap, $Unbox(Seq#Index(bots#0, j#3)): ref, _module.Bot.Repr))); + free ensures true; + ensures (forall i#1: int :: + { $Unbox(Seq#Index(bots#0, i#1)): ref } { $Unbox(Seq#Index(bots#0, i#1)): ref } + true + ==> + LitInt(0) <= i#1 && i#1 < Seq#Length(bots#0) + ==> (forall $o: ref :: + { read(old($Heap), $o, alloc) } + read($Heap, $Unbox(Seq#Index(bots#0, i#1)): ref, _module.Bot.Repr)[$Box($o)] + && !read(old($Heap), $Unbox(Seq#Index(bots#0, i#1)): ref, _module.Bot.Repr)[$Box($o)] + ==> $o != null && !read(old($Heap), $o, alloc))); + free ensures (forall b#1: ref :: + { _module.Bot.flying($Heap, b#1) } + { _module.Bot.robot__inv($Heap, b#1) } + { Seq#Contains(bots#0, $Box(b#1)) } + $Is(b#1, Tclass._module.Bot()) + ==> (Seq#Contains(bots#0, $Box(b#1)) ==> _module.Bot.robot__inv#canCall($Heap, b#1)) + && ( + (Seq#Contains(bots#0, $Box(b#1)) + ==> _module.Bot.robot__inv($Heap, b#1)) + ==> + Seq#Contains(bots#0, $Box(b#1)) + ==> _module.Bot.flying#canCall($Heap, b#1))); + ensures (forall b#1: ref :: + { _module.Bot.flying($Heap, b#1) } + { _module.Bot.robot__inv($Heap, b#1) } + { Seq#Contains(bots#0, $Box(b#1)) } + $Is(b#1, Tclass._module.Bot()) + ==> (Seq#Contains(bots#0, $Box(b#1)) ==> _module.Bot.robot__inv($Heap, b#1)) + && (Seq#Contains(bots#0, $Box(b#1)) ==> _module.Bot.flying($Heap, b#1))); + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] + || _module.__default.ArmyRepr(old($Heap), bots#0)[$Box($o)]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +implementation {:verboseName "FlyRobotArmy_Recursively (correctness)"} Impl$$_module.__default.FlyRobotArmy__Recursively(bots#0: Seq Box) returns ($_reverifyPost: bool) +{ + var $_Frame: [ref,Field beta]bool; + var bots##0_0: Seq Box; + var n##0_0: int; + var bots##0_1: Seq Box; + + // AddMethodImpl: FlyRobotArmy_Recursively, Impl$$_module.__default.FlyRobotArmy__Recursively + // initialize fuel constant + assume AsFuelBottom(StartFuel__module.Bot.Valid) == StartFuel__module.Bot.Valid; + assume AsFuelBottom(StartFuelAssert__module.Bot.Valid) + == StartFuelAssert__module.Bot.Valid; + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> _module.__default.ArmyRepr($Heap, bots#0)[$Box($o)]); + $_reverifyPost := false; + // ----- if statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(223,3) + assume true; + if (!Seq#Equal(bots#0, Seq#Empty(): Seq Box)) + { + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(224,11) + // TrCallStmt: Before ProcessCallStmt + assume true; + // ProcessCallStmt: CheckSubrange + bots##0_0 := bots#0; + assume true; + // ProcessCallStmt: CheckSubrange + n##0_0 := LitInt(0); + assert (forall $o: ref, $f: Field alpha :: + $o != null + && read($Heap, $o, alloc) + && read($Heap, $Unbox(Seq#Index(bots##0_0, n##0_0)): ref, _module.Bot.Repr)[$Box($o)] + ==> $_Frame[$o, $f]); + // ProcessCallStmt: Make the call + call Call$$_module.__default.FlyOne(bots##0_0, n##0_0); + // TrCallStmt: After ProcessCallStmt + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(225,29) + // TrCallStmt: Before ProcessCallStmt + assert 0 <= LitInt(1) && LitInt(1) <= Seq#Length(bots#0); + assume true; + // ProcessCallStmt: CheckSubrange + bots##0_1 := Seq#Drop(bots#0, LitInt(1)); + assert (forall $o: ref, $f: Field alpha :: + $o != null + && read($Heap, $o, alloc) + && _module.__default.ArmyRepr($Heap, bots##0_1)[$Box($o)] + ==> $_Frame[$o, $f]); + assert Seq#Rank(bots##0_1) < Seq#Rank(bots#0); + // ProcessCallStmt: Make the call + call Call$$_module.__default.FlyRobotArmy__Recursively(bots##0_1); + // TrCallStmt: After ProcessCallStmt + } + else + { + } +} + + + +procedure {:verboseName "FlyOne (well-formedness)"} CheckWellFormed$$_module.__default.FlyOne(bots#0: Seq Box + where $Is(bots#0, TSeq(Tclass._module.Bot())) + && $IsAlloc(bots#0, TSeq(Tclass._module.Bot()), $Heap), + n#0: int); + free requires 5 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +implementation {:verboseName "FlyOne (well-formedness)"} CheckWellFormed$$_module.__default.FlyOne(bots#0: Seq Box, n#0: int) +{ + var $_Frame: [ref,Field beta]bool; + var j#0: int; + var i#0: int; + var j#2: int; + var j#4: int; + var j#6: int; + var j#8: int; + var j#10: int; + + // AddMethodImpl: FlyOne, CheckWellFormed$$_module.__default.FlyOne + // initialize fuel constant + assume AsFuelBottom(StartFuel__module.Bot.Valid) == StartFuel__module.Bot.Valid; + assume AsFuelBottom(StartFuelAssert__module.Bot.Valid) + == StartFuelAssert__module.Bot.Valid; + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> read($Heap, $Unbox(Seq#Index(bots#0, n#0)): ref, _module.Bot.Repr)[$Box($o)]); + if (LitInt(0) <= n#0) + { + } + + assume LitInt(0) <= n#0 && n#0 < Seq#Length(bots#0); + havoc j#0; + assume true; + if (*) + { + assume LitInt(0) <= j#0; + assume j#0 < Seq#Length(bots#0); + assert 0 <= j#0 && j#0 < Seq#Length(bots#0); + assert $Unbox(Seq#Index(bots#0, j#0)): ref != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc($Unbox(Seq#Index(bots#0, j#0)): ref, Tclass._module.Bot?(), $Heap); + assume _module.Bot.Valid#canCall($Heap, $Unbox(Seq#Index(bots#0, j#0)): ref); + assume _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, j#0)): ref); + } + else + { + assume LitInt(0) <= j#0 && j#0 < Seq#Length(bots#0) + ==> _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, j#0)): ref); + } + + assume (forall j#1: int :: + { $Unbox(Seq#Index(bots#0, j#1)): ref } + true + ==> + LitInt(0) <= j#1 && j#1 < Seq#Length(bots#0) + ==> _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, j#1)): ref)); + havoc i#0; + havoc j#2; + assume true; + if (*) + { + assume LitInt(0) <= i#0; + assume i#0 < j#2; + assume j#2 < Seq#Length(bots#0); + assert 0 <= i#0 && i#0 < Seq#Length(bots#0); + assert $Unbox(Seq#Index(bots#0, i#0)): ref != null; + assert 0 <= j#2 && j#2 < Seq#Length(bots#0); + assert $Unbox(Seq#Index(bots#0, j#2)): ref != null; + assume Set#Disjoint(read($Heap, $Unbox(Seq#Index(bots#0, i#0)): ref, _module.Bot.Repr), + read($Heap, $Unbox(Seq#Index(bots#0, j#2)): ref, _module.Bot.Repr)); + } + else + { + assume LitInt(0) <= i#0 && i#0 < j#2 && j#2 < Seq#Length(bots#0) + ==> Set#Disjoint(read($Heap, $Unbox(Seq#Index(bots#0, i#0)): ref, _module.Bot.Repr), + read($Heap, $Unbox(Seq#Index(bots#0, j#2)): ref, _module.Bot.Repr)); + } + + assume (forall i#1: int, j#3: int :: + { $Unbox(Seq#Index(bots#0, j#3)): ref, $Unbox(Seq#Index(bots#0, i#1)): ref } + true + ==> + LitInt(0) <= i#1 && i#1 < j#3 && j#3 < Seq#Length(bots#0) + ==> Set#Disjoint(read($Heap, $Unbox(Seq#Index(bots#0, i#1)): ref, _module.Bot.Repr), + read($Heap, $Unbox(Seq#Index(bots#0, j#3)): ref, _module.Bot.Repr))); + havoc j#4; + assume true; + if (*) + { + assume LitInt(0) <= j#4; + assume j#4 < n#0; + assert 0 <= j#4 && j#4 < Seq#Length(bots#0); + assert $Unbox(Seq#Index(bots#0, j#4)): ref != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc($Unbox(Seq#Index(bots#0, j#4)): ref, Tclass._module.Bot?(), $Heap); + assert {:subsumption 0} Lit(true) + ==> _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, j#4)): ref); + assume _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, j#4)): ref); + assume _module.Bot.robot__inv#canCall($Heap, $Unbox(Seq#Index(bots#0, j#4)): ref); + assume _module.Bot.robot__inv($Heap, $Unbox(Seq#Index(bots#0, j#4)): ref); + assert 0 <= j#4 && j#4 < Seq#Length(bots#0); + assert $Unbox(Seq#Index(bots#0, j#4)): ref != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc($Unbox(Seq#Index(bots#0, j#4)): ref, Tclass._module.Bot?(), $Heap); + assert {:subsumption 0} Lit(true) + ==> _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, j#4)): ref); + assume _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, j#4)): ref); + assume _module.Bot.flying#canCall($Heap, $Unbox(Seq#Index(bots#0, j#4)): ref); + assume _module.Bot.flying($Heap, $Unbox(Seq#Index(bots#0, j#4)): ref); + } + else + { + assume LitInt(0) <= j#4 && j#4 < n#0 + ==> _module.Bot.robot__inv($Heap, $Unbox(Seq#Index(bots#0, j#4)): ref) + && _module.Bot.flying($Heap, $Unbox(Seq#Index(bots#0, j#4)): ref); + } + + assume (forall j#5: int :: + { $Unbox(Seq#Index(bots#0, j#5)): ref } + true + ==> (LitInt(0) <= j#5 && j#5 < n#0 + ==> _module.Bot.robot__inv($Heap, $Unbox(Seq#Index(bots#0, j#5)): ref)) + && (LitInt(0) <= j#5 && j#5 < n#0 + ==> _module.Bot.flying($Heap, $Unbox(Seq#Index(bots#0, j#5)): ref))); + assert 0 <= n#0 && n#0 < Seq#Length(bots#0); + assert $Unbox(Seq#Index(bots#0, n#0)): ref != null; + havoc $Heap; + assume (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] + || read(old($Heap), $Unbox(Seq#Index(bots#0, n#0)): ref, _module.Bot.Repr)[$Box($o)]); + assume $HeapSucc(old($Heap), $Heap); + havoc j#6; + assume true; + if (*) + { + assume LitInt(0) <= j#6; + assume j#6 < Seq#Length(bots#0); + assert 0 <= j#6 && j#6 < Seq#Length(bots#0); + assert $Unbox(Seq#Index(bots#0, j#6)): ref != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc($Unbox(Seq#Index(bots#0, j#6)): ref, Tclass._module.Bot?(), $Heap); + assume _module.Bot.Valid#canCall($Heap, $Unbox(Seq#Index(bots#0, j#6)): ref); + assume _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, j#6)): ref); + } + else + { + assume LitInt(0) <= j#6 && j#6 < Seq#Length(bots#0) + ==> _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, j#6)): ref); + } + + assume (forall j#7: int :: + { $Unbox(Seq#Index(bots#0, j#7)): ref } + true + ==> + LitInt(0) <= j#7 && j#7 < Seq#Length(bots#0) + ==> _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, j#7)): ref)); + assert 0 <= n#0 && n#0 < Seq#Length(bots#0); + assert $Unbox(Seq#Index(bots#0, n#0)): ref != null; + assert 0 <= n#0 && n#0 < Seq#Length(bots#0); + assert $Unbox(Seq#Index(bots#0, n#0)): ref != null; + assert $IsAlloc($Unbox(Seq#Index(bots#0, n#0)): ref, Tclass._module.Bot(), old($Heap)); + assume (forall $o: ref :: + { read(old($Heap), $o, alloc) } + read($Heap, $Unbox(Seq#Index(bots#0, n#0)): ref, _module.Bot.Repr)[$Box($o)] + && !read(old($Heap), $Unbox(Seq#Index(bots#0, n#0)): ref, _module.Bot.Repr)[$Box($o)] + ==> $o != null && !read(old($Heap), $o, alloc)); + assert 0 <= n#0 && n#0 < Seq#Length(bots#0); + assert $Unbox(Seq#Index(bots#0, n#0)): ref != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc($Unbox(Seq#Index(bots#0, n#0)): ref, Tclass._module.Bot?(), $Heap); + assert {:subsumption 0} Lit(true) + ==> _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, n#0)): ref); + assume _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, n#0)): ref); + assume _module.Bot.robot__inv#canCall($Heap, $Unbox(Seq#Index(bots#0, n#0)): ref); + assume _module.Bot.robot__inv($Heap, $Unbox(Seq#Index(bots#0, n#0)): ref); + assert 0 <= n#0 && n#0 < Seq#Length(bots#0); + assert $Unbox(Seq#Index(bots#0, n#0)): ref != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc($Unbox(Seq#Index(bots#0, n#0)): ref, Tclass._module.Bot?(), $Heap); + assert {:subsumption 0} Lit(true) + ==> _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, n#0)): ref); + assume _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, n#0)): ref); + assume _module.Bot.flying#canCall($Heap, $Unbox(Seq#Index(bots#0, n#0)): ref); + assume _module.Bot.flying($Heap, $Unbox(Seq#Index(bots#0, n#0)): ref); + havoc j#8; + assume true; + if (*) + { + assume LitInt(0) <= j#8; + assume j#8 < Seq#Length(bots#0); + assume j#8 != n#0; + assert 0 <= j#8 && j#8 < Seq#Length(bots#0); + assert $Unbox(Seq#Index(bots#0, j#8)): ref != null; + assert 0 <= j#8 && j#8 < Seq#Length(bots#0); + assert $Unbox(Seq#Index(bots#0, j#8)): ref != null; + assert $IsAlloc($Unbox(Seq#Index(bots#0, j#8)): ref, Tclass._module.Bot(), old($Heap)); + assume Set#Equal(read($Heap, $Unbox(Seq#Index(bots#0, j#8)): ref, _module.Bot.Repr), + read(old($Heap), $Unbox(Seq#Index(bots#0, j#8)): ref, _module.Bot.Repr)); + } + else + { + assume LitInt(0) <= j#8 && j#8 < Seq#Length(bots#0) && j#8 != n#0 + ==> Set#Equal(read($Heap, $Unbox(Seq#Index(bots#0, j#8)): ref, _module.Bot.Repr), + read(old($Heap), $Unbox(Seq#Index(bots#0, j#8)): ref, _module.Bot.Repr)); + } + + assume (forall j#9: int :: + { $Unbox(Seq#Index(bots#0, j#9)): ref } { $Unbox(Seq#Index(bots#0, j#9)): ref } + true + ==> + LitInt(0) <= j#9 && j#9 < Seq#Length(bots#0) && j#9 != n#0 + ==> Set#Equal(read($Heap, $Unbox(Seq#Index(bots#0, j#9)): ref, _module.Bot.Repr), + read(old($Heap), $Unbox(Seq#Index(bots#0, j#9)): ref, _module.Bot.Repr))); + havoc j#10; + assume true; + if (*) + { + assume LitInt(0) <= j#10; + assume j#10 < n#0; + assert 0 <= j#10 && j#10 < Seq#Length(bots#0); + assert $Unbox(Seq#Index(bots#0, j#10)): ref != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc($Unbox(Seq#Index(bots#0, j#10)): ref, Tclass._module.Bot?(), $Heap); + assert {:subsumption 0} Lit(true) + ==> _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, j#10)): ref); + assume _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, j#10)): ref); + assume _module.Bot.robot__inv#canCall($Heap, $Unbox(Seq#Index(bots#0, j#10)): ref); + assume _module.Bot.robot__inv($Heap, $Unbox(Seq#Index(bots#0, j#10)): ref); + assert 0 <= j#10 && j#10 < Seq#Length(bots#0); + assert $Unbox(Seq#Index(bots#0, j#10)): ref != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc($Unbox(Seq#Index(bots#0, j#10)): ref, Tclass._module.Bot?(), $Heap); + assert {:subsumption 0} Lit(true) + ==> _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, j#10)): ref); + assume _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, j#10)): ref); + assume _module.Bot.flying#canCall($Heap, $Unbox(Seq#Index(bots#0, j#10)): ref); + assume _module.Bot.flying($Heap, $Unbox(Seq#Index(bots#0, j#10)): ref); + } + else + { + assume LitInt(0) <= j#10 && j#10 < n#0 + ==> _module.Bot.robot__inv($Heap, $Unbox(Seq#Index(bots#0, j#10)): ref) + && _module.Bot.flying($Heap, $Unbox(Seq#Index(bots#0, j#10)): ref); + } + + assume (forall j#11: int :: + { $Unbox(Seq#Index(bots#0, j#11)): ref } + true + ==> (LitInt(0) <= j#11 && j#11 < n#0 + ==> _module.Bot.robot__inv($Heap, $Unbox(Seq#Index(bots#0, j#11)): ref)) + && (LitInt(0) <= j#11 && j#11 < n#0 + ==> _module.Bot.flying($Heap, $Unbox(Seq#Index(bots#0, j#11)): ref))); +} + + + +procedure {:verboseName "FlyOne (call)"} Call$$_module.__default.FlyOne(bots#0: Seq Box + where $Is(bots#0, TSeq(Tclass._module.Bot())) + && $IsAlloc(bots#0, TSeq(Tclass._module.Bot()), $Heap), + n#0: int); + // user-defined preconditions + requires LitInt(0) <= n#0; + requires n#0 < Seq#Length(bots#0); + requires (forall j#1: int :: + { $Unbox(Seq#Index(bots#0, j#1)): ref } + true + ==> + LitInt(0) <= j#1 && j#1 < Seq#Length(bots#0) + ==> _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, j#1)): ref)); + requires (forall i#1: int, j#3: int :: + { $Unbox(Seq#Index(bots#0, j#3)): ref, $Unbox(Seq#Index(bots#0, i#1)): ref } + true + ==> + LitInt(0) <= i#1 && i#1 < j#3 && j#3 < Seq#Length(bots#0) + ==> Set#Disjoint(read($Heap, $Unbox(Seq#Index(bots#0, i#1)): ref, _module.Bot.Repr), + read($Heap, $Unbox(Seq#Index(bots#0, j#3)): ref, _module.Bot.Repr))); + requires (forall j#5: int :: + { $Unbox(Seq#Index(bots#0, j#5)): ref } + true + ==> (LitInt(0) <= j#5 && j#5 < n#0 + ==> _module.Bot.robot__inv($Heap, $Unbox(Seq#Index(bots#0, j#5)): ref)) + && (LitInt(0) <= j#5 && j#5 < n#0 + ==> _module.Bot.flying($Heap, $Unbox(Seq#Index(bots#0, j#5)): ref))); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures (forall j#7: int :: + { $Unbox(Seq#Index(bots#0, j#7)): ref } + LitInt(0) <= j#7 && j#7 < Seq#Length(bots#0) + ==> _module.Bot.Valid#canCall($Heap, $Unbox(Seq#Index(bots#0, j#7)): ref)); + free ensures (forall j#7: int :: + { $Unbox(Seq#Index(bots#0, j#7)): ref } + true + ==> + LitInt(0) <= j#7 && j#7 < Seq#Length(bots#0) + ==> _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, j#7)): ref)); + free ensures true; + ensures (forall $o: ref :: + { read(old($Heap), $o, alloc) } + read($Heap, $Unbox(Seq#Index(bots#0, n#0)): ref, _module.Bot.Repr)[$Box($o)] + && !read(old($Heap), $Unbox(Seq#Index(bots#0, n#0)): ref, _module.Bot.Repr)[$Box($o)] + ==> $o != null && !read(old($Heap), $o, alloc)); + free ensures _module.Bot.robot__inv#canCall($Heap, $Unbox(Seq#Index(bots#0, n#0)): ref) + && (_module.Bot.robot__inv($Heap, $Unbox(Seq#Index(bots#0, n#0)): ref) + ==> _module.Bot.flying#canCall($Heap, $Unbox(Seq#Index(bots#0, n#0)): ref)); + free ensures _module.Bot.robot__inv#canCall($Heap, $Unbox(Seq#Index(bots#0, n#0)): ref) + && + _module.Bot.robot__inv($Heap, $Unbox(Seq#Index(bots#0, n#0)): ref) + && (_module.Bot.flying($Heap, $Unbox(Seq#Index(bots#0, n#0)): ref) + ==> _module.Bot.arms__up($Heap, $Unbox(Seq#Index(bots#0, n#0)): ref)); + free ensures _module.Bot.flying#canCall($Heap, $Unbox(Seq#Index(bots#0, n#0)): ref) + && + _module.Bot.flying($Heap, $Unbox(Seq#Index(bots#0, n#0)): ref) + && read($Heap, + read($Heap, + read($Heap, $Unbox(Seq#Index(bots#0, n#0)): ref, _module.Bot.pos), + _module.Point.z), + _module.Cell.val) + > 0; + free ensures true; + ensures (forall j#9: int :: + { $Unbox(Seq#Index(bots#0, j#9)): ref } { $Unbox(Seq#Index(bots#0, j#9)): ref } + true + ==> + LitInt(0) <= j#9 && j#9 < Seq#Length(bots#0) && j#9 != n#0 + ==> Set#Equal(read($Heap, $Unbox(Seq#Index(bots#0, j#9)): ref, _module.Bot.Repr), + read(old($Heap), $Unbox(Seq#Index(bots#0, j#9)): ref, _module.Bot.Repr))); + free ensures (forall j#11: int :: + { $Unbox(Seq#Index(bots#0, j#11)): ref } + (LitInt(0) <= j#11 && j#11 < n#0 + ==> _module.Bot.robot__inv#canCall($Heap, $Unbox(Seq#Index(bots#0, j#11)): ref)) + && ( + (LitInt(0) <= j#11 && j#11 < n#0 + ==> _module.Bot.robot__inv($Heap, $Unbox(Seq#Index(bots#0, j#11)): ref)) + ==> + LitInt(0) <= j#11 && j#11 < n#0 + ==> _module.Bot.flying#canCall($Heap, $Unbox(Seq#Index(bots#0, j#11)): ref))); + ensures (forall j#11: int :: + { $Unbox(Seq#Index(bots#0, j#11)): ref } + true + ==> (LitInt(0) <= j#11 && j#11 < n#0 + ==> _module.Bot.robot__inv($Heap, $Unbox(Seq#Index(bots#0, j#11)): ref)) + && (LitInt(0) <= j#11 && j#11 < n#0 + ==> _module.Bot.flying($Heap, $Unbox(Seq#Index(bots#0, j#11)): ref))); + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] + || read(old($Heap), $Unbox(Seq#Index(bots#0, n#0)): ref, _module.Bot.Repr)[$Box($o)]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +procedure {:verboseName "FlyOne (correctness)"} Impl$$_module.__default.FlyOne(bots#0: Seq Box + where $Is(bots#0, TSeq(Tclass._module.Bot())) + && $IsAlloc(bots#0, TSeq(Tclass._module.Bot()), $Heap), + n#0: int) + returns ($_reverifyPost: bool); + free requires 5 == $FunctionContextHeight; + // user-defined preconditions + requires LitInt(0) <= n#0; + requires n#0 < Seq#Length(bots#0); + free requires (forall j#1: int :: + { $Unbox(Seq#Index(bots#0, j#1)): ref } + true + ==> + LitInt(0) <= j#1 && j#1 < Seq#Length(bots#0) + ==> _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, j#1)): ref)); + requires (forall i#1: int, j#3: int :: + { $Unbox(Seq#Index(bots#0, j#3)): ref, $Unbox(Seq#Index(bots#0, i#1)): ref } + true + ==> + LitInt(0) <= i#1 && i#1 < j#3 && j#3 < Seq#Length(bots#0) + ==> Set#Disjoint(read($Heap, $Unbox(Seq#Index(bots#0, i#1)): ref, _module.Bot.Repr), + read($Heap, $Unbox(Seq#Index(bots#0, j#3)): ref, _module.Bot.Repr))); + requires (forall j#5: int :: + { $Unbox(Seq#Index(bots#0, j#5)): ref } + true + ==> (LitInt(0) <= j#5 && j#5 < n#0 + ==> _module.Bot.robot__inv($Heap, $Unbox(Seq#Index(bots#0, j#5)): ref)) + && (LitInt(0) <= j#5 && j#5 < n#0 + ==> _module.Bot.flying($Heap, $Unbox(Seq#Index(bots#0, j#5)): ref))); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures (forall j#7: int :: + { $Unbox(Seq#Index(bots#0, j#7)): ref } + LitInt(0) <= j#7 && j#7 < Seq#Length(bots#0) + ==> _module.Bot.Valid#canCall($Heap, $Unbox(Seq#Index(bots#0, j#7)): ref)); + ensures (forall j#7: int :: + { $Unbox(Seq#Index(bots#0, j#7)): ref } + true + ==> + LitInt(0) <= j#7 && j#7 < Seq#Length(bots#0) + ==> _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, $Unbox(Seq#Index(bots#0, j#7)): ref)); + free ensures true; + ensures (forall $o: ref :: + { read(old($Heap), $o, alloc) } + read($Heap, $Unbox(Seq#Index(bots#0, n#0)): ref, _module.Bot.Repr)[$Box($o)] + && !read(old($Heap), $Unbox(Seq#Index(bots#0, n#0)): ref, _module.Bot.Repr)[$Box($o)] + ==> $o != null && !read(old($Heap), $o, alloc)); + free ensures _module.Bot.robot__inv#canCall($Heap, $Unbox(Seq#Index(bots#0, n#0)): ref) + && (_module.Bot.robot__inv($Heap, $Unbox(Seq#Index(bots#0, n#0)): ref) + ==> _module.Bot.flying#canCall($Heap, $Unbox(Seq#Index(bots#0, n#0)): ref)); + ensures _module.Bot.robot__inv#canCall($Heap, $Unbox(Seq#Index(bots#0, n#0)): ref) + ==> _module.Bot.robot__inv($Heap, $Unbox(Seq#Index(bots#0, n#0)): ref) + || (_module.Bot.flying($Heap, $Unbox(Seq#Index(bots#0, n#0)): ref) + ==> + _module.Bot.arms__up#canCall($Heap, $Unbox(Seq#Index(bots#0, n#0)): ref) + ==> _module.Bot.arms__up($Heap, $Unbox(Seq#Index(bots#0, n#0)): ref) + || read($Heap, + read($Heap, + read($Heap, $Unbox(Seq#Index(bots#0, n#0)): ref, _module.Bot.left), + _module.Arm.polar), + _module.Cell.val) + == read($Heap, + read($Heap, + read($Heap, $Unbox(Seq#Index(bots#0, n#0)): ref, _module.Bot.right), + _module.Arm.polar), + _module.Cell.val)); + ensures _module.Bot.robot__inv#canCall($Heap, $Unbox(Seq#Index(bots#0, n#0)): ref) + ==> _module.Bot.robot__inv($Heap, $Unbox(Seq#Index(bots#0, n#0)): ref) + || (_module.Bot.flying($Heap, $Unbox(Seq#Index(bots#0, n#0)): ref) + ==> + _module.Bot.arms__up#canCall($Heap, $Unbox(Seq#Index(bots#0, n#0)): ref) + ==> _module.Bot.arms__up($Heap, $Unbox(Seq#Index(bots#0, n#0)): ref) + || read($Heap, + read($Heap, + read($Heap, $Unbox(Seq#Index(bots#0, n#0)): ref, _module.Bot.right), + _module.Arm.polar), + _module.Cell.val) + == LitInt(0)); + ensures _module.Bot.flying#canCall($Heap, $Unbox(Seq#Index(bots#0, n#0)): ref) + ==> _module.Bot.flying($Heap, $Unbox(Seq#Index(bots#0, n#0)): ref) + || read($Heap, + read($Heap, + read($Heap, $Unbox(Seq#Index(bots#0, n#0)): ref, _module.Bot.pos), + _module.Point.z), + _module.Cell.val) + > 0; + free ensures true; + ensures (forall j#9: int :: + { $Unbox(Seq#Index(bots#0, j#9)): ref } { $Unbox(Seq#Index(bots#0, j#9)): ref } + true + ==> + LitInt(0) <= j#9 && j#9 < Seq#Length(bots#0) && j#9 != n#0 + ==> Set#Equal(read($Heap, $Unbox(Seq#Index(bots#0, j#9)): ref, _module.Bot.Repr), + read(old($Heap), $Unbox(Seq#Index(bots#0, j#9)): ref, _module.Bot.Repr))); + free ensures (forall j#11: int :: + { $Unbox(Seq#Index(bots#0, j#11)): ref } + (LitInt(0) <= j#11 && j#11 < n#0 + ==> _module.Bot.robot__inv#canCall($Heap, $Unbox(Seq#Index(bots#0, j#11)): ref)) + && ( + (LitInt(0) <= j#11 && j#11 < n#0 + ==> _module.Bot.robot__inv($Heap, $Unbox(Seq#Index(bots#0, j#11)): ref)) + ==> + LitInt(0) <= j#11 && j#11 < n#0 + ==> _module.Bot.flying#canCall($Heap, $Unbox(Seq#Index(bots#0, j#11)): ref))); + ensures (forall j#11: int :: + { $Unbox(Seq#Index(bots#0, j#11)): ref } + true + ==> (LitInt(0) <= j#11 && j#11 < n#0 + ==> _module.Bot.robot__inv($Heap, $Unbox(Seq#Index(bots#0, j#11)): ref)) + && (LitInt(0) <= j#11 && j#11 < n#0 + ==> _module.Bot.flying($Heap, $Unbox(Seq#Index(bots#0, j#11)): ref))); + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] + || read(old($Heap), $Unbox(Seq#Index(bots#0, n#0)): ref, _module.Bot.Repr)[$Box($o)]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +implementation {:verboseName "FlyOne (correctness)"} Impl$$_module.__default.FlyOne(bots#0: Seq Box, n#0: int) returns ($_reverifyPost: bool) +{ + var $_Frame: [ref,Field beta]bool; + + // AddMethodImpl: FlyOne, Impl$$_module.__default.FlyOne + // initialize fuel constant + assume AsFuelBottom(StartFuel__module.Bot.Valid) == StartFuel__module.Bot.Valid; + assume AsFuelBottom(StartFuelAssert__module.Bot.Valid) + == StartFuelAssert__module.Bot.Valid; + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> read($Heap, $Unbox(Seq#Index(bots#0, n#0)): ref, _module.Bot.Repr)[$Box($o)]); + $_reverifyPost := false; + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(242,14) + // TrCallStmt: Before ProcessCallStmt + assert 0 <= n#0 && n#0 < Seq#Length(bots#0); + assume true; + assert $Unbox(Seq#Index(bots#0, n#0)): ref != null; + assert (forall $o: ref, $f: Field alpha :: + $o != null + && read($Heap, $o, alloc) + && read($Heap, $Unbox(Seq#Index(bots#0, n#0)): ref, _module.Bot.Repr)[$Box($o)] + ==> $_Frame[$o, $f]); + // ProcessCallStmt: Make the call + call Call$$_module.Bot.Fly($Unbox(Seq#Index(bots#0, n#0)): ref); + // TrCallStmt: After ProcessCallStmt +} + + + +procedure {:verboseName "FormArmy (well-formedness)"} CheckWellFormed$$_module.__default.FormArmy(b0#0: ref + where $Is(b0#0, Tclass._module.Bot()) && $IsAlloc(b0#0, Tclass._module.Bot(), $Heap), + b1#0: ref + where $Is(b1#0, Tclass._module.Bot()) && $IsAlloc(b1#0, Tclass._module.Bot(), $Heap), + b2#0: ref + where $Is(b2#0, Tclass._module.Bot()) && $IsAlloc(b2#0, Tclass._module.Bot(), $Heap)); + free requires 8 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +implementation {:verboseName "FormArmy (well-formedness)"} CheckWellFormed$$_module.__default.FormArmy(b0#0: ref, b1#0: ref, b2#0: ref) +{ + var $_Frame: [ref,Field beta]bool; + + // AddMethodImpl: FormArmy, CheckWellFormed$$_module.__default.FormArmy + // initialize fuel constant + assume AsFuelBottom(StartFuel__module.Bot.Valid) == StartFuel__module.Bot.Valid; + assume AsFuelBottom(StartFuelAssert__module.Bot.Valid) + == StartFuelAssert__module.Bot.Valid; + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> read($Heap, b0#0, _module.Bot.Repr)[$Box($o)] + || read($Heap, b1#0, _module.Bot.Repr)[$Box($o)] + || read($Heap, b2#0, _module.Bot.Repr)[$Box($o)]); + assert b0#0 != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(b0#0, Tclass._module.Bot?(), $Heap); + assume _module.Bot.Valid#canCall($Heap, b0#0); + assume _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, b0#0); + assert b1#0 != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(b1#0, Tclass._module.Bot?(), $Heap); + assume _module.Bot.Valid#canCall($Heap, b1#0); + assume _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, b1#0); + assert b2#0 != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(b2#0, Tclass._module.Bot?(), $Heap); + assume _module.Bot.Valid#canCall($Heap, b2#0); + assume _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, b2#0); + assert b0#0 != null; + assert b1#0 != null; + if (Set#Disjoint(read($Heap, b0#0, _module.Bot.Repr), read($Heap, b1#0, _module.Bot.Repr))) + { + assert b0#0 != null; + assert b1#0 != null; + } + + if (Set#Disjoint(read($Heap, b0#0, _module.Bot.Repr), read($Heap, b1#0, _module.Bot.Repr)) + && Set#Disjoint(read($Heap, b0#0, _module.Bot.Repr), read($Heap, b1#0, _module.Bot.Repr))) + { + assert b0#0 != null; + assert b1#0 != null; + assert b2#0 != null; + } + + assume Set#Disjoint(read($Heap, b0#0, _module.Bot.Repr), read($Heap, b1#0, _module.Bot.Repr)) + && Set#Disjoint(read($Heap, b0#0, _module.Bot.Repr), read($Heap, b1#0, _module.Bot.Repr)) + && Set#Disjoint(Set#Union(read($Heap, b0#0, _module.Bot.Repr), read($Heap, b1#0, _module.Bot.Repr)), + read($Heap, b2#0, _module.Bot.Repr)); + assert b0#0 != null; + assert b1#0 != null; + assert b2#0 != null; + havoc $Heap; + assume (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] + || + read(old($Heap), b0#0, _module.Bot.Repr)[$Box($o)] + || read(old($Heap), b1#0, _module.Bot.Repr)[$Box($o)] + || read(old($Heap), b2#0, _module.Bot.Repr)[$Box($o)]); + assume $HeapSucc(old($Heap), $Heap); + assert b0#0 != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(b0#0, Tclass._module.Bot?(), $Heap); + assume _module.Bot.Valid#canCall($Heap, b0#0); + assume _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, b0#0); + assert b1#0 != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(b1#0, Tclass._module.Bot?(), $Heap); + assume _module.Bot.Valid#canCall($Heap, b1#0); + assume _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, b1#0); + assert b2#0 != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(b2#0, Tclass._module.Bot?(), $Heap); + assume _module.Bot.Valid#canCall($Heap, b2#0); + assume _module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, b2#0); + assert b0#0 != null; + assert b1#0 != null; + if (Set#Disjoint(read($Heap, b0#0, _module.Bot.Repr), read($Heap, b1#0, _module.Bot.Repr))) + { + assert b0#0 != null; + assert b1#0 != null; + } + + if (Set#Disjoint(read($Heap, b0#0, _module.Bot.Repr), read($Heap, b1#0, _module.Bot.Repr)) + && Set#Disjoint(read($Heap, b0#0, _module.Bot.Repr), read($Heap, b1#0, _module.Bot.Repr))) + { + assert b0#0 != null; + assert b1#0 != null; + assert b2#0 != null; + } + + assume Set#Disjoint(read($Heap, b0#0, _module.Bot.Repr), read($Heap, b1#0, _module.Bot.Repr)) + && Set#Disjoint(read($Heap, b0#0, _module.Bot.Repr), read($Heap, b1#0, _module.Bot.Repr)) + && Set#Disjoint(Set#Union(read($Heap, b0#0, _module.Bot.Repr), read($Heap, b1#0, _module.Bot.Repr)), + read($Heap, b2#0, _module.Bot.Repr)); + assert b0#0 != null; + assert b1#0 != null; + assert b2#0 != null; + assert b0#0 != null; + assert $IsAlloc(b0#0, Tclass._module.Bot(), old($Heap)); + assert b1#0 != null; + assert $IsAlloc(b1#0, Tclass._module.Bot(), old($Heap)); + assert b2#0 != null; + assert $IsAlloc(b2#0, Tclass._module.Bot(), old($Heap)); + assume (forall $o: ref :: + { read(old($Heap), $o, alloc) } + ( + read($Heap, b0#0, _module.Bot.Repr)[$Box($o)] + || read($Heap, b1#0, _module.Bot.Repr)[$Box($o)] + || read($Heap, b2#0, _module.Bot.Repr)[$Box($o)]) + && !Set#Union(Set#Union(read(old($Heap), b0#0, _module.Bot.Repr), + read(old($Heap), b1#0, _module.Bot.Repr)), + read(old($Heap), b2#0, _module.Bot.Repr))[$Box($o)] + ==> $o != null && !read(old($Heap), $o, alloc)); +} + + + +procedure {:verboseName "FormArmy (call)"} Call$$_module.__default.FormArmy(b0#0: ref + where $Is(b0#0, Tclass._module.Bot()) && $IsAlloc(b0#0, Tclass._module.Bot(), $Heap), + b1#0: ref + where $Is(b1#0, Tclass._module.Bot()) && $IsAlloc(b1#0, Tclass._module.Bot(), $Heap), + b2#0: ref + where $Is(b2#0, Tclass._module.Bot()) && $IsAlloc(b2#0, Tclass._module.Bot(), $Heap)); + // user-defined preconditions + requires _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, b0#0); + requires _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, b1#0); + requires _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, b2#0); + requires Set#Disjoint(read($Heap, b0#0, _module.Bot.Repr), read($Heap, b1#0, _module.Bot.Repr)); + requires Set#Disjoint(read($Heap, b0#0, _module.Bot.Repr), read($Heap, b1#0, _module.Bot.Repr)); + requires Set#Disjoint(Set#Union(read($Heap, b0#0, _module.Bot.Repr), read($Heap, b1#0, _module.Bot.Repr)), + read($Heap, b2#0, _module.Bot.Repr)); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures _module.Bot.Valid#canCall($Heap, b0#0) + && (_module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, b0#0) + ==> _module.Bot.Valid#canCall($Heap, b1#0) + && (_module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, b1#0) + ==> _module.Bot.Valid#canCall($Heap, b2#0))); + ensures _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, b0#0); + ensures _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, b1#0); + ensures _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, b2#0); + free ensures true; + ensures Set#Disjoint(read($Heap, b0#0, _module.Bot.Repr), read($Heap, b1#0, _module.Bot.Repr)); + ensures Set#Disjoint(read($Heap, b0#0, _module.Bot.Repr), read($Heap, b1#0, _module.Bot.Repr)); + ensures Set#Disjoint(Set#Union(read($Heap, b0#0, _module.Bot.Repr), read($Heap, b1#0, _module.Bot.Repr)), + read($Heap, b2#0, _module.Bot.Repr)); + free ensures true; + ensures (forall $o: ref :: + { read(old($Heap), $o, alloc) } + ( + read($Heap, b0#0, _module.Bot.Repr)[$Box($o)] + || read($Heap, b1#0, _module.Bot.Repr)[$Box($o)] + || read($Heap, b2#0, _module.Bot.Repr)[$Box($o)]) + && !Set#Union(Set#Union(read(old($Heap), b0#0, _module.Bot.Repr), + read(old($Heap), b1#0, _module.Bot.Repr)), + read(old($Heap), b2#0, _module.Bot.Repr))[$Box($o)] + ==> $o != null && !read(old($Heap), $o, alloc)); + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] + || + read(old($Heap), b0#0, _module.Bot.Repr)[$Box($o)] + || read(old($Heap), b1#0, _module.Bot.Repr)[$Box($o)] + || read(old($Heap), b2#0, _module.Bot.Repr)[$Box($o)]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +procedure {:verboseName "FormArmy (correctness)"} Impl$$_module.__default.FormArmy(b0#0: ref + where $Is(b0#0, Tclass._module.Bot()) && $IsAlloc(b0#0, Tclass._module.Bot(), $Heap), + b1#0: ref + where $Is(b1#0, Tclass._module.Bot()) && $IsAlloc(b1#0, Tclass._module.Bot(), $Heap), + b2#0: ref + where $Is(b2#0, Tclass._module.Bot()) && $IsAlloc(b2#0, Tclass._module.Bot(), $Heap)) + returns ($_reverifyPost: bool); + free requires 8 == $FunctionContextHeight; + // user-defined preconditions + requires _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, b0#0); + requires _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, b1#0); + requires _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, b2#0); + requires Set#Disjoint(read($Heap, b0#0, _module.Bot.Repr), read($Heap, b1#0, _module.Bot.Repr)); + requires Set#Disjoint(read($Heap, b0#0, _module.Bot.Repr), read($Heap, b1#0, _module.Bot.Repr)); + requires Set#Disjoint(Set#Union(read($Heap, b0#0, _module.Bot.Repr), read($Heap, b1#0, _module.Bot.Repr)), + read($Heap, b2#0, _module.Bot.Repr)); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures _module.Bot.Valid#canCall($Heap, b0#0) + && (_module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, b0#0) + ==> _module.Bot.Valid#canCall($Heap, b1#0) + && (_module.Bot.Valid(StartFuel__module.Bot.Valid, $Heap, b1#0) + ==> _module.Bot.Valid#canCall($Heap, b2#0))); + ensures _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, b0#0); + ensures _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, b1#0); + ensures _module.Bot.Valid(StartFuelAssert__module.Bot.Valid, $Heap, b2#0); + free ensures true; + ensures Set#Disjoint(read($Heap, b0#0, _module.Bot.Repr), read($Heap, b1#0, _module.Bot.Repr)); + ensures Set#Disjoint(read($Heap, b0#0, _module.Bot.Repr), read($Heap, b1#0, _module.Bot.Repr)); + ensures Set#Disjoint(Set#Union(read($Heap, b0#0, _module.Bot.Repr), read($Heap, b1#0, _module.Bot.Repr)), + read($Heap, b2#0, _module.Bot.Repr)); + free ensures true; + ensures (forall $o: ref :: + { read(old($Heap), $o, alloc) } + ( + read($Heap, b0#0, _module.Bot.Repr)[$Box($o)] + || read($Heap, b1#0, _module.Bot.Repr)[$Box($o)] + || read($Heap, b2#0, _module.Bot.Repr)[$Box($o)]) + && !Set#Union(Set#Union(read(old($Heap), b0#0, _module.Bot.Repr), + read(old($Heap), b1#0, _module.Bot.Repr)), + read(old($Heap), b2#0, _module.Bot.Repr))[$Box($o)] + ==> $o != null && !read(old($Heap), $o, alloc)); + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] + || + read(old($Heap), b0#0, _module.Bot.Repr)[$Box($o)] + || read(old($Heap), b1#0, _module.Bot.Repr)[$Box($o)] + || read(old($Heap), b2#0, _module.Bot.Repr)[$Box($o)]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +implementation {:verboseName "FormArmy (correctness)"} Impl$$_module.__default.FormArmy(b0#0: ref, b1#0: ref, b2#0: ref) returns ($_reverifyPost: bool) +{ + var $_Frame: [ref,Field beta]bool; + var army#0: Seq Box + where $Is(army#0, TSeq(Tclass._module.Bot())) + && $IsAlloc(army#0, TSeq(Tclass._module.Bot()), $Heap); + var army##0: Seq Box; + var bots##0: Seq Box; + var bots##1: Seq Box; + var army##1: Seq Box; + + // AddMethodImpl: FormArmy, Impl$$_module.__default.FormArmy + // initialize fuel constant + assume AsFuelBottom(StartFuel__module.Bot.Valid) == StartFuel__module.Bot.Valid; + assume AsFuelBottom(StartFuelAssert__module.Bot.Valid) + == StartFuelAssert__module.Bot.Valid; + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> read($Heap, b0#0, _module.Bot.Repr)[$Box($o)] + || read($Heap, b1#0, _module.Bot.Repr)[$Box($o)] + || read($Heap, b2#0, _module.Bot.Repr)[$Box($o)]); + $_reverifyPost := false; + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(254,12) + assume true; + assume true; + army#0 := Seq#Build(Seq#Build(Seq#Build(Seq#Empty(): Seq Box, $Box(b0#0)), $Box(b1#0)), $Box(b2#0)); + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(255,12) + // TrCallStmt: Before ProcessCallStmt + assume true; + // ProcessCallStmt: CheckSubrange + army##0 := army#0; + // ProcessCallStmt: Make the call + call Call$$_module.__default.ArmyRepr3(army##0); + // TrCallStmt: After ProcessCallStmt + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(256,15) + // TrCallStmt: Before ProcessCallStmt + assume true; + // ProcessCallStmt: CheckSubrange + bots##0 := army#0; + assert (forall $o: ref, $f: Field alpha :: + $o != null + && read($Heap, $o, alloc) + && _module.__default.ArmyRepr($Heap, bots##0)[$Box($o)] + ==> $_Frame[$o, $f]); + // ProcessCallStmt: Make the call + call Call$$_module.__default.FlyRobotArmy(bots##0); + // TrCallStmt: After ProcessCallStmt + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(257,15) + // TrCallStmt: Before ProcessCallStmt + assume true; + // ProcessCallStmt: CheckSubrange + bots##1 := army#0; + assert (forall $o: ref, $f: Field alpha :: + $o != null + && read($Heap, $o, alloc) + && _module.__default.ArmyRepr($Heap, bots##1)[$Box($o)] + ==> $_Frame[$o, $f]); + // ProcessCallStmt: Make the call + call Call$$_module.__default.FlyRobotArmy(bots##1); + // TrCallStmt: After ProcessCallStmt + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(258,12) + // TrCallStmt: Before ProcessCallStmt + assume true; + // ProcessCallStmt: CheckSubrange + army##1 := army#0; + // ProcessCallStmt: Make the call + call Call$$_module.__default.ArmyRepr3(army##1); + // TrCallStmt: After ProcessCallStmt +} + + + +procedure {:verboseName "ArmyRepr3 (well-formedness)"} CheckWellFormed$$_module.__default.ArmyRepr3(army#0: Seq Box + where $Is(army#0, TSeq(Tclass._module.Bot())) + && $IsAlloc(army#0, TSeq(Tclass._module.Bot()), $Heap)); + free requires 2 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +implementation {:verboseName "ArmyRepr3 (well-formedness)"} CheckWellFormed$$_module.__default.ArmyRepr3(army#0: Seq Box) +{ + var $_Frame: [ref,Field beta]bool; + var ##bots#0: Seq Box; + + // AddMethodImpl: ArmyRepr3, CheckWellFormed$$_module.__default.ArmyRepr3 + // initialize fuel constant + assume AsFuelBottom(StartFuel__module.Bot.Valid) == StartFuel__module.Bot.Valid; + assume AsFuelBottom(StartFuelAssert__module.Bot.Valid) + == StartFuelAssert__module.Bot.Valid; + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> false); + assume Seq#Length(army#0) == LitInt(3); + havoc $Heap; + assume old($Heap) == $Heap; + ##bots#0 := army#0; + // assume allocatedness for argument to function + assume $IsAlloc(##bots#0, TSeq(Tclass._module.Bot()), $Heap); + assume _module.__default.ArmyRepr#canCall($Heap, army#0); + assert 0 <= LitInt(0) && LitInt(0) < Seq#Length(army#0); + assert $Unbox(Seq#Index(army#0, LitInt(0))): ref != null; + assert 0 <= LitInt(1) && LitInt(1) < Seq#Length(army#0); + assert $Unbox(Seq#Index(army#0, LitInt(1))): ref != null; + assert 0 <= LitInt(2) && LitInt(2) < Seq#Length(army#0); + assert $Unbox(Seq#Index(army#0, LitInt(2))): ref != null; + assume Set#Equal(_module.__default.ArmyRepr($Heap, army#0), + Set#Union(Set#Union(read($Heap, $Unbox(Seq#Index(army#0, LitInt(0))): ref, _module.Bot.Repr), + read($Heap, $Unbox(Seq#Index(army#0, LitInt(1))): ref, _module.Bot.Repr)), + read($Heap, $Unbox(Seq#Index(army#0, LitInt(2))): ref, _module.Bot.Repr))); +} + + + +procedure {:verboseName "ArmyRepr3 (call)"} Call$$_module.__default.ArmyRepr3(army#0: Seq Box + where $Is(army#0, TSeq(Tclass._module.Bot())) + && $IsAlloc(army#0, TSeq(Tclass._module.Bot()), $Heap)); + // user-defined preconditions + requires Seq#Length(army#0) == LitInt(3); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures _module.__default.ArmyRepr#canCall($Heap, army#0); + ensures Set#Equal(_module.__default.ArmyRepr($Heap, army#0), + Set#Union(Set#Union(read($Heap, $Unbox(Seq#Index(army#0, LitInt(0))): ref, _module.Bot.Repr), + read($Heap, $Unbox(Seq#Index(army#0, LitInt(1))): ref, _module.Bot.Repr)), + read($Heap, $Unbox(Seq#Index(army#0, LitInt(2))): ref, _module.Bot.Repr))); + // frame condition + free ensures old($Heap) == $Heap; + + + +procedure {:verboseName "ArmyRepr3 (correctness)"} Impl$$_module.__default.ArmyRepr3(army#0: Seq Box + where $Is(army#0, TSeq(Tclass._module.Bot())) + && $IsAlloc(army#0, TSeq(Tclass._module.Bot()), $Heap)) + returns ($_reverifyPost: bool); + free requires 2 == $FunctionContextHeight; + // user-defined preconditions + requires Seq#Length(army#0) == LitInt(3); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures _module.__default.ArmyRepr#canCall($Heap, army#0); + ensures Set#Equal(_module.__default.ArmyRepr($Heap, army#0), + Set#Union(Set#Union(read($Heap, $Unbox(Seq#Index(army#0, LitInt(0))): ref, _module.Bot.Repr), + read($Heap, $Unbox(Seq#Index(army#0, LitInt(1))): ref, _module.Bot.Repr)), + read($Heap, $Unbox(Seq#Index(army#0, LitInt(2))): ref, _module.Bot.Repr))); + // frame condition + free ensures old($Heap) == $Heap; + + + +implementation {:verboseName "ArmyRepr3 (correctness)"} Impl$$_module.__default.ArmyRepr3(army#0: Seq Box) returns ($_reverifyPost: bool) +{ + var $_Frame: [ref,Field beta]bool; + + // AddMethodImpl: ArmyRepr3, Impl$$_module.__default.ArmyRepr3 + // initialize fuel constant + assume AsFuelBottom(StartFuel__module.Bot.Valid) == StartFuel__module.Bot.Valid; + assume AsFuelBottom(StartFuelAssert__module.Bot.Valid) + == StartFuelAssert__module.Bot.Valid; + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> false); + $_reverifyPost := false; +} + + + +procedure {:verboseName "Main (well-formedness)"} CheckWellFormed$$_module.__default.Main(); + free requires 9 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +procedure {:verboseName "Main (call)"} Call$$_module.__default.Main(); + modifies $Heap, $Tick; + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) ==> $Heap[$o] == old($Heap)[$o]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +procedure {:verboseName "Main (correctness)"} Impl$$_module.__default.Main() returns ($_reverifyPost: bool); + free requires 9 == $FunctionContextHeight; + modifies $Heap, $Tick; + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) ==> $Heap[$o] == old($Heap)[$o]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +implementation {:verboseName "Main (correctness)"} Impl$$_module.__default.Main() returns ($_reverifyPost: bool) +{ + var $_Frame: [ref,Field beta]bool; + var defass#b0#0: bool; + var b0#0: ref + where defass#b0#0 + ==> $Is(b0#0, Tclass._module.Bot()) && $IsAlloc(b0#0, Tclass._module.Bot(), $Heap); + var $nw: ref; + var defass#b1#0: bool; + var b1#0: ref + where defass#b1#0 + ==> $Is(b1#0, Tclass._module.Bot()) && $IsAlloc(b1#0, Tclass._module.Bot(), $Heap); + var b0##0: ref; + var b1##0: ref; + var b0##1: ref; + var b1##1: ref; + var b0##2: ref; + var b1##2: ref; + var defass#b2#0: bool; + var b2#0: ref + where defass#b2#0 + ==> $Is(b2#0, Tclass._module.Bot()) && $IsAlloc(b2#0, Tclass._module.Bot(), $Heap); + var b0##3: ref; + var b1##3: ref; + var b2##0: ref; + var b0##4: ref; + var b1##4: ref; + var b2##1: ref; + + // AddMethodImpl: Main, Impl$$_module.__default.Main + // initialize fuel constant + assume AsFuelBottom(StartFuel__module.Bot.Valid) == StartFuel__module.Bot.Valid; + assume AsFuelBottom(StartFuelAssert__module.Bot.Valid) + == StartFuelAssert__module.Bot.Valid; + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> false); + $_reverifyPost := false; + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(271,10) + assume true; + // ----- init call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(271,13) + // TrCallStmt: Before ProcessCallStmt + // ProcessCallStmt: Make the call + call $nw := Call$$_module.Bot.__ctor(); + // TrCallStmt: After ProcessCallStmt + b0#0 := $nw; + defass#b0#0 := true; + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(272,10) + assume true; + // ----- init call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(272,13) + // TrCallStmt: Before ProcessCallStmt + // ProcessCallStmt: Make the call + call $nw := Call$$_module.Bot.__ctor(); + // TrCallStmt: After ProcessCallStmt + b1#0 := $nw; + defass#b1#0 := true; + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(273,12) + // TrCallStmt: Before ProcessCallStmt + assert defass#b0#0; + assume true; + // ProcessCallStmt: CheckSubrange + b0##0 := b0#0; + assert defass#b1#0; + assume true; + // ProcessCallStmt: CheckSubrange + b1##0 := b1#0; + assert (forall $o: ref, $f: Field alpha :: + $o != null + && read($Heap, $o, alloc) + && (read($Heap, b0##0, _module.Bot.Repr)[$Box($o)] + || read($Heap, b1##0, _module.Bot.Repr)[$Box($o)]) + ==> $_Frame[$o, $f]); + // ProcessCallStmt: Make the call + call Call$$_module.__default.FlyRobots(b0##0, b1##0); + // TrCallStmt: After ProcessCallStmt + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(274,12) + // TrCallStmt: Before ProcessCallStmt + assert defass#b0#0; + assume true; + // ProcessCallStmt: CheckSubrange + b0##1 := b0#0; + assert defass#b1#0; + assume true; + // ProcessCallStmt: CheckSubrange + b1##1 := b1#0; + assert (forall $o: ref, $f: Field alpha :: + $o != null + && read($Heap, $o, alloc) + && (read($Heap, b0##1, _module.Bot.Repr)[$Box($o)] + || read($Heap, b1##1, _module.Bot.Repr)[$Box($o)]) + ==> $_Frame[$o, $f]); + // ProcessCallStmt: Make the call + call Call$$_module.__default.FlyRobots(b0##1, b1##1); + // TrCallStmt: After ProcessCallStmt + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(275,12) + // TrCallStmt: Before ProcessCallStmt + assert defass#b1#0; + assume true; + // ProcessCallStmt: CheckSubrange + b0##2 := b1#0; + assert defass#b0#0; + assume true; + // ProcessCallStmt: CheckSubrange + b1##2 := b0#0; + assert (forall $o: ref, $f: Field alpha :: + $o != null + && read($Heap, $o, alloc) + && (read($Heap, b0##2, _module.Bot.Repr)[$Box($o)] + || read($Heap, b1##2, _module.Bot.Repr)[$Box($o)]) + ==> $_Frame[$o, $f]); + // ProcessCallStmt: Make the call + call Call$$_module.__default.FlyRobots(b0##2, b1##2); + // TrCallStmt: After ProcessCallStmt + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(277,10) + assume true; + // ----- init call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(277,13) + // TrCallStmt: Before ProcessCallStmt + // ProcessCallStmt: Make the call + call $nw := Call$$_module.Bot.__ctor(); + // TrCallStmt: After ProcessCallStmt + b2#0 := $nw; + defass#b2#0 := true; + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(278,11) + // TrCallStmt: Before ProcessCallStmt + assert defass#b0#0; + assume true; + // ProcessCallStmt: CheckSubrange + b0##3 := b0#0; + assert defass#b1#0; + assume true; + // ProcessCallStmt: CheckSubrange + b1##3 := b1#0; + assert defass#b2#0; + assume true; + // ProcessCallStmt: CheckSubrange + b2##0 := b2#0; + assert (forall $o: ref, $f: Field alpha :: + $o != null + && read($Heap, $o, alloc) + && ( + read($Heap, b0##3, _module.Bot.Repr)[$Box($o)] + || read($Heap, b1##3, _module.Bot.Repr)[$Box($o)] + || read($Heap, b2##0, _module.Bot.Repr)[$Box($o)]) + ==> $_Frame[$o, $f]); + // ProcessCallStmt: Make the call + call Call$$_module.__default.FormArmy(b0##3, b1##3, b2##0); + // TrCallStmt: After ProcessCallStmt + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\FlyingRobots.dfy(279,11) + // TrCallStmt: Before ProcessCallStmt + assert defass#b2#0; + assume true; + // ProcessCallStmt: CheckSubrange + b0##4 := b2#0; + assert defass#b0#0; + assume true; + // ProcessCallStmt: CheckSubrange + b1##4 := b0#0; + assert defass#b1#0; + assume true; + // ProcessCallStmt: CheckSubrange + b2##1 := b1#0; + assert (forall $o: ref, $f: Field alpha :: + $o != null + && read($Heap, $o, alloc) + && ( + read($Heap, b0##4, _module.Bot.Repr)[$Box($o)] + || read($Heap, b1##4, _module.Bot.Repr)[$Box($o)] + || read($Heap, b2##1, _module.Bot.Repr)[$Box($o)]) + ==> $_Frame[$o, $f]); + // ProcessCallStmt: Make the call + call Call$$_module.__default.FormArmy(b0##4, b1##4, b2##1); + // TrCallStmt: After ProcessCallStmt +} + + + +const unique tytagFamily$nat: TyTagFamily; + +const unique tytagFamily$object: TyTagFamily; + +const unique tytagFamily$array: TyTagFamily; + +const unique tytagFamily$_#Func1: TyTagFamily; + +const unique tytagFamily$_#PartialFunc1: TyTagFamily; + +const unique tytagFamily$_#TotalFunc1: TyTagFamily; + +const unique tytagFamily$_#Func0: TyTagFamily; + +const unique tytagFamily$_#PartialFunc0: TyTagFamily; + +const unique tytagFamily$_#TotalFunc0: TyTagFamily; + +const unique tytagFamily$_tuple#3: TyTagFamily; + +const unique tytagFamily$_tuple#2: TyTagFamily; + +const unique tytagFamily$_tuple#0: TyTagFamily; + +const unique tytagFamily$Cell: TyTagFamily; + +const unique tytagFamily$Point: TyTagFamily; + +const unique tytagFamily$Arm: TyTagFamily; + +const unique tytagFamily$Bot: TyTagFamily; + +const unique tytagFamily$_default: TyTagFamily; + +const unique field$val: NameFamily; + +const unique field$Value: NameFamily; + +const unique field$Repr: NameFamily; + +const unique field$x: NameFamily; + +const unique field$y: NameFamily; + +const unique field$z: NameFamily; + +const unique field$polar: NameFamily; + +const unique field$azim: NameFamily; + +const unique field$pos: NameFamily; + +const unique field$left: NameFamily; + +const unique field$right: NameFamily; diff --git a/Test/monomorphize/dafny/Problem1.dfy.bpl b/Test/monomorphize/dafny/Problem1.dfy.bpl new file mode 100644 index 000000000..9c4ceca0b --- /dev/null +++ b/Test/monomorphize/dafny/Problem1.dfy.bpl @@ -0,0 +1,6969 @@ +// Dafny 3.7.3.40719 +// Command Line Options: /compile:0 /print:Problem1.dfy.bpl +// RUN: %parallel-boogie /monomorphize /noVerify "%s" > "%t" + +type Ty; + +type TyTag; + +type TyTagFamily; + +type char; + +type ref; + +type Box; + +type ClassName; + +type HandleType; + +type DatatypeType; + +type DtCtorId; + +type LayerType; + +type Field _; + +type NameFamily; + +type TickType; + +type Seq _; + +type Map _ _; + +type IMap _ _; + +const $$Language$Dafny: bool; + +axiom $$Language$Dafny; + +type Bv0 = int; + +const unique TBool: Ty; + +axiom Tag(TBool) == TagBool; + +const unique TChar: Ty; + +axiom Tag(TChar) == TagChar; + +const unique TInt: Ty; + +axiom Tag(TInt) == TagInt; + +const unique TReal: Ty; + +axiom Tag(TReal) == TagReal; + +const unique TORDINAL: Ty; + +axiom Tag(TORDINAL) == TagORDINAL; + +axiom (forall w: int :: { TBitvector(w) } Inv0_TBitvector(TBitvector(w)) == w); + +function TBitvector(int) : Ty; + +axiom (forall t: Ty :: { TSet(t) } Inv0_TSet(TSet(t)) == t); + +axiom (forall t: Ty :: { TSet(t) } Tag(TSet(t)) == TagSet); + +function TSet(Ty) : Ty; + +axiom (forall t: Ty :: { TISet(t) } Inv0_TISet(TISet(t)) == t); + +axiom (forall t: Ty :: { TISet(t) } Tag(TISet(t)) == TagISet); + +function TISet(Ty) : Ty; + +axiom (forall t: Ty :: { TMultiSet(t) } Inv0_TMultiSet(TMultiSet(t)) == t); + +axiom (forall t: Ty :: { TMultiSet(t) } Tag(TMultiSet(t)) == TagMultiSet); + +function TMultiSet(Ty) : Ty; + +axiom (forall t: Ty :: { TSeq(t) } Inv0_TSeq(TSeq(t)) == t); + +axiom (forall t: Ty :: { TSeq(t) } Tag(TSeq(t)) == TagSeq); + +function TSeq(Ty) : Ty; + +axiom (forall t: Ty, u: Ty :: { TMap(t, u) } Inv0_TMap(TMap(t, u)) == t); + +axiom (forall t: Ty, u: Ty :: { TMap(t, u) } Inv1_TMap(TMap(t, u)) == u); + +axiom (forall t: Ty, u: Ty :: { TMap(t, u) } Tag(TMap(t, u)) == TagMap); + +function TMap(Ty, Ty) : Ty; + +axiom (forall t: Ty, u: Ty :: { TIMap(t, u) } Inv0_TIMap(TIMap(t, u)) == t); + +axiom (forall t: Ty, u: Ty :: { TIMap(t, u) } Inv1_TIMap(TIMap(t, u)) == u); + +axiom (forall t: Ty, u: Ty :: { TIMap(t, u) } Tag(TIMap(t, u)) == TagIMap); + +function TIMap(Ty, Ty) : Ty; + +function Inv0_TBitvector(Ty) : int; + +function Inv0_TSet(Ty) : Ty; + +function Inv0_TISet(Ty) : Ty; + +function Inv0_TSeq(Ty) : Ty; + +function Inv0_TMultiSet(Ty) : Ty; + +function Inv0_TMap(Ty) : Ty; + +function Inv1_TMap(Ty) : Ty; + +function Inv0_TIMap(Ty) : Ty; + +function Inv1_TIMap(Ty) : Ty; + +function Tag(Ty) : TyTag; + +const unique TagBool: TyTag; + +const unique TagChar: TyTag; + +const unique TagInt: TyTag; + +const unique TagReal: TyTag; + +const unique TagORDINAL: TyTag; + +const unique TagSet: TyTag; + +const unique TagISet: TyTag; + +const unique TagMultiSet: TyTag; + +const unique TagSeq: TyTag; + +const unique TagMap: TyTag; + +const unique TagIMap: TyTag; + +const unique TagClass: TyTag; + +function TagFamily(Ty) : TyTagFamily; + +axiom (forall x: T :: { $Box(Lit(x)) } $Box(Lit(x)) == Lit($Box(x))); + +function {:identity} Lit(x: T) : T; + +axiom (forall x: T :: {:identity} { Lit(x): T } Lit(x): T == x); + +axiom (forall x: int :: { $Box(LitInt(x)) } $Box(LitInt(x)) == Lit($Box(x))); + +function {:identity} LitInt(x: int) : int; + +axiom (forall x: int :: {:identity} { LitInt(x): int } LitInt(x): int == x); + +axiom (forall x: real :: { $Box(LitReal(x)) } $Box(LitReal(x)) == Lit($Box(x))); + +function {:identity} LitReal(x: real) : real; + +axiom (forall x: real :: {:identity} { LitReal(x): real } LitReal(x): real == x); + +axiom (forall n: int :: + { char#FromInt(n) } + 0 <= n && n < 65536 ==> char#ToInt(char#FromInt(n)) == n); + +function char#FromInt(int) : char; + +axiom (forall ch: char :: + { char#ToInt(ch) } + char#FromInt(char#ToInt(ch)) == ch + && 0 <= char#ToInt(ch) + && char#ToInt(ch) < 65536); + +function char#ToInt(char) : int; + +axiom (forall a: char, b: char :: + { char#Plus(a, b) } + char#Plus(a, b) == char#FromInt(char#ToInt(a) + char#ToInt(b))); + +function char#Plus(char, char) : char; + +axiom (forall a: char, b: char :: + { char#Minus(a, b) } + char#Minus(a, b) == char#FromInt(char#ToInt(a) - char#ToInt(b))); + +function char#Minus(char, char) : char; + +const null: ref; + +const $ArbitraryBoxValue: Box; + +axiom (forall x: T :: { $Box(x) } $Unbox($Box(x)) == x); + +function $Box(T) : Box; + +function $Unbox(Box) : T; + +function $IsBox(T, Ty) : bool; + +function $IsAllocBox(T, Ty, Heap) : bool; + +axiom (forall bx: Box :: + { $IsBox(bx, TInt) } + $IsBox(bx, TInt) ==> $Box($Unbox(bx): int) == bx && $Is($Unbox(bx): int, TInt)); + +axiom (forall bx: Box :: + { $IsBox(bx, TReal) } + $IsBox(bx, TReal) + ==> $Box($Unbox(bx): real) == bx && $Is($Unbox(bx): real, TReal)); + +axiom (forall bx: Box :: + { $IsBox(bx, TBool) } + $IsBox(bx, TBool) + ==> $Box($Unbox(bx): bool) == bx && $Is($Unbox(bx): bool, TBool)); + +axiom (forall bx: Box :: + { $IsBox(bx, TChar) } + $IsBox(bx, TChar) + ==> $Box($Unbox(bx): char) == bx && $Is($Unbox(bx): char, TChar)); + +axiom (forall bx: Box :: + { $IsBox(bx, TBitvector(0)) } + $IsBox(bx, TBitvector(0)) + ==> $Box($Unbox(bx): Bv0) == bx && $Is($Unbox(bx): Set Box, TBitvector(0))); + +axiom (forall bx: Box, t: Ty :: + { $IsBox(bx, TSet(t)) } + $IsBox(bx, TSet(t)) + ==> $Box($Unbox(bx): Set Box) == bx && $Is($Unbox(bx): Set Box, TSet(t))); + +axiom (forall bx: Box, t: Ty :: + { $IsBox(bx, TISet(t)) } + $IsBox(bx, TISet(t)) + ==> $Box($Unbox(bx): ISet Box) == bx && $Is($Unbox(bx): ISet Box, TISet(t))); + +axiom (forall bx: Box, t: Ty :: + { $IsBox(bx, TMultiSet(t)) } + $IsBox(bx, TMultiSet(t)) + ==> $Box($Unbox(bx): MultiSet Box) == bx + && $Is($Unbox(bx): MultiSet Box, TMultiSet(t))); + +axiom (forall bx: Box, t: Ty :: + { $IsBox(bx, TSeq(t)) } + $IsBox(bx, TSeq(t)) + ==> $Box($Unbox(bx): Seq Box) == bx && $Is($Unbox(bx): Seq Box, TSeq(t))); + +axiom (forall bx: Box, s: Ty, t: Ty :: + { $IsBox(bx, TMap(s, t)) } + $IsBox(bx, TMap(s, t)) + ==> $Box($Unbox(bx): Map Box Box) == bx && $Is($Unbox(bx): Map Box Box, TMap(s, t))); + +axiom (forall bx: Box, s: Ty, t: Ty :: + { $IsBox(bx, TIMap(s, t)) } + $IsBox(bx, TIMap(s, t)) + ==> $Box($Unbox(bx): IMap Box Box) == bx + && $Is($Unbox(bx): IMap Box Box, TIMap(s, t))); + +axiom (forall v: T, t: Ty :: + { $IsBox($Box(v), t) } + $IsBox($Box(v), t) <==> $Is(v, t)); + +axiom (forall v: T, t: Ty, h: Heap :: + { $IsAllocBox($Box(v), t, h) } + $IsAllocBox($Box(v), t, h) <==> $IsAlloc(v, t, h)); + +axiom (forall v: int :: { $Is(v, TInt) } $Is(v, TInt)); + +axiom (forall v: real :: { $Is(v, TReal) } $Is(v, TReal)); + +axiom (forall v: bool :: { $Is(v, TBool) } $Is(v, TBool)); + +axiom (forall v: char :: { $Is(v, TChar) } $Is(v, TChar)); + +axiom (forall v: ORDINAL :: { $Is(v, TORDINAL) } $Is(v, TORDINAL)); + +axiom (forall v: Bv0 :: { $Is(v, TBitvector(0)) } $Is(v, TBitvector(0))); + +axiom (forall v: Set Box, t0: Ty :: + { $Is(v, TSet(t0)) } + $Is(v, TSet(t0)) <==> (forall bx: Box :: { v[bx] } v[bx] ==> $IsBox(bx, t0))); + +axiom (forall v: ISet Box, t0: Ty :: + { $Is(v, TISet(t0)) } + $Is(v, TISet(t0)) <==> (forall bx: Box :: { v[bx] } v[bx] ==> $IsBox(bx, t0))); + +axiom (forall v: MultiSet Box, t0: Ty :: + { $Is(v, TMultiSet(t0)) } + $Is(v, TMultiSet(t0)) + <==> (forall bx: Box :: { v[bx] } 0 < v[bx] ==> $IsBox(bx, t0))); + +axiom (forall v: MultiSet Box, t0: Ty :: + { $Is(v, TMultiSet(t0)) } + $Is(v, TMultiSet(t0)) ==> $IsGoodMultiSet(v)); + +axiom (forall v: Seq Box, t0: Ty :: + { $Is(v, TSeq(t0)) } + $Is(v, TSeq(t0)) + <==> (forall i: int :: + { Seq#Index(v, i) } + 0 <= i && i < Seq#Length(v) ==> $IsBox(Seq#Index(v, i), t0))); + +axiom (forall v: Map Box Box, t0: Ty, t1: Ty :: + { $Is(v, TMap(t0, t1)) } + $Is(v, TMap(t0, t1)) + <==> (forall bx: Box :: + { Map#Elements(v)[bx] } { Map#Domain(v)[bx] } + Map#Domain(v)[bx] ==> $IsBox(Map#Elements(v)[bx], t1) && $IsBox(bx, t0))); + +axiom (forall v: Map Box Box, t0: Ty, t1: Ty :: + { $Is(v, TMap(t0, t1)) } + $Is(v, TMap(t0, t1)) + ==> $Is(Map#Domain(v), TSet(t0)) + && $Is(Map#Values(v), TSet(t1)) + && $Is(Map#Items(v), TSet(Tclass._System.Tuple2(t0, t1)))); + +axiom (forall v: IMap Box Box, t0: Ty, t1: Ty :: + { $Is(v, TIMap(t0, t1)) } + $Is(v, TIMap(t0, t1)) + <==> (forall bx: Box :: + { IMap#Elements(v)[bx] } { IMap#Domain(v)[bx] } + IMap#Domain(v)[bx] ==> $IsBox(IMap#Elements(v)[bx], t1) && $IsBox(bx, t0))); + +axiom (forall v: IMap Box Box, t0: Ty, t1: Ty :: + { $Is(v, TIMap(t0, t1)) } + $Is(v, TIMap(t0, t1)) + ==> $Is(IMap#Domain(v), TISet(t0)) + && $Is(IMap#Values(v), TISet(t1)) + && $Is(IMap#Items(v), TISet(Tclass._System.Tuple2(t0, t1)))); + +function $Is(T, Ty) : bool; + +axiom (forall h: Heap, v: int :: { $IsAlloc(v, TInt, h) } $IsAlloc(v, TInt, h)); + +axiom (forall h: Heap, v: real :: { $IsAlloc(v, TReal, h) } $IsAlloc(v, TReal, h)); + +axiom (forall h: Heap, v: bool :: { $IsAlloc(v, TBool, h) } $IsAlloc(v, TBool, h)); + +axiom (forall h: Heap, v: char :: { $IsAlloc(v, TChar, h) } $IsAlloc(v, TChar, h)); + +axiom (forall h: Heap, v: ORDINAL :: + { $IsAlloc(v, TORDINAL, h) } + $IsAlloc(v, TORDINAL, h)); + +axiom (forall v: Bv0, h: Heap :: + { $IsAlloc(v, TBitvector(0), h) } + $IsAlloc(v, TBitvector(0), h)); + +axiom (forall v: Set Box, t0: Ty, h: Heap :: + { $IsAlloc(v, TSet(t0), h) } + $IsAlloc(v, TSet(t0), h) + <==> (forall bx: Box :: { v[bx] } v[bx] ==> $IsAllocBox(bx, t0, h))); + +axiom (forall v: ISet Box, t0: Ty, h: Heap :: + { $IsAlloc(v, TISet(t0), h) } + $IsAlloc(v, TISet(t0), h) + <==> (forall bx: Box :: { v[bx] } v[bx] ==> $IsAllocBox(bx, t0, h))); + +axiom (forall v: MultiSet Box, t0: Ty, h: Heap :: + { $IsAlloc(v, TMultiSet(t0), h) } + $IsAlloc(v, TMultiSet(t0), h) + <==> (forall bx: Box :: { v[bx] } 0 < v[bx] ==> $IsAllocBox(bx, t0, h))); + +axiom (forall v: Seq Box, t0: Ty, h: Heap :: + { $IsAlloc(v, TSeq(t0), h) } + $IsAlloc(v, TSeq(t0), h) + <==> (forall i: int :: + { Seq#Index(v, i) } + 0 <= i && i < Seq#Length(v) ==> $IsAllocBox(Seq#Index(v, i), t0, h))); + +axiom (forall v: Map Box Box, t0: Ty, t1: Ty, h: Heap :: + { $IsAlloc(v, TMap(t0, t1), h) } + $IsAlloc(v, TMap(t0, t1), h) + <==> (forall bx: Box :: + { Map#Elements(v)[bx] } { Map#Domain(v)[bx] } + Map#Domain(v)[bx] + ==> $IsAllocBox(Map#Elements(v)[bx], t1, h) && $IsAllocBox(bx, t0, h))); + +axiom (forall v: IMap Box Box, t0: Ty, t1: Ty, h: Heap :: + { $IsAlloc(v, TIMap(t0, t1), h) } + $IsAlloc(v, TIMap(t0, t1), h) + <==> (forall bx: Box :: + { IMap#Elements(v)[bx] } { IMap#Domain(v)[bx] } + IMap#Domain(v)[bx] + ==> $IsAllocBox(IMap#Elements(v)[bx], t1, h) && $IsAllocBox(bx, t0, h))); + +function $IsAlloc(T, Ty, Heap) : bool; + +axiom (forall ty: Ty :: + { $AlwaysAllocated(ty) } + $AlwaysAllocated(ty) + ==> (forall h: Heap, v: Box :: + { $IsAllocBox(v, ty, h) } + $IsBox(v, ty) ==> $IsAllocBox(v, ty, h))); + +function $AlwaysAllocated(Ty) : bool; + +function $OlderTag(Heap) : bool; + +const unique class._System.int: ClassName; + +const unique class._System.bool: ClassName; + +const unique class._System.set: ClassName; + +const unique class._System.seq: ClassName; + +const unique class._System.multiset: ClassName; + +function Tclass._System.object?() : Ty; + +function Tclass._System.Tuple2(Ty, Ty) : Ty; + +function dtype(ref) : Ty; + +function TypeTuple(a: ClassName, b: ClassName) : ClassName; + +function TypeTupleCar(ClassName) : ClassName; + +function TypeTupleCdr(ClassName) : ClassName; + +axiom (forall a: ClassName, b: ClassName :: + { TypeTuple(a, b) } + TypeTupleCar(TypeTuple(a, b)) == a && TypeTupleCdr(TypeTuple(a, b)) == b); + +function SetRef_to_SetBox(s: [ref]bool) : Set Box; + +axiom (forall s: [ref]bool, bx: Box :: + { SetRef_to_SetBox(s)[bx] } + SetRef_to_SetBox(s)[bx] == s[$Unbox(bx): ref]); + +axiom (forall s: [ref]bool :: + { SetRef_to_SetBox(s) } + $Is(SetRef_to_SetBox(s), TSet(Tclass._System.object?()))); + +function Apply1(Ty, Ty, Heap, HandleType, Box) : Box; + +function DatatypeCtorId(DatatypeType) : DtCtorId; + +function DtRank(DatatypeType) : int; + +function BoxRank(Box) : int; + +axiom (forall d: DatatypeType :: { BoxRank($Box(d)) } BoxRank($Box(d)) == DtRank(d)); + +type ORDINAL = Box; + +function ORD#IsNat(ORDINAL) : bool; + +function ORD#Offset(ORDINAL) : int; + +axiom (forall o: ORDINAL :: { ORD#Offset(o) } 0 <= ORD#Offset(o)); + +function {:inline} ORD#IsLimit(o: ORDINAL) : bool +{ + ORD#Offset(o) == 0 +} + +function {:inline} ORD#IsSucc(o: ORDINAL) : bool +{ + 0 < ORD#Offset(o) +} + +function ORD#FromNat(int) : ORDINAL; + +axiom (forall n: int :: + { ORD#FromNat(n) } + 0 <= n ==> ORD#IsNat(ORD#FromNat(n)) && ORD#Offset(ORD#FromNat(n)) == n); + +axiom (forall o: ORDINAL :: + { ORD#Offset(o) } { ORD#IsNat(o) } + ORD#IsNat(o) ==> o == ORD#FromNat(ORD#Offset(o))); + +function ORD#Less(ORDINAL, ORDINAL) : bool; + +axiom (forall o: ORDINAL, p: ORDINAL :: + { ORD#Less(o, p) } + (ORD#Less(o, p) ==> o != p) + && (ORD#IsNat(o) && !ORD#IsNat(p) ==> ORD#Less(o, p)) + && (ORD#IsNat(o) && ORD#IsNat(p) + ==> ORD#Less(o, p) == (ORD#Offset(o) < ORD#Offset(p))) + && (ORD#Less(o, p) && ORD#IsNat(p) ==> ORD#IsNat(o))); + +axiom (forall o: ORDINAL, p: ORDINAL :: + { ORD#Less(o, p), ORD#Less(p, o) } + ORD#Less(o, p) || o == p || ORD#Less(p, o)); + +axiom (forall o: ORDINAL, p: ORDINAL, r: ORDINAL :: + { ORD#Less(o, p), ORD#Less(p, r) } { ORD#Less(o, p), ORD#Less(o, r) } + ORD#Less(o, p) && ORD#Less(p, r) ==> ORD#Less(o, r)); + +function ORD#LessThanLimit(ORDINAL, ORDINAL) : bool; + +axiom (forall o: ORDINAL, p: ORDINAL :: + { ORD#LessThanLimit(o, p) } + ORD#LessThanLimit(o, p) == ORD#Less(o, p)); + +function ORD#Plus(ORDINAL, ORDINAL) : ORDINAL; + +axiom (forall o: ORDINAL, p: ORDINAL :: + { ORD#Plus(o, p) } + (ORD#IsNat(ORD#Plus(o, p)) ==> ORD#IsNat(o) && ORD#IsNat(p)) + && (ORD#IsNat(p) + ==> ORD#IsNat(ORD#Plus(o, p)) == ORD#IsNat(o) + && ORD#Offset(ORD#Plus(o, p)) == ORD#Offset(o) + ORD#Offset(p))); + +axiom (forall o: ORDINAL, p: ORDINAL :: + { ORD#Plus(o, p) } + (o == ORD#Plus(o, p) || ORD#Less(o, ORD#Plus(o, p))) + && (p == ORD#Plus(o, p) || ORD#Less(p, ORD#Plus(o, p)))); + +axiom (forall o: ORDINAL, p: ORDINAL :: + { ORD#Plus(o, p) } + (o == ORD#FromNat(0) ==> ORD#Plus(o, p) == p) + && (p == ORD#FromNat(0) ==> ORD#Plus(o, p) == o)); + +function ORD#Minus(ORDINAL, ORDINAL) : ORDINAL; + +axiom (forall o: ORDINAL, p: ORDINAL :: + { ORD#Minus(o, p) } + ORD#IsNat(p) && ORD#Offset(p) <= ORD#Offset(o) + ==> ORD#IsNat(ORD#Minus(o, p)) == ORD#IsNat(o) + && ORD#Offset(ORD#Minus(o, p)) == ORD#Offset(o) - ORD#Offset(p)); + +axiom (forall o: ORDINAL, p: ORDINAL :: + { ORD#Minus(o, p) } + ORD#IsNat(p) && ORD#Offset(p) <= ORD#Offset(o) + ==> (p == ORD#FromNat(0) && ORD#Minus(o, p) == o) + || (p != ORD#FromNat(0) && ORD#Less(ORD#Minus(o, p), o))); + +axiom (forall o: ORDINAL, m: int, n: int :: + { ORD#Plus(ORD#Plus(o, ORD#FromNat(m)), ORD#FromNat(n)) } + 0 <= m && 0 <= n + ==> ORD#Plus(ORD#Plus(o, ORD#FromNat(m)), ORD#FromNat(n)) + == ORD#Plus(o, ORD#FromNat(m + n))); + +axiom (forall o: ORDINAL, m: int, n: int :: + { ORD#Minus(ORD#Minus(o, ORD#FromNat(m)), ORD#FromNat(n)) } + 0 <= m && 0 <= n && m + n <= ORD#Offset(o) + ==> ORD#Minus(ORD#Minus(o, ORD#FromNat(m)), ORD#FromNat(n)) + == ORD#Minus(o, ORD#FromNat(m + n))); + +axiom (forall o: ORDINAL, m: int, n: int :: + { ORD#Minus(ORD#Plus(o, ORD#FromNat(m)), ORD#FromNat(n)) } + 0 <= m && 0 <= n && n <= ORD#Offset(o) + m + ==> (0 <= m - n + ==> ORD#Minus(ORD#Plus(o, ORD#FromNat(m)), ORD#FromNat(n)) + == ORD#Plus(o, ORD#FromNat(m - n))) + && (m - n <= 0 + ==> ORD#Minus(ORD#Plus(o, ORD#FromNat(m)), ORD#FromNat(n)) + == ORD#Minus(o, ORD#FromNat(n - m)))); + +axiom (forall o: ORDINAL, m: int, n: int :: + { ORD#Plus(ORD#Minus(o, ORD#FromNat(m)), ORD#FromNat(n)) } + 0 <= m && 0 <= n && n <= ORD#Offset(o) + m + ==> (0 <= m - n + ==> ORD#Plus(ORD#Minus(o, ORD#FromNat(m)), ORD#FromNat(n)) + == ORD#Minus(o, ORD#FromNat(m - n))) + && (m - n <= 0 + ==> ORD#Plus(ORD#Minus(o, ORD#FromNat(m)), ORD#FromNat(n)) + == ORD#Plus(o, ORD#FromNat(n - m)))); + +const $ModuleContextHeight: int; + +const $FunctionContextHeight: int; + +const $LZ: LayerType; + +function $LS(LayerType) : LayerType; + +function AsFuelBottom(LayerType) : LayerType; + +function AtLayer([LayerType]A, LayerType) : A; + +axiom (forall f: [LayerType]A, ly: LayerType :: + { AtLayer(f, ly) } + AtLayer(f, ly) == f[ly]); + +axiom (forall f: [LayerType]A, ly: LayerType :: + { AtLayer(f, $LS(ly)) } + AtLayer(f, $LS(ly)) == AtLayer(f, ly)); + +axiom FDim(alloc) == 0; + +function FDim(Field T) : int; + +function IndexField(int) : Field Box; + +axiom (forall i: int :: { IndexField(i) } FDim(IndexField(i)) == 1); + +function IndexField_Inverse(Field T) : int; + +axiom (forall i: int :: { IndexField(i) } IndexField_Inverse(IndexField(i)) == i); + +function MultiIndexField(Field Box, int) : Field Box; + +axiom (forall f: Field Box, i: int :: + { MultiIndexField(f, i) } + FDim(MultiIndexField(f, i)) == FDim(f) + 1); + +function MultiIndexField_Inverse0(Field T) : Field T; + +function MultiIndexField_Inverse1(Field T) : int; + +axiom (forall f: Field Box, i: int :: + { MultiIndexField(f, i) } + MultiIndexField_Inverse0(MultiIndexField(f, i)) == f + && MultiIndexField_Inverse1(MultiIndexField(f, i)) == i); + +function DeclType(Field T) : ClassName; + +axiom DeclName(alloc) == allocName; + +function DeclName(Field T) : NameFamily; + +function FieldOfDecl(ClassName, NameFamily) : Field alpha; + +axiom (forall cl: ClassName, nm: NameFamily :: + { FieldOfDecl(cl, nm): Field T } + DeclType(FieldOfDecl(cl, nm): Field T) == cl + && DeclName(FieldOfDecl(cl, nm): Field T) == nm); + +axiom $IsGhostField(alloc); + +axiom (forall h: Heap, k: Heap :: + { $HeapSuccGhost(h, k) } + $HeapSuccGhost(h, k) + ==> $HeapSucc(h, k) + && (forall o: ref, f: Field alpha :: + { read(k, o, f) } + !$IsGhostField(f) ==> read(h, o, f) == read(k, o, f))); + +function $IsGhostField(Field T) : bool; + +axiom (forall h: Heap, k: Heap, v: T, t: Ty :: + { $HeapSucc(h, k), $IsAlloc(v, t, h) } + $HeapSucc(h, k) ==> $IsAlloc(v, t, h) ==> $IsAlloc(v, t, k)); + +axiom (forall h: Heap, k: Heap, bx: Box, t: Ty :: + { $HeapSucc(h, k), $IsAllocBox(bx, t, h) } + $HeapSucc(h, k) ==> $IsAllocBox(bx, t, h) ==> $IsAllocBox(bx, t, k)); + +const unique alloc: Field bool; + +const unique allocName: NameFamily; + +axiom (forall o: ref :: 0 <= _System.array.Length(o)); + +function _System.array.Length(a: ref) : int; + +function Int(x: real) : int; + +axiom (forall x: real :: { Int(x): int } Int(x): int == int(x)); + +function Real(x: int) : real; + +axiom (forall x: int :: { Real(x): real } Real(x): real == real(x)); + +axiom (forall i: int :: { Int(Real(i)) } Int(Real(i)) == i); + +function {:inline} _System.real.Floor(x: real) : int +{ + Int(x) +} + +type Heap = [ref][Field alpha]alpha; + +function {:inline} read(H: Heap, r: ref, f: Field alpha) : alpha +{ + H[r][f] +} + +function {:inline} update(H: Heap, r: ref, f: Field alpha, v: alpha) : Heap +{ + H[r := H[r][f := v]] +} + +function $IsGoodHeap(Heap) : bool; + +function $IsHeapAnchor(Heap) : bool; + +var $Heap: Heap where $IsGoodHeap($Heap) && $IsHeapAnchor($Heap); + +const $OneHeap: Heap; + +axiom $IsGoodHeap($OneHeap); + +function $HeapSucc(Heap, Heap) : bool; + +axiom (forall h: Heap, r: ref, f: Field alpha, x: alpha :: + { update(h, r, f, x) } + $IsGoodHeap(update(h, r, f, x)) ==> $HeapSucc(h, update(h, r, f, x))); + +axiom (forall a: Heap, b: Heap, c: Heap :: + { $HeapSucc(a, b), $HeapSucc(b, c) } + a != c ==> $HeapSucc(a, b) && $HeapSucc(b, c) ==> $HeapSucc(a, c)); + +axiom (forall h: Heap, k: Heap :: + { $HeapSucc(h, k) } + $HeapSucc(h, k) + ==> (forall o: ref :: { read(k, o, alloc) } read(h, o, alloc) ==> read(k, o, alloc))); + +function $HeapSuccGhost(Heap, Heap) : bool; + +var $Tick: TickType; + +procedure $YieldHavoc(this: ref, rds: Set Box, nw: Set Box); + modifies $Heap; + ensures (forall $o: ref, $f: Field alpha :: + { read($Heap, $o, $f) } + $o != null && read(old($Heap), $o, alloc) + ==> + $o == this || rds[$Box($o)] || nw[$Box($o)] + ==> read($Heap, $o, $f) == read(old($Heap), $o, $f)); + ensures $HeapSucc(old($Heap), $Heap); + + + +procedure $IterHavoc0(this: ref, rds: Set Box, modi: Set Box); + modifies $Heap; + ensures (forall $o: ref, $f: Field alpha :: + { read($Heap, $o, $f) } + $o != null && read(old($Heap), $o, alloc) + ==> + rds[$Box($o)] && !modi[$Box($o)] && $o != this + ==> read($Heap, $o, $f) == read(old($Heap), $o, $f)); + ensures $HeapSucc(old($Heap), $Heap); + + + +procedure $IterHavoc1(this: ref, modi: Set Box, nw: Set Box); + modifies $Heap; + ensures (forall $o: ref, $f: Field alpha :: + { read($Heap, $o, $f) } + $o != null && read(old($Heap), $o, alloc) + ==> read($Heap, $o, $f) == read(old($Heap), $o, $f) + || $o == this + || modi[$Box($o)] + || nw[$Box($o)]); + ensures $HeapSucc(old($Heap), $Heap); + + + +procedure $IterCollectNewObjects(prevHeap: Heap, newHeap: Heap, this: ref, NW: Field (Set Box)) + returns (s: Set Box); + ensures (forall bx: Box :: + { s[bx] } + s[bx] + <==> read(newHeap, this, NW)[bx] + || ( + $Unbox(bx) != null + && !read(prevHeap, $Unbox(bx): ref, alloc) + && read(newHeap, $Unbox(bx): ref, alloc))); + + + +type Set T = [T]bool; + +function Set#Card(Set T) : int; + +axiom (forall s: Set T :: { Set#Card(s) } 0 <= Set#Card(s)); + +function Set#Empty() : Set T; + +axiom (forall o: T :: { Set#Empty()[o] } !Set#Empty()[o]); + +axiom (forall s: Set T :: + { Set#Card(s) } + (Set#Card(s) == 0 <==> s == Set#Empty()) + && (Set#Card(s) != 0 ==> (exists x: T :: s[x]))); + +function Set#Singleton(T) : Set T; + +axiom (forall r: T :: { Set#Singleton(r) } Set#Singleton(r)[r]); + +axiom (forall r: T, o: T :: + { Set#Singleton(r)[o] } + Set#Singleton(r)[o] <==> r == o); + +axiom (forall r: T :: + { Set#Card(Set#Singleton(r)) } + Set#Card(Set#Singleton(r)) == 1); + +function Set#UnionOne(Set T, T) : Set T; + +axiom (forall a: Set T, x: T, o: T :: + { Set#UnionOne(a, x)[o] } + Set#UnionOne(a, x)[o] <==> o == x || a[o]); + +axiom (forall a: Set T, x: T :: { Set#UnionOne(a, x) } Set#UnionOne(a, x)[x]); + +axiom (forall a: Set T, x: T, y: T :: + { Set#UnionOne(a, x), a[y] } + a[y] ==> Set#UnionOne(a, x)[y]); + +axiom (forall a: Set T, x: T :: + { Set#Card(Set#UnionOne(a, x)) } + a[x] ==> Set#Card(Set#UnionOne(a, x)) == Set#Card(a)); + +axiom (forall a: Set T, x: T :: + { Set#Card(Set#UnionOne(a, x)) } + !a[x] ==> Set#Card(Set#UnionOne(a, x)) == Set#Card(a) + 1); + +function Set#Union(Set T, Set T) : Set T; + +axiom (forall a: Set T, b: Set T, o: T :: + { Set#Union(a, b)[o] } + Set#Union(a, b)[o] <==> a[o] || b[o]); + +axiom (forall a: Set T, b: Set T, y: T :: + { Set#Union(a, b), a[y] } + a[y] ==> Set#Union(a, b)[y]); + +axiom (forall a: Set T, b: Set T, y: T :: + { Set#Union(a, b), b[y] } + b[y] ==> Set#Union(a, b)[y]); + +axiom (forall a: Set T, b: Set T :: + { Set#Union(a, b) } + Set#Disjoint(a, b) + ==> Set#Difference(Set#Union(a, b), a) == b + && Set#Difference(Set#Union(a, b), b) == a); + +function Set#Intersection(Set T, Set T) : Set T; + +axiom (forall a: Set T, b: Set T, o: T :: + { Set#Intersection(a, b)[o] } + Set#Intersection(a, b)[o] <==> a[o] && b[o]); + +axiom (forall a: Set T, b: Set T :: + { Set#Union(Set#Union(a, b), b) } + Set#Union(Set#Union(a, b), b) == Set#Union(a, b)); + +axiom (forall a: Set T, b: Set T :: + { Set#Union(a, Set#Union(a, b)) } + Set#Union(a, Set#Union(a, b)) == Set#Union(a, b)); + +axiom (forall a: Set T, b: Set T :: + { Set#Intersection(Set#Intersection(a, b), b) } + Set#Intersection(Set#Intersection(a, b), b) == Set#Intersection(a, b)); + +axiom (forall a: Set T, b: Set T :: + { Set#Intersection(a, Set#Intersection(a, b)) } + Set#Intersection(a, Set#Intersection(a, b)) == Set#Intersection(a, b)); + +axiom (forall a: Set T, b: Set T :: + { Set#Card(Set#Union(a, b)) } { Set#Card(Set#Intersection(a, b)) } + Set#Card(Set#Union(a, b)) + Set#Card(Set#Intersection(a, b)) + == Set#Card(a) + Set#Card(b)); + +function Set#Difference(Set T, Set T) : Set T; + +axiom (forall a: Set T, b: Set T, o: T :: + { Set#Difference(a, b)[o] } + Set#Difference(a, b)[o] <==> a[o] && !b[o]); + +axiom (forall a: Set T, b: Set T, y: T :: + { Set#Difference(a, b), b[y] } + b[y] ==> !Set#Difference(a, b)[y]); + +axiom (forall a: Set T, b: Set T :: + { Set#Card(Set#Difference(a, b)) } + Set#Card(Set#Difference(a, b)) + + Set#Card(Set#Difference(b, a)) + + Set#Card(Set#Intersection(a, b)) + == Set#Card(Set#Union(a, b)) + && Set#Card(Set#Difference(a, b)) == Set#Card(a) - Set#Card(Set#Intersection(a, b))); + +function Set#Subset(Set T, Set T) : bool; + +axiom (forall a: Set T, b: Set T :: + { Set#Subset(a, b) } + Set#Subset(a, b) <==> (forall o: T :: { a[o] } { b[o] } a[o] ==> b[o])); + +function Set#Equal(Set T, Set T) : bool; + +axiom (forall a: Set T, b: Set T :: + { Set#Equal(a, b) } + Set#Equal(a, b) <==> (forall o: T :: { a[o] } { b[o] } a[o] <==> b[o])); + +axiom (forall a: Set T, b: Set T :: { Set#Equal(a, b) } Set#Equal(a, b) ==> a == b); + +function Set#Disjoint(Set T, Set T) : bool; + +axiom (forall a: Set T, b: Set T :: + { Set#Disjoint(a, b) } + Set#Disjoint(a, b) <==> (forall o: T :: { a[o] } { b[o] } !a[o] || !b[o])); + +type ISet T = [T]bool; + +function ISet#Empty() : Set T; + +axiom (forall o: T :: { ISet#Empty()[o] } !ISet#Empty()[o]); + +function ISet#UnionOne(ISet T, T) : ISet T; + +axiom (forall a: ISet T, x: T, o: T :: + { ISet#UnionOne(a, x)[o] } + ISet#UnionOne(a, x)[o] <==> o == x || a[o]); + +axiom (forall a: ISet T, x: T :: { ISet#UnionOne(a, x) } ISet#UnionOne(a, x)[x]); + +axiom (forall a: ISet T, x: T, y: T :: + { ISet#UnionOne(a, x), a[y] } + a[y] ==> ISet#UnionOne(a, x)[y]); + +function ISet#Union(ISet T, ISet T) : ISet T; + +axiom (forall a: ISet T, b: ISet T, o: T :: + { ISet#Union(a, b)[o] } + ISet#Union(a, b)[o] <==> a[o] || b[o]); + +axiom (forall a: ISet T, b: ISet T, y: T :: + { ISet#Union(a, b), a[y] } + a[y] ==> ISet#Union(a, b)[y]); + +axiom (forall a: Set T, b: Set T, y: T :: + { ISet#Union(a, b), b[y] } + b[y] ==> ISet#Union(a, b)[y]); + +axiom (forall a: ISet T, b: ISet T :: + { ISet#Union(a, b) } + ISet#Disjoint(a, b) + ==> ISet#Difference(ISet#Union(a, b), a) == b + && ISet#Difference(ISet#Union(a, b), b) == a); + +function ISet#Intersection(ISet T, ISet T) : ISet T; + +axiom (forall a: ISet T, b: ISet T, o: T :: + { ISet#Intersection(a, b)[o] } + ISet#Intersection(a, b)[o] <==> a[o] && b[o]); + +axiom (forall a: ISet T, b: ISet T :: + { ISet#Union(ISet#Union(a, b), b) } + ISet#Union(ISet#Union(a, b), b) == ISet#Union(a, b)); + +axiom (forall a: Set T, b: Set T :: + { ISet#Union(a, ISet#Union(a, b)) } + ISet#Union(a, ISet#Union(a, b)) == ISet#Union(a, b)); + +axiom (forall a: ISet T, b: ISet T :: + { ISet#Intersection(ISet#Intersection(a, b), b) } + ISet#Intersection(ISet#Intersection(a, b), b) == ISet#Intersection(a, b)); + +axiom (forall a: ISet T, b: ISet T :: + { ISet#Intersection(a, ISet#Intersection(a, b)) } + ISet#Intersection(a, ISet#Intersection(a, b)) == ISet#Intersection(a, b)); + +function ISet#Difference(ISet T, ISet T) : ISet T; + +axiom (forall a: ISet T, b: ISet T, o: T :: + { ISet#Difference(a, b)[o] } + ISet#Difference(a, b)[o] <==> a[o] && !b[o]); + +axiom (forall a: ISet T, b: ISet T, y: T :: + { ISet#Difference(a, b), b[y] } + b[y] ==> !ISet#Difference(a, b)[y]); + +function ISet#Subset(ISet T, ISet T) : bool; + +axiom (forall a: ISet T, b: ISet T :: + { ISet#Subset(a, b) } + ISet#Subset(a, b) <==> (forall o: T :: { a[o] } { b[o] } a[o] ==> b[o])); + +function ISet#Equal(ISet T, ISet T) : bool; + +axiom (forall a: ISet T, b: ISet T :: + { ISet#Equal(a, b) } + ISet#Equal(a, b) <==> (forall o: T :: { a[o] } { b[o] } a[o] <==> b[o])); + +axiom (forall a: ISet T, b: ISet T :: + { ISet#Equal(a, b) } + ISet#Equal(a, b) ==> a == b); + +function ISet#Disjoint(ISet T, ISet T) : bool; + +axiom (forall a: ISet T, b: ISet T :: + { ISet#Disjoint(a, b) } + ISet#Disjoint(a, b) <==> (forall o: T :: { a[o] } { b[o] } !a[o] || !b[o])); + +function Math#min(a: int, b: int) : int; + +axiom (forall a: int, b: int :: { Math#min(a, b) } a <= b <==> Math#min(a, b) == a); + +axiom (forall a: int, b: int :: { Math#min(a, b) } b <= a <==> Math#min(a, b) == b); + +axiom (forall a: int, b: int :: + { Math#min(a, b) } + Math#min(a, b) == a || Math#min(a, b) == b); + +function Math#clip(a: int) : int; + +axiom (forall a: int :: { Math#clip(a) } 0 <= a ==> Math#clip(a) == a); + +axiom (forall a: int :: { Math#clip(a) } a < 0 ==> Math#clip(a) == 0); + +type MultiSet T = [T]int; + +function $IsGoodMultiSet(ms: MultiSet T) : bool; + +axiom (forall ms: MultiSet T :: + { $IsGoodMultiSet(ms) } + $IsGoodMultiSet(ms) + <==> (forall bx: T :: { ms[bx] } 0 <= ms[bx] && ms[bx] <= MultiSet#Card(ms))); + +function MultiSet#Card(MultiSet T) : int; + +axiom (forall s: MultiSet T :: { MultiSet#Card(s) } 0 <= MultiSet#Card(s)); + +axiom (forall s: MultiSet T, x: T, n: int :: + { MultiSet#Card(s[x := n]) } + 0 <= n ==> MultiSet#Card(s[x := n]) == MultiSet#Card(s) - s[x] + n); + +function MultiSet#Empty() : MultiSet T; + +axiom (forall o: T :: { MultiSet#Empty()[o] } MultiSet#Empty()[o] == 0); + +axiom (forall s: MultiSet T :: + { MultiSet#Card(s) } + (MultiSet#Card(s) == 0 <==> s == MultiSet#Empty()) + && (MultiSet#Card(s) != 0 ==> (exists x: T :: 0 < s[x]))); + +function MultiSet#Singleton(T) : MultiSet T; + +axiom (forall r: T, o: T :: + { MultiSet#Singleton(r)[o] } + (MultiSet#Singleton(r)[o] == 1 <==> r == o) + && (MultiSet#Singleton(r)[o] == 0 <==> r != o)); + +axiom (forall r: T :: + { MultiSet#Singleton(r) } + MultiSet#Singleton(r) == MultiSet#UnionOne(MultiSet#Empty(), r)); + +function MultiSet#UnionOne(MultiSet T, T) : MultiSet T; + +axiom (forall a: MultiSet T, x: T, o: T :: + { MultiSet#UnionOne(a, x)[o] } + 0 < MultiSet#UnionOne(a, x)[o] <==> o == x || 0 < a[o]); + +axiom (forall a: MultiSet T, x: T :: + { MultiSet#UnionOne(a, x) } + MultiSet#UnionOne(a, x)[x] == a[x] + 1); + +axiom (forall a: MultiSet T, x: T, y: T :: + { MultiSet#UnionOne(a, x), a[y] } + 0 < a[y] ==> 0 < MultiSet#UnionOne(a, x)[y]); + +axiom (forall a: MultiSet T, x: T, y: T :: + { MultiSet#UnionOne(a, x), a[y] } + x != y ==> a[y] == MultiSet#UnionOne(a, x)[y]); + +axiom (forall a: MultiSet T, x: T :: + { MultiSet#Card(MultiSet#UnionOne(a, x)) } + MultiSet#Card(MultiSet#UnionOne(a, x)) == MultiSet#Card(a) + 1); + +function MultiSet#Union(MultiSet T, MultiSet T) : MultiSet T; + +axiom (forall a: MultiSet T, b: MultiSet T, o: T :: + { MultiSet#Union(a, b)[o] } + MultiSet#Union(a, b)[o] == a[o] + b[o]); + +axiom (forall a: MultiSet T, b: MultiSet T :: + { MultiSet#Card(MultiSet#Union(a, b)) } + MultiSet#Card(MultiSet#Union(a, b)) == MultiSet#Card(a) + MultiSet#Card(b)); + +function MultiSet#Intersection(MultiSet T, MultiSet T) : MultiSet T; + +axiom (forall a: MultiSet T, b: MultiSet T, o: T :: + { MultiSet#Intersection(a, b)[o] } + MultiSet#Intersection(a, b)[o] == Math#min(a[o], b[o])); + +axiom (forall a: MultiSet T, b: MultiSet T :: + { MultiSet#Intersection(MultiSet#Intersection(a, b), b) } + MultiSet#Intersection(MultiSet#Intersection(a, b), b) + == MultiSet#Intersection(a, b)); + +axiom (forall a: MultiSet T, b: MultiSet T :: + { MultiSet#Intersection(a, MultiSet#Intersection(a, b)) } + MultiSet#Intersection(a, MultiSet#Intersection(a, b)) + == MultiSet#Intersection(a, b)); + +function MultiSet#Difference(MultiSet T, MultiSet T) : MultiSet T; + +axiom (forall a: MultiSet T, b: MultiSet T, o: T :: + { MultiSet#Difference(a, b)[o] } + MultiSet#Difference(a, b)[o] == Math#clip(a[o] - b[o])); + +axiom (forall a: MultiSet T, b: MultiSet T, y: T :: + { MultiSet#Difference(a, b), b[y], a[y] } + a[y] <= b[y] ==> MultiSet#Difference(a, b)[y] == 0); + +axiom (forall a: MultiSet T, b: MultiSet T :: + { MultiSet#Card(MultiSet#Difference(a, b)) } + MultiSet#Card(MultiSet#Difference(a, b)) + + MultiSet#Card(MultiSet#Difference(b, a)) + + 2 * MultiSet#Card(MultiSet#Intersection(a, b)) + == MultiSet#Card(MultiSet#Union(a, b)) + && MultiSet#Card(MultiSet#Difference(a, b)) + == MultiSet#Card(a) - MultiSet#Card(MultiSet#Intersection(a, b))); + +function MultiSet#Subset(MultiSet T, MultiSet T) : bool; + +axiom (forall a: MultiSet T, b: MultiSet T :: + { MultiSet#Subset(a, b) } + MultiSet#Subset(a, b) <==> (forall o: T :: { a[o] } { b[o] } a[o] <= b[o])); + +function MultiSet#Equal(MultiSet T, MultiSet T) : bool; + +axiom (forall a: MultiSet T, b: MultiSet T :: + { MultiSet#Equal(a, b) } + MultiSet#Equal(a, b) <==> (forall o: T :: { a[o] } { b[o] } a[o] == b[o])); + +axiom (forall a: MultiSet T, b: MultiSet T :: + { MultiSet#Equal(a, b) } + MultiSet#Equal(a, b) ==> a == b); + +function MultiSet#Disjoint(MultiSet T, MultiSet T) : bool; + +axiom (forall a: MultiSet T, b: MultiSet T :: + { MultiSet#Disjoint(a, b) } + MultiSet#Disjoint(a, b) + <==> (forall o: T :: { a[o] } { b[o] } a[o] == 0 || b[o] == 0)); + +function MultiSet#FromSet(Set T) : MultiSet T; + +axiom (forall s: Set T, a: T :: + { MultiSet#FromSet(s)[a] } + (MultiSet#FromSet(s)[a] == 0 <==> !s[a]) + && (MultiSet#FromSet(s)[a] == 1 <==> s[a])); + +axiom (forall s: Set T :: + { MultiSet#Card(MultiSet#FromSet(s)) } + MultiSet#Card(MultiSet#FromSet(s)) == Set#Card(s)); + +axiom (forall :: + MultiSet#FromSeq(Seq#Empty(): Seq T) == MultiSet#Empty(): MultiSet T); + +function MultiSet#FromSeq(Seq T) : MultiSet T; + +axiom (forall s: Seq T :: + { MultiSet#FromSeq(s) } + $IsGoodMultiSet(MultiSet#FromSeq(s))); + +axiom (forall s: Seq T :: + { MultiSet#Card(MultiSet#FromSeq(s)) } + MultiSet#Card(MultiSet#FromSeq(s)) == Seq#Length(s)); + +axiom (forall s: Seq T, v: T :: + { MultiSet#FromSeq(Seq#Build(s, v)) } + MultiSet#FromSeq(Seq#Build(s, v)) == MultiSet#UnionOne(MultiSet#FromSeq(s), v)); + +axiom (forall a: Seq T, b: Seq T :: + { MultiSet#FromSeq(Seq#Append(a, b)) } + MultiSet#FromSeq(Seq#Append(a, b)) + == MultiSet#Union(MultiSet#FromSeq(a), MultiSet#FromSeq(b))); + +axiom (forall s: Seq T, i: int, v: T, x: T :: + { MultiSet#FromSeq(Seq#Update(s, i, v))[x] } + 0 <= i && i < Seq#Length(s) + ==> MultiSet#FromSeq(Seq#Update(s, i, v))[x] + == MultiSet#Union(MultiSet#Difference(MultiSet#FromSeq(s), MultiSet#Singleton(Seq#Index(s, i))), + MultiSet#Singleton(v))[x]); + +axiom (forall s: Seq T, x: T :: + { MultiSet#FromSeq(s)[x] } + (exists i: int :: + { Seq#Index(s, i) } + 0 <= i && i < Seq#Length(s) && x == Seq#Index(s, i)) + <==> 0 < MultiSet#FromSeq(s)[x]); + +function Seq#Length(Seq T) : int; + +axiom (forall s: Seq T :: { Seq#Length(s) } 0 <= Seq#Length(s)); + +function Seq#Empty() : Seq T; + +axiom (forall :: { Seq#Empty(): Seq T } Seq#Length(Seq#Empty(): Seq T) == 0); + +axiom (forall s: Seq T :: + { Seq#Length(s) } + Seq#Length(s) == 0 ==> s == Seq#Empty()); + +function Seq#Singleton(T) : Seq T; + +axiom (forall t: T :: + { Seq#Length(Seq#Singleton(t)) } + Seq#Length(Seq#Singleton(t)) == 1); + +function Seq#Build(s: Seq T, val: T) : Seq T; + +function Seq#Build_inv0(s: Seq T) : Seq T; + +function Seq#Build_inv1(s: Seq T) : T; + +axiom (forall s: Seq T, val: T :: + { Seq#Build(s, val) } + Seq#Build_inv0(Seq#Build(s, val)) == s + && Seq#Build_inv1(Seq#Build(s, val)) == val); + +axiom (forall s: Seq T, v: T :: + { Seq#Build(s, v) } + Seq#Length(Seq#Build(s, v)) == 1 + Seq#Length(s)); + +axiom (forall s: Seq T, i: int, v: T :: + { Seq#Index(Seq#Build(s, v), i) } + (i == Seq#Length(s) ==> Seq#Index(Seq#Build(s, v), i) == v) + && (i != Seq#Length(s) ==> Seq#Index(Seq#Build(s, v), i) == Seq#Index(s, i))); + +axiom (forall s: Seq Box, bx: Box, t: Ty :: + { $Is(Seq#Build(s, bx), TSeq(t)) } + $Is(s, TSeq(t)) && $IsBox(bx, t) ==> $Is(Seq#Build(s, bx), TSeq(t))); + +function Seq#Create(ty: Ty, heap: Heap, len: int, init: HandleType) : Seq Box; + +axiom (forall ty: Ty, heap: Heap, len: int, init: HandleType :: + { Seq#Length(Seq#Create(ty, heap, len, init): Seq Box) } + $IsGoodHeap(heap) && 0 <= len + ==> Seq#Length(Seq#Create(ty, heap, len, init): Seq Box) == len); + +axiom (forall ty: Ty, heap: Heap, len: int, init: HandleType, i: int :: + { Seq#Index(Seq#Create(ty, heap, len, init), i) } + $IsGoodHeap(heap) && 0 <= i && i < len + ==> Seq#Index(Seq#Create(ty, heap, len, init), i) + == Apply1(TInt, TSeq(ty), heap, init, $Box(i))); + +function Seq#Append(Seq T, Seq T) : Seq T; + +axiom (forall s0: Seq T, s1: Seq T :: + { Seq#Length(Seq#Append(s0, s1)) } + Seq#Length(Seq#Append(s0, s1)) == Seq#Length(s0) + Seq#Length(s1)); + +function Seq#Index(Seq T, int) : T; + +axiom (forall t: T :: + { Seq#Index(Seq#Singleton(t), 0) } + Seq#Index(Seq#Singleton(t), 0) == t); + +axiom (forall s0: Seq T, s1: Seq T, n: int :: + { Seq#Index(Seq#Append(s0, s1), n) } + (n < Seq#Length(s0) ==> Seq#Index(Seq#Append(s0, s1), n) == Seq#Index(s0, n)) + && (Seq#Length(s0) <= n + ==> Seq#Index(Seq#Append(s0, s1), n) == Seq#Index(s1, n - Seq#Length(s0)))); + +function Seq#Update(Seq T, int, T) : Seq T; + +axiom (forall s: Seq T, i: int, v: T :: + { Seq#Length(Seq#Update(s, i, v)) } + 0 <= i && i < Seq#Length(s) ==> Seq#Length(Seq#Update(s, i, v)) == Seq#Length(s)); + +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Index(Seq#Update(s, i, v), n) } + 0 <= n && n < Seq#Length(s) + ==> (i == n ==> Seq#Index(Seq#Update(s, i, v), n) == v) + && (i != n ==> Seq#Index(Seq#Update(s, i, v), n) == Seq#Index(s, n))); + +function Seq#Contains(Seq T, T) : bool; + +axiom (forall s: Seq T, x: T :: + { Seq#Contains(s, x) } + Seq#Contains(s, x) + <==> (exists i: int :: + { Seq#Index(s, i) } + 0 <= i && i < Seq#Length(s) && Seq#Index(s, i) == x)); + +axiom (forall x: T :: + { Seq#Contains(Seq#Empty(), x) } + !Seq#Contains(Seq#Empty(), x)); + +axiom (forall s0: Seq T, s1: Seq T, x: T :: + { Seq#Contains(Seq#Append(s0, s1), x) } + Seq#Contains(Seq#Append(s0, s1), x) + <==> Seq#Contains(s0, x) || Seq#Contains(s1, x)); + +axiom (forall s: Seq T, v: T, x: T :: + { Seq#Contains(Seq#Build(s, v), x) } + Seq#Contains(Seq#Build(s, v), x) <==> v == x || Seq#Contains(s, x)); + +axiom (forall s: Seq T, n: int, x: T :: + { Seq#Contains(Seq#Take(s, n), x) } + Seq#Contains(Seq#Take(s, n), x) + <==> (exists i: int :: + { Seq#Index(s, i) } + 0 <= i && i < n && i < Seq#Length(s) && Seq#Index(s, i) == x)); + +axiom (forall s: Seq T, n: int, x: T :: + { Seq#Contains(Seq#Drop(s, n), x) } + Seq#Contains(Seq#Drop(s, n), x) + <==> (exists i: int :: + { Seq#Index(s, i) } + 0 <= n && n <= i && i < Seq#Length(s) && Seq#Index(s, i) == x)); + +function Seq#Equal(Seq T, Seq T) : bool; + +axiom (forall s0: Seq T, s1: Seq T :: + { Seq#Equal(s0, s1) } + Seq#Equal(s0, s1) + <==> Seq#Length(s0) == Seq#Length(s1) + && (forall j: int :: + { Seq#Index(s0, j) } { Seq#Index(s1, j) } + 0 <= j && j < Seq#Length(s0) ==> Seq#Index(s0, j) == Seq#Index(s1, j))); + +axiom (forall a: Seq T, b: Seq T :: { Seq#Equal(a, b) } Seq#Equal(a, b) ==> a == b); + +function Seq#SameUntil(Seq T, Seq T, int) : bool; + +axiom (forall s0: Seq T, s1: Seq T, n: int :: + { Seq#SameUntil(s0, s1, n) } + Seq#SameUntil(s0, s1, n) + <==> (forall j: int :: + { Seq#Index(s0, j) } { Seq#Index(s1, j) } + 0 <= j && j < n ==> Seq#Index(s0, j) == Seq#Index(s1, j))); + +function Seq#Take(s: Seq T, howMany: int) : Seq T; + +axiom (forall s: Seq T, n: int :: + { Seq#Length(Seq#Take(s, n)) } + 0 <= n && n <= Seq#Length(s) ==> Seq#Length(Seq#Take(s, n)) == n); + +axiom (forall s: Seq T, n: int, j: int :: + {:weight 25} { Seq#Index(Seq#Take(s, n), j) } { Seq#Index(s, j), Seq#Take(s, n) } + 0 <= j && j < n && j < Seq#Length(s) + ==> Seq#Index(Seq#Take(s, n), j) == Seq#Index(s, j)); + +function Seq#Drop(s: Seq T, howMany: int) : Seq T; + +axiom (forall s: Seq T, n: int :: + { Seq#Length(Seq#Drop(s, n)) } + 0 <= n && n <= Seq#Length(s) ==> Seq#Length(Seq#Drop(s, n)) == Seq#Length(s) - n); + +axiom (forall s: Seq T, n: int, j: int :: + {:weight 25} { Seq#Index(Seq#Drop(s, n), j) } + 0 <= n && 0 <= j && j < Seq#Length(s) - n + ==> Seq#Index(Seq#Drop(s, n), j) == Seq#Index(s, j + n)); + +axiom (forall s: Seq T, n: int, k: int :: + {:weight 25} { Seq#Index(s, k), Seq#Drop(s, n) } + 0 <= n && n <= k && k < Seq#Length(s) + ==> Seq#Index(Seq#Drop(s, n), k - n) == Seq#Index(s, k)); + +axiom (forall s: Seq T, t: Seq T, n: int :: + { Seq#Take(Seq#Append(s, t), n) } { Seq#Drop(Seq#Append(s, t), n) } + n == Seq#Length(s) + ==> Seq#Take(Seq#Append(s, t), n) == s && Seq#Drop(Seq#Append(s, t), n) == t); + +function Seq#FromArray(h: Heap, a: ref) : Seq Box; + +axiom (forall h: Heap, a: ref :: + { Seq#Length(Seq#FromArray(h, a)) } + Seq#Length(Seq#FromArray(h, a)) == _System.array.Length(a)); + +axiom (forall h: Heap, a: ref :: + { Seq#FromArray(h, a) } + (forall i: int :: + { read(h, a, IndexField(i)) } { Seq#Index(Seq#FromArray(h, a): Seq Box, i) } + 0 <= i && i < Seq#Length(Seq#FromArray(h, a)) + ==> Seq#Index(Seq#FromArray(h, a), i) == read(h, a, IndexField(i)))); + +axiom (forall h0: Heap, h1: Heap, a: ref :: + { Seq#FromArray(h1, a), $HeapSucc(h0, h1) } + $IsGoodHeap(h0) && $IsGoodHeap(h1) && $HeapSucc(h0, h1) && h0[a] == h1[a] + ==> Seq#FromArray(h0, a) == Seq#FromArray(h1, a)); + +axiom (forall h: Heap, i: int, v: Box, a: ref :: + { Seq#FromArray(update(h, a, IndexField(i), v), a) } + 0 <= i && i < _System.array.Length(a) + ==> Seq#FromArray(update(h, a, IndexField(i), v), a) + == Seq#Update(Seq#FromArray(h, a), i, v)); + +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Take(Seq#Update(s, i, v), n) } + 0 <= i && i < n && n <= Seq#Length(s) + ==> Seq#Take(Seq#Update(s, i, v), n) == Seq#Update(Seq#Take(s, n), i, v)); + +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Take(Seq#Update(s, i, v), n) } + n <= i && i < Seq#Length(s) + ==> Seq#Take(Seq#Update(s, i, v), n) == Seq#Take(s, n)); + +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Drop(Seq#Update(s, i, v), n) } + 0 <= n && n <= i && i < Seq#Length(s) + ==> Seq#Drop(Seq#Update(s, i, v), n) == Seq#Update(Seq#Drop(s, n), i - n, v)); + +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Drop(Seq#Update(s, i, v), n) } + 0 <= i && i < n && n <= Seq#Length(s) + ==> Seq#Drop(Seq#Update(s, i, v), n) == Seq#Drop(s, n)); + +axiom (forall h: Heap, a: ref, n0: int, n1: int :: + { Seq#Take(Seq#FromArray(h, a), n0), Seq#Take(Seq#FromArray(h, a), n1) } + n0 + 1 == n1 && 0 <= n0 && n1 <= _System.array.Length(a) + ==> Seq#Take(Seq#FromArray(h, a), n1) + == Seq#Build(Seq#Take(Seq#FromArray(h, a), n0), read(h, a, IndexField(n0): Field Box))); + +axiom (forall s: Seq T, v: T, n: int :: + { Seq#Drop(Seq#Build(s, v), n) } + 0 <= n && n <= Seq#Length(s) + ==> Seq#Drop(Seq#Build(s, v), n) == Seq#Build(Seq#Drop(s, n), v)); + +function Seq#Rank(Seq T) : int; + +axiom (forall s: Seq Box, i: int :: + { DtRank($Unbox(Seq#Index(s, i)): DatatypeType) } + 0 <= i && i < Seq#Length(s) + ==> DtRank($Unbox(Seq#Index(s, i)): DatatypeType) < Seq#Rank(s)); + +axiom (forall s: Seq T, i: int :: + { Seq#Rank(Seq#Drop(s, i)) } + 0 < i && i <= Seq#Length(s) ==> Seq#Rank(Seq#Drop(s, i)) < Seq#Rank(s)); + +axiom (forall s: Seq T, i: int :: + { Seq#Rank(Seq#Take(s, i)) } + 0 <= i && i < Seq#Length(s) ==> Seq#Rank(Seq#Take(s, i)) < Seq#Rank(s)); + +axiom (forall s: Seq T, i: int, j: int :: + { Seq#Rank(Seq#Append(Seq#Take(s, i), Seq#Drop(s, j))) } + 0 <= i && i < j && j <= Seq#Length(s) + ==> Seq#Rank(Seq#Append(Seq#Take(s, i), Seq#Drop(s, j))) < Seq#Rank(s)); + +axiom (forall s: Seq T, n: int :: + { Seq#Drop(s, n) } + n == 0 ==> Seq#Drop(s, n) == s); + +axiom (forall s: Seq T, n: int :: + { Seq#Take(s, n) } + n == 0 ==> Seq#Take(s, n) == Seq#Empty()); + +axiom (forall s: Seq T, m: int, n: int :: + { Seq#Drop(Seq#Drop(s, m), n) } + 0 <= m && 0 <= n && m + n <= Seq#Length(s) + ==> Seq#Drop(Seq#Drop(s, m), n) == Seq#Drop(s, m + n)); + +function Map#Domain(Map U V) : Set U; + +function Map#Elements(Map U V) : [U]V; + +function Map#Card(Map U V) : int; + +axiom (forall m: Map U V :: { Map#Card(m) } 0 <= Map#Card(m)); + +axiom (forall m: Map U V :: + { Map#Card(m) } + Map#Card(m) == 0 <==> m == Map#Empty()); + +axiom (forall m: Map U V :: + { Map#Domain(m) } + m == Map#Empty() || (exists k: U :: Map#Domain(m)[k])); + +axiom (forall m: Map U V :: + { Map#Values(m) } + m == Map#Empty() || (exists v: V :: Map#Values(m)[v])); + +axiom (forall m: Map U V :: + { Map#Items(m) } + m == Map#Empty() + || (exists k: Box, v: Box :: Map#Items(m)[$Box(#_System._tuple#2._#Make2(k, v))])); + +axiom (forall m: Map U V :: + { Set#Card(Map#Domain(m)) } + Set#Card(Map#Domain(m)) == Map#Card(m)); + +axiom (forall m: Map U V :: + { Set#Card(Map#Values(m)) } + Set#Card(Map#Values(m)) <= Map#Card(m)); + +axiom (forall m: Map U V :: + { Set#Card(Map#Items(m)) } + Set#Card(Map#Items(m)) == Map#Card(m)); + +function Map#Values(Map U V) : Set V; + +axiom (forall m: Map U V, v: V :: + { Map#Values(m)[v] } + Map#Values(m)[v] + == (exists u: U :: + { Map#Domain(m)[u] } { Map#Elements(m)[u] } + Map#Domain(m)[u] && v == Map#Elements(m)[u])); + +function Map#Items(Map U V) : Set Box; + +function #_System._tuple#2._#Make2(Box, Box) : DatatypeType; + +function _System.Tuple2._0(DatatypeType) : Box; + +function _System.Tuple2._1(DatatypeType) : Box; + +axiom (forall m: Map Box Box, item: Box :: + { Map#Items(m)[item] } + Map#Items(m)[item] + <==> Map#Domain(m)[_System.Tuple2._0($Unbox(item))] + && Map#Elements(m)[_System.Tuple2._0($Unbox(item))] + == _System.Tuple2._1($Unbox(item))); + +function Map#Empty() : Map U V; + +axiom (forall u: U :: + { Map#Domain(Map#Empty(): Map U V)[u] } + !Map#Domain(Map#Empty(): Map U V)[u]); + +function Map#Glue([U]bool, [U]V, Ty) : Map U V; + +axiom (forall a: [U]bool, b: [U]V, t: Ty :: + { Map#Domain(Map#Glue(a, b, t)) } + Map#Domain(Map#Glue(a, b, t)) == a); + +axiom (forall a: [U]bool, b: [U]V, t: Ty :: + { Map#Elements(Map#Glue(a, b, t)) } + Map#Elements(Map#Glue(a, b, t)) == b); + +axiom (forall a: [Box]bool, b: [Box]Box, t0: Ty, t1: Ty :: + { Map#Glue(a, b, TMap(t0, t1)) } + (forall bx: Box :: a[bx] ==> $IsBox(bx, t0) && $IsBox(b[bx], t1)) + ==> $Is(Map#Glue(a, b, TMap(t0, t1)), TMap(t0, t1))); + +function Map#Build(Map U V, U, V) : Map U V; + +axiom (forall m: Map U V, u: U, u': U, v: V :: + { Map#Domain(Map#Build(m, u, v))[u'] } { Map#Elements(Map#Build(m, u, v))[u'] } + (u' == u + ==> Map#Domain(Map#Build(m, u, v))[u'] && Map#Elements(Map#Build(m, u, v))[u'] == v) + && (u' != u + ==> Map#Domain(Map#Build(m, u, v))[u'] == Map#Domain(m)[u'] + && Map#Elements(Map#Build(m, u, v))[u'] == Map#Elements(m)[u'])); + +axiom (forall m: Map U V, u: U, v: V :: + { Map#Card(Map#Build(m, u, v)) } + Map#Domain(m)[u] ==> Map#Card(Map#Build(m, u, v)) == Map#Card(m)); + +axiom (forall m: Map U V, u: U, v: V :: + { Map#Card(Map#Build(m, u, v)) } + !Map#Domain(m)[u] ==> Map#Card(Map#Build(m, u, v)) == Map#Card(m) + 1); + +function Map#Merge(Map U V, Map U V) : Map U V; + +axiom (forall m: Map U V, n: Map U V :: + { Map#Domain(Map#Merge(m, n)) } + Map#Domain(Map#Merge(m, n)) == Set#Union(Map#Domain(m), Map#Domain(n))); + +axiom (forall m: Map U V, n: Map U V, u: U :: + { Map#Elements(Map#Merge(m, n))[u] } + Map#Domain(Map#Merge(m, n))[u] + ==> (!Map#Domain(n)[u] ==> Map#Elements(Map#Merge(m, n))[u] == Map#Elements(m)[u]) + && (Map#Domain(n)[u] ==> Map#Elements(Map#Merge(m, n))[u] == Map#Elements(n)[u])); + +function Map#Subtract(Map U V, Set U) : Map U V; + +axiom (forall m: Map U V, s: Set U :: + { Map#Domain(Map#Subtract(m, s)) } + Map#Domain(Map#Subtract(m, s)) == Set#Difference(Map#Domain(m), s)); + +axiom (forall m: Map U V, s: Set U, u: U :: + { Map#Elements(Map#Subtract(m, s))[u] } + Map#Domain(Map#Subtract(m, s))[u] + ==> Map#Elements(Map#Subtract(m, s))[u] == Map#Elements(m)[u]); + +function Map#Equal(Map U V, Map U V) : bool; + +axiom (forall m: Map U V, m': Map U V :: + { Map#Equal(m, m') } + Map#Equal(m, m') + <==> (forall u: U :: Map#Domain(m)[u] == Map#Domain(m')[u]) + && (forall u: U :: Map#Domain(m)[u] ==> Map#Elements(m)[u] == Map#Elements(m')[u])); + +axiom (forall m: Map U V, m': Map U V :: + { Map#Equal(m, m') } + Map#Equal(m, m') ==> m == m'); + +function Map#Disjoint(Map U V, Map U V) : bool; + +axiom (forall m: Map U V, m': Map U V :: + { Map#Disjoint(m, m') } + Map#Disjoint(m, m') + <==> (forall o: U :: + { Map#Domain(m)[o] } { Map#Domain(m')[o] } + !Map#Domain(m)[o] || !Map#Domain(m')[o])); + +function IMap#Domain(IMap U V) : Set U; + +function IMap#Elements(IMap U V) : [U]V; + +axiom (forall m: IMap U V :: + { IMap#Domain(m) } + m == IMap#Empty() || (exists k: U :: IMap#Domain(m)[k])); + +axiom (forall m: IMap U V :: + { IMap#Values(m) } + m == IMap#Empty() || (exists v: V :: IMap#Values(m)[v])); + +axiom (forall m: IMap U V :: + { IMap#Items(m) } + m == IMap#Empty() + || (exists k: Box, v: Box :: IMap#Items(m)[$Box(#_System._tuple#2._#Make2(k, v))])); + +axiom (forall m: IMap U V :: + { IMap#Domain(m) } + m == IMap#Empty() <==> IMap#Domain(m) == ISet#Empty()); + +axiom (forall m: IMap U V :: + { IMap#Values(m) } + m == IMap#Empty() <==> IMap#Values(m) == ISet#Empty()); + +axiom (forall m: IMap U V :: + { IMap#Items(m) } + m == IMap#Empty() <==> IMap#Items(m) == ISet#Empty()); + +function IMap#Values(IMap U V) : Set V; + +axiom (forall m: IMap U V, v: V :: + { IMap#Values(m)[v] } + IMap#Values(m)[v] + == (exists u: U :: + { IMap#Domain(m)[u] } { IMap#Elements(m)[u] } + IMap#Domain(m)[u] && v == IMap#Elements(m)[u])); + +function IMap#Items(IMap U V) : Set Box; + +axiom (forall m: IMap Box Box, item: Box :: + { IMap#Items(m)[item] } + IMap#Items(m)[item] + <==> IMap#Domain(m)[_System.Tuple2._0($Unbox(item))] + && IMap#Elements(m)[_System.Tuple2._0($Unbox(item))] + == _System.Tuple2._1($Unbox(item))); + +function IMap#Empty() : IMap U V; + +axiom (forall u: U :: + { IMap#Domain(IMap#Empty(): IMap U V)[u] } + !IMap#Domain(IMap#Empty(): IMap U V)[u]); + +function IMap#Glue([U]bool, [U]V, Ty) : IMap U V; + +axiom (forall a: [U]bool, b: [U]V, t: Ty :: + { IMap#Domain(IMap#Glue(a, b, t)) } + IMap#Domain(IMap#Glue(a, b, t)) == a); + +axiom (forall a: [U]bool, b: [U]V, t: Ty :: + { IMap#Elements(IMap#Glue(a, b, t)) } + IMap#Elements(IMap#Glue(a, b, t)) == b); + +axiom (forall a: [Box]bool, b: [Box]Box, t0: Ty, t1: Ty :: + { IMap#Glue(a, b, TIMap(t0, t1)) } + (forall bx: Box :: a[bx] ==> $IsBox(bx, t0) && $IsBox(b[bx], t1)) + ==> $Is(Map#Glue(a, b, TIMap(t0, t1)), TIMap(t0, t1))); + +function IMap#Build(IMap U V, U, V) : IMap U V; + +axiom (forall m: IMap U V, u: U, u': U, v: V :: + { IMap#Domain(IMap#Build(m, u, v))[u'] } + { IMap#Elements(IMap#Build(m, u, v))[u'] } + (u' == u + ==> IMap#Domain(IMap#Build(m, u, v))[u'] + && IMap#Elements(IMap#Build(m, u, v))[u'] == v) + && (u' != u + ==> IMap#Domain(IMap#Build(m, u, v))[u'] == IMap#Domain(m)[u'] + && IMap#Elements(IMap#Build(m, u, v))[u'] == IMap#Elements(m)[u'])); + +function IMap#Equal(IMap U V, IMap U V) : bool; + +axiom (forall m: IMap U V, m': IMap U V :: + { IMap#Equal(m, m') } + IMap#Equal(m, m') + <==> (forall u: U :: IMap#Domain(m)[u] == IMap#Domain(m')[u]) + && (forall u: U :: + IMap#Domain(m)[u] ==> IMap#Elements(m)[u] == IMap#Elements(m')[u])); + +axiom (forall m: IMap U V, m': IMap U V :: + { IMap#Equal(m, m') } + IMap#Equal(m, m') ==> m == m'); + +function IMap#Merge(IMap U V, IMap U V) : IMap U V; + +axiom (forall m: IMap U V, n: IMap U V :: + { IMap#Domain(IMap#Merge(m, n)) } + IMap#Domain(IMap#Merge(m, n)) == Set#Union(IMap#Domain(m), IMap#Domain(n))); + +axiom (forall m: IMap U V, n: IMap U V, u: U :: + { IMap#Elements(IMap#Merge(m, n))[u] } + IMap#Domain(IMap#Merge(m, n))[u] + ==> (!IMap#Domain(n)[u] + ==> IMap#Elements(IMap#Merge(m, n))[u] == IMap#Elements(m)[u]) + && (IMap#Domain(n)[u] + ==> IMap#Elements(IMap#Merge(m, n))[u] == IMap#Elements(n)[u])); + +function IMap#Subtract(IMap U V, Set U) : IMap U V; + +axiom (forall m: IMap U V, s: Set U :: + { IMap#Domain(IMap#Subtract(m, s)) } + IMap#Domain(IMap#Subtract(m, s)) == Set#Difference(IMap#Domain(m), s)); + +axiom (forall m: IMap U V, s: Set U, u: U :: + { IMap#Elements(IMap#Subtract(m, s))[u] } + IMap#Domain(IMap#Subtract(m, s))[u] + ==> IMap#Elements(IMap#Subtract(m, s))[u] == IMap#Elements(m)[u]); + +function INTERNAL_add_boogie(x: int, y: int) : int; + +axiom (forall x: int, y: int :: + { INTERNAL_add_boogie(x, y): int } + INTERNAL_add_boogie(x, y): int == x + y); + +function INTERNAL_sub_boogie(x: int, y: int) : int; + +axiom (forall x: int, y: int :: + { INTERNAL_sub_boogie(x, y): int } + INTERNAL_sub_boogie(x, y): int == x - y); + +function INTERNAL_mul_boogie(x: int, y: int) : int; + +axiom (forall x: int, y: int :: + { INTERNAL_mul_boogie(x, y): int } + INTERNAL_mul_boogie(x, y): int == x * y); + +function INTERNAL_div_boogie(x: int, y: int) : int; + +axiom (forall x: int, y: int :: + { INTERNAL_div_boogie(x, y): int } + INTERNAL_div_boogie(x, y): int == x div y); + +function INTERNAL_mod_boogie(x: int, y: int) : int; + +axiom (forall x: int, y: int :: + { INTERNAL_mod_boogie(x, y): int } + INTERNAL_mod_boogie(x, y): int == x mod y); + +function {:never_pattern true} INTERNAL_lt_boogie(x: int, y: int) : bool; + +axiom (forall x: int, y: int :: + {:never_pattern true} { INTERNAL_lt_boogie(x, y): bool } + INTERNAL_lt_boogie(x, y): bool == (x < y)); + +function {:never_pattern true} INTERNAL_le_boogie(x: int, y: int) : bool; + +axiom (forall x: int, y: int :: + {:never_pattern true} { INTERNAL_le_boogie(x, y): bool } + INTERNAL_le_boogie(x, y): bool == (x <= y)); + +function {:never_pattern true} INTERNAL_gt_boogie(x: int, y: int) : bool; + +axiom (forall x: int, y: int :: + {:never_pattern true} { INTERNAL_gt_boogie(x, y): bool } + INTERNAL_gt_boogie(x, y): bool == (x > y)); + +function {:never_pattern true} INTERNAL_ge_boogie(x: int, y: int) : bool; + +axiom (forall x: int, y: int :: + {:never_pattern true} { INTERNAL_ge_boogie(x, y): bool } + INTERNAL_ge_boogie(x, y): bool == (x >= y)); + +function Mul(x: int, y: int) : int; + +axiom (forall x: int, y: int :: { Mul(x, y): int } Mul(x, y): int == x * y); + +function Div(x: int, y: int) : int; + +axiom (forall x: int, y: int :: { Div(x, y): int } Div(x, y): int == x div y); + +function Mod(x: int, y: int) : int; + +axiom (forall x: int, y: int :: { Mod(x, y): int } Mod(x, y): int == x mod y); + +function Add(x: int, y: int) : int; + +axiom (forall x: int, y: int :: { Add(x, y): int } Add(x, y): int == x + y); + +function Sub(x: int, y: int) : int; + +axiom (forall x: int, y: int :: { Sub(x, y): int } Sub(x, y): int == x - y); + +function Tclass._System.nat() : Ty; + +const unique Tagclass._System.nat: TyTag; + +// Tclass._System.nat Tag +axiom Tag(Tclass._System.nat()) == Tagclass._System.nat + && TagFamily(Tclass._System.nat()) == tytagFamily$nat; + +// Box/unbox axiom for Tclass._System.nat +axiom (forall bx: Box :: + { $IsBox(bx, Tclass._System.nat()) } + $IsBox(bx, Tclass._System.nat()) + ==> $Box($Unbox(bx): int) == bx && $Is($Unbox(bx): int, Tclass._System.nat())); + +// _System.nat: subset type $Is +axiom (forall x#0: int :: + { $Is(x#0, Tclass._System.nat()) } + $Is(x#0, Tclass._System.nat()) <==> LitInt(0) <= x#0); + +// _System.nat: subset type $IsAlloc +axiom (forall x#0: int, $h: Heap :: + { $IsAlloc(x#0, Tclass._System.nat(), $h) } + $IsAlloc(x#0, Tclass._System.nat(), $h)); + +const unique class._System.object?: ClassName; + +const unique Tagclass._System.object?: TyTag; + +// Tclass._System.object? Tag +axiom Tag(Tclass._System.object?()) == Tagclass._System.object? + && TagFamily(Tclass._System.object?()) == tytagFamily$object; + +// Box/unbox axiom for Tclass._System.object? +axiom (forall bx: Box :: + { $IsBox(bx, Tclass._System.object?()) } + $IsBox(bx, Tclass._System.object?()) + ==> $Box($Unbox(bx): ref) == bx && $Is($Unbox(bx): ref, Tclass._System.object?())); + +// object: Class $Is +axiom (forall $o: ref :: + { $Is($o, Tclass._System.object?()) } + $Is($o, Tclass._System.object?())); + +// object: Class $IsAlloc +axiom (forall $o: ref, $h: Heap :: + { $IsAlloc($o, Tclass._System.object?(), $h) } + $IsAlloc($o, Tclass._System.object?(), $h) + <==> $o == null || read($h, $o, alloc)); + +function implements$_System.object(ty: Ty) : bool; + +function Tclass._System.object() : Ty; + +const unique Tagclass._System.object: TyTag; + +// Tclass._System.object Tag +axiom Tag(Tclass._System.object()) == Tagclass._System.object + && TagFamily(Tclass._System.object()) == tytagFamily$object; + +// Box/unbox axiom for Tclass._System.object +axiom (forall bx: Box :: + { $IsBox(bx, Tclass._System.object()) } + $IsBox(bx, Tclass._System.object()) + ==> $Box($Unbox(bx): ref) == bx && $Is($Unbox(bx): ref, Tclass._System.object())); + +// _System.object: non-null type $Is +axiom (forall c#0: ref :: + { $Is(c#0, Tclass._System.object()) } + $Is(c#0, Tclass._System.object()) + <==> $Is(c#0, Tclass._System.object?()) && c#0 != null); + +// _System.object: non-null type $IsAlloc +axiom (forall c#0: ref, $h: Heap :: + { $IsAlloc(c#0, Tclass._System.object(), $h) } + $IsAlloc(c#0, Tclass._System.object(), $h) + <==> $IsAlloc(c#0, Tclass._System.object?(), $h)); + +const unique class._System.array?: ClassName; + +function Tclass._System.array?(Ty) : Ty; + +const unique Tagclass._System.array?: TyTag; + +// Tclass._System.array? Tag +axiom (forall _System.array$arg: Ty :: + { Tclass._System.array?(_System.array$arg) } + Tag(Tclass._System.array?(_System.array$arg)) == Tagclass._System.array? + && TagFamily(Tclass._System.array?(_System.array$arg)) == tytagFamily$array); + +function Tclass._System.array?_0(Ty) : Ty; + +// Tclass._System.array? injectivity 0 +axiom (forall _System.array$arg: Ty :: + { Tclass._System.array?(_System.array$arg) } + Tclass._System.array?_0(Tclass._System.array?(_System.array$arg)) + == _System.array$arg); + +// Box/unbox axiom for Tclass._System.array? +axiom (forall _System.array$arg: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.array?(_System.array$arg)) } + $IsBox(bx, Tclass._System.array?(_System.array$arg)) + ==> $Box($Unbox(bx): ref) == bx + && $Is($Unbox(bx): ref, Tclass._System.array?(_System.array$arg))); + +// array.: Type axiom +axiom (forall _System.array$arg: Ty, $h: Heap, $o: ref, $i0: int :: + { read($h, $o, IndexField($i0)), Tclass._System.array?(_System.array$arg) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._System.array?(_System.array$arg) + && + 0 <= $i0 + && $i0 < _System.array.Length($o) + ==> $IsBox(read($h, $o, IndexField($i0)), _System.array$arg)); + +// array.: Allocation axiom +axiom (forall _System.array$arg: Ty, $h: Heap, $o: ref, $i0: int :: + { read($h, $o, IndexField($i0)), Tclass._System.array?(_System.array$arg) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._System.array?(_System.array$arg) + && + 0 <= $i0 + && $i0 < _System.array.Length($o) + && read($h, $o, alloc) + ==> $IsAllocBox(read($h, $o, IndexField($i0)), _System.array$arg, $h)); + +// array: Class $Is +axiom (forall _System.array$arg: Ty, $o: ref :: + { $Is($o, Tclass._System.array?(_System.array$arg)) } + $Is($o, Tclass._System.array?(_System.array$arg)) + <==> $o == null || dtype($o) == Tclass._System.array?(_System.array$arg)); + +// array: Class $IsAlloc +axiom (forall _System.array$arg: Ty, $o: ref, $h: Heap :: + { $IsAlloc($o, Tclass._System.array?(_System.array$arg), $h) } + $IsAlloc($o, Tclass._System.array?(_System.array$arg), $h) + <==> $o == null || read($h, $o, alloc)); + +// array.Length: Type axiom +axiom (forall _System.array$arg: Ty, $o: ref :: + { _System.array.Length($o), Tclass._System.array?(_System.array$arg) } + $o != null && dtype($o) == Tclass._System.array?(_System.array$arg) + ==> $Is(_System.array.Length($o), TInt)); + +// array.Length: Allocation axiom +axiom (forall _System.array$arg: Ty, $h: Heap, $o: ref :: + { _System.array.Length($o), read($h, $o, alloc), Tclass._System.array?(_System.array$arg) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._System.array?(_System.array$arg) + && read($h, $o, alloc) + ==> $IsAlloc(_System.array.Length($o), TInt, $h)); + +function Tclass._System.array(Ty) : Ty; + +const unique Tagclass._System.array: TyTag; + +// Tclass._System.array Tag +axiom (forall _System.array$arg: Ty :: + { Tclass._System.array(_System.array$arg) } + Tag(Tclass._System.array(_System.array$arg)) == Tagclass._System.array + && TagFamily(Tclass._System.array(_System.array$arg)) == tytagFamily$array); + +function Tclass._System.array_0(Ty) : Ty; + +// Tclass._System.array injectivity 0 +axiom (forall _System.array$arg: Ty :: + { Tclass._System.array(_System.array$arg) } + Tclass._System.array_0(Tclass._System.array(_System.array$arg)) + == _System.array$arg); + +// Box/unbox axiom for Tclass._System.array +axiom (forall _System.array$arg: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.array(_System.array$arg)) } + $IsBox(bx, Tclass._System.array(_System.array$arg)) + ==> $Box($Unbox(bx): ref) == bx + && $Is($Unbox(bx): ref, Tclass._System.array(_System.array$arg))); + +// _System.array: non-null type $Is +axiom (forall _System.array$arg: Ty, c#0: ref :: + { $Is(c#0, Tclass._System.array(_System.array$arg)) } + $Is(c#0, Tclass._System.array(_System.array$arg)) + <==> $Is(c#0, Tclass._System.array?(_System.array$arg)) && c#0 != null); + +// _System.array: non-null type $IsAlloc +axiom (forall _System.array$arg: Ty, c#0: ref, $h: Heap :: + { $IsAlloc(c#0, Tclass._System.array(_System.array$arg), $h) } + $IsAlloc(c#0, Tclass._System.array(_System.array$arg), $h) + <==> $IsAlloc(c#0, Tclass._System.array?(_System.array$arg), $h)); + +function Tclass._System.___hFunc1(Ty, Ty) : Ty; + +const unique Tagclass._System.___hFunc1: TyTag; + +// Tclass._System.___hFunc1 Tag +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hFunc1(#$T0, #$R) } + Tag(Tclass._System.___hFunc1(#$T0, #$R)) == Tagclass._System.___hFunc1 + && TagFamily(Tclass._System.___hFunc1(#$T0, #$R)) == tytagFamily$_#Func1); + +function Tclass._System.___hFunc1_0(Ty) : Ty; + +// Tclass._System.___hFunc1 injectivity 0 +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hFunc1(#$T0, #$R) } + Tclass._System.___hFunc1_0(Tclass._System.___hFunc1(#$T0, #$R)) == #$T0); + +function Tclass._System.___hFunc1_1(Ty) : Ty; + +// Tclass._System.___hFunc1 injectivity 1 +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hFunc1(#$T0, #$R) } + Tclass._System.___hFunc1_1(Tclass._System.___hFunc1(#$T0, #$R)) == #$R); + +// Box/unbox axiom for Tclass._System.___hFunc1 +axiom (forall #$T0: Ty, #$R: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.___hFunc1(#$T0, #$R)) } + $IsBox(bx, Tclass._System.___hFunc1(#$T0, #$R)) + ==> $Box($Unbox(bx): HandleType) == bx + && $Is($Unbox(bx): HandleType, Tclass._System.___hFunc1(#$T0, #$R))); + +function Handle1([Heap,Box]Box, [Heap,Box]bool, [Heap,Box]Set Box) : HandleType; + +function Requires1(Ty, Ty, Heap, HandleType, Box) : bool; + +function Reads1(Ty, Ty, Heap, HandleType, Box) : Set Box; + +axiom (forall t0: Ty, + t1: Ty, + heap: Heap, + h: [Heap,Box]Box, + r: [Heap,Box]bool, + rd: [Heap,Box]Set Box, + bx0: Box :: + { Apply1(t0, t1, heap, Handle1(h, r, rd), bx0) } + Apply1(t0, t1, heap, Handle1(h, r, rd), bx0) == h[heap, bx0]); + +axiom (forall t0: Ty, + t1: Ty, + heap: Heap, + h: [Heap,Box]Box, + r: [Heap,Box]bool, + rd: [Heap,Box]Set Box, + bx0: Box :: + { Requires1(t0, t1, heap, Handle1(h, r, rd), bx0) } + r[heap, bx0] ==> Requires1(t0, t1, heap, Handle1(h, r, rd), bx0)); + +axiom (forall t0: Ty, + t1: Ty, + heap: Heap, + h: [Heap,Box]Box, + r: [Heap,Box]bool, + rd: [Heap,Box]Set Box, + bx0: Box, + bx: Box :: + { Reads1(t0, t1, heap, Handle1(h, r, rd), bx0)[bx] } + Reads1(t0, t1, heap, Handle1(h, r, rd), bx0)[bx] == rd[heap, bx0][bx]); + +function {:inline} Requires1#canCall(t0: Ty, t1: Ty, heap: Heap, f: HandleType, bx0: Box) : bool +{ + true +} + +function {:inline} Reads1#canCall(t0: Ty, t1: Ty, heap: Heap, f: HandleType, bx0: Box) : bool +{ + true +} + +// frame axiom for Reads1 +axiom (forall t0: Ty, t1: Ty, h0: Heap, h1: Heap, f: HandleType, bx0: Box :: + { $HeapSucc(h0, h1), Reads1(t0, t1, h1, f, bx0) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $Is(f, Tclass._System.___hFunc1(t0, t1)) + && (forall o: ref, fld: Field a :: + o != null && Reads1(t0, t1, h0, f, bx0)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Reads1(t0, t1, h0, f, bx0) == Reads1(t0, t1, h1, f, bx0)); + +// frame axiom for Reads1 +axiom (forall t0: Ty, t1: Ty, h0: Heap, h1: Heap, f: HandleType, bx0: Box :: + { $HeapSucc(h0, h1), Reads1(t0, t1, h1, f, bx0) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $Is(f, Tclass._System.___hFunc1(t0, t1)) + && (forall o: ref, fld: Field a :: + o != null && Reads1(t0, t1, h1, f, bx0)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Reads1(t0, t1, h0, f, bx0) == Reads1(t0, t1, h1, f, bx0)); + +// frame axiom for Requires1 +axiom (forall t0: Ty, t1: Ty, h0: Heap, h1: Heap, f: HandleType, bx0: Box :: + { $HeapSucc(h0, h1), Requires1(t0, t1, h1, f, bx0) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $Is(f, Tclass._System.___hFunc1(t0, t1)) + && (forall o: ref, fld: Field a :: + o != null && Reads1(t0, t1, h0, f, bx0)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Requires1(t0, t1, h0, f, bx0) == Requires1(t0, t1, h1, f, bx0)); + +// frame axiom for Requires1 +axiom (forall t0: Ty, t1: Ty, h0: Heap, h1: Heap, f: HandleType, bx0: Box :: + { $HeapSucc(h0, h1), Requires1(t0, t1, h1, f, bx0) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $Is(f, Tclass._System.___hFunc1(t0, t1)) + && (forall o: ref, fld: Field a :: + o != null && Reads1(t0, t1, h1, f, bx0)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Requires1(t0, t1, h0, f, bx0) == Requires1(t0, t1, h1, f, bx0)); + +// frame axiom for Apply1 +axiom (forall t0: Ty, t1: Ty, h0: Heap, h1: Heap, f: HandleType, bx0: Box :: + { $HeapSucc(h0, h1), Apply1(t0, t1, h1, f, bx0) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $Is(f, Tclass._System.___hFunc1(t0, t1)) + && (forall o: ref, fld: Field a :: + o != null && Reads1(t0, t1, h0, f, bx0)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Apply1(t0, t1, h0, f, bx0) == Apply1(t0, t1, h1, f, bx0)); + +// frame axiom for Apply1 +axiom (forall t0: Ty, t1: Ty, h0: Heap, h1: Heap, f: HandleType, bx0: Box :: + { $HeapSucc(h0, h1), Apply1(t0, t1, h1, f, bx0) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $Is(f, Tclass._System.___hFunc1(t0, t1)) + && (forall o: ref, fld: Field a :: + o != null && Reads1(t0, t1, h1, f, bx0)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Apply1(t0, t1, h0, f, bx0) == Apply1(t0, t1, h1, f, bx0)); + +// empty-reads property for Reads1 +axiom (forall t0: Ty, t1: Ty, heap: Heap, f: HandleType, bx0: Box :: + { Reads1(t0, t1, $OneHeap, f, bx0), $IsGoodHeap(heap) } + { Reads1(t0, t1, heap, f, bx0) } + $IsGoodHeap(heap) && $IsBox(bx0, t0) && $Is(f, Tclass._System.___hFunc1(t0, t1)) + ==> (Set#Equal(Reads1(t0, t1, $OneHeap, f, bx0), Set#Empty(): Set Box) + <==> Set#Equal(Reads1(t0, t1, heap, f, bx0), Set#Empty(): Set Box))); + +// empty-reads property for Requires1 +axiom (forall t0: Ty, t1: Ty, heap: Heap, f: HandleType, bx0: Box :: + { Requires1(t0, t1, $OneHeap, f, bx0), $IsGoodHeap(heap) } + { Requires1(t0, t1, heap, f, bx0) } + $IsGoodHeap(heap) + && + $IsBox(bx0, t0) + && $Is(f, Tclass._System.___hFunc1(t0, t1)) + && Set#Equal(Reads1(t0, t1, $OneHeap, f, bx0), Set#Empty(): Set Box) + ==> Requires1(t0, t1, $OneHeap, f, bx0) == Requires1(t0, t1, heap, f, bx0)); + +axiom (forall f: HandleType, t0: Ty, t1: Ty :: + { $Is(f, Tclass._System.___hFunc1(t0, t1)) } + $Is(f, Tclass._System.___hFunc1(t0, t1)) + <==> (forall h: Heap, bx0: Box :: + { Apply1(t0, t1, h, f, bx0) } + $IsGoodHeap(h) && $IsBox(bx0, t0) && Requires1(t0, t1, h, f, bx0) + ==> $IsBox(Apply1(t0, t1, h, f, bx0), t1))); + +axiom (forall f: HandleType, t0: Ty, t1: Ty, u0: Ty, u1: Ty :: + { $Is(f, Tclass._System.___hFunc1(t0, t1)), $Is(f, Tclass._System.___hFunc1(u0, u1)) } + $Is(f, Tclass._System.___hFunc1(t0, t1)) + && (forall bx: Box :: + { $IsBox(bx, u0) } { $IsBox(bx, t0) } + $IsBox(bx, u0) ==> $IsBox(bx, t0)) + && (forall bx: Box :: + { $IsBox(bx, t1) } { $IsBox(bx, u1) } + $IsBox(bx, t1) ==> $IsBox(bx, u1)) + ==> $Is(f, Tclass._System.___hFunc1(u0, u1))); + +axiom (forall f: HandleType, t0: Ty, t1: Ty, h: Heap :: + { $IsAlloc(f, Tclass._System.___hFunc1(t0, t1), h) } + $IsGoodHeap(h) + ==> ($IsAlloc(f, Tclass._System.___hFunc1(t0, t1), h) + <==> (forall bx0: Box :: + { Apply1(t0, t1, h, f, bx0) } { Reads1(t0, t1, h, f, bx0) } + $IsBox(bx0, t0) && $IsAllocBox(bx0, t0, h) && Requires1(t0, t1, h, f, bx0) + ==> (forall r: ref :: + { Reads1(t0, t1, h, f, bx0)[$Box(r)] } + r != null && Reads1(t0, t1, h, f, bx0)[$Box(r)] ==> read(h, r, alloc))))); + +axiom (forall f: HandleType, t0: Ty, t1: Ty, h: Heap :: + { $IsAlloc(f, Tclass._System.___hFunc1(t0, t1), h) } + $IsGoodHeap(h) && $IsAlloc(f, Tclass._System.___hFunc1(t0, t1), h) + ==> (forall bx0: Box :: + { Apply1(t0, t1, h, f, bx0) } + $IsAllocBox(bx0, t0, h) && Requires1(t0, t1, h, f, bx0) + ==> $IsAllocBox(Apply1(t0, t1, h, f, bx0), t1, h))); + +function Tclass._System.___hPartialFunc1(Ty, Ty) : Ty; + +const unique Tagclass._System.___hPartialFunc1: TyTag; + +// Tclass._System.___hPartialFunc1 Tag +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hPartialFunc1(#$T0, #$R) } + Tag(Tclass._System.___hPartialFunc1(#$T0, #$R)) + == Tagclass._System.___hPartialFunc1 + && TagFamily(Tclass._System.___hPartialFunc1(#$T0, #$R)) + == tytagFamily$_#PartialFunc1); + +function Tclass._System.___hPartialFunc1_0(Ty) : Ty; + +// Tclass._System.___hPartialFunc1 injectivity 0 +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hPartialFunc1(#$T0, #$R) } + Tclass._System.___hPartialFunc1_0(Tclass._System.___hPartialFunc1(#$T0, #$R)) + == #$T0); + +function Tclass._System.___hPartialFunc1_1(Ty) : Ty; + +// Tclass._System.___hPartialFunc1 injectivity 1 +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hPartialFunc1(#$T0, #$R) } + Tclass._System.___hPartialFunc1_1(Tclass._System.___hPartialFunc1(#$T0, #$R)) + == #$R); + +// Box/unbox axiom for Tclass._System.___hPartialFunc1 +axiom (forall #$T0: Ty, #$R: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.___hPartialFunc1(#$T0, #$R)) } + $IsBox(bx, Tclass._System.___hPartialFunc1(#$T0, #$R)) + ==> $Box($Unbox(bx): HandleType) == bx + && $Is($Unbox(bx): HandleType, Tclass._System.___hPartialFunc1(#$T0, #$R))); + +// _System._#PartialFunc1: subset type $Is +axiom (forall #$T0: Ty, #$R: Ty, f#0: HandleType :: + { $Is(f#0, Tclass._System.___hPartialFunc1(#$T0, #$R)) } + $Is(f#0, Tclass._System.___hPartialFunc1(#$T0, #$R)) + <==> $Is(f#0, Tclass._System.___hFunc1(#$T0, #$R)) + && (forall x0#0: Box :: + $IsBox(x0#0, #$T0) + ==> Set#Equal(Reads1(#$T0, #$R, $OneHeap, f#0, x0#0), Set#Empty(): Set Box))); + +// _System._#PartialFunc1: subset type $IsAlloc +axiom (forall #$T0: Ty, #$R: Ty, f#0: HandleType, $h: Heap :: + { $IsAlloc(f#0, Tclass._System.___hPartialFunc1(#$T0, #$R), $h) } + $IsAlloc(f#0, Tclass._System.___hPartialFunc1(#$T0, #$R), $h) + <==> $IsAlloc(f#0, Tclass._System.___hFunc1(#$T0, #$R), $h)); + +function Tclass._System.___hTotalFunc1(Ty, Ty) : Ty; + +const unique Tagclass._System.___hTotalFunc1: TyTag; + +// Tclass._System.___hTotalFunc1 Tag +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hTotalFunc1(#$T0, #$R) } + Tag(Tclass._System.___hTotalFunc1(#$T0, #$R)) == Tagclass._System.___hTotalFunc1 + && TagFamily(Tclass._System.___hTotalFunc1(#$T0, #$R)) == tytagFamily$_#TotalFunc1); + +function Tclass._System.___hTotalFunc1_0(Ty) : Ty; + +// Tclass._System.___hTotalFunc1 injectivity 0 +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hTotalFunc1(#$T0, #$R) } + Tclass._System.___hTotalFunc1_0(Tclass._System.___hTotalFunc1(#$T0, #$R)) + == #$T0); + +function Tclass._System.___hTotalFunc1_1(Ty) : Ty; + +// Tclass._System.___hTotalFunc1 injectivity 1 +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hTotalFunc1(#$T0, #$R) } + Tclass._System.___hTotalFunc1_1(Tclass._System.___hTotalFunc1(#$T0, #$R)) == #$R); + +// Box/unbox axiom for Tclass._System.___hTotalFunc1 +axiom (forall #$T0: Ty, #$R: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.___hTotalFunc1(#$T0, #$R)) } + $IsBox(bx, Tclass._System.___hTotalFunc1(#$T0, #$R)) + ==> $Box($Unbox(bx): HandleType) == bx + && $Is($Unbox(bx): HandleType, Tclass._System.___hTotalFunc1(#$T0, #$R))); + +// _System._#TotalFunc1: subset type $Is +axiom (forall #$T0: Ty, #$R: Ty, f#0: HandleType :: + { $Is(f#0, Tclass._System.___hTotalFunc1(#$T0, #$R)) } + $Is(f#0, Tclass._System.___hTotalFunc1(#$T0, #$R)) + <==> $Is(f#0, Tclass._System.___hPartialFunc1(#$T0, #$R)) + && (forall x0#0: Box :: + $IsBox(x0#0, #$T0) ==> Requires1(#$T0, #$R, $OneHeap, f#0, x0#0))); + +// _System._#TotalFunc1: subset type $IsAlloc +axiom (forall #$T0: Ty, #$R: Ty, f#0: HandleType, $h: Heap :: + { $IsAlloc(f#0, Tclass._System.___hTotalFunc1(#$T0, #$R), $h) } + $IsAlloc(f#0, Tclass._System.___hTotalFunc1(#$T0, #$R), $h) + <==> $IsAlloc(f#0, Tclass._System.___hPartialFunc1(#$T0, #$R), $h)); + +function Tclass._System.___hFunc0(Ty) : Ty; + +const unique Tagclass._System.___hFunc0: TyTag; + +// Tclass._System.___hFunc0 Tag +axiom (forall #$R: Ty :: + { Tclass._System.___hFunc0(#$R) } + Tag(Tclass._System.___hFunc0(#$R)) == Tagclass._System.___hFunc0 + && TagFamily(Tclass._System.___hFunc0(#$R)) == tytagFamily$_#Func0); + +function Tclass._System.___hFunc0_0(Ty) : Ty; + +// Tclass._System.___hFunc0 injectivity 0 +axiom (forall #$R: Ty :: + { Tclass._System.___hFunc0(#$R) } + Tclass._System.___hFunc0_0(Tclass._System.___hFunc0(#$R)) == #$R); + +// Box/unbox axiom for Tclass._System.___hFunc0 +axiom (forall #$R: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.___hFunc0(#$R)) } + $IsBox(bx, Tclass._System.___hFunc0(#$R)) + ==> $Box($Unbox(bx): HandleType) == bx + && $Is($Unbox(bx): HandleType, Tclass._System.___hFunc0(#$R))); + +function Handle0([Heap]Box, [Heap]bool, [Heap]Set Box) : HandleType; + +function Apply0(Ty, Heap, HandleType) : Box; + +function Requires0(Ty, Heap, HandleType) : bool; + +function Reads0(Ty, Heap, HandleType) : Set Box; + +axiom (forall t0: Ty, heap: Heap, h: [Heap]Box, r: [Heap]bool, rd: [Heap]Set Box :: + { Apply0(t0, heap, Handle0(h, r, rd)) } + Apply0(t0, heap, Handle0(h, r, rd)) == h[heap]); + +axiom (forall t0: Ty, heap: Heap, h: [Heap]Box, r: [Heap]bool, rd: [Heap]Set Box :: + { Requires0(t0, heap, Handle0(h, r, rd)) } + r[heap] ==> Requires0(t0, heap, Handle0(h, r, rd))); + +axiom (forall t0: Ty, heap: Heap, h: [Heap]Box, r: [Heap]bool, rd: [Heap]Set Box, bx: Box :: + { Reads0(t0, heap, Handle0(h, r, rd))[bx] } + Reads0(t0, heap, Handle0(h, r, rd))[bx] == rd[heap][bx]); + +function {:inline} Requires0#canCall(t0: Ty, heap: Heap, f: HandleType) : bool +{ + true +} + +function {:inline} Reads0#canCall(t0: Ty, heap: Heap, f: HandleType) : bool +{ + true +} + +// frame axiom for Reads0 +axiom (forall t0: Ty, h0: Heap, h1: Heap, f: HandleType :: + { $HeapSucc(h0, h1), Reads0(t0, h1, f) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && $Is(f, Tclass._System.___hFunc0(t0)) + && (forall o: ref, fld: Field a :: + o != null && Reads0(t0, h0, f)[$Box(o)] ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Reads0(t0, h0, f) == Reads0(t0, h1, f)); + +// frame axiom for Reads0 +axiom (forall t0: Ty, h0: Heap, h1: Heap, f: HandleType :: + { $HeapSucc(h0, h1), Reads0(t0, h1, f) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && $Is(f, Tclass._System.___hFunc0(t0)) + && (forall o: ref, fld: Field a :: + o != null && Reads0(t0, h1, f)[$Box(o)] ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Reads0(t0, h0, f) == Reads0(t0, h1, f)); + +// frame axiom for Requires0 +axiom (forall t0: Ty, h0: Heap, h1: Heap, f: HandleType :: + { $HeapSucc(h0, h1), Requires0(t0, h1, f) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && $Is(f, Tclass._System.___hFunc0(t0)) + && (forall o: ref, fld: Field a :: + o != null && Reads0(t0, h0, f)[$Box(o)] ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Requires0(t0, h0, f) == Requires0(t0, h1, f)); + +// frame axiom for Requires0 +axiom (forall t0: Ty, h0: Heap, h1: Heap, f: HandleType :: + { $HeapSucc(h0, h1), Requires0(t0, h1, f) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && $Is(f, Tclass._System.___hFunc0(t0)) + && (forall o: ref, fld: Field a :: + o != null && Reads0(t0, h1, f)[$Box(o)] ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Requires0(t0, h0, f) == Requires0(t0, h1, f)); + +// frame axiom for Apply0 +axiom (forall t0: Ty, h0: Heap, h1: Heap, f: HandleType :: + { $HeapSucc(h0, h1), Apply0(t0, h1, f) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && $Is(f, Tclass._System.___hFunc0(t0)) + && (forall o: ref, fld: Field a :: + o != null && Reads0(t0, h0, f)[$Box(o)] ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Apply0(t0, h0, f) == Apply0(t0, h1, f)); + +// frame axiom for Apply0 +axiom (forall t0: Ty, h0: Heap, h1: Heap, f: HandleType :: + { $HeapSucc(h0, h1), Apply0(t0, h1, f) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && $Is(f, Tclass._System.___hFunc0(t0)) + && (forall o: ref, fld: Field a :: + o != null && Reads0(t0, h1, f)[$Box(o)] ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Apply0(t0, h0, f) == Apply0(t0, h1, f)); + +// empty-reads property for Reads0 +axiom (forall t0: Ty, heap: Heap, f: HandleType :: + { Reads0(t0, $OneHeap, f), $IsGoodHeap(heap) } { Reads0(t0, heap, f) } + $IsGoodHeap(heap) && $Is(f, Tclass._System.___hFunc0(t0)) + ==> (Set#Equal(Reads0(t0, $OneHeap, f), Set#Empty(): Set Box) + <==> Set#Equal(Reads0(t0, heap, f), Set#Empty(): Set Box))); + +// empty-reads property for Requires0 +axiom (forall t0: Ty, heap: Heap, f: HandleType :: + { Requires0(t0, $OneHeap, f), $IsGoodHeap(heap) } { Requires0(t0, heap, f) } + $IsGoodHeap(heap) + && $Is(f, Tclass._System.___hFunc0(t0)) + && Set#Equal(Reads0(t0, $OneHeap, f), Set#Empty(): Set Box) + ==> Requires0(t0, $OneHeap, f) == Requires0(t0, heap, f)); + +axiom (forall f: HandleType, t0: Ty :: + { $Is(f, Tclass._System.___hFunc0(t0)) } + $Is(f, Tclass._System.___hFunc0(t0)) + <==> (forall h: Heap :: + { Apply0(t0, h, f) } + $IsGoodHeap(h) && Requires0(t0, h, f) ==> $IsBox(Apply0(t0, h, f), t0))); + +axiom (forall f: HandleType, t0: Ty, u0: Ty :: + { $Is(f, Tclass._System.___hFunc0(t0)), $Is(f, Tclass._System.___hFunc0(u0)) } + $Is(f, Tclass._System.___hFunc0(t0)) + && (forall bx: Box :: + { $IsBox(bx, t0) } { $IsBox(bx, u0) } + $IsBox(bx, t0) ==> $IsBox(bx, u0)) + ==> $Is(f, Tclass._System.___hFunc0(u0))); + +axiom (forall f: HandleType, t0: Ty, h: Heap :: + { $IsAlloc(f, Tclass._System.___hFunc0(t0), h) } + $IsGoodHeap(h) + ==> ($IsAlloc(f, Tclass._System.___hFunc0(t0), h) + <==> Requires0(t0, h, f) + ==> (forall r: ref :: + { Reads0(t0, h, f)[$Box(r)] } + r != null && Reads0(t0, h, f)[$Box(r)] ==> read(h, r, alloc)))); + +axiom (forall f: HandleType, t0: Ty, h: Heap :: + { $IsAlloc(f, Tclass._System.___hFunc0(t0), h) } + $IsGoodHeap(h) && $IsAlloc(f, Tclass._System.___hFunc0(t0), h) + ==> + Requires0(t0, h, f) + ==> $IsAllocBox(Apply0(t0, h, f), t0, h)); + +function Tclass._System.___hPartialFunc0(Ty) : Ty; + +const unique Tagclass._System.___hPartialFunc0: TyTag; + +// Tclass._System.___hPartialFunc0 Tag +axiom (forall #$R: Ty :: + { Tclass._System.___hPartialFunc0(#$R) } + Tag(Tclass._System.___hPartialFunc0(#$R)) == Tagclass._System.___hPartialFunc0 + && TagFamily(Tclass._System.___hPartialFunc0(#$R)) == tytagFamily$_#PartialFunc0); + +function Tclass._System.___hPartialFunc0_0(Ty) : Ty; + +// Tclass._System.___hPartialFunc0 injectivity 0 +axiom (forall #$R: Ty :: + { Tclass._System.___hPartialFunc0(#$R) } + Tclass._System.___hPartialFunc0_0(Tclass._System.___hPartialFunc0(#$R)) == #$R); + +// Box/unbox axiom for Tclass._System.___hPartialFunc0 +axiom (forall #$R: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.___hPartialFunc0(#$R)) } + $IsBox(bx, Tclass._System.___hPartialFunc0(#$R)) + ==> $Box($Unbox(bx): HandleType) == bx + && $Is($Unbox(bx): HandleType, Tclass._System.___hPartialFunc0(#$R))); + +// _System._#PartialFunc0: subset type $Is +axiom (forall #$R: Ty, f#0: HandleType :: + { $Is(f#0, Tclass._System.___hPartialFunc0(#$R)) } + $Is(f#0, Tclass._System.___hPartialFunc0(#$R)) + <==> $Is(f#0, Tclass._System.___hFunc0(#$R)) + && Set#Equal(Reads0(#$R, $OneHeap, f#0), Set#Empty(): Set Box)); + +// _System._#PartialFunc0: subset type $IsAlloc +axiom (forall #$R: Ty, f#0: HandleType, $h: Heap :: + { $IsAlloc(f#0, Tclass._System.___hPartialFunc0(#$R), $h) } + $IsAlloc(f#0, Tclass._System.___hPartialFunc0(#$R), $h) + <==> $IsAlloc(f#0, Tclass._System.___hFunc0(#$R), $h)); + +function Tclass._System.___hTotalFunc0(Ty) : Ty; + +const unique Tagclass._System.___hTotalFunc0: TyTag; + +// Tclass._System.___hTotalFunc0 Tag +axiom (forall #$R: Ty :: + { Tclass._System.___hTotalFunc0(#$R) } + Tag(Tclass._System.___hTotalFunc0(#$R)) == Tagclass._System.___hTotalFunc0 + && TagFamily(Tclass._System.___hTotalFunc0(#$R)) == tytagFamily$_#TotalFunc0); + +function Tclass._System.___hTotalFunc0_0(Ty) : Ty; + +// Tclass._System.___hTotalFunc0 injectivity 0 +axiom (forall #$R: Ty :: + { Tclass._System.___hTotalFunc0(#$R) } + Tclass._System.___hTotalFunc0_0(Tclass._System.___hTotalFunc0(#$R)) == #$R); + +// Box/unbox axiom for Tclass._System.___hTotalFunc0 +axiom (forall #$R: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.___hTotalFunc0(#$R)) } + $IsBox(bx, Tclass._System.___hTotalFunc0(#$R)) + ==> $Box($Unbox(bx): HandleType) == bx + && $Is($Unbox(bx): HandleType, Tclass._System.___hTotalFunc0(#$R))); + +// _System._#TotalFunc0: subset type $Is +axiom (forall #$R: Ty, f#0: HandleType :: + { $Is(f#0, Tclass._System.___hTotalFunc0(#$R)) } + $Is(f#0, Tclass._System.___hTotalFunc0(#$R)) + <==> $Is(f#0, Tclass._System.___hPartialFunc0(#$R)) && Requires0(#$R, $OneHeap, f#0)); + +// _System._#TotalFunc0: subset type $IsAlloc +axiom (forall #$R: Ty, f#0: HandleType, $h: Heap :: + { $IsAlloc(f#0, Tclass._System.___hTotalFunc0(#$R), $h) } + $IsAlloc(f#0, Tclass._System.___hTotalFunc0(#$R), $h) + <==> $IsAlloc(f#0, Tclass._System.___hPartialFunc0(#$R), $h)); + +function Tclass._System.___hFunc2(Ty, Ty, Ty) : Ty; + +const unique Tagclass._System.___hFunc2: TyTag; + +// Tclass._System.___hFunc2 Tag +axiom (forall #$T0: Ty, #$T1: Ty, #$R: Ty :: + { Tclass._System.___hFunc2(#$T0, #$T1, #$R) } + Tag(Tclass._System.___hFunc2(#$T0, #$T1, #$R)) == Tagclass._System.___hFunc2 + && TagFamily(Tclass._System.___hFunc2(#$T0, #$T1, #$R)) == tytagFamily$_#Func2); + +function Tclass._System.___hFunc2_0(Ty) : Ty; + +// Tclass._System.___hFunc2 injectivity 0 +axiom (forall #$T0: Ty, #$T1: Ty, #$R: Ty :: + { Tclass._System.___hFunc2(#$T0, #$T1, #$R) } + Tclass._System.___hFunc2_0(Tclass._System.___hFunc2(#$T0, #$T1, #$R)) == #$T0); + +function Tclass._System.___hFunc2_1(Ty) : Ty; + +// Tclass._System.___hFunc2 injectivity 1 +axiom (forall #$T0: Ty, #$T1: Ty, #$R: Ty :: + { Tclass._System.___hFunc2(#$T0, #$T1, #$R) } + Tclass._System.___hFunc2_1(Tclass._System.___hFunc2(#$T0, #$T1, #$R)) == #$T1); + +function Tclass._System.___hFunc2_2(Ty) : Ty; + +// Tclass._System.___hFunc2 injectivity 2 +axiom (forall #$T0: Ty, #$T1: Ty, #$R: Ty :: + { Tclass._System.___hFunc2(#$T0, #$T1, #$R) } + Tclass._System.___hFunc2_2(Tclass._System.___hFunc2(#$T0, #$T1, #$R)) == #$R); + +// Box/unbox axiom for Tclass._System.___hFunc2 +axiom (forall #$T0: Ty, #$T1: Ty, #$R: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.___hFunc2(#$T0, #$T1, #$R)) } + $IsBox(bx, Tclass._System.___hFunc2(#$T0, #$T1, #$R)) + ==> $Box($Unbox(bx): HandleType) == bx + && $Is($Unbox(bx): HandleType, Tclass._System.___hFunc2(#$T0, #$T1, #$R))); + +function Handle2([Heap,Box,Box]Box, [Heap,Box,Box]bool, [Heap,Box,Box]Set Box) : HandleType; + +function Apply2(Ty, Ty, Ty, Heap, HandleType, Box, Box) : Box; + +function Requires2(Ty, Ty, Ty, Heap, HandleType, Box, Box) : bool; + +function Reads2(Ty, Ty, Ty, Heap, HandleType, Box, Box) : Set Box; + +axiom (forall t0: Ty, + t1: Ty, + t2: Ty, + heap: Heap, + h: [Heap,Box,Box]Box, + r: [Heap,Box,Box]bool, + rd: [Heap,Box,Box]Set Box, + bx0: Box, + bx1: Box :: + { Apply2(t0, t1, t2, heap, Handle2(h, r, rd), bx0, bx1) } + Apply2(t0, t1, t2, heap, Handle2(h, r, rd), bx0, bx1) == h[heap, bx0, bx1]); + +axiom (forall t0: Ty, + t1: Ty, + t2: Ty, + heap: Heap, + h: [Heap,Box,Box]Box, + r: [Heap,Box,Box]bool, + rd: [Heap,Box,Box]Set Box, + bx0: Box, + bx1: Box :: + { Requires2(t0, t1, t2, heap, Handle2(h, r, rd), bx0, bx1) } + r[heap, bx0, bx1] ==> Requires2(t0, t1, t2, heap, Handle2(h, r, rd), bx0, bx1)); + +axiom (forall t0: Ty, + t1: Ty, + t2: Ty, + heap: Heap, + h: [Heap,Box,Box]Box, + r: [Heap,Box,Box]bool, + rd: [Heap,Box,Box]Set Box, + bx0: Box, + bx1: Box, + bx: Box :: + { Reads2(t0, t1, t2, heap, Handle2(h, r, rd), bx0, bx1)[bx] } + Reads2(t0, t1, t2, heap, Handle2(h, r, rd), bx0, bx1)[bx] + == rd[heap, bx0, bx1][bx]); + +function {:inline} Requires2#canCall(t0: Ty, t1: Ty, t2: Ty, heap: Heap, f: HandleType, bx0: Box, bx1: Box) : bool +{ + true +} + +function {:inline} Reads2#canCall(t0: Ty, t1: Ty, t2: Ty, heap: Heap, f: HandleType, bx0: Box, bx1: Box) : bool +{ + true +} + +// frame axiom for Reads2 +axiom (forall t0: Ty, t1: Ty, t2: Ty, h0: Heap, h1: Heap, f: HandleType, bx0: Box, bx1: Box :: + { $HeapSucc(h0, h1), Reads2(t0, t1, t2, h1, f, bx0, bx1) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $IsBox(bx1, t1) + && $Is(f, Tclass._System.___hFunc2(t0, t1, t2)) + && (forall o: ref, fld: Field a :: + o != null && Reads2(t0, t1, t2, h0, f, bx0, bx1)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Reads2(t0, t1, t2, h0, f, bx0, bx1) == Reads2(t0, t1, t2, h1, f, bx0, bx1)); + +// frame axiom for Reads2 +axiom (forall t0: Ty, t1: Ty, t2: Ty, h0: Heap, h1: Heap, f: HandleType, bx0: Box, bx1: Box :: + { $HeapSucc(h0, h1), Reads2(t0, t1, t2, h1, f, bx0, bx1) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $IsBox(bx1, t1) + && $Is(f, Tclass._System.___hFunc2(t0, t1, t2)) + && (forall o: ref, fld: Field a :: + o != null && Reads2(t0, t1, t2, h1, f, bx0, bx1)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Reads2(t0, t1, t2, h0, f, bx0, bx1) == Reads2(t0, t1, t2, h1, f, bx0, bx1)); + +// frame axiom for Requires2 +axiom (forall t0: Ty, t1: Ty, t2: Ty, h0: Heap, h1: Heap, f: HandleType, bx0: Box, bx1: Box :: + { $HeapSucc(h0, h1), Requires2(t0, t1, t2, h1, f, bx0, bx1) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $IsBox(bx1, t1) + && $Is(f, Tclass._System.___hFunc2(t0, t1, t2)) + && (forall o: ref, fld: Field a :: + o != null && Reads2(t0, t1, t2, h0, f, bx0, bx1)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Requires2(t0, t1, t2, h0, f, bx0, bx1) == Requires2(t0, t1, t2, h1, f, bx0, bx1)); + +// frame axiom for Requires2 +axiom (forall t0: Ty, t1: Ty, t2: Ty, h0: Heap, h1: Heap, f: HandleType, bx0: Box, bx1: Box :: + { $HeapSucc(h0, h1), Requires2(t0, t1, t2, h1, f, bx0, bx1) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $IsBox(bx1, t1) + && $Is(f, Tclass._System.___hFunc2(t0, t1, t2)) + && (forall o: ref, fld: Field a :: + o != null && Reads2(t0, t1, t2, h1, f, bx0, bx1)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Requires2(t0, t1, t2, h0, f, bx0, bx1) == Requires2(t0, t1, t2, h1, f, bx0, bx1)); + +// frame axiom for Apply2 +axiom (forall t0: Ty, t1: Ty, t2: Ty, h0: Heap, h1: Heap, f: HandleType, bx0: Box, bx1: Box :: + { $HeapSucc(h0, h1), Apply2(t0, t1, t2, h1, f, bx0, bx1) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $IsBox(bx1, t1) + && $Is(f, Tclass._System.___hFunc2(t0, t1, t2)) + && (forall o: ref, fld: Field a :: + o != null && Reads2(t0, t1, t2, h0, f, bx0, bx1)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Apply2(t0, t1, t2, h0, f, bx0, bx1) == Apply2(t0, t1, t2, h1, f, bx0, bx1)); + +// frame axiom for Apply2 +axiom (forall t0: Ty, t1: Ty, t2: Ty, h0: Heap, h1: Heap, f: HandleType, bx0: Box, bx1: Box :: + { $HeapSucc(h0, h1), Apply2(t0, t1, t2, h1, f, bx0, bx1) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $IsBox(bx1, t1) + && $Is(f, Tclass._System.___hFunc2(t0, t1, t2)) + && (forall o: ref, fld: Field a :: + o != null && Reads2(t0, t1, t2, h1, f, bx0, bx1)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Apply2(t0, t1, t2, h0, f, bx0, bx1) == Apply2(t0, t1, t2, h1, f, bx0, bx1)); + +// empty-reads property for Reads2 +axiom (forall t0: Ty, t1: Ty, t2: Ty, heap: Heap, f: HandleType, bx0: Box, bx1: Box :: + { Reads2(t0, t1, t2, $OneHeap, f, bx0, bx1), $IsGoodHeap(heap) } + { Reads2(t0, t1, t2, heap, f, bx0, bx1) } + $IsGoodHeap(heap) + && + $IsBox(bx0, t0) + && $IsBox(bx1, t1) + && $Is(f, Tclass._System.___hFunc2(t0, t1, t2)) + ==> (Set#Equal(Reads2(t0, t1, t2, $OneHeap, f, bx0, bx1), Set#Empty(): Set Box) + <==> Set#Equal(Reads2(t0, t1, t2, heap, f, bx0, bx1), Set#Empty(): Set Box))); + +// empty-reads property for Requires2 +axiom (forall t0: Ty, t1: Ty, t2: Ty, heap: Heap, f: HandleType, bx0: Box, bx1: Box :: + { Requires2(t0, t1, t2, $OneHeap, f, bx0, bx1), $IsGoodHeap(heap) } + { Requires2(t0, t1, t2, heap, f, bx0, bx1) } + $IsGoodHeap(heap) + && + $IsBox(bx0, t0) + && $IsBox(bx1, t1) + && $Is(f, Tclass._System.___hFunc2(t0, t1, t2)) + && Set#Equal(Reads2(t0, t1, t2, $OneHeap, f, bx0, bx1), Set#Empty(): Set Box) + ==> Requires2(t0, t1, t2, $OneHeap, f, bx0, bx1) + == Requires2(t0, t1, t2, heap, f, bx0, bx1)); + +axiom (forall f: HandleType, t0: Ty, t1: Ty, t2: Ty :: + { $Is(f, Tclass._System.___hFunc2(t0, t1, t2)) } + $Is(f, Tclass._System.___hFunc2(t0, t1, t2)) + <==> (forall h: Heap, bx0: Box, bx1: Box :: + { Apply2(t0, t1, t2, h, f, bx0, bx1) } + $IsGoodHeap(h) + && + $IsBox(bx0, t0) + && $IsBox(bx1, t1) + && Requires2(t0, t1, t2, h, f, bx0, bx1) + ==> $IsBox(Apply2(t0, t1, t2, h, f, bx0, bx1), t2))); + +axiom (forall f: HandleType, t0: Ty, t1: Ty, t2: Ty, u0: Ty, u1: Ty, u2: Ty :: + { $Is(f, Tclass._System.___hFunc2(t0, t1, t2)), $Is(f, Tclass._System.___hFunc2(u0, u1, u2)) } + $Is(f, Tclass._System.___hFunc2(t0, t1, t2)) + && (forall bx: Box :: + { $IsBox(bx, u0) } { $IsBox(bx, t0) } + $IsBox(bx, u0) ==> $IsBox(bx, t0)) + && (forall bx: Box :: + { $IsBox(bx, u1) } { $IsBox(bx, t1) } + $IsBox(bx, u1) ==> $IsBox(bx, t1)) + && (forall bx: Box :: + { $IsBox(bx, t2) } { $IsBox(bx, u2) } + $IsBox(bx, t2) ==> $IsBox(bx, u2)) + ==> $Is(f, Tclass._System.___hFunc2(u0, u1, u2))); + +axiom (forall f: HandleType, t0: Ty, t1: Ty, t2: Ty, h: Heap :: + { $IsAlloc(f, Tclass._System.___hFunc2(t0, t1, t2), h) } + $IsGoodHeap(h) + ==> ($IsAlloc(f, Tclass._System.___hFunc2(t0, t1, t2), h) + <==> (forall bx0: Box, bx1: Box :: + { Apply2(t0, t1, t2, h, f, bx0, bx1) } { Reads2(t0, t1, t2, h, f, bx0, bx1) } + $IsBox(bx0, t0) + && $IsAllocBox(bx0, t0, h) + && + $IsBox(bx1, t1) + && $IsAllocBox(bx1, t1, h) + && Requires2(t0, t1, t2, h, f, bx0, bx1) + ==> (forall r: ref :: + { Reads2(t0, t1, t2, h, f, bx0, bx1)[$Box(r)] } + r != null && Reads2(t0, t1, t2, h, f, bx0, bx1)[$Box(r)] ==> read(h, r, alloc))))); + +axiom (forall f: HandleType, t0: Ty, t1: Ty, t2: Ty, h: Heap :: + { $IsAlloc(f, Tclass._System.___hFunc2(t0, t1, t2), h) } + $IsGoodHeap(h) && $IsAlloc(f, Tclass._System.___hFunc2(t0, t1, t2), h) + ==> (forall bx0: Box, bx1: Box :: + { Apply2(t0, t1, t2, h, f, bx0, bx1) } + $IsAllocBox(bx0, t0, h) + && $IsAllocBox(bx1, t1, h) + && Requires2(t0, t1, t2, h, f, bx0, bx1) + ==> $IsAllocBox(Apply2(t0, t1, t2, h, f, bx0, bx1), t2, h))); + +function Tclass._System.___hPartialFunc2(Ty, Ty, Ty) : Ty; + +const unique Tagclass._System.___hPartialFunc2: TyTag; + +// Tclass._System.___hPartialFunc2 Tag +axiom (forall #$T0: Ty, #$T1: Ty, #$R: Ty :: + { Tclass._System.___hPartialFunc2(#$T0, #$T1, #$R) } + Tag(Tclass._System.___hPartialFunc2(#$T0, #$T1, #$R)) + == Tagclass._System.___hPartialFunc2 + && TagFamily(Tclass._System.___hPartialFunc2(#$T0, #$T1, #$R)) + == tytagFamily$_#PartialFunc2); + +function Tclass._System.___hPartialFunc2_0(Ty) : Ty; + +// Tclass._System.___hPartialFunc2 injectivity 0 +axiom (forall #$T0: Ty, #$T1: Ty, #$R: Ty :: + { Tclass._System.___hPartialFunc2(#$T0, #$T1, #$R) } + Tclass._System.___hPartialFunc2_0(Tclass._System.___hPartialFunc2(#$T0, #$T1, #$R)) + == #$T0); + +function Tclass._System.___hPartialFunc2_1(Ty) : Ty; + +// Tclass._System.___hPartialFunc2 injectivity 1 +axiom (forall #$T0: Ty, #$T1: Ty, #$R: Ty :: + { Tclass._System.___hPartialFunc2(#$T0, #$T1, #$R) } + Tclass._System.___hPartialFunc2_1(Tclass._System.___hPartialFunc2(#$T0, #$T1, #$R)) + == #$T1); + +function Tclass._System.___hPartialFunc2_2(Ty) : Ty; + +// Tclass._System.___hPartialFunc2 injectivity 2 +axiom (forall #$T0: Ty, #$T1: Ty, #$R: Ty :: + { Tclass._System.___hPartialFunc2(#$T0, #$T1, #$R) } + Tclass._System.___hPartialFunc2_2(Tclass._System.___hPartialFunc2(#$T0, #$T1, #$R)) + == #$R); + +// Box/unbox axiom for Tclass._System.___hPartialFunc2 +axiom (forall #$T0: Ty, #$T1: Ty, #$R: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.___hPartialFunc2(#$T0, #$T1, #$R)) } + $IsBox(bx, Tclass._System.___hPartialFunc2(#$T0, #$T1, #$R)) + ==> $Box($Unbox(bx): HandleType) == bx + && $Is($Unbox(bx): HandleType, Tclass._System.___hPartialFunc2(#$T0, #$T1, #$R))); + +// _System._#PartialFunc2: subset type $Is +axiom (forall #$T0: Ty, #$T1: Ty, #$R: Ty, f#0: HandleType :: + { $Is(f#0, Tclass._System.___hPartialFunc2(#$T0, #$T1, #$R)) } + $Is(f#0, Tclass._System.___hPartialFunc2(#$T0, #$T1, #$R)) + <==> $Is(f#0, Tclass._System.___hFunc2(#$T0, #$T1, #$R)) + && (forall x0#0: Box, x1#0: Box :: + $IsBox(x0#0, #$T0) && $IsBox(x1#0, #$T1) + ==> Set#Equal(Reads2(#$T0, #$T1, #$R, $OneHeap, f#0, x0#0, x1#0), Set#Empty(): Set Box))); + +// _System._#PartialFunc2: subset type $IsAlloc +axiom (forall #$T0: Ty, #$T1: Ty, #$R: Ty, f#0: HandleType, $h: Heap :: + { $IsAlloc(f#0, Tclass._System.___hPartialFunc2(#$T0, #$T1, #$R), $h) } + $IsAlloc(f#0, Tclass._System.___hPartialFunc2(#$T0, #$T1, #$R), $h) + <==> $IsAlloc(f#0, Tclass._System.___hFunc2(#$T0, #$T1, #$R), $h)); + +function Tclass._System.___hTotalFunc2(Ty, Ty, Ty) : Ty; + +const unique Tagclass._System.___hTotalFunc2: TyTag; + +// Tclass._System.___hTotalFunc2 Tag +axiom (forall #$T0: Ty, #$T1: Ty, #$R: Ty :: + { Tclass._System.___hTotalFunc2(#$T0, #$T1, #$R) } + Tag(Tclass._System.___hTotalFunc2(#$T0, #$T1, #$R)) + == Tagclass._System.___hTotalFunc2 + && TagFamily(Tclass._System.___hTotalFunc2(#$T0, #$T1, #$R)) + == tytagFamily$_#TotalFunc2); + +function Tclass._System.___hTotalFunc2_0(Ty) : Ty; + +// Tclass._System.___hTotalFunc2 injectivity 0 +axiom (forall #$T0: Ty, #$T1: Ty, #$R: Ty :: + { Tclass._System.___hTotalFunc2(#$T0, #$T1, #$R) } + Tclass._System.___hTotalFunc2_0(Tclass._System.___hTotalFunc2(#$T0, #$T1, #$R)) + == #$T0); + +function Tclass._System.___hTotalFunc2_1(Ty) : Ty; + +// Tclass._System.___hTotalFunc2 injectivity 1 +axiom (forall #$T0: Ty, #$T1: Ty, #$R: Ty :: + { Tclass._System.___hTotalFunc2(#$T0, #$T1, #$R) } + Tclass._System.___hTotalFunc2_1(Tclass._System.___hTotalFunc2(#$T0, #$T1, #$R)) + == #$T1); + +function Tclass._System.___hTotalFunc2_2(Ty) : Ty; + +// Tclass._System.___hTotalFunc2 injectivity 2 +axiom (forall #$T0: Ty, #$T1: Ty, #$R: Ty :: + { Tclass._System.___hTotalFunc2(#$T0, #$T1, #$R) } + Tclass._System.___hTotalFunc2_2(Tclass._System.___hTotalFunc2(#$T0, #$T1, #$R)) + == #$R); + +// Box/unbox axiom for Tclass._System.___hTotalFunc2 +axiom (forall #$T0: Ty, #$T1: Ty, #$R: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.___hTotalFunc2(#$T0, #$T1, #$R)) } + $IsBox(bx, Tclass._System.___hTotalFunc2(#$T0, #$T1, #$R)) + ==> $Box($Unbox(bx): HandleType) == bx + && $Is($Unbox(bx): HandleType, Tclass._System.___hTotalFunc2(#$T0, #$T1, #$R))); + +// _System._#TotalFunc2: subset type $Is +axiom (forall #$T0: Ty, #$T1: Ty, #$R: Ty, f#0: HandleType :: + { $Is(f#0, Tclass._System.___hTotalFunc2(#$T0, #$T1, #$R)) } + $Is(f#0, Tclass._System.___hTotalFunc2(#$T0, #$T1, #$R)) + <==> $Is(f#0, Tclass._System.___hPartialFunc2(#$T0, #$T1, #$R)) + && (forall x0#0: Box, x1#0: Box :: + $IsBox(x0#0, #$T0) && $IsBox(x1#0, #$T1) + ==> Requires2(#$T0, #$T1, #$R, $OneHeap, f#0, x0#0, x1#0))); + +// _System._#TotalFunc2: subset type $IsAlloc +axiom (forall #$T0: Ty, #$T1: Ty, #$R: Ty, f#0: HandleType, $h: Heap :: + { $IsAlloc(f#0, Tclass._System.___hTotalFunc2(#$T0, #$T1, #$R), $h) } + $IsAlloc(f#0, Tclass._System.___hTotalFunc2(#$T0, #$T1, #$R), $h) + <==> $IsAlloc(f#0, Tclass._System.___hPartialFunc2(#$T0, #$T1, #$R), $h)); + +function Tclass._System.___hFunc3(Ty, Ty, Ty, Ty) : Ty; + +const unique Tagclass._System.___hFunc3: TyTag; + +// Tclass._System.___hFunc3 Tag +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$R: Ty :: + { Tclass._System.___hFunc3(#$T0, #$T1, #$T2, #$R) } + Tag(Tclass._System.___hFunc3(#$T0, #$T1, #$T2, #$R)) + == Tagclass._System.___hFunc3 + && TagFamily(Tclass._System.___hFunc3(#$T0, #$T1, #$T2, #$R)) + == tytagFamily$_#Func3); + +function Tclass._System.___hFunc3_0(Ty) : Ty; + +// Tclass._System.___hFunc3 injectivity 0 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$R: Ty :: + { Tclass._System.___hFunc3(#$T0, #$T1, #$T2, #$R) } + Tclass._System.___hFunc3_0(Tclass._System.___hFunc3(#$T0, #$T1, #$T2, #$R)) + == #$T0); + +function Tclass._System.___hFunc3_1(Ty) : Ty; + +// Tclass._System.___hFunc3 injectivity 1 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$R: Ty :: + { Tclass._System.___hFunc3(#$T0, #$T1, #$T2, #$R) } + Tclass._System.___hFunc3_1(Tclass._System.___hFunc3(#$T0, #$T1, #$T2, #$R)) + == #$T1); + +function Tclass._System.___hFunc3_2(Ty) : Ty; + +// Tclass._System.___hFunc3 injectivity 2 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$R: Ty :: + { Tclass._System.___hFunc3(#$T0, #$T1, #$T2, #$R) } + Tclass._System.___hFunc3_2(Tclass._System.___hFunc3(#$T0, #$T1, #$T2, #$R)) + == #$T2); + +function Tclass._System.___hFunc3_3(Ty) : Ty; + +// Tclass._System.___hFunc3 injectivity 3 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$R: Ty :: + { Tclass._System.___hFunc3(#$T0, #$T1, #$T2, #$R) } + Tclass._System.___hFunc3_3(Tclass._System.___hFunc3(#$T0, #$T1, #$T2, #$R)) + == #$R); + +// Box/unbox axiom for Tclass._System.___hFunc3 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$R: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.___hFunc3(#$T0, #$T1, #$T2, #$R)) } + $IsBox(bx, Tclass._System.___hFunc3(#$T0, #$T1, #$T2, #$R)) + ==> $Box($Unbox(bx): HandleType) == bx + && $Is($Unbox(bx): HandleType, Tclass._System.___hFunc3(#$T0, #$T1, #$T2, #$R))); + +function Handle3([Heap,Box,Box,Box]Box, [Heap,Box,Box,Box]bool, [Heap,Box,Box,Box]Set Box) + : HandleType; + +function Apply3(Ty, Ty, Ty, Ty, Heap, HandleType, Box, Box, Box) : Box; + +function Requires3(Ty, Ty, Ty, Ty, Heap, HandleType, Box, Box, Box) : bool; + +function Reads3(Ty, Ty, Ty, Ty, Heap, HandleType, Box, Box, Box) : Set Box; + +axiom (forall t0: Ty, + t1: Ty, + t2: Ty, + t3: Ty, + heap: Heap, + h: [Heap,Box,Box,Box]Box, + r: [Heap,Box,Box,Box]bool, + rd: [Heap,Box,Box,Box]Set Box, + bx0: Box, + bx1: Box, + bx2: Box :: + { Apply3(t0, t1, t2, t3, heap, Handle3(h, r, rd), bx0, bx1, bx2) } + Apply3(t0, t1, t2, t3, heap, Handle3(h, r, rd), bx0, bx1, bx2) + == h[heap, bx0, bx1, bx2]); + +axiom (forall t0: Ty, + t1: Ty, + t2: Ty, + t3: Ty, + heap: Heap, + h: [Heap,Box,Box,Box]Box, + r: [Heap,Box,Box,Box]bool, + rd: [Heap,Box,Box,Box]Set Box, + bx0: Box, + bx1: Box, + bx2: Box :: + { Requires3(t0, t1, t2, t3, heap, Handle3(h, r, rd), bx0, bx1, bx2) } + r[heap, bx0, bx1, bx2] + ==> Requires3(t0, t1, t2, t3, heap, Handle3(h, r, rd), bx0, bx1, bx2)); + +axiom (forall t0: Ty, + t1: Ty, + t2: Ty, + t3: Ty, + heap: Heap, + h: [Heap,Box,Box,Box]Box, + r: [Heap,Box,Box,Box]bool, + rd: [Heap,Box,Box,Box]Set Box, + bx0: Box, + bx1: Box, + bx2: Box, + bx: Box :: + { Reads3(t0, t1, t2, t3, heap, Handle3(h, r, rd), bx0, bx1, bx2)[bx] } + Reads3(t0, t1, t2, t3, heap, Handle3(h, r, rd), bx0, bx1, bx2)[bx] + == rd[heap, bx0, bx1, bx2][bx]); + +function {:inline} Requires3#canCall(t0: Ty, + t1: Ty, + t2: Ty, + t3: Ty, + heap: Heap, + f: HandleType, + bx0: Box, + bx1: Box, + bx2: Box) + : bool +{ + true +} + +function {:inline} Reads3#canCall(t0: Ty, + t1: Ty, + t2: Ty, + t3: Ty, + heap: Heap, + f: HandleType, + bx0: Box, + bx1: Box, + bx2: Box) + : bool +{ + true +} + +// frame axiom for Reads3 +axiom (forall t0: Ty, + t1: Ty, + t2: Ty, + t3: Ty, + h0: Heap, + h1: Heap, + f: HandleType, + bx0: Box, + bx1: Box, + bx2: Box :: + { $HeapSucc(h0, h1), Reads3(t0, t1, t2, t3, h1, f, bx0, bx1, bx2) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $IsBox(bx1, t1) + && $IsBox(bx2, t2) + && $Is(f, Tclass._System.___hFunc3(t0, t1, t2, t3)) + && (forall o: ref, fld: Field a :: + o != null && Reads3(t0, t1, t2, t3, h0, f, bx0, bx1, bx2)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Reads3(t0, t1, t2, t3, h0, f, bx0, bx1, bx2) + == Reads3(t0, t1, t2, t3, h1, f, bx0, bx1, bx2)); + +// frame axiom for Reads3 +axiom (forall t0: Ty, + t1: Ty, + t2: Ty, + t3: Ty, + h0: Heap, + h1: Heap, + f: HandleType, + bx0: Box, + bx1: Box, + bx2: Box :: + { $HeapSucc(h0, h1), Reads3(t0, t1, t2, t3, h1, f, bx0, bx1, bx2) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $IsBox(bx1, t1) + && $IsBox(bx2, t2) + && $Is(f, Tclass._System.___hFunc3(t0, t1, t2, t3)) + && (forall o: ref, fld: Field a :: + o != null && Reads3(t0, t1, t2, t3, h1, f, bx0, bx1, bx2)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Reads3(t0, t1, t2, t3, h0, f, bx0, bx1, bx2) + == Reads3(t0, t1, t2, t3, h1, f, bx0, bx1, bx2)); + +// frame axiom for Requires3 +axiom (forall t0: Ty, + t1: Ty, + t2: Ty, + t3: Ty, + h0: Heap, + h1: Heap, + f: HandleType, + bx0: Box, + bx1: Box, + bx2: Box :: + { $HeapSucc(h0, h1), Requires3(t0, t1, t2, t3, h1, f, bx0, bx1, bx2) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $IsBox(bx1, t1) + && $IsBox(bx2, t2) + && $Is(f, Tclass._System.___hFunc3(t0, t1, t2, t3)) + && (forall o: ref, fld: Field a :: + o != null && Reads3(t0, t1, t2, t3, h0, f, bx0, bx1, bx2)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Requires3(t0, t1, t2, t3, h0, f, bx0, bx1, bx2) + == Requires3(t0, t1, t2, t3, h1, f, bx0, bx1, bx2)); + +// frame axiom for Requires3 +axiom (forall t0: Ty, + t1: Ty, + t2: Ty, + t3: Ty, + h0: Heap, + h1: Heap, + f: HandleType, + bx0: Box, + bx1: Box, + bx2: Box :: + { $HeapSucc(h0, h1), Requires3(t0, t1, t2, t3, h1, f, bx0, bx1, bx2) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $IsBox(bx1, t1) + && $IsBox(bx2, t2) + && $Is(f, Tclass._System.___hFunc3(t0, t1, t2, t3)) + && (forall o: ref, fld: Field a :: + o != null && Reads3(t0, t1, t2, t3, h1, f, bx0, bx1, bx2)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Requires3(t0, t1, t2, t3, h0, f, bx0, bx1, bx2) + == Requires3(t0, t1, t2, t3, h1, f, bx0, bx1, bx2)); + +// frame axiom for Apply3 +axiom (forall t0: Ty, + t1: Ty, + t2: Ty, + t3: Ty, + h0: Heap, + h1: Heap, + f: HandleType, + bx0: Box, + bx1: Box, + bx2: Box :: + { $HeapSucc(h0, h1), Apply3(t0, t1, t2, t3, h1, f, bx0, bx1, bx2) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $IsBox(bx1, t1) + && $IsBox(bx2, t2) + && $Is(f, Tclass._System.___hFunc3(t0, t1, t2, t3)) + && (forall o: ref, fld: Field a :: + o != null && Reads3(t0, t1, t2, t3, h0, f, bx0, bx1, bx2)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Apply3(t0, t1, t2, t3, h0, f, bx0, bx1, bx2) + == Apply3(t0, t1, t2, t3, h1, f, bx0, bx1, bx2)); + +// frame axiom for Apply3 +axiom (forall t0: Ty, + t1: Ty, + t2: Ty, + t3: Ty, + h0: Heap, + h1: Heap, + f: HandleType, + bx0: Box, + bx1: Box, + bx2: Box :: + { $HeapSucc(h0, h1), Apply3(t0, t1, t2, t3, h1, f, bx0, bx1, bx2) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $IsBox(bx1, t1) + && $IsBox(bx2, t2) + && $Is(f, Tclass._System.___hFunc3(t0, t1, t2, t3)) + && (forall o: ref, fld: Field a :: + o != null && Reads3(t0, t1, t2, t3, h1, f, bx0, bx1, bx2)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Apply3(t0, t1, t2, t3, h0, f, bx0, bx1, bx2) + == Apply3(t0, t1, t2, t3, h1, f, bx0, bx1, bx2)); + +// empty-reads property for Reads3 +axiom (forall t0: Ty, + t1: Ty, + t2: Ty, + t3: Ty, + heap: Heap, + f: HandleType, + bx0: Box, + bx1: Box, + bx2: Box :: + { Reads3(t0, t1, t2, t3, $OneHeap, f, bx0, bx1, bx2), $IsGoodHeap(heap) } + { Reads3(t0, t1, t2, t3, heap, f, bx0, bx1, bx2) } + $IsGoodHeap(heap) + && + $IsBox(bx0, t0) + && $IsBox(bx1, t1) + && $IsBox(bx2, t2) + && $Is(f, Tclass._System.___hFunc3(t0, t1, t2, t3)) + ==> (Set#Equal(Reads3(t0, t1, t2, t3, $OneHeap, f, bx0, bx1, bx2), Set#Empty(): Set Box) + <==> Set#Equal(Reads3(t0, t1, t2, t3, heap, f, bx0, bx1, bx2), Set#Empty(): Set Box))); + +// empty-reads property for Requires3 +axiom (forall t0: Ty, + t1: Ty, + t2: Ty, + t3: Ty, + heap: Heap, + f: HandleType, + bx0: Box, + bx1: Box, + bx2: Box :: + { Requires3(t0, t1, t2, t3, $OneHeap, f, bx0, bx1, bx2), $IsGoodHeap(heap) } + { Requires3(t0, t1, t2, t3, heap, f, bx0, bx1, bx2) } + $IsGoodHeap(heap) + && + $IsBox(bx0, t0) + && $IsBox(bx1, t1) + && $IsBox(bx2, t2) + && $Is(f, Tclass._System.___hFunc3(t0, t1, t2, t3)) + && Set#Equal(Reads3(t0, t1, t2, t3, $OneHeap, f, bx0, bx1, bx2), Set#Empty(): Set Box) + ==> Requires3(t0, t1, t2, t3, $OneHeap, f, bx0, bx1, bx2) + == Requires3(t0, t1, t2, t3, heap, f, bx0, bx1, bx2)); + +axiom (forall f: HandleType, t0: Ty, t1: Ty, t2: Ty, t3: Ty :: + { $Is(f, Tclass._System.___hFunc3(t0, t1, t2, t3)) } + $Is(f, Tclass._System.___hFunc3(t0, t1, t2, t3)) + <==> (forall h: Heap, bx0: Box, bx1: Box, bx2: Box :: + { Apply3(t0, t1, t2, t3, h, f, bx0, bx1, bx2) } + $IsGoodHeap(h) + && + $IsBox(bx0, t0) + && $IsBox(bx1, t1) + && $IsBox(bx2, t2) + && Requires3(t0, t1, t2, t3, h, f, bx0, bx1, bx2) + ==> $IsBox(Apply3(t0, t1, t2, t3, h, f, bx0, bx1, bx2), t3))); + +axiom (forall f: HandleType, t0: Ty, t1: Ty, t2: Ty, t3: Ty, u0: Ty, u1: Ty, u2: Ty, u3: Ty :: + { $Is(f, Tclass._System.___hFunc3(t0, t1, t2, t3)), $Is(f, Tclass._System.___hFunc3(u0, u1, u2, u3)) } + $Is(f, Tclass._System.___hFunc3(t0, t1, t2, t3)) + && (forall bx: Box :: + { $IsBox(bx, u0) } { $IsBox(bx, t0) } + $IsBox(bx, u0) ==> $IsBox(bx, t0)) + && (forall bx: Box :: + { $IsBox(bx, u1) } { $IsBox(bx, t1) } + $IsBox(bx, u1) ==> $IsBox(bx, t1)) + && (forall bx: Box :: + { $IsBox(bx, u2) } { $IsBox(bx, t2) } + $IsBox(bx, u2) ==> $IsBox(bx, t2)) + && (forall bx: Box :: + { $IsBox(bx, t3) } { $IsBox(bx, u3) } + $IsBox(bx, t3) ==> $IsBox(bx, u3)) + ==> $Is(f, Tclass._System.___hFunc3(u0, u1, u2, u3))); + +axiom (forall f: HandleType, t0: Ty, t1: Ty, t2: Ty, t3: Ty, h: Heap :: + { $IsAlloc(f, Tclass._System.___hFunc3(t0, t1, t2, t3), h) } + $IsGoodHeap(h) + ==> ($IsAlloc(f, Tclass._System.___hFunc3(t0, t1, t2, t3), h) + <==> (forall bx0: Box, bx1: Box, bx2: Box :: + { Apply3(t0, t1, t2, t3, h, f, bx0, bx1, bx2) } + { Reads3(t0, t1, t2, t3, h, f, bx0, bx1, bx2) } + $IsBox(bx0, t0) + && $IsAllocBox(bx0, t0, h) + && + $IsBox(bx1, t1) + && $IsAllocBox(bx1, t1, h) + && + $IsBox(bx2, t2) + && $IsAllocBox(bx2, t2, h) + && Requires3(t0, t1, t2, t3, h, f, bx0, bx1, bx2) + ==> (forall r: ref :: + { Reads3(t0, t1, t2, t3, h, f, bx0, bx1, bx2)[$Box(r)] } + r != null && Reads3(t0, t1, t2, t3, h, f, bx0, bx1, bx2)[$Box(r)] + ==> read(h, r, alloc))))); + +axiom (forall f: HandleType, t0: Ty, t1: Ty, t2: Ty, t3: Ty, h: Heap :: + { $IsAlloc(f, Tclass._System.___hFunc3(t0, t1, t2, t3), h) } + $IsGoodHeap(h) && $IsAlloc(f, Tclass._System.___hFunc3(t0, t1, t2, t3), h) + ==> (forall bx0: Box, bx1: Box, bx2: Box :: + { Apply3(t0, t1, t2, t3, h, f, bx0, bx1, bx2) } + $IsAllocBox(bx0, t0, h) + && $IsAllocBox(bx1, t1, h) + && $IsAllocBox(bx2, t2, h) + && Requires3(t0, t1, t2, t3, h, f, bx0, bx1, bx2) + ==> $IsAllocBox(Apply3(t0, t1, t2, t3, h, f, bx0, bx1, bx2), t3, h))); + +function Tclass._System.___hPartialFunc3(Ty, Ty, Ty, Ty) : Ty; + +const unique Tagclass._System.___hPartialFunc3: TyTag; + +// Tclass._System.___hPartialFunc3 Tag +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$R: Ty :: + { Tclass._System.___hPartialFunc3(#$T0, #$T1, #$T2, #$R) } + Tag(Tclass._System.___hPartialFunc3(#$T0, #$T1, #$T2, #$R)) + == Tagclass._System.___hPartialFunc3 + && TagFamily(Tclass._System.___hPartialFunc3(#$T0, #$T1, #$T2, #$R)) + == tytagFamily$_#PartialFunc3); + +function Tclass._System.___hPartialFunc3_0(Ty) : Ty; + +// Tclass._System.___hPartialFunc3 injectivity 0 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$R: Ty :: + { Tclass._System.___hPartialFunc3(#$T0, #$T1, #$T2, #$R) } + Tclass._System.___hPartialFunc3_0(Tclass._System.___hPartialFunc3(#$T0, #$T1, #$T2, #$R)) + == #$T0); + +function Tclass._System.___hPartialFunc3_1(Ty) : Ty; + +// Tclass._System.___hPartialFunc3 injectivity 1 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$R: Ty :: + { Tclass._System.___hPartialFunc3(#$T0, #$T1, #$T2, #$R) } + Tclass._System.___hPartialFunc3_1(Tclass._System.___hPartialFunc3(#$T0, #$T1, #$T2, #$R)) + == #$T1); + +function Tclass._System.___hPartialFunc3_2(Ty) : Ty; + +// Tclass._System.___hPartialFunc3 injectivity 2 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$R: Ty :: + { Tclass._System.___hPartialFunc3(#$T0, #$T1, #$T2, #$R) } + Tclass._System.___hPartialFunc3_2(Tclass._System.___hPartialFunc3(#$T0, #$T1, #$T2, #$R)) + == #$T2); + +function Tclass._System.___hPartialFunc3_3(Ty) : Ty; + +// Tclass._System.___hPartialFunc3 injectivity 3 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$R: Ty :: + { Tclass._System.___hPartialFunc3(#$T0, #$T1, #$T2, #$R) } + Tclass._System.___hPartialFunc3_3(Tclass._System.___hPartialFunc3(#$T0, #$T1, #$T2, #$R)) + == #$R); + +// Box/unbox axiom for Tclass._System.___hPartialFunc3 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$R: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.___hPartialFunc3(#$T0, #$T1, #$T2, #$R)) } + $IsBox(bx, Tclass._System.___hPartialFunc3(#$T0, #$T1, #$T2, #$R)) + ==> $Box($Unbox(bx): HandleType) == bx + && $Is($Unbox(bx): HandleType, Tclass._System.___hPartialFunc3(#$T0, #$T1, #$T2, #$R))); + +// _System._#PartialFunc3: subset type $Is +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$R: Ty, f#0: HandleType :: + { $Is(f#0, Tclass._System.___hPartialFunc3(#$T0, #$T1, #$T2, #$R)) } + $Is(f#0, Tclass._System.___hPartialFunc3(#$T0, #$T1, #$T2, #$R)) + <==> $Is(f#0, Tclass._System.___hFunc3(#$T0, #$T1, #$T2, #$R)) + && (forall x0#0: Box, x1#0: Box, x2#0: Box :: + $IsBox(x0#0, #$T0) && $IsBox(x1#0, #$T1) && $IsBox(x2#0, #$T2) + ==> Set#Equal(Reads3(#$T0, #$T1, #$T2, #$R, $OneHeap, f#0, x0#0, x1#0, x2#0), + Set#Empty(): Set Box))); + +// _System._#PartialFunc3: subset type $IsAlloc +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$R: Ty, f#0: HandleType, $h: Heap :: + { $IsAlloc(f#0, Tclass._System.___hPartialFunc3(#$T0, #$T1, #$T2, #$R), $h) } + $IsAlloc(f#0, Tclass._System.___hPartialFunc3(#$T0, #$T1, #$T2, #$R), $h) + <==> $IsAlloc(f#0, Tclass._System.___hFunc3(#$T0, #$T1, #$T2, #$R), $h)); + +function Tclass._System.___hTotalFunc3(Ty, Ty, Ty, Ty) : Ty; + +const unique Tagclass._System.___hTotalFunc3: TyTag; + +// Tclass._System.___hTotalFunc3 Tag +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$R: Ty :: + { Tclass._System.___hTotalFunc3(#$T0, #$T1, #$T2, #$R) } + Tag(Tclass._System.___hTotalFunc3(#$T0, #$T1, #$T2, #$R)) + == Tagclass._System.___hTotalFunc3 + && TagFamily(Tclass._System.___hTotalFunc3(#$T0, #$T1, #$T2, #$R)) + == tytagFamily$_#TotalFunc3); + +function Tclass._System.___hTotalFunc3_0(Ty) : Ty; + +// Tclass._System.___hTotalFunc3 injectivity 0 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$R: Ty :: + { Tclass._System.___hTotalFunc3(#$T0, #$T1, #$T2, #$R) } + Tclass._System.___hTotalFunc3_0(Tclass._System.___hTotalFunc3(#$T0, #$T1, #$T2, #$R)) + == #$T0); + +function Tclass._System.___hTotalFunc3_1(Ty) : Ty; + +// Tclass._System.___hTotalFunc3 injectivity 1 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$R: Ty :: + { Tclass._System.___hTotalFunc3(#$T0, #$T1, #$T2, #$R) } + Tclass._System.___hTotalFunc3_1(Tclass._System.___hTotalFunc3(#$T0, #$T1, #$T2, #$R)) + == #$T1); + +function Tclass._System.___hTotalFunc3_2(Ty) : Ty; + +// Tclass._System.___hTotalFunc3 injectivity 2 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$R: Ty :: + { Tclass._System.___hTotalFunc3(#$T0, #$T1, #$T2, #$R) } + Tclass._System.___hTotalFunc3_2(Tclass._System.___hTotalFunc3(#$T0, #$T1, #$T2, #$R)) + == #$T2); + +function Tclass._System.___hTotalFunc3_3(Ty) : Ty; + +// Tclass._System.___hTotalFunc3 injectivity 3 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$R: Ty :: + { Tclass._System.___hTotalFunc3(#$T0, #$T1, #$T2, #$R) } + Tclass._System.___hTotalFunc3_3(Tclass._System.___hTotalFunc3(#$T0, #$T1, #$T2, #$R)) + == #$R); + +// Box/unbox axiom for Tclass._System.___hTotalFunc3 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$R: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.___hTotalFunc3(#$T0, #$T1, #$T2, #$R)) } + $IsBox(bx, Tclass._System.___hTotalFunc3(#$T0, #$T1, #$T2, #$R)) + ==> $Box($Unbox(bx): HandleType) == bx + && $Is($Unbox(bx): HandleType, Tclass._System.___hTotalFunc3(#$T0, #$T1, #$T2, #$R))); + +// _System._#TotalFunc3: subset type $Is +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$R: Ty, f#0: HandleType :: + { $Is(f#0, Tclass._System.___hTotalFunc3(#$T0, #$T1, #$T2, #$R)) } + $Is(f#0, Tclass._System.___hTotalFunc3(#$T0, #$T1, #$T2, #$R)) + <==> $Is(f#0, Tclass._System.___hPartialFunc3(#$T0, #$T1, #$T2, #$R)) + && (forall x0#0: Box, x1#0: Box, x2#0: Box :: + $IsBox(x0#0, #$T0) && $IsBox(x1#0, #$T1) && $IsBox(x2#0, #$T2) + ==> Requires3(#$T0, #$T1, #$T2, #$R, $OneHeap, f#0, x0#0, x1#0, x2#0))); + +// _System._#TotalFunc3: subset type $IsAlloc +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$R: Ty, f#0: HandleType, $h: Heap :: + { $IsAlloc(f#0, Tclass._System.___hTotalFunc3(#$T0, #$T1, #$T2, #$R), $h) } + $IsAlloc(f#0, Tclass._System.___hTotalFunc3(#$T0, #$T1, #$T2, #$R), $h) + <==> $IsAlloc(f#0, Tclass._System.___hPartialFunc3(#$T0, #$T1, #$T2, #$R), $h)); + +// Constructor identifier +axiom (forall a#0#0#0: Box, a#0#1#0: Box :: + { #_System._tuple#2._#Make2(a#0#0#0, a#0#1#0) } + DatatypeCtorId(#_System._tuple#2._#Make2(a#0#0#0, a#0#1#0)) + == ##_System._tuple#2._#Make2); + +const unique ##_System._tuple#2._#Make2: DtCtorId; + +function _System.Tuple2.___hMake2_q(DatatypeType) : bool; + +// Questionmark and identifier +axiom (forall d: DatatypeType :: + { _System.Tuple2.___hMake2_q(d) } + _System.Tuple2.___hMake2_q(d) + <==> DatatypeCtorId(d) == ##_System._tuple#2._#Make2); + +// Constructor questionmark has arguments +axiom (forall d: DatatypeType :: + { _System.Tuple2.___hMake2_q(d) } + _System.Tuple2.___hMake2_q(d) + ==> (exists a#1#0#0: Box, a#1#1#0: Box :: + d == #_System._tuple#2._#Make2(a#1#0#0, a#1#1#0))); + +const unique Tagclass._System.Tuple2: TyTag; + +// Tclass._System.Tuple2 Tag +axiom (forall _System._tuple#2$T0: Ty, _System._tuple#2$T1: Ty :: + { Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1) } + Tag(Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) + == Tagclass._System.Tuple2 + && TagFamily(Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) + == tytagFamily$_tuple#2); + +function Tclass._System.Tuple2_0(Ty) : Ty; + +// Tclass._System.Tuple2 injectivity 0 +axiom (forall _System._tuple#2$T0: Ty, _System._tuple#2$T1: Ty :: + { Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1) } + Tclass._System.Tuple2_0(Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) + == _System._tuple#2$T0); + +function Tclass._System.Tuple2_1(Ty) : Ty; + +// Tclass._System.Tuple2 injectivity 1 +axiom (forall _System._tuple#2$T0: Ty, _System._tuple#2$T1: Ty :: + { Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1) } + Tclass._System.Tuple2_1(Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) + == _System._tuple#2$T1); + +// Box/unbox axiom for Tclass._System.Tuple2 +axiom (forall _System._tuple#2$T0: Ty, _System._tuple#2$T1: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) } + $IsBox(bx, Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) + ==> $Box($Unbox(bx): DatatypeType) == bx + && $Is($Unbox(bx): DatatypeType, + Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1))); + +// Constructor $Is +axiom (forall _System._tuple#2$T0: Ty, _System._tuple#2$T1: Ty, a#2#0#0: Box, a#2#1#0: Box :: + { $Is(#_System._tuple#2._#Make2(a#2#0#0, a#2#1#0), + Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) } + $Is(#_System._tuple#2._#Make2(a#2#0#0, a#2#1#0), + Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) + <==> $IsBox(a#2#0#0, _System._tuple#2$T0) && $IsBox(a#2#1#0, _System._tuple#2$T1)); + +// Constructor $IsAlloc +axiom (forall _System._tuple#2$T0: Ty, + _System._tuple#2$T1: Ty, + a#2#0#0: Box, + a#2#1#0: Box, + $h: Heap :: + { $IsAlloc(#_System._tuple#2._#Make2(a#2#0#0, a#2#1#0), + Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1), + $h) } + $IsGoodHeap($h) + ==> ($IsAlloc(#_System._tuple#2._#Make2(a#2#0#0, a#2#1#0), + Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1), + $h) + <==> $IsAllocBox(a#2#0#0, _System._tuple#2$T0, $h) + && $IsAllocBox(a#2#1#0, _System._tuple#2$T1, $h))); + +// Destructor $IsAlloc +axiom (forall d: DatatypeType, _System._tuple#2$T0: Ty, $h: Heap :: + { $IsAllocBox(_System.Tuple2._0(d), _System._tuple#2$T0, $h) } + $IsGoodHeap($h) + && + _System.Tuple2.___hMake2_q(d) + && (exists _System._tuple#2$T1: Ty :: + { $IsAlloc(d, Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1), $h) } + $IsAlloc(d, Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1), $h)) + ==> $IsAllocBox(_System.Tuple2._0(d), _System._tuple#2$T0, $h)); + +// Destructor $IsAlloc +axiom (forall d: DatatypeType, _System._tuple#2$T1: Ty, $h: Heap :: + { $IsAllocBox(_System.Tuple2._1(d), _System._tuple#2$T1, $h) } + $IsGoodHeap($h) + && + _System.Tuple2.___hMake2_q(d) + && (exists _System._tuple#2$T0: Ty :: + { $IsAlloc(d, Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1), $h) } + $IsAlloc(d, Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1), $h)) + ==> $IsAllocBox(_System.Tuple2._1(d), _System._tuple#2$T1, $h)); + +// Constructor literal +axiom (forall a#3#0#0: Box, a#3#1#0: Box :: + { #_System._tuple#2._#Make2(Lit(a#3#0#0), Lit(a#3#1#0)) } + #_System._tuple#2._#Make2(Lit(a#3#0#0), Lit(a#3#1#0)) + == Lit(#_System._tuple#2._#Make2(a#3#0#0, a#3#1#0))); + +// Constructor injectivity +axiom (forall a#4#0#0: Box, a#4#1#0: Box :: + { #_System._tuple#2._#Make2(a#4#0#0, a#4#1#0) } + _System.Tuple2._0(#_System._tuple#2._#Make2(a#4#0#0, a#4#1#0)) == a#4#0#0); + +// Inductive rank +axiom (forall a#5#0#0: Box, a#5#1#0: Box :: + { #_System._tuple#2._#Make2(a#5#0#0, a#5#1#0) } + BoxRank(a#5#0#0) < DtRank(#_System._tuple#2._#Make2(a#5#0#0, a#5#1#0))); + +// Constructor injectivity +axiom (forall a#6#0#0: Box, a#6#1#0: Box :: + { #_System._tuple#2._#Make2(a#6#0#0, a#6#1#0) } + _System.Tuple2._1(#_System._tuple#2._#Make2(a#6#0#0, a#6#1#0)) == a#6#1#0); + +// Inductive rank +axiom (forall a#7#0#0: Box, a#7#1#0: Box :: + { #_System._tuple#2._#Make2(a#7#0#0, a#7#1#0) } + BoxRank(a#7#1#0) < DtRank(#_System._tuple#2._#Make2(a#7#0#0, a#7#1#0))); + +// Depth-one case-split function +function $IsA#_System.Tuple2(DatatypeType) : bool; + +// Depth-one case-split axiom +axiom (forall d: DatatypeType :: + { $IsA#_System.Tuple2(d) } + $IsA#_System.Tuple2(d) ==> _System.Tuple2.___hMake2_q(d)); + +// Questionmark data type disjunctivity +axiom (forall _System._tuple#2$T0: Ty, _System._tuple#2$T1: Ty, d: DatatypeType :: + { _System.Tuple2.___hMake2_q(d), $Is(d, Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) } + $Is(d, Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) + ==> _System.Tuple2.___hMake2_q(d)); + +// Datatype extensional equality declaration +function _System.Tuple2#Equal(DatatypeType, DatatypeType) : bool; + +// Datatype extensional equality definition: #_System._tuple#2._#Make2 +axiom (forall a: DatatypeType, b: DatatypeType :: + { _System.Tuple2#Equal(a, b) } + true + ==> (_System.Tuple2#Equal(a, b) + <==> _System.Tuple2._0(a) == _System.Tuple2._0(b) + && _System.Tuple2._1(a) == _System.Tuple2._1(b))); + +// Datatype extensionality axiom: _System._tuple#2 +axiom (forall a: DatatypeType, b: DatatypeType :: + { _System.Tuple2#Equal(a, b) } + _System.Tuple2#Equal(a, b) <==> a == b); + +const unique class._System.Tuple2: ClassName; + +// Constructor function declaration +function #_System._tuple#0._#Make0() : DatatypeType; + +// Constructor identifier +axiom DatatypeCtorId(#_System._tuple#0._#Make0()) == ##_System._tuple#0._#Make0; + +const unique ##_System._tuple#0._#Make0: DtCtorId; + +function _System.Tuple0.___hMake0_q(DatatypeType) : bool; + +// Questionmark and identifier +axiom (forall d: DatatypeType :: + { _System.Tuple0.___hMake0_q(d) } + _System.Tuple0.___hMake0_q(d) + <==> DatatypeCtorId(d) == ##_System._tuple#0._#Make0); + +// Constructor questionmark has arguments +axiom (forall d: DatatypeType :: + { _System.Tuple0.___hMake0_q(d) } + _System.Tuple0.___hMake0_q(d) ==> d == #_System._tuple#0._#Make0()); + +function Tclass._System.Tuple0() : Ty; + +const unique Tagclass._System.Tuple0: TyTag; + +// Tclass._System.Tuple0 Tag +axiom Tag(Tclass._System.Tuple0()) == Tagclass._System.Tuple0 + && TagFamily(Tclass._System.Tuple0()) == tytagFamily$_tuple#0; + +// Box/unbox axiom for Tclass._System.Tuple0 +axiom (forall bx: Box :: + { $IsBox(bx, Tclass._System.Tuple0()) } + $IsBox(bx, Tclass._System.Tuple0()) + ==> $Box($Unbox(bx): DatatypeType) == bx + && $Is($Unbox(bx): DatatypeType, Tclass._System.Tuple0())); + +// Constructor $Is +axiom $Is(#_System._tuple#0._#Make0(), Tclass._System.Tuple0()); + +// Constructor $IsAlloc +axiom (forall $h: Heap :: + { $IsAlloc(#_System._tuple#0._#Make0(), Tclass._System.Tuple0(), $h) } + $IsGoodHeap($h) + ==> $IsAlloc(#_System._tuple#0._#Make0(), Tclass._System.Tuple0(), $h)); + +// Constructor literal +axiom #_System._tuple#0._#Make0() == Lit(#_System._tuple#0._#Make0()); + +// Depth-one case-split function +function $IsA#_System.Tuple0(DatatypeType) : bool; + +// Depth-one case-split axiom +axiom (forall d: DatatypeType :: + { $IsA#_System.Tuple0(d) } + $IsA#_System.Tuple0(d) ==> _System.Tuple0.___hMake0_q(d)); + +// Questionmark data type disjunctivity +axiom (forall d: DatatypeType :: + { _System.Tuple0.___hMake0_q(d), $Is(d, Tclass._System.Tuple0()) } + $Is(d, Tclass._System.Tuple0()) ==> _System.Tuple0.___hMake0_q(d)); + +// Datatype extensional equality declaration +function _System.Tuple0#Equal(DatatypeType, DatatypeType) : bool; + +// Datatype extensional equality definition: #_System._tuple#0._#Make0 +axiom (forall a: DatatypeType, b: DatatypeType :: + { _System.Tuple0#Equal(a, b) } + true ==> (_System.Tuple0#Equal(a, b) <==> true)); + +// Datatype extensionality axiom: _System._tuple#0 +axiom (forall a: DatatypeType, b: DatatypeType :: + { _System.Tuple0#Equal(a, b) } + _System.Tuple0#Equal(a, b) <==> a == b); + +const unique class._System.Tuple0: ClassName; + +const unique class._module.__default: ClassName; + +function Tclass._module.__default() : Ty; + +const unique Tagclass._module.__default: TyTag; + +// Tclass._module.__default Tag +axiom Tag(Tclass._module.__default()) == Tagclass._module.__default + && TagFamily(Tclass._module.__default()) == tytagFamily$_default; + +// Box/unbox axiom for Tclass._module.__default +axiom (forall bx: Box :: + { $IsBox(bx, Tclass._module.__default()) } + $IsBox(bx, Tclass._module.__default()) + ==> $Box($Unbox(bx): ref) == bx && $Is($Unbox(bx): ref, Tclass._module.__default())); + +// _default: Class $Is +axiom (forall $o: ref :: + { $Is($o, Tclass._module.__default()) } + $Is($o, Tclass._module.__default()) + <==> $o == null || dtype($o) == Tclass._module.__default()); + +// _default: Class $IsAlloc +axiom (forall $o: ref, $h: Heap :: + { $IsAlloc($o, Tclass._module.__default(), $h) } + $IsAlloc($o, Tclass._module.__default(), $h) + <==> $o == null || read($h, $o, alloc)); + +// function declaration for _module._default.IsRelaxedPrefix +function _module.__default.IsRelaxedPrefix(_module._default.IsRelaxedPrefix$T: Ty, pat#0: Seq Box, a#0: Seq Box) : bool; + +function _module.__default.IsRelaxedPrefix#canCall(_module._default.IsRelaxedPrefix$T: Ty, pat#0: Seq Box, a#0: Seq Box) : bool; + +// consequence axiom for _module.__default.IsRelaxedPrefix +axiom 2 <= $FunctionContextHeight + ==> (forall _module._default.IsRelaxedPrefix$T: Ty, pat#0: Seq Box, a#0: Seq Box :: + { _module.__default.IsRelaxedPrefix(_module._default.IsRelaxedPrefix$T, pat#0, a#0) } + _module.__default.IsRelaxedPrefix#canCall(_module._default.IsRelaxedPrefix$T, pat#0, a#0) + || (2 != $FunctionContextHeight + && + $Is(pat#0, TSeq(_module._default.IsRelaxedPrefix$T)) + && $Is(a#0, TSeq(_module._default.IsRelaxedPrefix$T))) + ==> true); + +function _module.__default.IsRelaxedPrefix#requires(Ty, Seq Box, Seq Box) : bool; + +// #requires axiom for _module.__default.IsRelaxedPrefix +axiom (forall _module._default.IsRelaxedPrefix$T: Ty, pat#0: Seq Box, a#0: Seq Box :: + { _module.__default.IsRelaxedPrefix#requires(_module._default.IsRelaxedPrefix$T, pat#0, a#0) } + $Is(pat#0, TSeq(_module._default.IsRelaxedPrefix$T)) + && $Is(a#0, TSeq(_module._default.IsRelaxedPrefix$T)) + ==> _module.__default.IsRelaxedPrefix#requires(_module._default.IsRelaxedPrefix$T, pat#0, a#0) + == true); + +// definition axiom for _module.__default.IsRelaxedPrefix (revealed) +axiom 2 <= $FunctionContextHeight + ==> (forall _module._default.IsRelaxedPrefix$T: Ty, pat#0: Seq Box, a#0: Seq Box :: + { _module.__default.IsRelaxedPrefix(_module._default.IsRelaxedPrefix$T, pat#0, a#0) } + _module.__default.IsRelaxedPrefix#canCall(_module._default.IsRelaxedPrefix$T, pat#0, a#0) + || (2 != $FunctionContextHeight + && + $Is(pat#0, TSeq(_module._default.IsRelaxedPrefix$T)) + && $Is(a#0, TSeq(_module._default.IsRelaxedPrefix$T))) + ==> _module.__default.IsRelaxedPrefixAux#canCall(_module._default.IsRelaxedPrefix$T, pat#0, a#0, LitInt(1)) + && _module.__default.IsRelaxedPrefix(_module._default.IsRelaxedPrefix$T, pat#0, a#0) + == _module.__default.IsRelaxedPrefixAux(_module._default.IsRelaxedPrefix$T, $LS($LZ), pat#0, a#0, LitInt(1))); + +// definition axiom for _module.__default.IsRelaxedPrefix for all literals (revealed) +axiom 2 <= $FunctionContextHeight + ==> (forall _module._default.IsRelaxedPrefix$T: Ty, pat#0: Seq Box, a#0: Seq Box :: + {:weight 3} { _module.__default.IsRelaxedPrefix(_module._default.IsRelaxedPrefix$T, Lit(pat#0), Lit(a#0)) } + _module.__default.IsRelaxedPrefix#canCall(_module._default.IsRelaxedPrefix$T, Lit(pat#0), Lit(a#0)) + || (2 != $FunctionContextHeight + && + $Is(pat#0, TSeq(_module._default.IsRelaxedPrefix$T)) + && $Is(a#0, TSeq(_module._default.IsRelaxedPrefix$T))) + ==> _module.__default.IsRelaxedPrefixAux#canCall(_module._default.IsRelaxedPrefix$T, Lit(pat#0), Lit(a#0), LitInt(1)) + && _module.__default.IsRelaxedPrefix(_module._default.IsRelaxedPrefix$T, Lit(pat#0), Lit(a#0)) + == Lit(_module.__default.IsRelaxedPrefixAux(_module._default.IsRelaxedPrefix$T, $LS($LZ), Lit(pat#0), Lit(a#0), LitInt(1)))); + +procedure {:verboseName "IsRelaxedPrefix (well-formedness)"} CheckWellformed$$_module.__default.IsRelaxedPrefix(_module._default.IsRelaxedPrefix$T: Ty, + pat#0: Seq Box where $Is(pat#0, TSeq(_module._default.IsRelaxedPrefix$T)), + a#0: Seq Box where $Is(a#0, TSeq(_module._default.IsRelaxedPrefix$T))); + free requires 2 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +implementation {:verboseName "IsRelaxedPrefix (well-formedness)"} CheckWellformed$$_module.__default.IsRelaxedPrefix(_module._default.IsRelaxedPrefix$T: Ty, pat#0: Seq Box, a#0: Seq Box) +{ + var $_Frame: [ref,Field beta]bool; + var ##pat#0: Seq Box; + var ##a#0: Seq Box; + var ##slack#0: int; + + + // AddWellformednessCheck for function IsRelaxedPrefix + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> false); + if (*) + { + assume false; + } + else + { + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> false); + ##pat#0 := pat#0; + // assume allocatedness for argument to function + assume $IsAlloc(##pat#0, TSeq(_module._default.IsRelaxedPrefix$T), $Heap); + ##a#0 := a#0; + // assume allocatedness for argument to function + assume $IsAlloc(##a#0, TSeq(_module._default.IsRelaxedPrefix$T), $Heap); + assert $Is(LitInt(1), Tclass._System.nat()); + ##slack#0 := LitInt(1); + // assume allocatedness for argument to function + assume $IsAlloc(##slack#0, Tclass._System.nat(), $Heap); + assume _module.__default.IsRelaxedPrefixAux#canCall(_module._default.IsRelaxedPrefix$T, pat#0, a#0, LitInt(1)); + assume _module.__default.IsRelaxedPrefix(_module._default.IsRelaxedPrefix$T, pat#0, a#0) + == _module.__default.IsRelaxedPrefixAux(_module._default.IsRelaxedPrefix$T, $LS($LZ), pat#0, a#0, LitInt(1)); + assume _module.__default.IsRelaxedPrefixAux#canCall(_module._default.IsRelaxedPrefix$T, pat#0, a#0, LitInt(1)); + // CheckWellformedWithResult: any expression + assume $Is(_module.__default.IsRelaxedPrefix(_module._default.IsRelaxedPrefix$T, pat#0, a#0), + TBool); + } +} + + + +// function declaration for _module._default.IsRelaxedPrefixAux +function _module.__default.IsRelaxedPrefixAux(_module._default.IsRelaxedPrefixAux$T: Ty, + $ly: LayerType, + pat#0: Seq Box, + a#0: Seq Box, + slack#0: int) + : bool; + +function _module.__default.IsRelaxedPrefixAux#canCall(_module._default.IsRelaxedPrefixAux$T: Ty, + pat#0: Seq Box, + a#0: Seq Box, + slack#0: int) + : bool; + +// layer synonym axiom +axiom (forall _module._default.IsRelaxedPrefixAux$T: Ty, + $ly: LayerType, + pat#0: Seq Box, + a#0: Seq Box, + slack#0: int :: + { _module.__default.IsRelaxedPrefixAux(_module._default.IsRelaxedPrefixAux$T, $LS($ly), pat#0, a#0, slack#0) } + _module.__default.IsRelaxedPrefixAux(_module._default.IsRelaxedPrefixAux$T, $LS($ly), pat#0, a#0, slack#0) + == _module.__default.IsRelaxedPrefixAux(_module._default.IsRelaxedPrefixAux$T, $ly, pat#0, a#0, slack#0)); + +// fuel synonym axiom +axiom (forall _module._default.IsRelaxedPrefixAux$T: Ty, + $ly: LayerType, + pat#0: Seq Box, + a#0: Seq Box, + slack#0: int :: + { _module.__default.IsRelaxedPrefixAux(_module._default.IsRelaxedPrefixAux$T, AsFuelBottom($ly), pat#0, a#0, slack#0) } + _module.__default.IsRelaxedPrefixAux(_module._default.IsRelaxedPrefixAux$T, $ly, pat#0, a#0, slack#0) + == _module.__default.IsRelaxedPrefixAux(_module._default.IsRelaxedPrefixAux$T, $LZ, pat#0, a#0, slack#0)); + +// consequence axiom for _module.__default.IsRelaxedPrefixAux +axiom 1 <= $FunctionContextHeight + ==> (forall _module._default.IsRelaxedPrefixAux$T: Ty, + $ly: LayerType, + pat#0: Seq Box, + a#0: Seq Box, + slack#0: int :: + { _module.__default.IsRelaxedPrefixAux(_module._default.IsRelaxedPrefixAux$T, $ly, pat#0, a#0, slack#0) } + _module.__default.IsRelaxedPrefixAux#canCall(_module._default.IsRelaxedPrefixAux$T, pat#0, a#0, slack#0) + || (1 != $FunctionContextHeight + && + $Is(pat#0, TSeq(_module._default.IsRelaxedPrefixAux$T)) + && $Is(a#0, TSeq(_module._default.IsRelaxedPrefixAux$T)) + && LitInt(0) <= slack#0) + ==> true); + +function _module.__default.IsRelaxedPrefixAux#requires(Ty, LayerType, Seq Box, Seq Box, int) : bool; + +// #requires axiom for _module.__default.IsRelaxedPrefixAux +axiom (forall _module._default.IsRelaxedPrefixAux$T: Ty, + $ly: LayerType, + pat#0: Seq Box, + a#0: Seq Box, + slack#0: int :: + { _module.__default.IsRelaxedPrefixAux#requires(_module._default.IsRelaxedPrefixAux$T, $ly, pat#0, a#0, slack#0) } + $Is(pat#0, TSeq(_module._default.IsRelaxedPrefixAux$T)) + && $Is(a#0, TSeq(_module._default.IsRelaxedPrefixAux$T)) + && LitInt(0) <= slack#0 + ==> _module.__default.IsRelaxedPrefixAux#requires(_module._default.IsRelaxedPrefixAux$T, $ly, pat#0, a#0, slack#0) + == true); + +// definition axiom for _module.__default.IsRelaxedPrefixAux (revealed) +axiom 1 <= $FunctionContextHeight + ==> (forall _module._default.IsRelaxedPrefixAux$T: Ty, + $ly: LayerType, + pat#0: Seq Box, + a#0: Seq Box, + slack#0: int :: + { _module.__default.IsRelaxedPrefixAux(_module._default.IsRelaxedPrefixAux$T, $LS($ly), pat#0, a#0, slack#0) } + _module.__default.IsRelaxedPrefixAux#canCall(_module._default.IsRelaxedPrefixAux$T, pat#0, a#0, slack#0) + || (1 != $FunctionContextHeight + && + $Is(pat#0, TSeq(_module._default.IsRelaxedPrefixAux$T)) + && $Is(a#0, TSeq(_module._default.IsRelaxedPrefixAux$T)) + && LitInt(0) <= slack#0) + ==> (!Seq#Equal(pat#0, Seq#Empty(): Seq Box) + ==> (!Seq#Equal(a#0, Seq#Empty(): Seq Box) + && Seq#Index(pat#0, LitInt(0)) == Seq#Index(a#0, LitInt(0)) + ==> _module.__default.IsRelaxedPrefixAux#canCall(_module._default.IsRelaxedPrefixAux$T, + Seq#Drop(pat#0, LitInt(1)), + Seq#Drop(a#0, LitInt(1)), + slack#0)) + && (!(!Seq#Equal(a#0, Seq#Empty(): Seq Box) + && Seq#Index(pat#0, LitInt(0)) == Seq#Index(a#0, LitInt(0))) + ==> + slack#0 > 0 + ==> _module.__default.IsRelaxedPrefixAux#canCall(_module._default.IsRelaxedPrefixAux$T, + Seq#Drop(pat#0, LitInt(1)), + a#0, + slack#0 - 1))) + && _module.__default.IsRelaxedPrefixAux(_module._default.IsRelaxedPrefixAux$T, $LS($ly), pat#0, a#0, slack#0) + == (if Seq#Equal(pat#0, Seq#Empty(): Seq Box) + then true + else (if !Seq#Equal(a#0, Seq#Empty(): Seq Box) + && Seq#Index(pat#0, LitInt(0)) == Seq#Index(a#0, LitInt(0)) + then _module.__default.IsRelaxedPrefixAux(_module._default.IsRelaxedPrefixAux$T, + $ly, + Seq#Drop(pat#0, LitInt(1)), + Seq#Drop(a#0, LitInt(1)), + slack#0) + else slack#0 > 0 + && _module.__default.IsRelaxedPrefixAux(_module._default.IsRelaxedPrefixAux$T, + $ly, + Seq#Drop(pat#0, LitInt(1)), + a#0, + slack#0 - 1)))); + +// definition axiom for _module.__default.IsRelaxedPrefixAux for all literals (revealed) +axiom 1 <= $FunctionContextHeight + ==> (forall _module._default.IsRelaxedPrefixAux$T: Ty, + $ly: LayerType, + pat#0: Seq Box, + a#0: Seq Box, + slack#0: int :: + {:weight 3} { _module.__default.IsRelaxedPrefixAux(_module._default.IsRelaxedPrefixAux$T, + $LS($ly), + Lit(pat#0), + Lit(a#0), + LitInt(slack#0)) } + _module.__default.IsRelaxedPrefixAux#canCall(_module._default.IsRelaxedPrefixAux$T, Lit(pat#0), Lit(a#0), LitInt(slack#0)) + || (1 != $FunctionContextHeight + && + $Is(pat#0, TSeq(_module._default.IsRelaxedPrefixAux$T)) + && $Is(a#0, TSeq(_module._default.IsRelaxedPrefixAux$T)) + && LitInt(0) <= slack#0) + ==> (!Seq#Equal(pat#0, Seq#Empty(): Seq Box) + ==> (!Seq#Equal(a#0, Seq#Empty(): Seq Box) + && Seq#Index(Lit(pat#0), LitInt(0)) == Seq#Index(Lit(a#0), LitInt(0)) + ==> _module.__default.IsRelaxedPrefixAux#canCall(_module._default.IsRelaxedPrefixAux$T, + Lit(Seq#Drop(Lit(pat#0), LitInt(1))), + Lit(Seq#Drop(Lit(a#0), LitInt(1))), + LitInt(slack#0))) + && (!(!Seq#Equal(a#0, Seq#Empty(): Seq Box) + && Seq#Index(Lit(pat#0), LitInt(0)) == Seq#Index(Lit(a#0), LitInt(0))) + ==> + Lit(slack#0 > 0) + ==> _module.__default.IsRelaxedPrefixAux#canCall(_module._default.IsRelaxedPrefixAux$T, + Lit(Seq#Drop(Lit(pat#0), LitInt(1))), + Lit(a#0), + LitInt(slack#0 - 1)))) + && _module.__default.IsRelaxedPrefixAux(_module._default.IsRelaxedPrefixAux$T, + $LS($ly), + Lit(pat#0), + Lit(a#0), + LitInt(slack#0)) + == (if Seq#Equal(pat#0, Seq#Empty(): Seq Box) + then true + else (if !Seq#Equal(a#0, Seq#Empty(): Seq Box) + && Seq#Index(Lit(pat#0), LitInt(0)) == Seq#Index(Lit(a#0), LitInt(0)) + then _module.__default.IsRelaxedPrefixAux(_module._default.IsRelaxedPrefixAux$T, + $LS($ly), + Lit(Seq#Drop(Lit(pat#0), LitInt(1))), + Lit(Seq#Drop(Lit(a#0), LitInt(1))), + LitInt(slack#0)) + else slack#0 > 0 + && _module.__default.IsRelaxedPrefixAux(_module._default.IsRelaxedPrefixAux$T, + $LS($ly), + Lit(Seq#Drop(Lit(pat#0), LitInt(1))), + Lit(a#0), + LitInt(slack#0 - 1))))); + +procedure {:verboseName "IsRelaxedPrefixAux (well-formedness)"} CheckWellformed$$_module.__default.IsRelaxedPrefixAux(_module._default.IsRelaxedPrefixAux$T: Ty, + pat#0: Seq Box where $Is(pat#0, TSeq(_module._default.IsRelaxedPrefixAux$T)), + a#0: Seq Box where $Is(a#0, TSeq(_module._default.IsRelaxedPrefixAux$T)), + slack#0: int where LitInt(0) <= slack#0); + free requires 1 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +implementation {:verboseName "IsRelaxedPrefixAux (well-formedness)"} CheckWellformed$$_module.__default.IsRelaxedPrefixAux(_module._default.IsRelaxedPrefixAux$T: Ty, + pat#0: Seq Box, + a#0: Seq Box, + slack#0: int) +{ + var $_Frame: [ref,Field beta]bool; + var ##pat#0: Seq Box; + var ##a#0: Seq Box; + var ##slack#0: int; + var ##pat#1: Seq Box; + var ##a#1: Seq Box; + var ##slack#1: int; + + + // AddWellformednessCheck for function IsRelaxedPrefixAux + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> false); + if (*) + { + assume false; + } + else + { + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> false); + if (Seq#Equal(pat#0, Seq#Empty(): Seq Box)) + { + assume _module.__default.IsRelaxedPrefixAux(_module._default.IsRelaxedPrefixAux$T, $LS($LZ), pat#0, a#0, slack#0) + == Lit(true); + assume true; + // CheckWellformedWithResult: any expression + assume $Is(_module.__default.IsRelaxedPrefixAux(_module._default.IsRelaxedPrefixAux$T, $LS($LZ), pat#0, a#0, slack#0), + TBool); + } + else + { + if (!Seq#Equal(a#0, Seq#Empty(): Seq Box)) + { + assert 0 <= LitInt(0) && LitInt(0) < Seq#Length(pat#0); + assert 0 <= LitInt(0) && LitInt(0) < Seq#Length(a#0); + } + + if (!Seq#Equal(a#0, Seq#Empty(): Seq Box) + && Seq#Index(pat#0, LitInt(0)) == Seq#Index(a#0, LitInt(0))) + { + assert 0 <= LitInt(1) && LitInt(1) <= Seq#Length(pat#0); + assert 0 <= LitInt(1) && LitInt(1) <= Seq#Length(a#0); + ##pat#0 := Seq#Drop(pat#0, LitInt(1)); + // assume allocatedness for argument to function + assume $IsAlloc(##pat#0, TSeq(_module._default.IsRelaxedPrefixAux$T), $Heap); + ##a#0 := Seq#Drop(a#0, LitInt(1)); + // assume allocatedness for argument to function + assume $IsAlloc(##a#0, TSeq(_module._default.IsRelaxedPrefixAux$T), $Heap); + ##slack#0 := slack#0; + // assume allocatedness for argument to function + assume $IsAlloc(##slack#0, Tclass._System.nat(), $Heap); + assert 0 <= slack#0 + || Seq#Rank(##pat#0) < Seq#Rank(pat#0) + || Seq#Rank(##a#0) < Seq#Rank(a#0) + || ##slack#0 == slack#0; + assert Seq#Rank(##pat#0) < Seq#Rank(pat#0) + || (Seq#Rank(##pat#0) == Seq#Rank(pat#0) + && (Seq#Rank(##a#0) < Seq#Rank(a#0) + || (Seq#Rank(##a#0) == Seq#Rank(a#0) && ##slack#0 < slack#0))); + assume _module.__default.IsRelaxedPrefixAux#canCall(_module._default.IsRelaxedPrefixAux$T, + Seq#Drop(pat#0, LitInt(1)), + Seq#Drop(a#0, LitInt(1)), + slack#0); + assume _module.__default.IsRelaxedPrefixAux(_module._default.IsRelaxedPrefixAux$T, $LS($LZ), pat#0, a#0, slack#0) + == _module.__default.IsRelaxedPrefixAux(_module._default.IsRelaxedPrefixAux$T, + $LS($LZ), + Seq#Drop(pat#0, LitInt(1)), + Seq#Drop(a#0, LitInt(1)), + slack#0); + assume _module.__default.IsRelaxedPrefixAux#canCall(_module._default.IsRelaxedPrefixAux$T, + Seq#Drop(pat#0, LitInt(1)), + Seq#Drop(a#0, LitInt(1)), + slack#0); + // CheckWellformedWithResult: any expression + assume $Is(_module.__default.IsRelaxedPrefixAux(_module._default.IsRelaxedPrefixAux$T, $LS($LZ), pat#0, a#0, slack#0), + TBool); + } + else + { + if (slack#0 > 0) + { + assert 0 <= LitInt(1) && LitInt(1) <= Seq#Length(pat#0); + ##pat#1 := Seq#Drop(pat#0, LitInt(1)); + // assume allocatedness for argument to function + assume $IsAlloc(##pat#1, TSeq(_module._default.IsRelaxedPrefixAux$T), $Heap); + ##a#1 := a#0; + // assume allocatedness for argument to function + assume $IsAlloc(##a#1, TSeq(_module._default.IsRelaxedPrefixAux$T), $Heap); + assert $Is(slack#0 - 1, Tclass._System.nat()); + ##slack#1 := slack#0 - 1; + // assume allocatedness for argument to function + assume $IsAlloc(##slack#1, Tclass._System.nat(), $Heap); + assert 0 <= slack#0 + || Seq#Rank(##pat#1) < Seq#Rank(pat#0) + || Seq#Rank(##a#1) < Seq#Rank(a#0) + || ##slack#1 == slack#0; + assert Seq#Rank(##pat#1) < Seq#Rank(pat#0) + || (Seq#Rank(##pat#1) == Seq#Rank(pat#0) + && (Seq#Rank(##a#1) < Seq#Rank(a#0) + || (Seq#Rank(##a#1) == Seq#Rank(a#0) && ##slack#1 < slack#0))); + assume _module.__default.IsRelaxedPrefixAux#canCall(_module._default.IsRelaxedPrefixAux$T, + Seq#Drop(pat#0, LitInt(1)), + a#0, + slack#0 - 1); + } + + assume _module.__default.IsRelaxedPrefixAux(_module._default.IsRelaxedPrefixAux$T, $LS($LZ), pat#0, a#0, slack#0) + == (slack#0 > 0 + && _module.__default.IsRelaxedPrefixAux(_module._default.IsRelaxedPrefixAux$T, + $LS($LZ), + Seq#Drop(pat#0, LitInt(1)), + a#0, + slack#0 - 1)); + assume slack#0 > 0 + ==> _module.__default.IsRelaxedPrefixAux#canCall(_module._default.IsRelaxedPrefixAux$T, + Seq#Drop(pat#0, LitInt(1)), + a#0, + slack#0 - 1); + // CheckWellformedWithResult: any expression + assume $Is(_module.__default.IsRelaxedPrefixAux(_module._default.IsRelaxedPrefixAux$T, $LS($LZ), pat#0, a#0, slack#0), + TBool); + } + } + } +} + + + +procedure {:verboseName "ComputeIsRelaxedPrefix (well-formedness)"} CheckWellFormed$$_module.__default.ComputeIsRelaxedPrefix(_module._default.ComputeIsRelaxedPrefix$T: Ty, + pat#0: Seq Box + where $Is(pat#0, TSeq(_module._default.ComputeIsRelaxedPrefix$T)) + && $IsAlloc(pat#0, TSeq(_module._default.ComputeIsRelaxedPrefix$T), $Heap), + a#0: Seq Box + where $Is(a#0, TSeq(_module._default.ComputeIsRelaxedPrefix$T)) + && $IsAlloc(a#0, TSeq(_module._default.ComputeIsRelaxedPrefix$T), $Heap)) + returns (b#0: bool); + free requires 3 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +procedure {:verboseName "ComputeIsRelaxedPrefix (call)"} Call$$_module.__default.ComputeIsRelaxedPrefix(_module._default.ComputeIsRelaxedPrefix$T: Ty, + pat#0: Seq Box + where $Is(pat#0, TSeq(_module._default.ComputeIsRelaxedPrefix$T)) + && $IsAlloc(pat#0, TSeq(_module._default.ComputeIsRelaxedPrefix$T), $Heap), + a#0: Seq Box + where $Is(a#0, TSeq(_module._default.ComputeIsRelaxedPrefix$T)) + && $IsAlloc(a#0, TSeq(_module._default.ComputeIsRelaxedPrefix$T), $Heap)) + returns (b#0: bool); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures _module.__default.IsRelaxedPrefix#canCall(_module._default.ComputeIsRelaxedPrefix$T, pat#0, a#0); + ensures b#0 + == _module.__default.IsRelaxedPrefix(_module._default.ComputeIsRelaxedPrefix$T, pat#0, a#0); + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) ==> $Heap[$o] == old($Heap)[$o]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +procedure {:verboseName "ComputeIsRelaxedPrefix (correctness)"} Impl$$_module.__default.ComputeIsRelaxedPrefix(_module._default.ComputeIsRelaxedPrefix$T: Ty, + pat#0: Seq Box + where $Is(pat#0, TSeq(_module._default.ComputeIsRelaxedPrefix$T)) + && $IsAlloc(pat#0, TSeq(_module._default.ComputeIsRelaxedPrefix$T), $Heap), + a#0: Seq Box + where $Is(a#0, TSeq(_module._default.ComputeIsRelaxedPrefix$T)) + && $IsAlloc(a#0, TSeq(_module._default.ComputeIsRelaxedPrefix$T), $Heap)) + returns (b#0: bool, $_reverifyPost: bool); + free requires 3 == $FunctionContextHeight; + modifies $Heap, $Tick; + // user-defined postconditions + free ensures _module.__default.IsRelaxedPrefix#canCall(_module._default.ComputeIsRelaxedPrefix$T, pat#0, a#0); + ensures b#0 + == _module.__default.IsRelaxedPrefix(_module._default.ComputeIsRelaxedPrefix$T, pat#0, a#0); + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) ==> $Heap[$o] == old($Heap)[$o]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +implementation {:verboseName "ComputeIsRelaxedPrefix (correctness)"} Impl$$_module.__default.ComputeIsRelaxedPrefix(_module._default.ComputeIsRelaxedPrefix$T: Ty, pat#0: Seq Box, a#0: Seq Box) + returns (b#0: bool, $_reverifyPost: bool) +{ + var $_Frame: [ref,Field beta]bool; + var B#0: bool; + var ##pat#1: Seq Box; + var ##a#1: Seq Box; + var ##slack#0: int; + var shift#0: int; + var i#0: int; + var $rhs#0: int; + var $rhs#1: int; + var $PreLoopHeap$loop#0: Heap; + var $decr_init$loop#00: int; + var $decr_init$loop#01: int; + var $w$loop#0: bool; + var ##pat#2: Seq Box; + var ##a#2: Seq Box; + var ##slack#1: int; + var $decr$loop#00: int; + var $decr$loop#01: int; + + // AddMethodImpl: ComputeIsRelaxedPrefix, Impl$$_module.__default.ComputeIsRelaxedPrefix + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> false); + $_reverifyPost := false; + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(43,15) + assume true; + ##pat#1 := pat#0; + // assume allocatedness for argument to function + assume $IsAlloc(##pat#1, TSeq(_module._default.ComputeIsRelaxedPrefix$T), $Heap); + ##a#1 := a#0; + // assume allocatedness for argument to function + assume $IsAlloc(##a#1, TSeq(_module._default.ComputeIsRelaxedPrefix$T), $Heap); + assert $Is(LitInt(1), Tclass._System.nat()); + ##slack#0 := LitInt(1); + // assume allocatedness for argument to function + assume $IsAlloc(##slack#0, Tclass._System.nat(), $Heap); + assume _module.__default.IsRelaxedPrefixAux#canCall(_module._default.ComputeIsRelaxedPrefix$T, pat#0, a#0, LitInt(1)); + assume _module.__default.IsRelaxedPrefixAux#canCall(_module._default.ComputeIsRelaxedPrefix$T, pat#0, a#0, LitInt(1)); + B#0 := _module.__default.IsRelaxedPrefixAux(_module._default.ComputeIsRelaxedPrefix$T, $LS($LZ), pat#0, a#0, LitInt(1)); + // ----- update statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(44,16) + assume true; + assume true; + assume true; + $rhs#0 := LitInt(0); + assume true; + $rhs#1 := LitInt(0); + shift#0 := $rhs#0; + i#0 := $rhs#1; + // ----- while statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(45,3) + // Assume Fuel Constant + $PreLoopHeap$loop#0 := $Heap; + $decr_init$loop#00 := Seq#Length(pat#0) - i#0; + $decr_init$loop#01 := (if i#0 < Seq#Length(pat#0) then Seq#Length(a#0) - (i#0 - shift#0) else 0 - 1); + havoc $w$loop#0; + while (true) + free invariant $w$loop#0 ==> true; + invariant $w$loop#0 ==> LitInt(0) <= i#0; + invariant $w$loop#0 ==> i#0 <= Seq#Length(pat#0); + invariant $w$loop#0 ==> i#0 - shift#0 <= Seq#Length(a#0); + free invariant $w$loop#0 ==> true; + invariant $w$loop#0 ==> LitInt(0) <= shift#0; + invariant $w$loop#0 ==> shift#0 <= i#0; + free invariant $w$loop#0 ==> true; + invariant $w$loop#0 ==> shift#0 == LitInt(0) || shift#0 == LitInt(1); + free invariant $w$loop#0 + ==> _module.__default.IsRelaxedPrefixAux#canCall(_module._default.ComputeIsRelaxedPrefix$T, + Seq#Drop(pat#0, i#0), + Seq#Drop(a#0, i#0 - shift#0), + 1 - shift#0); + invariant $w$loop#0 + ==> _module.__default.IsRelaxedPrefixAux(_module._default.ComputeIsRelaxedPrefix$T, + $LS($LS($LZ)), + Seq#Drop(pat#0, i#0), + Seq#Drop(a#0, i#0 - shift#0), + 1 - shift#0) + == B#0; + free invariant (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == $PreLoopHeap$loop#0[$o]); + free invariant $HeapSucc($PreLoopHeap$loop#0, $Heap); + free invariant (forall $o: ref, $f: Field alpha :: + { read($Heap, $o, $f) } + $o != null && read($PreLoopHeap$loop#0, $o, alloc) + ==> read($Heap, $o, $f) == read($PreLoopHeap$loop#0, $o, $f) || $_Frame[$o, $f]); + free invariant Seq#Length(pat#0) - i#0 <= $decr_init$loop#00 + && (Seq#Length(pat#0) - i#0 == $decr_init$loop#00 + ==> (if i#0 < Seq#Length(pat#0) then Seq#Length(a#0) - (i#0 - shift#0) else 0 - 1) + <= $decr_init$loop#01 + && ((if i#0 < Seq#Length(pat#0) then Seq#Length(a#0) - (i#0 - shift#0) else 0 - 1) + == $decr_init$loop#01 + ==> true)); + { + if (!$w$loop#0) + { + if (LitInt(0) <= i#0) + { + } + + if (LitInt(0) <= i#0 && i#0 <= Seq#Length(pat#0)) + { + } + + assume true; + assume LitInt(0) <= i#0 && i#0 <= Seq#Length(pat#0) && i#0 - shift#0 <= Seq#Length(a#0); + if (LitInt(0) <= shift#0) + { + } + + assume true; + assume LitInt(0) <= shift#0 && shift#0 <= i#0; + if (shift#0 != LitInt(0)) + { + } + + assume true; + assume shift#0 == LitInt(0) || shift#0 == LitInt(1); + assert {:subsumption 0} 0 <= i#0 && i#0 <= Seq#Length(pat#0); + assert {:subsumption 0} 0 <= i#0 - shift#0 && i#0 - shift#0 <= Seq#Length(a#0); + ##pat#2 := Seq#Drop(pat#0, i#0); + // assume allocatedness for argument to function + assume $IsAlloc(##pat#2, TSeq(_module._default.ComputeIsRelaxedPrefix$T), $Heap); + ##a#2 := Seq#Drop(a#0, i#0 - shift#0); + // assume allocatedness for argument to function + assume $IsAlloc(##a#2, TSeq(_module._default.ComputeIsRelaxedPrefix$T), $Heap); + assert $Is(1 - shift#0, Tclass._System.nat()); + ##slack#1 := 1 - shift#0; + // assume allocatedness for argument to function + assume $IsAlloc(##slack#1, Tclass._System.nat(), $Heap); + assume _module.__default.IsRelaxedPrefixAux#canCall(_module._default.ComputeIsRelaxedPrefix$T, + Seq#Drop(pat#0, i#0), + Seq#Drop(a#0, i#0 - shift#0), + 1 - shift#0); + assume _module.__default.IsRelaxedPrefixAux#canCall(_module._default.ComputeIsRelaxedPrefix$T, + Seq#Drop(pat#0, i#0), + Seq#Drop(a#0, i#0 - shift#0), + 1 - shift#0); + assume _module.__default.IsRelaxedPrefixAux(_module._default.ComputeIsRelaxedPrefix$T, + $LS($LZ), + Seq#Drop(pat#0, i#0), + Seq#Drop(a#0, i#0 - shift#0), + 1 - shift#0) + == B#0; + assume true; + if (i#0 < Seq#Length(pat#0)) + { + } + else + { + } + + assume true; + assume false; + } + + if (i#0 < Seq#Length(pat#0)) + { + } + + assume true; + if (!(i#0 < Seq#Length(pat#0) && i#0 - shift#0 < Seq#Length(a#0))) + { + break; + } + + $decr$loop#00 := Seq#Length(pat#0) - i#0; + $decr$loop#01 := (if i#0 < Seq#Length(pat#0) then Seq#Length(a#0) - (i#0 - shift#0) else 0 - 1); + // ----- if statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(51,5) + assert 0 <= i#0 && i#0 < Seq#Length(pat#0); + assert 0 <= i#0 - shift#0 && i#0 - shift#0 < Seq#Length(a#0); + assume true; + if (Seq#Index(pat#0, i#0) != Seq#Index(a#0, i#0 - shift#0)) + { + // ----- if statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(52,7) + assume true; + if (shift#0 == LitInt(0)) + { + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(53,15) + assume true; + assume true; + shift#0 := LitInt(1); + } + else + { + // ----- return statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(55,9) + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(55,9) + assume true; + assume true; + b#0 := Lit(false); + return; + } + } + else + { + } + + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(58,7) + assume true; + assume true; + i#0 := i#0 + 1; + // ----- loop termination check ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(45,3) + assert 0 <= $decr$loop#00 || Seq#Length(pat#0) - i#0 == $decr$loop#00; + assert 0 <= $decr$loop#01 + || Seq#Length(pat#0) - i#0 < $decr$loop#00 + || (if i#0 < Seq#Length(pat#0) then Seq#Length(a#0) - (i#0 - shift#0) else 0 - 1) + == $decr$loop#01; + assert Seq#Length(pat#0) - i#0 < $decr$loop#00 + || (Seq#Length(pat#0) - i#0 == $decr$loop#00 + && (if i#0 < Seq#Length(pat#0) then Seq#Length(a#0) - (i#0 - shift#0) else 0 - 1) + < $decr$loop#01); + assume LitInt(0) <= i#0 && i#0 <= Seq#Length(pat#0) + ==> + i#0 - shift#0 <= Seq#Length(a#0) + ==> + LitInt(0) <= shift#0 && shift#0 <= i#0 + ==> + shift#0 == LitInt(0) || shift#0 == LitInt(1) + ==> _module.__default.IsRelaxedPrefixAux#canCall(_module._default.ComputeIsRelaxedPrefix$T, + Seq#Drop(pat#0, i#0), + Seq#Drop(a#0, i#0 - shift#0), + 1 - shift#0); + } + + // ----- return statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(60,3) + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(60,3) + assume true; + if (i#0 - shift#0 <= Seq#Length(pat#0)) + { + } + + assume true; + b#0 := i#0 - shift#0 <= Seq#Length(pat#0) && Seq#Length(pat#0) <= i#0 - shift#0 + 1; + return; +} + + + +procedure {:verboseName "Main (well-formedness)"} CheckWellFormed$$_module.__default.Main(); + free requires 4 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +procedure {:verboseName "Main (call)"} Call$$_module.__default.Main(); + modifies $Heap, $Tick; + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) ==> $Heap[$o] == old($Heap)[$o]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +procedure {:verboseName "Main (correctness)"} Impl$$_module.__default.Main() returns ($_reverifyPost: bool); + free requires 4 == $FunctionContextHeight; + modifies $Heap, $Tick; + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) ==> $Heap[$o] == old($Heap)[$o]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +implementation {:verboseName "Main (correctness)"} Impl$$_module.__default.Main() returns ($_reverifyPost: bool) +{ + var $_Frame: [ref,Field beta]bool; + var a#0: Seq Box where $Is(a#0, TSeq(TInt)) && $IsAlloc(a#0, TSeq(TInt), $Heap); + var b#0: bool; + var $rhs##0: bool; + var pat##0: Seq Box; + var a##0: Seq Box; + var $rhs##1: bool; + var pat##1: Seq Box; + var a##1: Seq Box; + var $rhs##2: bool; + var pat##2: Seq Box; + var a##2: Seq Box; + + // AddMethodImpl: Main, Impl$$_module.__default.Main + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> false); + $_reverifyPost := false; + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(65,9) + assume true; + assume true; + a#0 := Lit(Seq#Build(Seq#Build(Seq#Build(Seq#Build(Seq#Empty(): Seq Box, $Box(LitInt(1))), $Box(LitInt(3))), + $Box(LitInt(2))), + $Box(LitInt(3)))); + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(66,34) + assume true; + // TrCallStmt: Adding lhs with type bool + // TrCallStmt: Before ProcessCallStmt + assume true; + // ProcessCallStmt: CheckSubrange + pat##0 := Lit(Seq#Build(Seq#Build(Seq#Empty(): Seq Box, $Box(LitInt(1))), $Box(LitInt(3)))); + assume true; + // ProcessCallStmt: CheckSubrange + a##0 := a#0; + // ProcessCallStmt: Make the call + call $rhs##0 := Call$$_module.__default.ComputeIsRelaxedPrefix(TInt, pat##0, a##0); + // TrCallStmt: After ProcessCallStmt + b#0 := $rhs##0; + // ----- print statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(67,3) + assume true; + assume true; + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(68,30) + assume true; + // TrCallStmt: Adding lhs with type bool + // TrCallStmt: Before ProcessCallStmt + assume true; + // ProcessCallStmt: CheckSubrange + pat##1 := Lit(Seq#Build(Seq#Build(Seq#Build(Seq#Empty(): Seq Box, $Box(LitInt(1))), $Box(LitInt(2))), + $Box(LitInt(3)))); + assume true; + // ProcessCallStmt: CheckSubrange + a##1 := a#0; + // ProcessCallStmt: Make the call + call $rhs##1 := Call$$_module.__default.ComputeIsRelaxedPrefix(TInt, pat##1, a##1); + // TrCallStmt: After ProcessCallStmt + b#0 := $rhs##1; + // ----- print statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(69,3) + assume true; + assume true; + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(70,30) + assume true; + // TrCallStmt: Adding lhs with type bool + // TrCallStmt: Before ProcessCallStmt + assume true; + // ProcessCallStmt: CheckSubrange + pat##2 := Lit(Seq#Build(Seq#Build(Seq#Build(Seq#Empty(): Seq Box, $Box(LitInt(1))), $Box(LitInt(2))), + $Box(LitInt(4)))); + assume true; + // ProcessCallStmt: CheckSubrange + a##2 := a#0; + // ProcessCallStmt: Make the call + call $rhs##2 := Call$$_module.__default.ComputeIsRelaxedPrefix(TInt, pat##2, a##2); + // TrCallStmt: After ProcessCallStmt + b#0 := $rhs##2; + // ----- print statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(71,3) + assume true; + assume true; +} + + + +// function declaration for _module._default.IRP_Alt +function _module.__default.IRP__Alt(_module._default.IRP_Alt$T: Ty, pat#0: Seq Box, a#0: Seq Box) : bool; + +function _module.__default.IRP__Alt#canCall(_module._default.IRP_Alt$T: Ty, pat#0: Seq Box, a#0: Seq Box) : bool; + +// consequence axiom for _module.__default.IRP__Alt +axiom 0 <= $FunctionContextHeight + ==> (forall _module._default.IRP_Alt$T: Ty, pat#0: Seq Box, a#0: Seq Box :: + { _module.__default.IRP__Alt(_module._default.IRP_Alt$T, pat#0, a#0) } + _module.__default.IRP__Alt#canCall(_module._default.IRP_Alt$T, pat#0, a#0) + || (0 != $FunctionContextHeight + && + $Is(pat#0, TSeq(_module._default.IRP_Alt$T)) + && $Is(a#0, TSeq(_module._default.IRP_Alt$T))) + ==> true); + +function _module.__default.IRP__Alt#requires(Ty, Seq Box, Seq Box) : bool; + +// #requires axiom for _module.__default.IRP__Alt +axiom (forall _module._default.IRP_Alt$T: Ty, pat#0: Seq Box, a#0: Seq Box :: + { _module.__default.IRP__Alt#requires(_module._default.IRP_Alt$T, pat#0, a#0) } + $Is(pat#0, TSeq(_module._default.IRP_Alt$T)) + && $Is(a#0, TSeq(_module._default.IRP_Alt$T)) + ==> _module.__default.IRP__Alt#requires(_module._default.IRP_Alt$T, pat#0, a#0) + == true); + +// definition axiom for _module.__default.IRP__Alt (revealed) +axiom 0 <= $FunctionContextHeight + ==> (forall _module._default.IRP_Alt$T: Ty, pat#0: Seq Box, a#0: Seq Box :: + { _module.__default.IRP__Alt(_module._default.IRP_Alt$T, pat#0, a#0) } + _module.__default.IRP__Alt#canCall(_module._default.IRP_Alt$T, pat#0, a#0) + || (0 != $FunctionContextHeight + && + $Is(pat#0, TSeq(_module._default.IRP_Alt$T)) + && $Is(a#0, TSeq(_module._default.IRP_Alt$T))) + ==> _module.__default.IRP__Alt(_module._default.IRP_Alt$T, pat#0, a#0) + == ((Seq#Length(pat#0) <= Seq#Length(a#0) + && Seq#SameUntil(pat#0, a#0, Seq#Length(pat#0))) + || (exists k#0: int :: + { Seq#Take(pat#0, k#0) } + LitInt(0) <= k#0 + && k#0 < Seq#Length(pat#0) + && + Seq#Length(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1))) + <= Seq#Length(a#0) + && Seq#SameUntil(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1)), + a#0, + Seq#Length(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1))))))); + +// definition axiom for _module.__default.IRP__Alt for all literals (revealed) +axiom 0 <= $FunctionContextHeight + ==> (forall _module._default.IRP_Alt$T: Ty, pat#0: Seq Box, a#0: Seq Box :: + {:weight 3} { _module.__default.IRP__Alt(_module._default.IRP_Alt$T, Lit(pat#0), Lit(a#0)) } + _module.__default.IRP__Alt#canCall(_module._default.IRP_Alt$T, Lit(pat#0), Lit(a#0)) + || (0 != $FunctionContextHeight + && + $Is(pat#0, TSeq(_module._default.IRP_Alt$T)) + && $Is(a#0, TSeq(_module._default.IRP_Alt$T))) + ==> _module.__default.IRP__Alt(_module._default.IRP_Alt$T, Lit(pat#0), Lit(a#0)) + == ((Seq#Length(pat#0) <= Seq#Length(a#0) + && Seq#SameUntil(pat#0, a#0, Seq#Length(pat#0))) + || (exists k#1: int :: + { Seq#Take(pat#0, k#1) } + LitInt(0) <= k#1 + && k#1 < Seq#Length(Lit(pat#0)) + && + Seq#Length(Seq#Append(Seq#Take(Lit(pat#0), k#1), Seq#Drop(Lit(pat#0), k#1 + 1))) + <= Seq#Length(a#0) + && Seq#SameUntil(Seq#Append(Seq#Take(Lit(pat#0), k#1), Seq#Drop(Lit(pat#0), k#1 + 1)), + a#0, + Seq#Length(Seq#Append(Seq#Take(Lit(pat#0), k#1), Seq#Drop(Lit(pat#0), k#1 + 1))))))); + +procedure {:verboseName "IRP_Alt (well-formedness)"} CheckWellformed$$_module.__default.IRP__Alt(_module._default.IRP_Alt$T: Ty, + pat#0: Seq Box where $Is(pat#0, TSeq(_module._default.IRP_Alt$T)), + a#0: Seq Box where $Is(a#0, TSeq(_module._default.IRP_Alt$T))); + free requires 0 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +implementation {:verboseName "IRP_Alt (well-formedness)"} CheckWellformed$$_module.__default.IRP__Alt(_module._default.IRP_Alt$T: Ty, pat#0: Seq Box, a#0: Seq Box) +{ + var $_Frame: [ref,Field beta]bool; + var k#2: int; + + + // AddWellformednessCheck for function IRP_Alt + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> false); + if (*) + { + assume false; + } + else + { + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> false); + if (!(Seq#Length(pat#0) <= Seq#Length(a#0) + && Seq#SameUntil(pat#0, a#0, Seq#Length(pat#0)))) + { + // Begin Comprehension WF check + havoc k#2; + if (true) + { + if (LitInt(0) <= k#2) + { + } + + if (LitInt(0) <= k#2 && k#2 < Seq#Length(pat#0)) + { + assert 0 <= k#2 && k#2 <= Seq#Length(pat#0); + assert 0 <= k#2 + 1 && k#2 + 1 <= Seq#Length(pat#0); + } + } + + // End Comprehension WF check + } + + assume _module.__default.IRP__Alt(_module._default.IRP_Alt$T, pat#0, a#0) + == ((Seq#Length(pat#0) <= Seq#Length(a#0) + && Seq#SameUntil(pat#0, a#0, Seq#Length(pat#0))) + || (exists k#3: int :: + { Seq#Take(pat#0, k#3) } + LitInt(0) <= k#3 + && k#3 < Seq#Length(pat#0) + && + Seq#Length(Seq#Append(Seq#Take(pat#0, k#3), Seq#Drop(pat#0, k#3 + 1))) + <= Seq#Length(a#0) + && Seq#SameUntil(Seq#Append(Seq#Take(pat#0, k#3), Seq#Drop(pat#0, k#3 + 1)), + a#0, + Seq#Length(Seq#Append(Seq#Take(pat#0, k#3), Seq#Drop(pat#0, k#3 + 1)))))); + assume true; + // CheckWellformedWithResult: any expression + assume $Is(_module.__default.IRP__Alt(_module._default.IRP_Alt$T, pat#0, a#0), TBool); + } +} + + + +procedure {:verboseName "AreTheSame_Theorem (well-formedness)"} CheckWellFormed$$_module.__default.AreTheSame__Theorem(_module._default.AreTheSame_Theorem$T: Ty, + pat#0: Seq Box + where $Is(pat#0, TSeq(_module._default.AreTheSame_Theorem$T)) + && $IsAlloc(pat#0, TSeq(_module._default.AreTheSame_Theorem$T), $Heap), + a#0: Seq Box + where $Is(a#0, TSeq(_module._default.AreTheSame_Theorem$T)) + && $IsAlloc(a#0, TSeq(_module._default.AreTheSame_Theorem$T), $Heap)); + free requires 5 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +procedure {:verboseName "AreTheSame_Theorem (call)"} Call$$_module.__default.AreTheSame__Theorem(_module._default.AreTheSame_Theorem$T: Ty, + pat#0: Seq Box + where $Is(pat#0, TSeq(_module._default.AreTheSame_Theorem$T)) + && $IsAlloc(pat#0, TSeq(_module._default.AreTheSame_Theorem$T), $Heap), + a#0: Seq Box + where $Is(a#0, TSeq(_module._default.AreTheSame_Theorem$T)) + && $IsAlloc(a#0, TSeq(_module._default.AreTheSame_Theorem$T), $Heap)); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures _module.__default.IsRelaxedPrefix#canCall(_module._default.AreTheSame_Theorem$T, pat#0, a#0) + && _module.__default.IRP__Alt#canCall(_module._default.AreTheSame_Theorem$T, pat#0, a#0); + ensures _module.__default.IsRelaxedPrefix(_module._default.AreTheSame_Theorem$T, pat#0, a#0) + == _module.__default.IRP__Alt(_module._default.AreTheSame_Theorem$T, pat#0, a#0); + // frame condition + free ensures old($Heap) == $Heap; + + + +procedure {:verboseName "AreTheSame_Theorem (correctness)"} Impl$$_module.__default.AreTheSame__Theorem(_module._default.AreTheSame_Theorem$T: Ty, + pat#0: Seq Box + where $Is(pat#0, TSeq(_module._default.AreTheSame_Theorem$T)) + && $IsAlloc(pat#0, TSeq(_module._default.AreTheSame_Theorem$T), $Heap), + a#0: Seq Box + where $Is(a#0, TSeq(_module._default.AreTheSame_Theorem$T)) + && $IsAlloc(a#0, TSeq(_module._default.AreTheSame_Theorem$T), $Heap)) + returns ($_reverifyPost: bool); + free requires 5 == $FunctionContextHeight; + modifies $Heap, $Tick; + // user-defined postconditions + free ensures _module.__default.IsRelaxedPrefix#canCall(_module._default.AreTheSame_Theorem$T, pat#0, a#0) + && _module.__default.IRP__Alt#canCall(_module._default.AreTheSame_Theorem$T, pat#0, a#0); + ensures _module.__default.IsRelaxedPrefix(_module._default.AreTheSame_Theorem$T, pat#0, a#0) + == _module.__default.IRP__Alt(_module._default.AreTheSame_Theorem$T, pat#0, a#0); + // frame condition + free ensures old($Heap) == $Heap; + + + +implementation {:verboseName "AreTheSame_Theorem (correctness)"} Impl$$_module.__default.AreTheSame__Theorem(_module._default.AreTheSame_Theorem$T: Ty, pat#0: Seq Box, a#0: Seq Box) + returns ($_reverifyPost: bool) +{ + var $_Frame: [ref,Field beta]bool; + var ##pat#2: Seq Box; + var ##a#2: Seq Box; + var pat##0_0_0: Seq Box; + var a##0_0_0: Seq Box; + var k#0_1_0: int; + var k#0_1_0_0: int; + var k#0_1_0_1: int; + var pat##0_1_0_0: Seq Box; + var a##0_1_0_0: Seq Box; + var k##0_1_0_0: int; + var ##pat#0_0: Seq Box; + var ##a#0_0: Seq Box; + var ##pat#3: Seq Box; + var ##a#3: Seq Box; + var pat##1_0: Seq Box; + var a##1_0: Seq Box; + var ##pat#1_0: Seq Box; + var ##a#1_0: Seq Box; + + // AddMethodImpl: AreTheSame_Theorem, Impl$$_module.__default.AreTheSame__Theorem + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> false); + $_reverifyPost := false; + // ----- if statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(91,3) + ##pat#2 := pat#0; + // assume allocatedness for argument to function + assume $IsAlloc(##pat#2, TSeq(_module._default.AreTheSame_Theorem$T), $Heap); + ##a#2 := a#0; + // assume allocatedness for argument to function + assume $IsAlloc(##a#2, TSeq(_module._default.AreTheSame_Theorem$T), $Heap); + assume _module.__default.IRP__Alt#canCall(_module._default.AreTheSame_Theorem$T, pat#0, a#0); + assume _module.__default.IRP__Alt#canCall(_module._default.AreTheSame_Theorem$T, pat#0, a#0); + if (_module.__default.IRP__Alt(_module._default.AreTheSame_Theorem$T, pat#0, a#0)) + { + // ----- if statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(92,5) + assume true; + if (Seq#Length(pat#0) <= Seq#Length(a#0) + && Seq#SameUntil(pat#0, a#0, Seq#Length(pat#0))) + { + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(93,12) + // TrCallStmt: Before ProcessCallStmt + assume true; + // ProcessCallStmt: CheckSubrange + pat##0_0_0 := pat#0; + assume true; + // ProcessCallStmt: CheckSubrange + a##0_0_0 := a#0; + // ProcessCallStmt: Make the call + call Call$$_module.__default.Same0(_module._default.AreTheSame_Theorem$T, pat##0_0_0, a##0_0_0); + // TrCallStmt: After ProcessCallStmt + } + else + { + // ----- if statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(94,12) + // Begin Comprehension WF check + havoc k#0_1_0; + if (true) + { + if (LitInt(0) <= k#0_1_0) + { + } + + if (LitInt(0) <= k#0_1_0 && k#0_1_0 < Seq#Length(pat#0)) + { + assert 0 <= k#0_1_0 && k#0_1_0 <= Seq#Length(pat#0); + assert 0 <= k#0_1_0 + 1 && k#0_1_0 + 1 <= Seq#Length(pat#0); + } + } + + // End Comprehension WF check + assume true; + if ((exists k#0_1_1: int :: + { Seq#Take(pat#0, k#0_1_1) } + LitInt(0) <= k#0_1_1 + && k#0_1_1 < Seq#Length(pat#0) + && + Seq#Length(Seq#Append(Seq#Take(pat#0, k#0_1_1), Seq#Drop(pat#0, k#0_1_1 + 1))) + <= Seq#Length(a#0) + && Seq#SameUntil(Seq#Append(Seq#Take(pat#0, k#0_1_1), Seq#Drop(pat#0, k#0_1_1 + 1)), + a#0, + Seq#Length(Seq#Append(Seq#Take(pat#0, k#0_1_1), Seq#Drop(pat#0, k#0_1_1 + 1)))))) + { + // ----- assign-such-that statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(95,13) + havoc k#0_1_0_1; + if (true) + { + if (LitInt(0) <= k#0_1_0_1) + { + } + + if (LitInt(0) <= k#0_1_0_1 && k#0_1_0_1 < Seq#Length(pat#0)) + { + assert {:subsumption 0} 0 <= k#0_1_0_1 && k#0_1_0_1 <= Seq#Length(pat#0); + assert {:subsumption 0} 0 <= k#0_1_0_1 + 1 && k#0_1_0_1 + 1 <= Seq#Length(pat#0); + } + + assume true; + } + + assert ($Is(Seq#Length(pat#0) - 1, TInt) + && + LitInt(0) <= Seq#Length(pat#0) - 1 + && Seq#Length(pat#0) - 1 < Seq#Length(pat#0) + && + Seq#Length(Seq#Append(Seq#Take(pat#0, Seq#Length(pat#0) - 1), + Seq#Drop(pat#0, Seq#Length(pat#0) - 1 + 1))) + <= Seq#Length(a#0) + && Seq#SameUntil(Seq#Append(Seq#Take(pat#0, Seq#Length(pat#0) - 1), + Seq#Drop(pat#0, Seq#Length(pat#0) - 1 + 1)), + a#0, + Seq#Length(Seq#Append(Seq#Take(pat#0, Seq#Length(pat#0) - 1), + Seq#Drop(pat#0, Seq#Length(pat#0) - 1 + 1))))) + || + ($Is(LitInt(0), TInt) + && + LitInt(0) <= LitInt(0) + && 0 < Seq#Length(pat#0) + && + Seq#Length(Seq#Append(Seq#Take(pat#0, LitInt(0)), Seq#Drop(pat#0, LitInt(0 + 1)))) + <= Seq#Length(a#0) + && Seq#SameUntil(Seq#Append(Seq#Take(pat#0, LitInt(0)), Seq#Drop(pat#0, LitInt(0 + 1))), + a#0, + Seq#Length(Seq#Append(Seq#Take(pat#0, LitInt(0)), Seq#Drop(pat#0, LitInt(0 + 1)))))) + || + ($Is(LitInt(0), TInt) + && + LitInt(0) <= LitInt(0) + && 0 < Seq#Length(pat#0) + && + Seq#Length(Seq#Append(Seq#Take(pat#0, LitInt(0)), Seq#Drop(pat#0, LitInt(0 + 1)))) + <= Seq#Length(a#0) + && Seq#SameUntil(Seq#Append(Seq#Take(pat#0, LitInt(0)), Seq#Drop(pat#0, LitInt(0 + 1))), + a#0, + Seq#Length(Seq#Append(Seq#Take(pat#0, LitInt(0)), Seq#Drop(pat#0, LitInt(0 + 1)))))) + || (exists $as#k0_1_0_0#0_1_0_0: int :: + LitInt(0) <= $as#k0_1_0_0#0_1_0_0 + && $as#k0_1_0_0#0_1_0_0 < Seq#Length(pat#0) + && + Seq#Length(Seq#Append(Seq#Take(pat#0, $as#k0_1_0_0#0_1_0_0), Seq#Drop(pat#0, $as#k0_1_0_0#0_1_0_0 + 1))) + <= Seq#Length(a#0) + && Seq#SameUntil(Seq#Append(Seq#Take(pat#0, $as#k0_1_0_0#0_1_0_0), Seq#Drop(pat#0, $as#k0_1_0_0#0_1_0_0 + 1)), + a#0, + Seq#Length(Seq#Append(Seq#Take(pat#0, $as#k0_1_0_0#0_1_0_0), Seq#Drop(pat#0, $as#k0_1_0_0#0_1_0_0 + 1))))); + havoc k#0_1_0_0; + assume LitInt(0) <= k#0_1_0_0 + && k#0_1_0_0 < Seq#Length(pat#0) + && + Seq#Length(Seq#Append(Seq#Take(pat#0, k#0_1_0_0), Seq#Drop(pat#0, k#0_1_0_0 + 1))) + <= Seq#Length(a#0) + && Seq#SameUntil(Seq#Append(Seq#Take(pat#0, k#0_1_0_0), Seq#Drop(pat#0, k#0_1_0_0 + 1)), + a#0, + Seq#Length(Seq#Append(Seq#Take(pat#0, k#0_1_0_0), Seq#Drop(pat#0, k#0_1_0_0 + 1)))); + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(96,12) + // TrCallStmt: Before ProcessCallStmt + assume true; + // ProcessCallStmt: CheckSubrange + pat##0_1_0_0 := pat#0; + assume true; + // ProcessCallStmt: CheckSubrange + a##0_1_0_0 := a#0; + assume true; + // ProcessCallStmt: CheckSubrange + assert $Is(k#0_1_0_0, Tclass._System.nat()); + k##0_1_0_0 := k#0_1_0_0; + // ProcessCallStmt: Make the call + call Call$$_module.__default.Same1(_module._default.AreTheSame_Theorem$T, pat##0_1_0_0, a##0_1_0_0, k##0_1_0_0); + // TrCallStmt: After ProcessCallStmt + } + else + { + } + } + + // ----- assert statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(98,5) + ##pat#0_0 := pat#0; + // assume allocatedness for argument to function + assume $IsAlloc(##pat#0_0, TSeq(_module._default.AreTheSame_Theorem$T), $Heap); + ##a#0_0 := a#0; + // assume allocatedness for argument to function + assume $IsAlloc(##a#0_0, TSeq(_module._default.AreTheSame_Theorem$T), $Heap); + assume _module.__default.IsRelaxedPrefix#canCall(_module._default.AreTheSame_Theorem$T, pat#0, a#0); + assume _module.__default.IsRelaxedPrefix#canCall(_module._default.AreTheSame_Theorem$T, pat#0, a#0); + assert {:subsumption 0} _module.__default.IsRelaxedPrefix#canCall(_module._default.AreTheSame_Theorem$T, pat#0, a#0) + ==> _module.__default.IsRelaxedPrefix(_module._default.AreTheSame_Theorem$T, pat#0, a#0) + || (_module.__default.IsRelaxedPrefixAux#canCall(_module._default.AreTheSame_Theorem$T, pat#0, a#0, LitInt(1)) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.AreTheSame_Theorem$T, $LS($LZ), pat#0, a#0, LitInt(1)) + || (Seq#Equal(pat#0, Seq#Empty(): Seq Box) ==> Lit(true))); + assert {:subsumption 0} _module.__default.IsRelaxedPrefix#canCall(_module._default.AreTheSame_Theorem$T, pat#0, a#0) + ==> _module.__default.IsRelaxedPrefix(_module._default.AreTheSame_Theorem$T, pat#0, a#0) + || (_module.__default.IsRelaxedPrefixAux#canCall(_module._default.AreTheSame_Theorem$T, pat#0, a#0, LitInt(1)) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.AreTheSame_Theorem$T, $LS($LZ), pat#0, a#0, LitInt(1)) + || (!Seq#Equal(pat#0, Seq#Empty(): Seq Box) + ==> + !Seq#Equal(a#0, Seq#Empty(): Seq Box) + && Seq#Index(pat#0, LitInt(0)) == Seq#Index(a#0, LitInt(0)) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.AreTheSame_Theorem$T, + $LS($LS($LZ)), + Seq#Drop(pat#0, LitInt(1)), + Seq#Drop(a#0, LitInt(1)), + LitInt(1)))); + assert {:subsumption 0} _module.__default.IsRelaxedPrefix#canCall(_module._default.AreTheSame_Theorem$T, pat#0, a#0) + ==> _module.__default.IsRelaxedPrefix(_module._default.AreTheSame_Theorem$T, pat#0, a#0) + || (_module.__default.IsRelaxedPrefixAux#canCall(_module._default.AreTheSame_Theorem$T, pat#0, a#0, LitInt(1)) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.AreTheSame_Theorem$T, $LS($LZ), pat#0, a#0, LitInt(1)) + || (!Seq#Equal(pat#0, Seq#Empty(): Seq Box) + ==> + !(!Seq#Equal(a#0, Seq#Empty(): Seq Box) + && Seq#Index(pat#0, LitInt(0)) == Seq#Index(a#0, LitInt(0))) + ==> Lit(1 > 0))); + assert {:subsumption 0} _module.__default.IsRelaxedPrefix#canCall(_module._default.AreTheSame_Theorem$T, pat#0, a#0) + ==> _module.__default.IsRelaxedPrefix(_module._default.AreTheSame_Theorem$T, pat#0, a#0) + || (_module.__default.IsRelaxedPrefixAux#canCall(_module._default.AreTheSame_Theorem$T, pat#0, a#0, LitInt(1)) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.AreTheSame_Theorem$T, $LS($LZ), pat#0, a#0, LitInt(1)) + || (!Seq#Equal(pat#0, Seq#Empty(): Seq Box) + ==> + !(!Seq#Equal(a#0, Seq#Empty(): Seq Box) + && Seq#Index(pat#0, LitInt(0)) == Seq#Index(a#0, LitInt(0))) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.AreTheSame_Theorem$T, + $LS($LS($LZ)), + Seq#Drop(pat#0, LitInt(1)), + a#0, + LitInt(1 - 1)))); + assume _module.__default.IsRelaxedPrefix(_module._default.AreTheSame_Theorem$T, pat#0, a#0); + } + else + { + } + + // ----- if statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(101,3) + ##pat#3 := pat#0; + // assume allocatedness for argument to function + assume $IsAlloc(##pat#3, TSeq(_module._default.AreTheSame_Theorem$T), $Heap); + ##a#3 := a#0; + // assume allocatedness for argument to function + assume $IsAlloc(##a#3, TSeq(_module._default.AreTheSame_Theorem$T), $Heap); + assume _module.__default.IsRelaxedPrefix#canCall(_module._default.AreTheSame_Theorem$T, pat#0, a#0); + assume _module.__default.IsRelaxedPrefix#canCall(_module._default.AreTheSame_Theorem$T, pat#0, a#0); + if (_module.__default.IsRelaxedPrefix(_module._default.AreTheSame_Theorem$T, pat#0, a#0)) + { + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(102,10) + // TrCallStmt: Before ProcessCallStmt + assume true; + // ProcessCallStmt: CheckSubrange + pat##1_0 := pat#0; + assume true; + // ProcessCallStmt: CheckSubrange + a##1_0 := a#0; + // ProcessCallStmt: Make the call + call Call$$_module.__default.Same2(_module._default.AreTheSame_Theorem$T, pat##1_0, a##1_0); + // TrCallStmt: After ProcessCallStmt + // ----- assert statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(103,5) + ##pat#1_0 := pat#0; + // assume allocatedness for argument to function + assume $IsAlloc(##pat#1_0, TSeq(_module._default.AreTheSame_Theorem$T), $Heap); + ##a#1_0 := a#0; + // assume allocatedness for argument to function + assume $IsAlloc(##a#1_0, TSeq(_module._default.AreTheSame_Theorem$T), $Heap); + assume _module.__default.IRP__Alt#canCall(_module._default.AreTheSame_Theorem$T, pat#0, a#0); + assume _module.__default.IRP__Alt#canCall(_module._default.AreTheSame_Theorem$T, pat#0, a#0); + assert {:subsumption 0} _module.__default.IRP__Alt#canCall(_module._default.AreTheSame_Theorem$T, pat#0, a#0) + ==> _module.__default.IRP__Alt(_module._default.AreTheSame_Theorem$T, pat#0, a#0) + || + (Seq#Length(pat#0) <= Seq#Length(a#0) + && Seq#SameUntil(pat#0, a#0, Seq#Length(pat#0))) + || (exists k#1_0: int :: + { Seq#Take(pat#0, k#1_0) } + LitInt(0) <= k#1_0 + && k#1_0 < Seq#Length(pat#0) + && + Seq#Length(Seq#Append(Seq#Take(pat#0, k#1_0), Seq#Drop(pat#0, k#1_0 + 1))) + <= Seq#Length(a#0) + && Seq#SameUntil(Seq#Append(Seq#Take(pat#0, k#1_0), Seq#Drop(pat#0, k#1_0 + 1)), + a#0, + Seq#Length(Seq#Append(Seq#Take(pat#0, k#1_0), Seq#Drop(pat#0, k#1_0 + 1))))); + assume _module.__default.IRP__Alt(_module._default.AreTheSame_Theorem$T, pat#0, a#0); + } + else + { + } +} + + + +procedure {:verboseName "Same0 (well-formedness)"} {:_induction pat#0, a#0} CheckWellFormed$$_module.__default.Same0(_module._default.Same0$T: Ty, + pat#0: Seq Box + where $Is(pat#0, TSeq(_module._default.Same0$T)) + && $IsAlloc(pat#0, TSeq(_module._default.Same0$T), $Heap), + a#0: Seq Box + where $Is(a#0, TSeq(_module._default.Same0$T)) + && $IsAlloc(a#0, TSeq(_module._default.Same0$T), $Heap)); + free requires 2 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +implementation {:verboseName "Same0 (well-formedness)"} {:_induction pat#0, a#0} CheckWellFormed$$_module.__default.Same0(_module._default.Same0$T: Ty, pat#0: Seq Box, a#0: Seq Box) +{ + var $_Frame: [ref,Field beta]bool; + var ##pat#0: Seq Box; + var ##a#0: Seq Box; + var ##slack#0: int; + + // AddMethodImpl: Same0, CheckWellFormed$$_module.__default.Same0 + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> false); + assume Seq#Length(pat#0) <= Seq#Length(a#0) + && Seq#SameUntil(pat#0, a#0, Seq#Length(pat#0)); + havoc $Heap; + assume old($Heap) == $Heap; + ##pat#0 := pat#0; + // assume allocatedness for argument to function + assume $IsAlloc(##pat#0, TSeq(_module._default.Same0$T), $Heap); + ##a#0 := a#0; + // assume allocatedness for argument to function + assume $IsAlloc(##a#0, TSeq(_module._default.Same0$T), $Heap); + assert $Is(LitInt(1), Tclass._System.nat()); + ##slack#0 := LitInt(1); + // assume allocatedness for argument to function + assume $IsAlloc(##slack#0, Tclass._System.nat(), $Heap); + assume _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Same0$T, pat#0, a#0, LitInt(1)); + assume _module.__default.IsRelaxedPrefixAux(_module._default.Same0$T, $LS($LZ), pat#0, a#0, LitInt(1)); +} + + + +procedure {:verboseName "Same0 (call)"} {:_induction pat#0, a#0} Call$$_module.__default.Same0(_module._default.Same0$T: Ty, + pat#0: Seq Box + where $Is(pat#0, TSeq(_module._default.Same0$T)) + && $IsAlloc(pat#0, TSeq(_module._default.Same0$T), $Heap), + a#0: Seq Box + where $Is(a#0, TSeq(_module._default.Same0$T)) + && $IsAlloc(a#0, TSeq(_module._default.Same0$T), $Heap)); + // user-defined preconditions + requires Seq#Length(pat#0) <= Seq#Length(a#0) + && Seq#SameUntil(pat#0, a#0, Seq#Length(pat#0)); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Same0$T, pat#0, a#0, LitInt(1)); + free ensures _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Same0$T, pat#0, a#0, LitInt(1)) + && + _module.__default.IsRelaxedPrefixAux(_module._default.Same0$T, $LS($LZ), pat#0, a#0, LitInt(1)) + && (if Seq#Equal(pat#0, Seq#Empty(): Seq Box) + then true + else (if !Seq#Equal(a#0, Seq#Empty(): Seq Box) + && Seq#Index(pat#0, LitInt(0)) == Seq#Index(a#0, LitInt(0)) + then _module.__default.IsRelaxedPrefixAux(_module._default.Same0$T, + $LS($LZ), + Seq#Drop(pat#0, LitInt(1)), + Seq#Drop(a#0, LitInt(1)), + LitInt(1)) + else 1 > 0 + && _module.__default.IsRelaxedPrefixAux(_module._default.Same0$T, + $LS($LZ), + Seq#Drop(pat#0, LitInt(1)), + a#0, + LitInt(1 - 1)))); + // frame condition + free ensures old($Heap) == $Heap; + + + +procedure {:verboseName "Same0 (correctness)"} {:_induction pat#0, a#0} Impl$$_module.__default.Same0(_module._default.Same0$T: Ty, + pat#0: Seq Box + where $Is(pat#0, TSeq(_module._default.Same0$T)) + && $IsAlloc(pat#0, TSeq(_module._default.Same0$T), $Heap), + a#0: Seq Box + where $Is(a#0, TSeq(_module._default.Same0$T)) + && $IsAlloc(a#0, TSeq(_module._default.Same0$T), $Heap)) + returns ($_reverifyPost: bool); + free requires 2 == $FunctionContextHeight; + // user-defined preconditions + requires Seq#Length(pat#0) <= Seq#Length(a#0) + && Seq#SameUntil(pat#0, a#0, Seq#Length(pat#0)); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Same0$T, pat#0, a#0, LitInt(1)); + ensures _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Same0$T, pat#0, a#0, LitInt(1)) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.Same0$T, $LS($LZ), pat#0, a#0, LitInt(1)) + || (Seq#Equal(pat#0, Seq#Empty(): Seq Box) ==> Lit(true)); + ensures _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Same0$T, pat#0, a#0, LitInt(1)) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.Same0$T, $LS($LZ), pat#0, a#0, LitInt(1)) + || (!Seq#Equal(pat#0, Seq#Empty(): Seq Box) + ==> + !Seq#Equal(a#0, Seq#Empty(): Seq Box) + && Seq#Index(pat#0, LitInt(0)) == Seq#Index(a#0, LitInt(0)) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.Same0$T, + $LS($LS($LZ)), + Seq#Drop(pat#0, LitInt(1)), + Seq#Drop(a#0, LitInt(1)), + LitInt(1))); + ensures _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Same0$T, pat#0, a#0, LitInt(1)) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.Same0$T, $LS($LZ), pat#0, a#0, LitInt(1)) + || (!Seq#Equal(pat#0, Seq#Empty(): Seq Box) + ==> + !(!Seq#Equal(a#0, Seq#Empty(): Seq Box) + && Seq#Index(pat#0, LitInt(0)) == Seq#Index(a#0, LitInt(0))) + ==> Lit(1 > 0)); + ensures _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Same0$T, pat#0, a#0, LitInt(1)) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.Same0$T, $LS($LZ), pat#0, a#0, LitInt(1)) + || (!Seq#Equal(pat#0, Seq#Empty(): Seq Box) + ==> + !(!Seq#Equal(a#0, Seq#Empty(): Seq Box) + && Seq#Index(pat#0, LitInt(0)) == Seq#Index(a#0, LitInt(0))) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.Same0$T, + $LS($LS($LZ)), + Seq#Drop(pat#0, LitInt(1)), + a#0, + LitInt(1 - 1))); + // frame condition + free ensures old($Heap) == $Heap; + + + +implementation {:verboseName "Same0 (correctness)"} {:_induction pat#0, a#0} Impl$$_module.__default.Same0(_module._default.Same0$T: Ty, pat#0: Seq Box, a#0: Seq Box) + returns ($_reverifyPost: bool) +{ + var $_Frame: [ref,Field beta]bool; + var $initHeapForallStmt#0: Heap; + + // AddMethodImpl: Same0, Impl$$_module.__default.Same0 + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> false); + $initHeapForallStmt#0 := $Heap; + havoc $Heap, $Tick; + assume $initHeapForallStmt#0 == $Heap; + assume (forall $ih#pat0#0: Seq Box, $ih#a0#0: Seq Box :: + $Is($ih#pat0#0, TSeq(_module._default.Same0$T)) + && $Is($ih#a0#0, TSeq(_module._default.Same0$T)) + && + Seq#Length($ih#pat0#0) <= Seq#Length($ih#a0#0) + && Seq#SameUntil($ih#pat0#0, $ih#a0#0, Seq#Length($ih#pat0#0)) + && (Seq#Rank($ih#pat0#0) < Seq#Rank(pat#0) + || (Seq#Rank($ih#pat0#0) == Seq#Rank(pat#0) && Seq#Rank($ih#a0#0) < Seq#Rank(a#0))) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.Same0$T, $LS($LZ), $ih#pat0#0, $ih#a0#0, LitInt(1))); + $_reverifyPost := false; +} + + + +procedure {:verboseName "Same1 (well-formedness)"} {:_induction pat#0, a#0} CheckWellFormed$$_module.__default.Same1(_module._default.Same1$T: Ty, + pat#0: Seq Box + where $Is(pat#0, TSeq(_module._default.Same1$T)) + && $IsAlloc(pat#0, TSeq(_module._default.Same1$T), $Heap), + a#0: Seq Box + where $Is(a#0, TSeq(_module._default.Same1$T)) + && $IsAlloc(a#0, TSeq(_module._default.Same1$T), $Heap), + k#0: int where LitInt(0) <= k#0); + free requires 4 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +implementation {:verboseName "Same1 (well-formedness)"} {:_induction pat#0, a#0} CheckWellFormed$$_module.__default.Same1(_module._default.Same1$T: Ty, pat#0: Seq Box, a#0: Seq Box, k#0: int) +{ + var $_Frame: [ref,Field beta]bool; + var ##pat#0: Seq Box; + var ##a#0: Seq Box; + var ##slack#0: int; + + // AddMethodImpl: Same1, CheckWellFormed$$_module.__default.Same1 + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> false); + if (LitInt(0) <= k#0) + { + } + + assume LitInt(0) <= k#0 && k#0 < Seq#Length(pat#0); + assert 0 <= k#0 && k#0 <= Seq#Length(pat#0); + assert 0 <= k#0 + 1 && k#0 + 1 <= Seq#Length(pat#0); + assume Seq#Length(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1))) + <= Seq#Length(a#0) + && Seq#SameUntil(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1)), + a#0, + Seq#Length(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1)))); + havoc $Heap; + assume old($Heap) == $Heap; + ##pat#0 := pat#0; + // assume allocatedness for argument to function + assume $IsAlloc(##pat#0, TSeq(_module._default.Same1$T), $Heap); + ##a#0 := a#0; + // assume allocatedness for argument to function + assume $IsAlloc(##a#0, TSeq(_module._default.Same1$T), $Heap); + assert $Is(LitInt(1), Tclass._System.nat()); + ##slack#0 := LitInt(1); + // assume allocatedness for argument to function + assume $IsAlloc(##slack#0, Tclass._System.nat(), $Heap); + assume _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Same1$T, pat#0, a#0, LitInt(1)); + assume _module.__default.IsRelaxedPrefixAux(_module._default.Same1$T, $LS($LZ), pat#0, a#0, LitInt(1)); +} + + + +procedure {:verboseName "Same1 (call)"} {:_induction pat#0, a#0} Call$$_module.__default.Same1(_module._default.Same1$T: Ty, + pat#0: Seq Box + where $Is(pat#0, TSeq(_module._default.Same1$T)) + && $IsAlloc(pat#0, TSeq(_module._default.Same1$T), $Heap), + a#0: Seq Box + where $Is(a#0, TSeq(_module._default.Same1$T)) + && $IsAlloc(a#0, TSeq(_module._default.Same1$T), $Heap), + k#0: int where LitInt(0) <= k#0); + // user-defined preconditions + requires LitInt(0) <= k#0; + requires k#0 < Seq#Length(pat#0); + requires Seq#Length(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1))) + <= Seq#Length(a#0) + && Seq#SameUntil(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1)), + a#0, + Seq#Length(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1)))); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Same1$T, pat#0, a#0, LitInt(1)); + free ensures _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Same1$T, pat#0, a#0, LitInt(1)) + && + _module.__default.IsRelaxedPrefixAux(_module._default.Same1$T, $LS($LZ), pat#0, a#0, LitInt(1)) + && (if Seq#Equal(pat#0, Seq#Empty(): Seq Box) + then true + else (if !Seq#Equal(a#0, Seq#Empty(): Seq Box) + && Seq#Index(pat#0, LitInt(0)) == Seq#Index(a#0, LitInt(0)) + then _module.__default.IsRelaxedPrefixAux(_module._default.Same1$T, + $LS($LZ), + Seq#Drop(pat#0, LitInt(1)), + Seq#Drop(a#0, LitInt(1)), + LitInt(1)) + else 1 > 0 + && _module.__default.IsRelaxedPrefixAux(_module._default.Same1$T, + $LS($LZ), + Seq#Drop(pat#0, LitInt(1)), + a#0, + LitInt(1 - 1)))); + // frame condition + free ensures old($Heap) == $Heap; + + + +procedure {:verboseName "Same1 (correctness)"} {:_induction pat#0, a#0} Impl$$_module.__default.Same1(_module._default.Same1$T: Ty, + pat#0: Seq Box + where $Is(pat#0, TSeq(_module._default.Same1$T)) + && $IsAlloc(pat#0, TSeq(_module._default.Same1$T), $Heap), + a#0: Seq Box + where $Is(a#0, TSeq(_module._default.Same1$T)) + && $IsAlloc(a#0, TSeq(_module._default.Same1$T), $Heap), + k#0: int where LitInt(0) <= k#0) + returns ($_reverifyPost: bool); + free requires 4 == $FunctionContextHeight; + // user-defined preconditions + requires LitInt(0) <= k#0; + requires k#0 < Seq#Length(pat#0); + requires Seq#Length(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1))) + <= Seq#Length(a#0) + && Seq#SameUntil(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1)), + a#0, + Seq#Length(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1)))); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Same1$T, pat#0, a#0, LitInt(1)); + ensures _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Same1$T, pat#0, a#0, LitInt(1)) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.Same1$T, $LS($LZ), pat#0, a#0, LitInt(1)) + || (Seq#Equal(pat#0, Seq#Empty(): Seq Box) ==> Lit(true)); + ensures _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Same1$T, pat#0, a#0, LitInt(1)) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.Same1$T, $LS($LZ), pat#0, a#0, LitInt(1)) + || (!Seq#Equal(pat#0, Seq#Empty(): Seq Box) + ==> + !Seq#Equal(a#0, Seq#Empty(): Seq Box) + && Seq#Index(pat#0, LitInt(0)) == Seq#Index(a#0, LitInt(0)) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.Same1$T, + $LS($LS($LZ)), + Seq#Drop(pat#0, LitInt(1)), + Seq#Drop(a#0, LitInt(1)), + LitInt(1))); + ensures _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Same1$T, pat#0, a#0, LitInt(1)) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.Same1$T, $LS($LZ), pat#0, a#0, LitInt(1)) + || (!Seq#Equal(pat#0, Seq#Empty(): Seq Box) + ==> + !(!Seq#Equal(a#0, Seq#Empty(): Seq Box) + && Seq#Index(pat#0, LitInt(0)) == Seq#Index(a#0, LitInt(0))) + ==> Lit(1 > 0)); + ensures _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Same1$T, pat#0, a#0, LitInt(1)) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.Same1$T, $LS($LZ), pat#0, a#0, LitInt(1)) + || (!Seq#Equal(pat#0, Seq#Empty(): Seq Box) + ==> + !(!Seq#Equal(a#0, Seq#Empty(): Seq Box) + && Seq#Index(pat#0, LitInt(0)) == Seq#Index(a#0, LitInt(0))) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.Same1$T, + $LS($LS($LZ)), + Seq#Drop(pat#0, LitInt(1)), + a#0, + LitInt(1 - 1))); + // frame condition + free ensures old($Heap) == $Heap; + + + +implementation {:verboseName "Same1 (correctness)"} {:_induction pat#0, a#0} Impl$$_module.__default.Same1(_module._default.Same1$T: Ty, pat#0: Seq Box, a#0: Seq Box, k#0: int) + returns ($_reverifyPost: bool) +{ + var $_Frame: [ref,Field beta]bool; + var $initHeapForallStmt#0: Heap; + var d#0: int; + var $PreLoopHeap$loop#0: Heap; + var $decr_init$loop#00: int; + var $w$loop#0: bool; + var $decr$loop#00: int; + var pat##0: Seq Box; + var a##0: Seq Box; + var k##0: int; + + // AddMethodImpl: Same1, Impl$$_module.__default.Same1 + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> false); + $initHeapForallStmt#0 := $Heap; + havoc $Heap, $Tick; + assume $initHeapForallStmt#0 == $Heap; + assume (forall $ih#pat0#0: Seq Box, $ih#a0#0: Seq Box :: + $Is($ih#pat0#0, TSeq(_module._default.Same1$T)) + && $Is($ih#a0#0, TSeq(_module._default.Same1$T)) + && + LitInt(0) <= k#0 + && k#0 < Seq#Length($ih#pat0#0) + && + Seq#Length(Seq#Append(Seq#Take($ih#pat0#0, k#0), Seq#Drop($ih#pat0#0, k#0 + 1))) + <= Seq#Length($ih#a0#0) + && Seq#SameUntil(Seq#Append(Seq#Take($ih#pat0#0, k#0), Seq#Drop($ih#pat0#0, k#0 + 1)), + $ih#a0#0, + Seq#Length(Seq#Append(Seq#Take($ih#pat0#0, k#0), Seq#Drop($ih#pat0#0, k#0 + 1)))) + && (Seq#Rank($ih#pat0#0) < Seq#Rank(pat#0) + || (Seq#Rank($ih#pat0#0) == Seq#Rank(pat#0) + && (Seq#Rank($ih#a0#0) < Seq#Rank(a#0) + || (Seq#Rank($ih#a0#0) == Seq#Rank(a#0) && 0 <= k#0 && k#0 < k#0)))) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.Same1$T, $LS($LZ), $ih#pat0#0, $ih#a0#0, LitInt(1))); + $_reverifyPost := false; + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(116,9) + assume true; + assume true; + d#0 := k#0; + // ----- while statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(117,3) + // Assume Fuel Constant + $PreLoopHeap$loop#0 := $Heap; + $decr_init$loop#00 := Seq#Length(pat#0) - (d#0 + 1); + havoc $w$loop#0; + while (true) + free invariant $w$loop#0 ==> true; + invariant $w$loop#0 ==> LitInt(0) <= d#0; + invariant $w$loop#0 ==> d#0 < Seq#Length(pat#0); + invariant $w$loop#0 + ==> Seq#Length(Seq#Append(Seq#Take(pat#0, d#0), Seq#Drop(pat#0, d#0 + 1))) + <= Seq#Length(a#0) + && Seq#SameUntil(Seq#Append(Seq#Take(pat#0, d#0), Seq#Drop(pat#0, d#0 + 1)), + a#0, + Seq#Length(Seq#Append(Seq#Take(pat#0, d#0), Seq#Drop(pat#0, d#0 + 1)))); + free invariant $PreLoopHeap$loop#0 == $Heap; + free invariant (forall $o: ref, $f: Field alpha :: + { read($Heap, $o, $f) } + $o != null && read($PreLoopHeap$loop#0, $o, alloc) + ==> read($Heap, $o, $f) == read($PreLoopHeap$loop#0, $o, $f) || $_Frame[$o, $f]); + free invariant Seq#Length(pat#0) - (d#0 + 1) <= $decr_init$loop#00 + && (Seq#Length(pat#0) - (d#0 + 1) == $decr_init$loop#00 ==> true); + { + if (!$w$loop#0) + { + if (LitInt(0) <= d#0) + { + } + + if (LitInt(0) <= d#0 && d#0 < Seq#Length(pat#0)) + { + assert {:subsumption 0} 0 <= d#0 && d#0 <= Seq#Length(pat#0); + assert {:subsumption 0} 0 <= d#0 + 1 && d#0 + 1 <= Seq#Length(pat#0); + } + + assume true; + assume LitInt(0) <= d#0 + && d#0 < Seq#Length(pat#0) + && + Seq#Length(Seq#Append(Seq#Take(pat#0, d#0), Seq#Drop(pat#0, d#0 + 1))) + <= Seq#Length(a#0) + && Seq#SameUntil(Seq#Append(Seq#Take(pat#0, d#0), Seq#Drop(pat#0, d#0 + 1)), + a#0, + Seq#Length(Seq#Append(Seq#Take(pat#0, d#0), Seq#Drop(pat#0, d#0 + 1)))); + assume true; + assume false; + } + + if (d#0 + 1 < Seq#Length(pat#0)) + { + assert 0 <= d#0 && d#0 < Seq#Length(pat#0); + assert 0 <= d#0 + 1 && d#0 + 1 < Seq#Length(pat#0); + } + + assume true; + if (!(d#0 + 1 < Seq#Length(pat#0) + && Seq#Index(pat#0, d#0) == Seq#Index(pat#0, d#0 + 1))) + { + break; + } + + $decr$loop#00 := Seq#Length(pat#0) - (d#0 + 1); + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(120,7) + assume true; + assume true; + d#0 := d#0 + 1; + // ----- loop termination check ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(117,3) + assert 0 <= $decr$loop#00 || Seq#Length(pat#0) - (d#0 + 1) == $decr$loop#00; + assert Seq#Length(pat#0) - (d#0 + 1) < $decr$loop#00; + assume true; + } + + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(122,12) + // TrCallStmt: Before ProcessCallStmt + assume true; + // ProcessCallStmt: CheckSubrange + pat##0 := pat#0; + assume true; + // ProcessCallStmt: CheckSubrange + a##0 := a#0; + assume true; + // ProcessCallStmt: CheckSubrange + assert $Is(d#0, Tclass._System.nat()); + k##0 := d#0; + // ProcessCallStmt: Make the call + call Call$$_module.__default.Same1__Aux(_module._default.Same1$T, pat##0, a##0, k##0); + // TrCallStmt: After ProcessCallStmt +} + + + +procedure {:verboseName "Same1_Aux (well-formedness)"} {:_induction pat#0, a#0} CheckWellFormed$$_module.__default.Same1__Aux(_module._default.Same1_Aux$T: Ty, + pat#0: Seq Box + where $Is(pat#0, TSeq(_module._default.Same1_Aux$T)) + && $IsAlloc(pat#0, TSeq(_module._default.Same1_Aux$T), $Heap), + a#0: Seq Box + where $Is(a#0, TSeq(_module._default.Same1_Aux$T)) + && $IsAlloc(a#0, TSeq(_module._default.Same1_Aux$T), $Heap), + k#0: int where LitInt(0) <= k#0); + free requires 3 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +implementation {:verboseName "Same1_Aux (well-formedness)"} {:_induction pat#0, a#0} CheckWellFormed$$_module.__default.Same1__Aux(_module._default.Same1_Aux$T: Ty, pat#0: Seq Box, a#0: Seq Box, k#0: int) +{ + var $_Frame: [ref,Field beta]bool; + var ##pat#0: Seq Box; + var ##a#0: Seq Box; + var ##slack#0: int; + + // AddMethodImpl: Same1_Aux, CheckWellFormed$$_module.__default.Same1__Aux + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> false); + if (LitInt(0) <= k#0) + { + } + + assume LitInt(0) <= k#0 && k#0 < Seq#Length(pat#0); + assert 0 <= k#0 && k#0 <= Seq#Length(pat#0); + assert 0 <= k#0 + 1 && k#0 + 1 <= Seq#Length(pat#0); + assume Seq#Length(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1))) + <= Seq#Length(a#0) + && Seq#SameUntil(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1)), + a#0, + Seq#Length(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1)))); + if (k#0 + 1 != Seq#Length(pat#0)) + { + assert 0 <= k#0 && k#0 < Seq#Length(pat#0); + assert 0 <= k#0 + 1 && k#0 + 1 < Seq#Length(pat#0); + } + + assume k#0 + 1 == Seq#Length(pat#0) + || Seq#Index(pat#0, k#0) != Seq#Index(pat#0, k#0 + 1); + havoc $Heap; + assume old($Heap) == $Heap; + ##pat#0 := pat#0; + // assume allocatedness for argument to function + assume $IsAlloc(##pat#0, TSeq(_module._default.Same1_Aux$T), $Heap); + ##a#0 := a#0; + // assume allocatedness for argument to function + assume $IsAlloc(##a#0, TSeq(_module._default.Same1_Aux$T), $Heap); + assert $Is(LitInt(1), Tclass._System.nat()); + ##slack#0 := LitInt(1); + // assume allocatedness for argument to function + assume $IsAlloc(##slack#0, Tclass._System.nat(), $Heap); + assume _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Same1_Aux$T, pat#0, a#0, LitInt(1)); + assume _module.__default.IsRelaxedPrefixAux(_module._default.Same1_Aux$T, $LS($LZ), pat#0, a#0, LitInt(1)); +} + + + +procedure {:verboseName "Same1_Aux (call)"} {:_induction pat#0, a#0} Call$$_module.__default.Same1__Aux(_module._default.Same1_Aux$T: Ty, + pat#0: Seq Box + where $Is(pat#0, TSeq(_module._default.Same1_Aux$T)) + && $IsAlloc(pat#0, TSeq(_module._default.Same1_Aux$T), $Heap), + a#0: Seq Box + where $Is(a#0, TSeq(_module._default.Same1_Aux$T)) + && $IsAlloc(a#0, TSeq(_module._default.Same1_Aux$T), $Heap), + k#0: int where LitInt(0) <= k#0); + // user-defined preconditions + requires LitInt(0) <= k#0; + requires k#0 < Seq#Length(pat#0); + requires Seq#Length(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1))) + <= Seq#Length(a#0) + && Seq#SameUntil(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1)), + a#0, + Seq#Length(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1)))); + requires k#0 + 1 == Seq#Length(pat#0) + || Seq#Index(pat#0, k#0) != Seq#Index(pat#0, k#0 + 1); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Same1_Aux$T, pat#0, a#0, LitInt(1)); + free ensures _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Same1_Aux$T, pat#0, a#0, LitInt(1)) + && + _module.__default.IsRelaxedPrefixAux(_module._default.Same1_Aux$T, $LS($LZ), pat#0, a#0, LitInt(1)) + && (if Seq#Equal(pat#0, Seq#Empty(): Seq Box) + then true + else (if !Seq#Equal(a#0, Seq#Empty(): Seq Box) + && Seq#Index(pat#0, LitInt(0)) == Seq#Index(a#0, LitInt(0)) + then _module.__default.IsRelaxedPrefixAux(_module._default.Same1_Aux$T, + $LS($LZ), + Seq#Drop(pat#0, LitInt(1)), + Seq#Drop(a#0, LitInt(1)), + LitInt(1)) + else 1 > 0 + && _module.__default.IsRelaxedPrefixAux(_module._default.Same1_Aux$T, + $LS($LZ), + Seq#Drop(pat#0, LitInt(1)), + a#0, + LitInt(1 - 1)))); + // frame condition + free ensures old($Heap) == $Heap; + + + +procedure {:verboseName "Same1_Aux (correctness)"} {:_induction pat#0, a#0} Impl$$_module.__default.Same1__Aux(_module._default.Same1_Aux$T: Ty, + pat#0: Seq Box + where $Is(pat#0, TSeq(_module._default.Same1_Aux$T)) + && $IsAlloc(pat#0, TSeq(_module._default.Same1_Aux$T), $Heap), + a#0: Seq Box + where $Is(a#0, TSeq(_module._default.Same1_Aux$T)) + && $IsAlloc(a#0, TSeq(_module._default.Same1_Aux$T), $Heap), + k#0: int where LitInt(0) <= k#0) + returns ($_reverifyPost: bool); + free requires 3 == $FunctionContextHeight; + // user-defined preconditions + requires LitInt(0) <= k#0; + requires k#0 < Seq#Length(pat#0); + requires Seq#Length(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1))) + <= Seq#Length(a#0) + && Seq#SameUntil(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1)), + a#0, + Seq#Length(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1)))); + requires k#0 + 1 == Seq#Length(pat#0) + || Seq#Index(pat#0, k#0) != Seq#Index(pat#0, k#0 + 1); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Same1_Aux$T, pat#0, a#0, LitInt(1)); + ensures _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Same1_Aux$T, pat#0, a#0, LitInt(1)) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.Same1_Aux$T, $LS($LZ), pat#0, a#0, LitInt(1)) + || (Seq#Equal(pat#0, Seq#Empty(): Seq Box) ==> Lit(true)); + ensures _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Same1_Aux$T, pat#0, a#0, LitInt(1)) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.Same1_Aux$T, $LS($LZ), pat#0, a#0, LitInt(1)) + || (!Seq#Equal(pat#0, Seq#Empty(): Seq Box) + ==> + !Seq#Equal(a#0, Seq#Empty(): Seq Box) + && Seq#Index(pat#0, LitInt(0)) == Seq#Index(a#0, LitInt(0)) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.Same1_Aux$T, + $LS($LS($LZ)), + Seq#Drop(pat#0, LitInt(1)), + Seq#Drop(a#0, LitInt(1)), + LitInt(1))); + ensures _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Same1_Aux$T, pat#0, a#0, LitInt(1)) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.Same1_Aux$T, $LS($LZ), pat#0, a#0, LitInt(1)) + || (!Seq#Equal(pat#0, Seq#Empty(): Seq Box) + ==> + !(!Seq#Equal(a#0, Seq#Empty(): Seq Box) + && Seq#Index(pat#0, LitInt(0)) == Seq#Index(a#0, LitInt(0))) + ==> Lit(1 > 0)); + ensures _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Same1_Aux$T, pat#0, a#0, LitInt(1)) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.Same1_Aux$T, $LS($LZ), pat#0, a#0, LitInt(1)) + || (!Seq#Equal(pat#0, Seq#Empty(): Seq Box) + ==> + !(!Seq#Equal(a#0, Seq#Empty(): Seq Box) + && Seq#Index(pat#0, LitInt(0)) == Seq#Index(a#0, LitInt(0))) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.Same1_Aux$T, + $LS($LS($LZ)), + Seq#Drop(pat#0, LitInt(1)), + a#0, + LitInt(1 - 1))); + // frame condition + free ensures old($Heap) == $Heap; + + + +implementation {:verboseName "Same1_Aux (correctness)"} {:_induction pat#0, a#0} Impl$$_module.__default.Same1__Aux(_module._default.Same1_Aux$T: Ty, pat#0: Seq Box, a#0: Seq Box, k#0: int) + returns ($_reverifyPost: bool) +{ + var $_Frame: [ref,Field beta]bool; + var $initHeapForallStmt#0: Heap; + var ##pat#0_1_0: Seq Box; + var ##a#0_1_0: Seq Box; + var ##slack#0_1_0: int; + var ##pat#0_1_1: Seq Box; + var ##a#0_1_1: Seq Box; + var ##slack#0_1_1: int; + var pat##0_1_0: Seq Box; + var a##0_1_0: Seq Box; + var k##0_1_0: int; + var ##pat#1_0_0: Seq Box; + var ##a#1_0_0: Seq Box; + var ##slack#1_0_0: int; + var ##pat#1_0_1: Seq Box; + var ##a#1_0_1: Seq Box; + var ##slack#1_0_1: int; + var pat##1_0_0: Seq Box; + var a##1_0_0: Seq Box; + var pat##1_1_0: Seq Box; + var a##1_1_0: Seq Box; + var k##1_1_0: int; + + // AddMethodImpl: Same1_Aux, Impl$$_module.__default.Same1__Aux + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> false); + $initHeapForallStmt#0 := $Heap; + havoc $Heap, $Tick; + assume $initHeapForallStmt#0 == $Heap; + assume (forall $ih#pat0#0: Seq Box, $ih#a0#0: Seq Box :: + $Is($ih#pat0#0, TSeq(_module._default.Same1_Aux$T)) + && $Is($ih#a0#0, TSeq(_module._default.Same1_Aux$T)) + && + LitInt(0) <= k#0 + && k#0 < Seq#Length($ih#pat0#0) + && + Seq#Length(Seq#Append(Seq#Take($ih#pat0#0, k#0), Seq#Drop($ih#pat0#0, k#0 + 1))) + <= Seq#Length($ih#a0#0) + && Seq#SameUntil(Seq#Append(Seq#Take($ih#pat0#0, k#0), Seq#Drop($ih#pat0#0, k#0 + 1)), + $ih#a0#0, + Seq#Length(Seq#Append(Seq#Take($ih#pat0#0, k#0), Seq#Drop($ih#pat0#0, k#0 + 1)))) + && (k#0 + 1 == Seq#Length($ih#pat0#0) + || Seq#Index($ih#pat0#0, k#0) != Seq#Index($ih#pat0#0, k#0 + 1)) + && (Seq#Rank($ih#pat0#0) < Seq#Rank(pat#0) + || (Seq#Rank($ih#pat0#0) == Seq#Rank(pat#0) + && (Seq#Rank($ih#a0#0) < Seq#Rank(a#0) + || (Seq#Rank($ih#a0#0) == Seq#Rank(a#0) && 0 <= k#0 && k#0 < k#0)))) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.Same1_Aux$T, $LS($LZ), $ih#pat0#0, $ih#a0#0, LitInt(1))); + $_reverifyPost := false; + // ----- if statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(128,3) + assume true; + if (k#0 + 1 == Seq#Length(pat#0)) + { + // ----- assert statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(129,5) + assert {:subsumption 0} 0 <= k#0 && k#0 <= Seq#Length(pat#0); + assert {:subsumption 0} 0 <= k#0 + 1 && k#0 + 1 <= Seq#Length(pat#0); + assert {:subsumption 0} 0 <= k#0 && k#0 <= Seq#Length(pat#0); + if (Seq#Equal(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1)), Seq#Take(pat#0, k#0))) + { + assert {:subsumption 0} 0 <= k#0 && k#0 <= Seq#Length(pat#0); + } + + assume true; + assert {:subsumption 0} Seq#Equal(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1)), Seq#Take(pat#0, k#0)); + assert {:subsumption 0} Seq#Length(Seq#Take(pat#0, k#0)) <= Seq#Length(a#0) + && Seq#SameUntil(Seq#Take(pat#0, k#0), a#0, Seq#Length(Seq#Take(pat#0, k#0))); + assume Seq#Equal(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1)), Seq#Take(pat#0, k#0)) + && + Seq#Length(Seq#Take(pat#0, k#0)) <= Seq#Length(a#0) + && Seq#SameUntil(Seq#Take(pat#0, k#0), a#0, Seq#Length(Seq#Take(pat#0, k#0))); + // ----- if statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(130,5) + assume true; + if (k#0 == LitInt(0)) + { + } + else + { + // ----- assert statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(132,7) + ##pat#0_1_0 := pat#0; + // assume allocatedness for argument to function + assume $IsAlloc(##pat#0_1_0, TSeq(_module._default.Same1_Aux$T), $Heap); + ##a#0_1_0 := a#0; + // assume allocatedness for argument to function + assume $IsAlloc(##a#0_1_0, TSeq(_module._default.Same1_Aux$T), $Heap); + assert $Is(LitInt(1), Tclass._System.nat()); + ##slack#0_1_0 := LitInt(1); + // assume allocatedness for argument to function + assume $IsAlloc(##slack#0_1_0, Tclass._System.nat(), $Heap); + assume _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Same1_Aux$T, pat#0, a#0, LitInt(1)); + assert {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(pat#0); + assert {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(a#0); + ##pat#0_1_1 := Seq#Drop(pat#0, LitInt(1)); + // assume allocatedness for argument to function + assume $IsAlloc(##pat#0_1_1, TSeq(_module._default.Same1_Aux$T), $Heap); + ##a#0_1_1 := Seq#Drop(a#0, LitInt(1)); + // assume allocatedness for argument to function + assume $IsAlloc(##a#0_1_1, TSeq(_module._default.Same1_Aux$T), $Heap); + assert $Is(LitInt(1), Tclass._System.nat()); + ##slack#0_1_1 := LitInt(1); + // assume allocatedness for argument to function + assume $IsAlloc(##slack#0_1_1, Tclass._System.nat(), $Heap); + assume _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Same1_Aux$T, + Seq#Drop(pat#0, LitInt(1)), + Seq#Drop(a#0, LitInt(1)), + LitInt(1)); + assume _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Same1_Aux$T, pat#0, a#0, LitInt(1)) + && _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Same1_Aux$T, + Seq#Drop(pat#0, LitInt(1)), + Seq#Drop(a#0, LitInt(1)), + LitInt(1)); + assert {:subsumption 0} _module.__default.IsRelaxedPrefixAux(_module._default.Same1_Aux$T, $LS($LS($LZ)), pat#0, a#0, LitInt(1)) + == _module.__default.IsRelaxedPrefixAux(_module._default.Same1_Aux$T, + $LS($LS($LZ)), + Seq#Drop(pat#0, LitInt(1)), + Seq#Drop(a#0, LitInt(1)), + LitInt(1)); + assume _module.__default.IsRelaxedPrefixAux(_module._default.Same1_Aux$T, $LS($LZ), pat#0, a#0, LitInt(1)) + == _module.__default.IsRelaxedPrefixAux(_module._default.Same1_Aux$T, + $LS($LZ), + Seq#Drop(pat#0, LitInt(1)), + Seq#Drop(a#0, LitInt(1)), + LitInt(1)); + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(133,16) + // TrCallStmt: Before ProcessCallStmt + assert 0 <= LitInt(1) && LitInt(1) <= Seq#Length(pat#0); + assume true; + // ProcessCallStmt: CheckSubrange + pat##0_1_0 := Seq#Drop(pat#0, LitInt(1)); + assert 0 <= LitInt(1) && LitInt(1) <= Seq#Length(a#0); + assume true; + // ProcessCallStmt: CheckSubrange + a##0_1_0 := Seq#Drop(a#0, LitInt(1)); + assume true; + // ProcessCallStmt: CheckSubrange + assert $Is(k#0 - 1, Tclass._System.nat()); + k##0_1_0 := k#0 - 1; + assert 0 <= k#0 + || Seq#Rank(pat##0_1_0) < Seq#Rank(pat#0) + || Seq#Rank(a##0_1_0) < Seq#Rank(a#0) + || k##0_1_0 == k#0; + assert Seq#Rank(pat##0_1_0) < Seq#Rank(pat#0) + || (Seq#Rank(pat##0_1_0) == Seq#Rank(pat#0) + && (Seq#Rank(a##0_1_0) < Seq#Rank(a#0) + || (Seq#Rank(a##0_1_0) == Seq#Rank(a#0) && k##0_1_0 < k#0))); + // ProcessCallStmt: Make the call + call Call$$_module.__default.Same1__Aux(_module._default.Same1_Aux$T, pat##0_1_0, a##0_1_0, k##0_1_0); + // TrCallStmt: After ProcessCallStmt + } + } + else + { + // ----- if statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(135,10) + assume true; + if (k#0 == LitInt(0)) + { + // ----- assert statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(136,5) + assert {:subsumption 0} 0 <= LitInt(0) && LitInt(0) <= Seq#Length(pat#0); + assert {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(pat#0); + assert {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(pat#0); + assume true; + assert Seq#Equal(Seq#Append(Seq#Take(pat#0, LitInt(0)), Seq#Drop(pat#0, LitInt(1))), + Seq#Drop(pat#0, LitInt(1))); + // ----- assert statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(137,5) + assert {:subsumption 0} 0 <= LitInt(1) && LitInt(1) < Seq#Length(pat#0); + assert {:subsumption 0} 0 <= LitInt(0) && LitInt(0) < Seq#Length(a#0); + assume true; + assert Seq#Index(pat#0, LitInt(1)) == Seq#Index(a#0, LitInt(0)); + // ----- assert statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(138,5) + assert {:subsumption 0} 0 <= LitInt(0) && LitInt(0) < Seq#Length(pat#0); + assert {:subsumption 0} 0 <= LitInt(1) && LitInt(1) < Seq#Length(pat#0); + assume true; + assert Seq#Index(pat#0, LitInt(0)) != Seq#Index(pat#0, LitInt(1)); + // ----- assert statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(139,5) + ##pat#1_0_0 := pat#0; + // assume allocatedness for argument to function + assume $IsAlloc(##pat#1_0_0, TSeq(_module._default.Same1_Aux$T), $Heap); + ##a#1_0_0 := a#0; + // assume allocatedness for argument to function + assume $IsAlloc(##a#1_0_0, TSeq(_module._default.Same1_Aux$T), $Heap); + assert $Is(LitInt(1), Tclass._System.nat()); + ##slack#1_0_0 := LitInt(1); + // assume allocatedness for argument to function + assume $IsAlloc(##slack#1_0_0, Tclass._System.nat(), $Heap); + assume _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Same1_Aux$T, pat#0, a#0, LitInt(1)); + assert {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(pat#0); + ##pat#1_0_1 := Seq#Drop(pat#0, LitInt(1)); + // assume allocatedness for argument to function + assume $IsAlloc(##pat#1_0_1, TSeq(_module._default.Same1_Aux$T), $Heap); + ##a#1_0_1 := a#0; + // assume allocatedness for argument to function + assume $IsAlloc(##a#1_0_1, TSeq(_module._default.Same1_Aux$T), $Heap); + assert $Is(LitInt(0), Tclass._System.nat()); + ##slack#1_0_1 := LitInt(0); + // assume allocatedness for argument to function + assume $IsAlloc(##slack#1_0_1, Tclass._System.nat(), $Heap); + assume _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Same1_Aux$T, Seq#Drop(pat#0, LitInt(1)), a#0, LitInt(0)); + assume _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Same1_Aux$T, pat#0, a#0, LitInt(1)) + && _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Same1_Aux$T, Seq#Drop(pat#0, LitInt(1)), a#0, LitInt(0)); + assert {:subsumption 0} _module.__default.IsRelaxedPrefixAux(_module._default.Same1_Aux$T, $LS($LS($LZ)), pat#0, a#0, LitInt(1)) + == _module.__default.IsRelaxedPrefixAux(_module._default.Same1_Aux$T, + $LS($LS($LZ)), + Seq#Drop(pat#0, LitInt(1)), + a#0, + LitInt(0)); + assume _module.__default.IsRelaxedPrefixAux(_module._default.Same1_Aux$T, $LS($LZ), pat#0, a#0, LitInt(1)) + == _module.__default.IsRelaxedPrefixAux(_module._default.Same1_Aux$T, + $LS($LZ), + Seq#Drop(pat#0, LitInt(1)), + a#0, + LitInt(0)); + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(140,11) + // TrCallStmt: Before ProcessCallStmt + assert 0 <= LitInt(1) && LitInt(1) <= Seq#Length(pat#0); + assume true; + // ProcessCallStmt: CheckSubrange + pat##1_0_0 := Seq#Drop(pat#0, LitInt(1)); + assume true; + // ProcessCallStmt: CheckSubrange + a##1_0_0 := a#0; + // ProcessCallStmt: Make the call + call Call$$_module.__default.Prefix(_module._default.Same1_Aux$T, pat##1_0_0, a##1_0_0); + // TrCallStmt: After ProcessCallStmt + } + else + { + // ----- calc statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(142,5) + // Assume Fuel Constant + if (*) + { + // ----- assert wf[initial] ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(142,5) + assume true; + assume false; + } + else if (*) + { + // ----- assume wf[lhs] ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(142,5) + assume true; + // ----- assume lhs ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(142,5) + assume true; + // ----- Hint0 ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(142,5) + // ----- assert wf[rhs] ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(142,5) + assert {:subsumption 0} 0 <= k#0 && k#0 <= Seq#Length(pat#0); + assert {:subsumption 0} 0 <= k#0 + 1 && k#0 + 1 <= Seq#Length(pat#0); + assume true; + // ----- assert line0 ==> line1 ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(142,5) + assert {:subsumption 0} Lit(true) + ==> Seq#Length(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1))) + <= Seq#Length(a#0) + && Seq#SameUntil(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1)), + a#0, + Seq#Length(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1)))); + assume false; + } + else if (*) + { + // ----- assume wf[lhs] ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(142,5) + assume {:subsumption 0} 0 <= k#0 && k#0 <= Seq#Length(pat#0); + assume {:subsumption 0} 0 <= k#0 + 1 && k#0 + 1 <= Seq#Length(pat#0); + assume true; + // ----- assume lhs ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(142,5) + assume Seq#Length(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1))) + <= Seq#Length(a#0) + && Seq#SameUntil(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1)), + a#0, + Seq#Length(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1)))); + // ----- Hint1 ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(142,5) + // ----- assert wf[rhs] ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(142,5) + assert {:subsumption 0} 0 <= k#0 && k#0 <= Seq#Length(pat#0); + assert {:subsumption 0} 0 <= k#0 + 1 && k#0 + 1 <= Seq#Length(pat#0); + assert {:subsumption 0} 0 <= LitInt(1) + && LitInt(1) + <= Seq#Length(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1))); + assert {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(a#0); + assume true; + // ----- assert line1 ==> line2 ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(142,5) + assert {:subsumption 0} Seq#Length(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1))) + <= Seq#Length(a#0) + && Seq#SameUntil(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1)), + a#0, + Seq#Length(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1)))) + ==> Seq#Length(Seq#Drop(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1)), LitInt(1))) + <= Seq#Length(Seq#Drop(a#0, LitInt(1))) + && Seq#SameUntil(Seq#Drop(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1)), LitInt(1)), + Seq#Drop(a#0, LitInt(1)), + Seq#Length(Seq#Drop(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1)), LitInt(1)))); + assume false; + } + else if (*) + { + // ----- assume wf[lhs] ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(142,5) + assume {:subsumption 0} 0 <= k#0 && k#0 <= Seq#Length(pat#0); + assume {:subsumption 0} 0 <= k#0 + 1 && k#0 + 1 <= Seq#Length(pat#0); + assume {:subsumption 0} 0 <= LitInt(1) + && LitInt(1) + <= Seq#Length(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1))); + assume {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(a#0); + assume true; + // ----- assume lhs ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(142,5) + assume Seq#Length(Seq#Drop(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1)), LitInt(1))) + <= Seq#Length(Seq#Drop(a#0, LitInt(1))) + && Seq#SameUntil(Seq#Drop(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1)), LitInt(1)), + Seq#Drop(a#0, LitInt(1)), + Seq#Length(Seq#Drop(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1)), LitInt(1)))); + // ----- Hint2 ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(142,5) + // ----- assert wf[rhs] ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(142,5) + assert {:subsumption 0} 0 <= k#0 && k#0 <= Seq#Length(pat#0); + assert {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(Seq#Take(pat#0, k#0)); + assert {:subsumption 0} 0 <= k#0 + 1 && k#0 + 1 <= Seq#Length(pat#0); + assert {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(a#0); + assume true; + // ----- assert line2 ==> line3 ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(142,5) + assert {:subsumption 0} Seq#Length(Seq#Drop(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1)), LitInt(1))) + <= Seq#Length(Seq#Drop(a#0, LitInt(1))) + && Seq#SameUntil(Seq#Drop(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1)), LitInt(1)), + Seq#Drop(a#0, LitInt(1)), + Seq#Length(Seq#Drop(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1)), LitInt(1)))) + ==> Seq#Length(Seq#Append(Seq#Drop(Seq#Take(pat#0, k#0), LitInt(1)), Seq#Drop(pat#0, k#0 + 1))) + <= Seq#Length(Seq#Drop(a#0, LitInt(1))) + && Seq#SameUntil(Seq#Append(Seq#Drop(Seq#Take(pat#0, k#0), LitInt(1)), Seq#Drop(pat#0, k#0 + 1)), + Seq#Drop(a#0, LitInt(1)), + Seq#Length(Seq#Append(Seq#Drop(Seq#Take(pat#0, k#0), LitInt(1)), Seq#Drop(pat#0, k#0 + 1)))); + assume false; + } + else if (*) + { + // ----- assume wf[lhs] ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(142,5) + assume {:subsumption 0} 0 <= k#0 && k#0 <= Seq#Length(pat#0); + assume {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(Seq#Take(pat#0, k#0)); + assume {:subsumption 0} 0 <= k#0 + 1 && k#0 + 1 <= Seq#Length(pat#0); + assume {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(a#0); + assume true; + // ----- assume lhs ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(142,5) + assume Seq#Length(Seq#Append(Seq#Drop(Seq#Take(pat#0, k#0), LitInt(1)), Seq#Drop(pat#0, k#0 + 1))) + <= Seq#Length(Seq#Drop(a#0, LitInt(1))) + && Seq#SameUntil(Seq#Append(Seq#Drop(Seq#Take(pat#0, k#0), LitInt(1)), Seq#Drop(pat#0, k#0 + 1)), + Seq#Drop(a#0, LitInt(1)), + Seq#Length(Seq#Append(Seq#Drop(Seq#Take(pat#0, k#0), LitInt(1)), Seq#Drop(pat#0, k#0 + 1)))); + // ----- Hint3 ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(142,5) + // ----- assert statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(147,9) + assert {:subsumption 0} 0 <= k#0 && k#0 <= Seq#Length(pat#0); + assert {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(Seq#Take(pat#0, k#0)); + assert {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(pat#0); + assert {:subsumption 0} 0 <= k#0 - 1 && k#0 - 1 <= Seq#Length(Seq#Drop(pat#0, LitInt(1))); + assume true; + assert Seq#Equal(Seq#Drop(Seq#Take(pat#0, k#0), LitInt(1)), + Seq#Take(Seq#Drop(pat#0, LitInt(1)), k#0 - 1)); + // ----- assert wf[rhs] ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(142,5) + assert {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(pat#0); + assert {:subsumption 0} 0 <= k#0 - 1 && k#0 - 1 <= Seq#Length(Seq#Drop(pat#0, LitInt(1))); + assert {:subsumption 0} 0 <= k#0 + 1 && k#0 + 1 <= Seq#Length(pat#0); + assert {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(a#0); + assume true; + // ----- assert line3 ==> line4 ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(142,5) + assert {:subsumption 0} Seq#Length(Seq#Append(Seq#Drop(Seq#Take(pat#0, k#0), LitInt(1)), Seq#Drop(pat#0, k#0 + 1))) + <= Seq#Length(Seq#Drop(a#0, LitInt(1))) + && Seq#SameUntil(Seq#Append(Seq#Drop(Seq#Take(pat#0, k#0), LitInt(1)), Seq#Drop(pat#0, k#0 + 1)), + Seq#Drop(a#0, LitInt(1)), + Seq#Length(Seq#Append(Seq#Drop(Seq#Take(pat#0, k#0), LitInt(1)), Seq#Drop(pat#0, k#0 + 1)))) + ==> Seq#Length(Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), k#0 - 1), Seq#Drop(pat#0, k#0 + 1))) + <= Seq#Length(Seq#Drop(a#0, LitInt(1))) + && Seq#SameUntil(Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), k#0 - 1), Seq#Drop(pat#0, k#0 + 1)), + Seq#Drop(a#0, LitInt(1)), + Seq#Length(Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), k#0 - 1), Seq#Drop(pat#0, k#0 + 1)))); + assume false; + } + else if (*) + { + // ----- assume wf[lhs] ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(142,5) + assume {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(pat#0); + assume {:subsumption 0} 0 <= k#0 - 1 && k#0 - 1 <= Seq#Length(Seq#Drop(pat#0, LitInt(1))); + assume {:subsumption 0} 0 <= k#0 + 1 && k#0 + 1 <= Seq#Length(pat#0); + assume {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(a#0); + assume true; + // ----- assume lhs ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(142,5) + assume Seq#Length(Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), k#0 - 1), Seq#Drop(pat#0, k#0 + 1))) + <= Seq#Length(Seq#Drop(a#0, LitInt(1))) + && Seq#SameUntil(Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), k#0 - 1), Seq#Drop(pat#0, k#0 + 1)), + Seq#Drop(a#0, LitInt(1)), + Seq#Length(Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), k#0 - 1), Seq#Drop(pat#0, k#0 + 1)))); + // ----- Hint4 ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(142,5) + // ----- assert statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(149,9) + assert {:subsumption 0} 0 <= k#0 + 1 && k#0 + 1 <= Seq#Length(pat#0); + assert {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(pat#0); + assert {:subsumption 0} 0 <= k#0 && k#0 <= Seq#Length(Seq#Drop(pat#0, LitInt(1))); + assume true; + assert Seq#Equal(Seq#Drop(pat#0, k#0 + 1), Seq#Drop(Seq#Drop(pat#0, LitInt(1)), k#0)); + // ----- assert wf[rhs] ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(142,5) + assert {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(pat#0); + assert {:subsumption 0} 0 <= k#0 - 1 && k#0 - 1 <= Seq#Length(Seq#Drop(pat#0, LitInt(1))); + assert {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(pat#0); + assert {:subsumption 0} 0 <= k#0 && k#0 <= Seq#Length(Seq#Drop(pat#0, LitInt(1))); + assert {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(a#0); + assume true; + // ----- assert line4 ==> line5 ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(142,5) + assert {:subsumption 0} Seq#Length(Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), k#0 - 1), Seq#Drop(pat#0, k#0 + 1))) + <= Seq#Length(Seq#Drop(a#0, LitInt(1))) + && Seq#SameUntil(Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), k#0 - 1), Seq#Drop(pat#0, k#0 + 1)), + Seq#Drop(a#0, LitInt(1)), + Seq#Length(Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), k#0 - 1), Seq#Drop(pat#0, k#0 + 1)))) + ==> Seq#Length(Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), k#0 - 1), + Seq#Drop(Seq#Drop(pat#0, LitInt(1)), k#0))) + <= Seq#Length(Seq#Drop(a#0, LitInt(1))) + && Seq#SameUntil(Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), k#0 - 1), + Seq#Drop(Seq#Drop(pat#0, LitInt(1)), k#0)), + Seq#Drop(a#0, LitInt(1)), + Seq#Length(Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), k#0 - 1), + Seq#Drop(Seq#Drop(pat#0, LitInt(1)), k#0)))); + assume false; + } + + assume true + ==> Seq#Length(Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), k#0 - 1), + Seq#Drop(Seq#Drop(pat#0, LitInt(1)), k#0))) + <= Seq#Length(Seq#Drop(a#0, LitInt(1))) + && Seq#SameUntil(Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), k#0 - 1), + Seq#Drop(Seq#Drop(pat#0, LitInt(1)), k#0)), + Seq#Drop(a#0, LitInt(1)), + Seq#Length(Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), k#0 - 1), + Seq#Drop(Seq#Drop(pat#0, LitInt(1)), k#0)))); + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(152,14) + // TrCallStmt: Before ProcessCallStmt + assert 0 <= LitInt(1) && LitInt(1) <= Seq#Length(pat#0); + assume true; + // ProcessCallStmt: CheckSubrange + pat##1_1_0 := Seq#Drop(pat#0, LitInt(1)); + assert 0 <= LitInt(1) && LitInt(1) <= Seq#Length(a#0); + assume true; + // ProcessCallStmt: CheckSubrange + a##1_1_0 := Seq#Drop(a#0, LitInt(1)); + assume true; + // ProcessCallStmt: CheckSubrange + assert $Is(k#0 - 1, Tclass._System.nat()); + k##1_1_0 := k#0 - 1; + assert 0 <= k#0 + || Seq#Rank(pat##1_1_0) < Seq#Rank(pat#0) + || Seq#Rank(a##1_1_0) < Seq#Rank(a#0) + || k##1_1_0 == k#0; + assert Seq#Rank(pat##1_1_0) < Seq#Rank(pat#0) + || (Seq#Rank(pat##1_1_0) == Seq#Rank(pat#0) + && (Seq#Rank(a##1_1_0) < Seq#Rank(a#0) + || (Seq#Rank(a##1_1_0) == Seq#Rank(a#0) && k##1_1_0 < k#0))); + // ProcessCallStmt: Make the call + call Call$$_module.__default.Same1__Aux(_module._default.Same1_Aux$T, pat##1_1_0, a##1_1_0, k##1_1_0); + // TrCallStmt: After ProcessCallStmt + } + } +} + + + +procedure {:verboseName "Prefix (well-formedness)"} {:_induction pat#0, a#0} CheckWellFormed$$_module.__default.Prefix(_module._default.Prefix$T: Ty, + pat#0: Seq Box + where $Is(pat#0, TSeq(_module._default.Prefix$T)) + && $IsAlloc(pat#0, TSeq(_module._default.Prefix$T), $Heap), + a#0: Seq Box + where $Is(a#0, TSeq(_module._default.Prefix$T)) + && $IsAlloc(a#0, TSeq(_module._default.Prefix$T), $Heap)); + free requires 2 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +implementation {:verboseName "Prefix (well-formedness)"} {:_induction pat#0, a#0} CheckWellFormed$$_module.__default.Prefix(_module._default.Prefix$T: Ty, pat#0: Seq Box, a#0: Seq Box) +{ + var $_Frame: [ref,Field beta]bool; + var ##pat#0: Seq Box; + var ##a#0: Seq Box; + var ##slack#0: int; + + // AddMethodImpl: Prefix, CheckWellFormed$$_module.__default.Prefix + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> false); + assume Seq#Length(pat#0) <= Seq#Length(a#0) + && Seq#SameUntil(pat#0, a#0, Seq#Length(pat#0)); + havoc $Heap; + assume old($Heap) == $Heap; + ##pat#0 := pat#0; + // assume allocatedness for argument to function + assume $IsAlloc(##pat#0, TSeq(_module._default.Prefix$T), $Heap); + ##a#0 := a#0; + // assume allocatedness for argument to function + assume $IsAlloc(##a#0, TSeq(_module._default.Prefix$T), $Heap); + assert $Is(LitInt(0), Tclass._System.nat()); + ##slack#0 := LitInt(0); + // assume allocatedness for argument to function + assume $IsAlloc(##slack#0, Tclass._System.nat(), $Heap); + assume _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Prefix$T, pat#0, a#0, LitInt(0)); + assume _module.__default.IsRelaxedPrefixAux(_module._default.Prefix$T, $LS($LZ), pat#0, a#0, LitInt(0)); +} + + + +procedure {:verboseName "Prefix (call)"} {:_induction pat#0, a#0} Call$$_module.__default.Prefix(_module._default.Prefix$T: Ty, + pat#0: Seq Box + where $Is(pat#0, TSeq(_module._default.Prefix$T)) + && $IsAlloc(pat#0, TSeq(_module._default.Prefix$T), $Heap), + a#0: Seq Box + where $Is(a#0, TSeq(_module._default.Prefix$T)) + && $IsAlloc(a#0, TSeq(_module._default.Prefix$T), $Heap)); + // user-defined preconditions + requires Seq#Length(pat#0) <= Seq#Length(a#0) + && Seq#SameUntil(pat#0, a#0, Seq#Length(pat#0)); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Prefix$T, pat#0, a#0, LitInt(0)); + free ensures _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Prefix$T, pat#0, a#0, LitInt(0)) + && + _module.__default.IsRelaxedPrefixAux(_module._default.Prefix$T, $LS($LZ), pat#0, a#0, LitInt(0)) + && (if Seq#Equal(pat#0, Seq#Empty(): Seq Box) + then true + else (if !Seq#Equal(a#0, Seq#Empty(): Seq Box) + && Seq#Index(pat#0, LitInt(0)) == Seq#Index(a#0, LitInt(0)) + then _module.__default.IsRelaxedPrefixAux(_module._default.Prefix$T, + $LS($LZ), + Seq#Drop(pat#0, LitInt(1)), + Seq#Drop(a#0, LitInt(1)), + LitInt(0)) + else 0 > 0 + && _module.__default.IsRelaxedPrefixAux(_module._default.Prefix$T, + $LS($LZ), + Seq#Drop(pat#0, LitInt(1)), + a#0, + LitInt(0 - 1)))); + // frame condition + free ensures old($Heap) == $Heap; + + + +procedure {:verboseName "Prefix (correctness)"} {:_induction pat#0, a#0} Impl$$_module.__default.Prefix(_module._default.Prefix$T: Ty, + pat#0: Seq Box + where $Is(pat#0, TSeq(_module._default.Prefix$T)) + && $IsAlloc(pat#0, TSeq(_module._default.Prefix$T), $Heap), + a#0: Seq Box + where $Is(a#0, TSeq(_module._default.Prefix$T)) + && $IsAlloc(a#0, TSeq(_module._default.Prefix$T), $Heap)) + returns ($_reverifyPost: bool); + free requires 2 == $FunctionContextHeight; + // user-defined preconditions + requires Seq#Length(pat#0) <= Seq#Length(a#0) + && Seq#SameUntil(pat#0, a#0, Seq#Length(pat#0)); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Prefix$T, pat#0, a#0, LitInt(0)); + ensures _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Prefix$T, pat#0, a#0, LitInt(0)) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.Prefix$T, $LS($LZ), pat#0, a#0, LitInt(0)) + || (Seq#Equal(pat#0, Seq#Empty(): Seq Box) ==> Lit(true)); + ensures _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Prefix$T, pat#0, a#0, LitInt(0)) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.Prefix$T, $LS($LZ), pat#0, a#0, LitInt(0)) + || (!Seq#Equal(pat#0, Seq#Empty(): Seq Box) + ==> + !Seq#Equal(a#0, Seq#Empty(): Seq Box) + && Seq#Index(pat#0, LitInt(0)) == Seq#Index(a#0, LitInt(0)) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.Prefix$T, + $LS($LS($LZ)), + Seq#Drop(pat#0, LitInt(1)), + Seq#Drop(a#0, LitInt(1)), + LitInt(0))); + ensures _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Prefix$T, pat#0, a#0, LitInt(0)) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.Prefix$T, $LS($LZ), pat#0, a#0, LitInt(0)) + || (!Seq#Equal(pat#0, Seq#Empty(): Seq Box) + ==> + !(!Seq#Equal(a#0, Seq#Empty(): Seq Box) + && Seq#Index(pat#0, LitInt(0)) == Seq#Index(a#0, LitInt(0))) + ==> Lit(0 > 0)); + ensures _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Prefix$T, pat#0, a#0, LitInt(0)) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.Prefix$T, $LS($LZ), pat#0, a#0, LitInt(0)) + || (!Seq#Equal(pat#0, Seq#Empty(): Seq Box) + ==> + !(!Seq#Equal(a#0, Seq#Empty(): Seq Box) + && Seq#Index(pat#0, LitInt(0)) == Seq#Index(a#0, LitInt(0))) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.Prefix$T, + $LS($LS($LZ)), + Seq#Drop(pat#0, LitInt(1)), + a#0, + LitInt(0 - 1))); + // frame condition + free ensures old($Heap) == $Heap; + + + +implementation {:verboseName "Prefix (correctness)"} {:_induction pat#0, a#0} Impl$$_module.__default.Prefix(_module._default.Prefix$T: Ty, pat#0: Seq Box, a#0: Seq Box) + returns ($_reverifyPost: bool) +{ + var $_Frame: [ref,Field beta]bool; + var $initHeapForallStmt#0: Heap; + + // AddMethodImpl: Prefix, Impl$$_module.__default.Prefix + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> false); + $initHeapForallStmt#0 := $Heap; + havoc $Heap, $Tick; + assume $initHeapForallStmt#0 == $Heap; + assume (forall $ih#pat0#0: Seq Box, $ih#a0#0: Seq Box :: + $Is($ih#pat0#0, TSeq(_module._default.Prefix$T)) + && $Is($ih#a0#0, TSeq(_module._default.Prefix$T)) + && + Seq#Length($ih#pat0#0) <= Seq#Length($ih#a0#0) + && Seq#SameUntil($ih#pat0#0, $ih#a0#0, Seq#Length($ih#pat0#0)) + && (Seq#Rank($ih#pat0#0) < Seq#Rank(pat#0) + || (Seq#Rank($ih#pat0#0) == Seq#Rank(pat#0) && Seq#Rank($ih#a0#0) < Seq#Rank(a#0))) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.Prefix$T, $LS($LZ), $ih#pat0#0, $ih#a0#0, LitInt(0))); + $_reverifyPost := false; +} + + + +procedure {:verboseName "Same2 (well-formedness)"} {:_induction pat#0, a#0} CheckWellFormed$$_module.__default.Same2(_module._default.Same2$T: Ty, + pat#0: Seq Box + where $Is(pat#0, TSeq(_module._default.Same2$T)) + && $IsAlloc(pat#0, TSeq(_module._default.Same2$T), $Heap), + a#0: Seq Box + where $Is(a#0, TSeq(_module._default.Same2$T)) + && $IsAlloc(a#0, TSeq(_module._default.Same2$T), $Heap)); + free requires 3 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +implementation {:verboseName "Same2 (well-formedness)"} {:_induction pat#0, a#0} CheckWellFormed$$_module.__default.Same2(_module._default.Same2$T: Ty, pat#0: Seq Box, a#0: Seq Box) +{ + var $_Frame: [ref,Field beta]bool; + var ##pat#0: Seq Box; + var ##a#0: Seq Box; + var ##slack#0: int; + var ##pat#1: Seq Box; + var ##a#1: Seq Box; + + // AddMethodImpl: Same2, CheckWellFormed$$_module.__default.Same2 + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> false); + ##pat#0 := pat#0; + // assume allocatedness for argument to function + assume $IsAlloc(##pat#0, TSeq(_module._default.Same2$T), $Heap); + ##a#0 := a#0; + // assume allocatedness for argument to function + assume $IsAlloc(##a#0, TSeq(_module._default.Same2$T), $Heap); + assert $Is(LitInt(1), Tclass._System.nat()); + ##slack#0 := LitInt(1); + // assume allocatedness for argument to function + assume $IsAlloc(##slack#0, Tclass._System.nat(), $Heap); + assume _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Same2$T, pat#0, a#0, LitInt(1)); + assume _module.__default.IsRelaxedPrefixAux(_module._default.Same2$T, $LS($LZ), pat#0, a#0, LitInt(1)); + havoc $Heap; + assume old($Heap) == $Heap; + ##pat#1 := pat#0; + // assume allocatedness for argument to function + assume $IsAlloc(##pat#1, TSeq(_module._default.Same2$T), $Heap); + ##a#1 := a#0; + // assume allocatedness for argument to function + assume $IsAlloc(##a#1, TSeq(_module._default.Same2$T), $Heap); + assume _module.__default.IRP__Alt#canCall(_module._default.Same2$T, pat#0, a#0); + assume _module.__default.IRP__Alt(_module._default.Same2$T, pat#0, a#0); +} + + + +procedure {:verboseName "Same2 (call)"} {:_induction pat#0, a#0} Call$$_module.__default.Same2(_module._default.Same2$T: Ty, + pat#0: Seq Box + where $Is(pat#0, TSeq(_module._default.Same2$T)) + && $IsAlloc(pat#0, TSeq(_module._default.Same2$T), $Heap), + a#0: Seq Box + where $Is(a#0, TSeq(_module._default.Same2$T)) + && $IsAlloc(a#0, TSeq(_module._default.Same2$T), $Heap)); + // user-defined preconditions + requires _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Same2$T, pat#0, a#0, LitInt(1)) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.Same2$T, $LS($LZ), pat#0, a#0, LitInt(1)) + || (Seq#Equal(pat#0, Seq#Empty(): Seq Box) ==> Lit(true)); + requires _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Same2$T, pat#0, a#0, LitInt(1)) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.Same2$T, $LS($LZ), pat#0, a#0, LitInt(1)) + || (!Seq#Equal(pat#0, Seq#Empty(): Seq Box) + ==> + !Seq#Equal(a#0, Seq#Empty(): Seq Box) + && Seq#Index(pat#0, LitInt(0)) == Seq#Index(a#0, LitInt(0)) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.Same2$T, + $LS($LS($LZ)), + Seq#Drop(pat#0, LitInt(1)), + Seq#Drop(a#0, LitInt(1)), + LitInt(1))); + requires _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Same2$T, pat#0, a#0, LitInt(1)) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.Same2$T, $LS($LZ), pat#0, a#0, LitInt(1)) + || (!Seq#Equal(pat#0, Seq#Empty(): Seq Box) + ==> + !(!Seq#Equal(a#0, Seq#Empty(): Seq Box) + && Seq#Index(pat#0, LitInt(0)) == Seq#Index(a#0, LitInt(0))) + ==> Lit(1 > 0)); + requires _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Same2$T, pat#0, a#0, LitInt(1)) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.Same2$T, $LS($LZ), pat#0, a#0, LitInt(1)) + || (!Seq#Equal(pat#0, Seq#Empty(): Seq Box) + ==> + !(!Seq#Equal(a#0, Seq#Empty(): Seq Box) + && Seq#Index(pat#0, LitInt(0)) == Seq#Index(a#0, LitInt(0))) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.Same2$T, + $LS($LS($LZ)), + Seq#Drop(pat#0, LitInt(1)), + a#0, + LitInt(1 - 1))); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures _module.__default.IRP__Alt#canCall(_module._default.Same2$T, pat#0, a#0); + free ensures _module.__default.IRP__Alt#canCall(_module._default.Same2$T, pat#0, a#0) + && + _module.__default.IRP__Alt(_module._default.Same2$T, pat#0, a#0) + && ((Seq#Length(pat#0) <= Seq#Length(a#0) + && Seq#SameUntil(pat#0, a#0, Seq#Length(pat#0))) + || (exists k#0: int :: + { Seq#Take(pat#0, k#0) } + LitInt(0) <= k#0 + && k#0 < Seq#Length(pat#0) + && + Seq#Length(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1))) + <= Seq#Length(a#0) + && Seq#SameUntil(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1)), + a#0, + Seq#Length(Seq#Append(Seq#Take(pat#0, k#0), Seq#Drop(pat#0, k#0 + 1)))))); + // frame condition + free ensures old($Heap) == $Heap; + + + +procedure {:verboseName "Same2 (correctness)"} {:_induction pat#0, a#0} Impl$$_module.__default.Same2(_module._default.Same2$T: Ty, + pat#0: Seq Box + where $Is(pat#0, TSeq(_module._default.Same2$T)) + && $IsAlloc(pat#0, TSeq(_module._default.Same2$T), $Heap), + a#0: Seq Box + where $Is(a#0, TSeq(_module._default.Same2$T)) + && $IsAlloc(a#0, TSeq(_module._default.Same2$T), $Heap)) + returns ($_reverifyPost: bool); + free requires 3 == $FunctionContextHeight; + // user-defined preconditions + free requires _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Same2$T, pat#0, a#0, LitInt(1)) + && + _module.__default.IsRelaxedPrefixAux(_module._default.Same2$T, $LS($LZ), pat#0, a#0, LitInt(1)) + && (if Seq#Equal(pat#0, Seq#Empty(): Seq Box) + then true + else (if !Seq#Equal(a#0, Seq#Empty(): Seq Box) + && Seq#Index(pat#0, LitInt(0)) == Seq#Index(a#0, LitInt(0)) + then _module.__default.IsRelaxedPrefixAux(_module._default.Same2$T, + $LS($LZ), + Seq#Drop(pat#0, LitInt(1)), + Seq#Drop(a#0, LitInt(1)), + LitInt(1)) + else 1 > 0 + && _module.__default.IsRelaxedPrefixAux(_module._default.Same2$T, + $LS($LZ), + Seq#Drop(pat#0, LitInt(1)), + a#0, + LitInt(1 - 1)))); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures _module.__default.IRP__Alt#canCall(_module._default.Same2$T, pat#0, a#0); + ensures _module.__default.IRP__Alt#canCall(_module._default.Same2$T, pat#0, a#0) + ==> _module.__default.IRP__Alt(_module._default.Same2$T, pat#0, a#0) + || + (Seq#Length(pat#0) <= Seq#Length(a#0) + && Seq#SameUntil(pat#0, a#0, Seq#Length(pat#0))) + || (exists k#1: int :: + { Seq#Take(pat#0, k#1) } + LitInt(0) <= k#1 + && k#1 < Seq#Length(pat#0) + && + Seq#Length(Seq#Append(Seq#Take(pat#0, k#1), Seq#Drop(pat#0, k#1 + 1))) + <= Seq#Length(a#0) + && Seq#SameUntil(Seq#Append(Seq#Take(pat#0, k#1), Seq#Drop(pat#0, k#1 + 1)), + a#0, + Seq#Length(Seq#Append(Seq#Take(pat#0, k#1), Seq#Drop(pat#0, k#1 + 1))))); + // frame condition + free ensures old($Heap) == $Heap; + + + +implementation {:verboseName "Same2 (correctness)"} {:_induction pat#0, a#0} Impl$$_module.__default.Same2(_module._default.Same2$T: Ty, pat#0: Seq Box, a#0: Seq Box) + returns ($_reverifyPost: bool) +{ + var $_Frame: [ref,Field beta]bool; + var $initHeapForallStmt#0: Heap; + var defass#x#1_0_1_0: bool; + var x#1_0_1_0: Box + where defass#x#1_0_1_0 + ==> $IsBox(x#1_0_1_0, _module._default.Same2$T) + && $IsAllocBox(x#1_0_1_0, _module._default.Same2$T, $Heap); + var k#1_0_1_0: int; + var k#1_0_1_1: int; + var pat##1_1_0: Seq Box; + var a##1_1_0: Seq Box; + + // AddMethodImpl: Same2, Impl$$_module.__default.Same2 + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> false); + $initHeapForallStmt#0 := $Heap; + havoc $Heap, $Tick; + assume $initHeapForallStmt#0 == $Heap; + assume (forall $ih#pat0#0: Seq Box, $ih#a0#0: Seq Box :: + $Is($ih#pat0#0, TSeq(_module._default.Same2$T)) + && $Is($ih#a0#0, TSeq(_module._default.Same2$T)) + && _module.__default.IsRelaxedPrefixAux(_module._default.Same2$T, $LS($LZ), $ih#pat0#0, $ih#a0#0, LitInt(1)) + && (Seq#Rank($ih#pat0#0) < Seq#Rank(pat#0) + || (Seq#Rank($ih#pat0#0) == Seq#Rank(pat#0) && Seq#Rank($ih#a0#0) < Seq#Rank(a#0))) + ==> _module.__default.IRP__Alt(_module._default.Same2$T, $ih#pat0#0, $ih#a0#0)); + $_reverifyPost := false; + // ----- if statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(164,3) + assume true; + if (Seq#Equal(pat#0, Seq#Empty(): Seq Box)) + { + } + else + { + // ----- if statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(165,10) + if (!Seq#Equal(a#0, Seq#Empty(): Seq Box)) + { + assert 0 <= LitInt(0) && LitInt(0) < Seq#Length(pat#0); + assert 0 <= LitInt(0) && LitInt(0) < Seq#Length(a#0); + } + + assume true; + if (!Seq#Equal(a#0, Seq#Empty(): Seq Box) + && Seq#Index(pat#0, LitInt(0)) == Seq#Index(a#0, LitInt(0))) + { + // ----- if statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(166,5) + assert 0 <= LitInt(1) && LitInt(1) <= Seq#Length(pat#0); + assert 0 <= LitInt(1) && LitInt(1) <= Seq#Length(a#0); + assume true; + if (Seq#Length(Seq#Drop(pat#0, LitInt(1))) <= Seq#Length(Seq#Drop(a#0, LitInt(1))) + && Seq#SameUntil(Seq#Drop(pat#0, LitInt(1)), + Seq#Drop(a#0, LitInt(1)), + Seq#Length(Seq#Drop(pat#0, LitInt(1))))) + { + } + else + { + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(168,13) + assume true; + assert 0 <= LitInt(0) && LitInt(0) < Seq#Length(a#0); + assume true; + x#1_0_1_0 := Seq#Index(a#0, LitInt(0)); + defass#x#1_0_1_0 := true; + // ----- assign-such-that statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(169,13) + havoc k#1_0_1_1; + if (true) + { + if (LitInt(0) <= k#1_0_1_1) + { + assert {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(pat#0); + } + + if (LitInt(0) <= k#1_0_1_1 && k#1_0_1_1 < Seq#Length(Seq#Drop(pat#0, LitInt(1)))) + { + assert {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(pat#0); + assert {:subsumption 0} 0 <= k#1_0_1_1 && k#1_0_1_1 <= Seq#Length(Seq#Drop(pat#0, LitInt(1))); + assert {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(pat#0); + assert {:subsumption 0} 0 <= k#1_0_1_1 + 1 && k#1_0_1_1 + 1 <= Seq#Length(Seq#Drop(pat#0, LitInt(1))); + assert {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(a#0); + } + + assume true; + } + + assert ($Is(Seq#Length(Seq#Drop(pat#0, LitInt(1))) - 1, TInt) + && + LitInt(0) <= Seq#Length(Seq#Drop(pat#0, LitInt(1))) - 1 + && Seq#Length(Seq#Drop(pat#0, LitInt(1))) - 1 + < Seq#Length(Seq#Drop(pat#0, LitInt(1))) + && + Seq#Length(Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), Seq#Length(Seq#Drop(pat#0, LitInt(1))) - 1), + Seq#Drop(Seq#Drop(pat#0, LitInt(1)), Seq#Length(Seq#Drop(pat#0, LitInt(1))) - 1 + 1))) + <= Seq#Length(Seq#Drop(a#0, LitInt(1))) + && Seq#SameUntil(Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), Seq#Length(Seq#Drop(pat#0, LitInt(1))) - 1), + Seq#Drop(Seq#Drop(pat#0, LitInt(1)), Seq#Length(Seq#Drop(pat#0, LitInt(1))) - 1 + 1)), + Seq#Drop(a#0, LitInt(1)), + Seq#Length(Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), Seq#Length(Seq#Drop(pat#0, LitInt(1))) - 1), + Seq#Drop(Seq#Drop(pat#0, LitInt(1)), Seq#Length(Seq#Drop(pat#0, LitInt(1))) - 1 + 1))))) + || + ($Is(LitInt(0), TInt) + && + LitInt(0) <= LitInt(0) + && 0 < Seq#Length(Seq#Drop(pat#0, LitInt(1))) + && + Seq#Length(Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), LitInt(0)), + Seq#Drop(Seq#Drop(pat#0, LitInt(1)), LitInt(0 + 1)))) + <= Seq#Length(Seq#Drop(a#0, LitInt(1))) + && Seq#SameUntil(Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), LitInt(0)), + Seq#Drop(Seq#Drop(pat#0, LitInt(1)), LitInt(0 + 1))), + Seq#Drop(a#0, LitInt(1)), + Seq#Length(Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), LitInt(0)), + Seq#Drop(Seq#Drop(pat#0, LitInt(1)), LitInt(0 + 1)))))) + || + ($Is(LitInt(0), TInt) + && + LitInt(0) <= LitInt(0) + && 0 < Seq#Length(Seq#Drop(pat#0, LitInt(1))) + && + Seq#Length(Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), LitInt(0)), + Seq#Drop(Seq#Drop(pat#0, LitInt(1)), LitInt(0 + 1)))) + <= Seq#Length(Seq#Drop(a#0, LitInt(1))) + && Seq#SameUntil(Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), LitInt(0)), + Seq#Drop(Seq#Drop(pat#0, LitInt(1)), LitInt(0 + 1))), + Seq#Drop(a#0, LitInt(1)), + Seq#Length(Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), LitInt(0)), + Seq#Drop(Seq#Drop(pat#0, LitInt(1)), LitInt(0 + 1)))))) + || (exists $as#k1_0_1_0#1_0_1_0: int :: + LitInt(0) <= $as#k1_0_1_0#1_0_1_0 + && $as#k1_0_1_0#1_0_1_0 < Seq#Length(Seq#Drop(pat#0, LitInt(1))) + && + Seq#Length(Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), $as#k1_0_1_0#1_0_1_0), + Seq#Drop(Seq#Drop(pat#0, LitInt(1)), $as#k1_0_1_0#1_0_1_0 + 1))) + <= Seq#Length(Seq#Drop(a#0, LitInt(1))) + && Seq#SameUntil(Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), $as#k1_0_1_0#1_0_1_0), + Seq#Drop(Seq#Drop(pat#0, LitInt(1)), $as#k1_0_1_0#1_0_1_0 + 1)), + Seq#Drop(a#0, LitInt(1)), + Seq#Length(Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), $as#k1_0_1_0#1_0_1_0), + Seq#Drop(Seq#Drop(pat#0, LitInt(1)), $as#k1_0_1_0#1_0_1_0 + 1))))); + havoc k#1_0_1_0; + assume LitInt(0) <= k#1_0_1_0 + && k#1_0_1_0 < Seq#Length(Seq#Drop(pat#0, LitInt(1))) + && + Seq#Length(Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), k#1_0_1_0), + Seq#Drop(Seq#Drop(pat#0, LitInt(1)), k#1_0_1_0 + 1))) + <= Seq#Length(Seq#Drop(a#0, LitInt(1))) + && Seq#SameUntil(Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), k#1_0_1_0), + Seq#Drop(Seq#Drop(pat#0, LitInt(1)), k#1_0_1_0 + 1)), + Seq#Drop(a#0, LitInt(1)), + Seq#Length(Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), k#1_0_1_0), + Seq#Drop(Seq#Drop(pat#0, LitInt(1)), k#1_0_1_0 + 1)))); + // ----- calc statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(170,7) + // Assume Fuel Constant + if (*) + { + // ----- assert wf[initial] ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(170,7) + assert {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(pat#0); + assert {:subsumption 0} 0 <= k#1_0_1_0 && k#1_0_1_0 <= Seq#Length(Seq#Drop(pat#0, LitInt(1))); + assert {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(pat#0); + assert {:subsumption 0} 0 <= k#1_0_1_0 + 1 && k#1_0_1_0 + 1 <= Seq#Length(Seq#Drop(pat#0, LitInt(1))); + assert {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(a#0); + assume true; + assume false; + } + else if (*) + { + // ----- assume wf[lhs] ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(170,7) + assume {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(pat#0); + assume {:subsumption 0} 0 <= k#1_0_1_0 && k#1_0_1_0 <= Seq#Length(Seq#Drop(pat#0, LitInt(1))); + assume {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(pat#0); + assume {:subsumption 0} 0 <= k#1_0_1_0 + 1 && k#1_0_1_0 + 1 <= Seq#Length(Seq#Drop(pat#0, LitInt(1))); + assume {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(a#0); + assume true; + // ----- Hint0 ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(170,7) + // ----- assert statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(172,13) + assert {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(pat#0); + assert {:subsumption 0} 0 <= k#1_0_1_0 + 1 && k#1_0_1_0 + 1 <= Seq#Length(Seq#Drop(pat#0, LitInt(1))); + assert {:subsumption 0} 0 <= k#1_0_1_0 + 2 && k#1_0_1_0 + 2 <= Seq#Length(pat#0); + assume true; + assert Seq#Equal(Seq#Drop(Seq#Drop(pat#0, LitInt(1)), k#1_0_1_0 + 1), + Seq#Drop(pat#0, k#1_0_1_0 + 2)); + // ----- assert wf[rhs] ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(170,7) + assert {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(pat#0); + assert {:subsumption 0} 0 <= k#1_0_1_0 && k#1_0_1_0 <= Seq#Length(Seq#Drop(pat#0, LitInt(1))); + assert {:subsumption 0} 0 <= k#1_0_1_0 + 2 && k#1_0_1_0 + 2 <= Seq#Length(pat#0); + assert {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(a#0); + assume true; + // ----- assert line0 == line1 ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(170,7) + assert {:subsumption 0} (Seq#Length(Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), k#1_0_1_0), + Seq#Drop(Seq#Drop(pat#0, LitInt(1)), k#1_0_1_0 + 1))) + <= Seq#Length(Seq#Drop(a#0, LitInt(1))) + && Seq#SameUntil(Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), k#1_0_1_0), + Seq#Drop(Seq#Drop(pat#0, LitInt(1)), k#1_0_1_0 + 1)), + Seq#Drop(a#0, LitInt(1)), + Seq#Length(Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), k#1_0_1_0), + Seq#Drop(Seq#Drop(pat#0, LitInt(1)), k#1_0_1_0 + 1))))) + == (Seq#Length(Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), k#1_0_1_0), Seq#Drop(pat#0, k#1_0_1_0 + 2))) + <= Seq#Length(Seq#Drop(a#0, LitInt(1))) + && Seq#SameUntil(Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), k#1_0_1_0), Seq#Drop(pat#0, k#1_0_1_0 + 2)), + Seq#Drop(a#0, LitInt(1)), + Seq#Length(Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), k#1_0_1_0), Seq#Drop(pat#0, k#1_0_1_0 + 2))))); + assume false; + } + else if (*) + { + // ----- assume wf[lhs] ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(170,7) + assume {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(pat#0); + assume {:subsumption 0} 0 <= k#1_0_1_0 && k#1_0_1_0 <= Seq#Length(Seq#Drop(pat#0, LitInt(1))); + assume {:subsumption 0} 0 <= k#1_0_1_0 + 2 && k#1_0_1_0 + 2 <= Seq#Length(pat#0); + assume {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(a#0); + assume true; + // ----- Hint1 ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(170,7) + // ----- assert wf[rhs] ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(170,7) + assert defass#x#1_0_1_0; + assert {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(pat#0); + assert {:subsumption 0} 0 <= k#1_0_1_0 && k#1_0_1_0 <= Seq#Length(Seq#Drop(pat#0, LitInt(1))); + assert {:subsumption 0} 0 <= k#1_0_1_0 + 2 && k#1_0_1_0 + 2 <= Seq#Length(pat#0); + assert defass#x#1_0_1_0; + assert {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(a#0); + assume true; + // ----- assert line1 == line2 ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(170,7) + assert {:subsumption 0} (Seq#Length(Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), k#1_0_1_0), Seq#Drop(pat#0, k#1_0_1_0 + 2))) + <= Seq#Length(Seq#Drop(a#0, LitInt(1))) + && Seq#SameUntil(Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), k#1_0_1_0), Seq#Drop(pat#0, k#1_0_1_0 + 2)), + Seq#Drop(a#0, LitInt(1)), + Seq#Length(Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), k#1_0_1_0), Seq#Drop(pat#0, k#1_0_1_0 + 2))))) + == (Seq#Length(Seq#Append(Seq#Build(Seq#Empty(): Seq Box, x#1_0_1_0), + Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), k#1_0_1_0), Seq#Drop(pat#0, k#1_0_1_0 + 2)))) + <= Seq#Length(Seq#Append(Seq#Build(Seq#Empty(): Seq Box, x#1_0_1_0), Seq#Drop(a#0, LitInt(1)))) + && Seq#SameUntil(Seq#Append(Seq#Build(Seq#Empty(): Seq Box, x#1_0_1_0), + Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), k#1_0_1_0), Seq#Drop(pat#0, k#1_0_1_0 + 2))), + Seq#Append(Seq#Build(Seq#Empty(): Seq Box, x#1_0_1_0), Seq#Drop(a#0, LitInt(1))), + Seq#Length(Seq#Append(Seq#Build(Seq#Empty(): Seq Box, x#1_0_1_0), + Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), k#1_0_1_0), Seq#Drop(pat#0, k#1_0_1_0 + 2)))))); + assume false; + } + else if (*) + { + // ----- assume wf[lhs] ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(170,7) + assume defass#x#1_0_1_0; + assume {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(pat#0); + assume {:subsumption 0} 0 <= k#1_0_1_0 && k#1_0_1_0 <= Seq#Length(Seq#Drop(pat#0, LitInt(1))); + assume {:subsumption 0} 0 <= k#1_0_1_0 + 2 && k#1_0_1_0 + 2 <= Seq#Length(pat#0); + assume defass#x#1_0_1_0; + assume {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(a#0); + assume true; + // ----- Hint2 ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(170,7) + // ----- assert statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(176,13) + assert defass#x#1_0_1_0; + assert {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(a#0); + assume true; + assert Seq#Equal(Seq#Append(Seq#Build(Seq#Empty(): Seq Box, x#1_0_1_0), Seq#Drop(a#0, LitInt(1))), + a#0); + // ----- assert wf[rhs] ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(170,7) + assert defass#x#1_0_1_0; + assert {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(pat#0); + assert {:subsumption 0} 0 <= k#1_0_1_0 && k#1_0_1_0 <= Seq#Length(Seq#Drop(pat#0, LitInt(1))); + assert {:subsumption 0} 0 <= k#1_0_1_0 + 2 && k#1_0_1_0 + 2 <= Seq#Length(pat#0); + assume true; + // ----- assert line2 == line3 ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(170,7) + assert {:subsumption 0} (Seq#Length(Seq#Append(Seq#Build(Seq#Empty(): Seq Box, x#1_0_1_0), + Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), k#1_0_1_0), Seq#Drop(pat#0, k#1_0_1_0 + 2)))) + <= Seq#Length(Seq#Append(Seq#Build(Seq#Empty(): Seq Box, x#1_0_1_0), Seq#Drop(a#0, LitInt(1)))) + && Seq#SameUntil(Seq#Append(Seq#Build(Seq#Empty(): Seq Box, x#1_0_1_0), + Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), k#1_0_1_0), Seq#Drop(pat#0, k#1_0_1_0 + 2))), + Seq#Append(Seq#Build(Seq#Empty(): Seq Box, x#1_0_1_0), Seq#Drop(a#0, LitInt(1))), + Seq#Length(Seq#Append(Seq#Build(Seq#Empty(): Seq Box, x#1_0_1_0), + Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), k#1_0_1_0), Seq#Drop(pat#0, k#1_0_1_0 + 2)))))) + == (Seq#Length(Seq#Append(Seq#Build(Seq#Empty(): Seq Box, x#1_0_1_0), + Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), k#1_0_1_0), Seq#Drop(pat#0, k#1_0_1_0 + 2)))) + <= Seq#Length(a#0) + && Seq#SameUntil(Seq#Append(Seq#Build(Seq#Empty(): Seq Box, x#1_0_1_0), + Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), k#1_0_1_0), Seq#Drop(pat#0, k#1_0_1_0 + 2))), + a#0, + Seq#Length(Seq#Append(Seq#Build(Seq#Empty(): Seq Box, x#1_0_1_0), + Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), k#1_0_1_0), Seq#Drop(pat#0, k#1_0_1_0 + 2)))))); + assume false; + } + else if (*) + { + // ----- assume wf[lhs] ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(170,7) + assume defass#x#1_0_1_0; + assume {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(pat#0); + assume {:subsumption 0} 0 <= k#1_0_1_0 && k#1_0_1_0 <= Seq#Length(Seq#Drop(pat#0, LitInt(1))); + assume {:subsumption 0} 0 <= k#1_0_1_0 + 2 && k#1_0_1_0 + 2 <= Seq#Length(pat#0); + assume true; + // ----- Hint3 ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(170,7) + // ----- assert statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(178,13) + assert defass#x#1_0_1_0; + assert {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(pat#0); + assert {:subsumption 0} 0 <= k#1_0_1_0 && k#1_0_1_0 <= Seq#Length(Seq#Drop(pat#0, LitInt(1))); + assert {:subsumption 0} 0 <= k#1_0_1_0 + 2 && k#1_0_1_0 + 2 <= Seq#Length(pat#0); + assert {:subsumption 0} 0 <= k#1_0_1_0 + 1 && k#1_0_1_0 + 1 <= Seq#Length(pat#0); + assert {:subsumption 0} 0 <= k#1_0_1_0 + 2 && k#1_0_1_0 + 2 <= Seq#Length(pat#0); + assume true; + assert Seq#Equal(Seq#Append(Seq#Build(Seq#Empty(): Seq Box, x#1_0_1_0), + Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), k#1_0_1_0), Seq#Drop(pat#0, k#1_0_1_0 + 2))), + Seq#Append(Seq#Take(pat#0, k#1_0_1_0 + 1), Seq#Drop(pat#0, k#1_0_1_0 + 2))); + // ----- assert wf[rhs] ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(170,7) + assert {:subsumption 0} 0 <= k#1_0_1_0 + 1 && k#1_0_1_0 + 1 <= Seq#Length(pat#0); + assert {:subsumption 0} 0 <= k#1_0_1_0 + 2 && k#1_0_1_0 + 2 <= Seq#Length(pat#0); + assume true; + // ----- assert line3 == line4 ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(170,7) + assert {:subsumption 0} (Seq#Length(Seq#Append(Seq#Build(Seq#Empty(): Seq Box, x#1_0_1_0), + Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), k#1_0_1_0), Seq#Drop(pat#0, k#1_0_1_0 + 2)))) + <= Seq#Length(a#0) + && Seq#SameUntil(Seq#Append(Seq#Build(Seq#Empty(): Seq Box, x#1_0_1_0), + Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), k#1_0_1_0), Seq#Drop(pat#0, k#1_0_1_0 + 2))), + a#0, + Seq#Length(Seq#Append(Seq#Build(Seq#Empty(): Seq Box, x#1_0_1_0), + Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), k#1_0_1_0), Seq#Drop(pat#0, k#1_0_1_0 + 2)))))) + == (Seq#Length(Seq#Append(Seq#Take(pat#0, k#1_0_1_0 + 1), Seq#Drop(pat#0, k#1_0_1_0 + 2))) + <= Seq#Length(a#0) + && Seq#SameUntil(Seq#Append(Seq#Take(pat#0, k#1_0_1_0 + 1), Seq#Drop(pat#0, k#1_0_1_0 + 2)), + a#0, + Seq#Length(Seq#Append(Seq#Take(pat#0, k#1_0_1_0 + 1), Seq#Drop(pat#0, k#1_0_1_0 + 2))))); + assume false; + } + + assume (Seq#Length(Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), k#1_0_1_0), + Seq#Drop(Seq#Drop(pat#0, LitInt(1)), k#1_0_1_0 + 1))) + <= Seq#Length(Seq#Drop(a#0, LitInt(1))) + && Seq#SameUntil(Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), k#1_0_1_0), + Seq#Drop(Seq#Drop(pat#0, LitInt(1)), k#1_0_1_0 + 1)), + Seq#Drop(a#0, LitInt(1)), + Seq#Length(Seq#Append(Seq#Take(Seq#Drop(pat#0, LitInt(1)), k#1_0_1_0), + Seq#Drop(Seq#Drop(pat#0, LitInt(1)), k#1_0_1_0 + 1))))) + == (Seq#Length(Seq#Append(Seq#Take(pat#0, k#1_0_1_0 + 1), Seq#Drop(pat#0, k#1_0_1_0 + 2))) + <= Seq#Length(a#0) + && Seq#SameUntil(Seq#Append(Seq#Take(pat#0, k#1_0_1_0 + 1), Seq#Drop(pat#0, k#1_0_1_0 + 2)), + a#0, + Seq#Length(Seq#Append(Seq#Take(pat#0, k#1_0_1_0 + 1), Seq#Drop(pat#0, k#1_0_1_0 + 2))))); + } + } + else + { + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(183,17) + // TrCallStmt: Before ProcessCallStmt + assert 0 <= LitInt(1) && LitInt(1) <= Seq#Length(pat#0); + assume true; + // ProcessCallStmt: CheckSubrange + pat##1_1_0 := Seq#Drop(pat#0, LitInt(1)); + assume true; + // ProcessCallStmt: CheckSubrange + a##1_1_0 := a#0; + // ProcessCallStmt: Make the call + call Call$$_module.__default.Same2__Prefix(_module._default.Same2$T, pat##1_1_0, a##1_1_0); + // TrCallStmt: After ProcessCallStmt + // ----- assert statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(184,5) + assert {:subsumption 0} 0 <= LitInt(1) && LitInt(1) <= Seq#Length(pat#0); + assume true; + assert Seq#Length(Seq#Drop(pat#0, LitInt(1))) <= Seq#Length(a#0) + && Seq#SameUntil(Seq#Drop(pat#0, LitInt(1)), a#0, Seq#Length(Seq#Drop(pat#0, LitInt(1)))); + // ----- assert statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\Problem1.dfy(185,5) + if (LitInt(0) <= LitInt(0)) + { + } + + if (LitInt(0) <= LitInt(0) && 0 < Seq#Length(pat#0)) + { + assert {:subsumption 0} 0 <= LitInt(0) && LitInt(0) <= Seq#Length(pat#0); + assert {:subsumption 0} 0 <= LitInt(0 + 1) && LitInt(0 + 1) <= Seq#Length(pat#0); + } + + assume true; + assert {:subsumption 0} LitInt(0) <= LitInt(0); + assert {:subsumption 0} 0 < Seq#Length(pat#0); + assert {:subsumption 0} Seq#Length(Seq#Append(Seq#Take(pat#0, LitInt(0)), Seq#Drop(pat#0, LitInt(0 + 1)))) + <= Seq#Length(a#0) + && Seq#SameUntil(Seq#Append(Seq#Take(pat#0, LitInt(0)), Seq#Drop(pat#0, LitInt(0 + 1))), + a#0, + Seq#Length(Seq#Append(Seq#Take(pat#0, LitInt(0)), Seq#Drop(pat#0, LitInt(0 + 1))))); + assume LitInt(0) <= LitInt(0) + && 0 < Seq#Length(pat#0) + && + Seq#Length(Seq#Append(Seq#Take(pat#0, LitInt(0)), Seq#Drop(pat#0, LitInt(0 + 1)))) + <= Seq#Length(a#0) + && Seq#SameUntil(Seq#Append(Seq#Take(pat#0, LitInt(0)), Seq#Drop(pat#0, LitInt(0 + 1))), + a#0, + Seq#Length(Seq#Append(Seq#Take(pat#0, LitInt(0)), Seq#Drop(pat#0, LitInt(0 + 1))))); + } + } +} + + + +procedure {:verboseName "Same2_Prefix (well-formedness)"} {:_induction pat#0, a#0} CheckWellFormed$$_module.__default.Same2__Prefix(_module._default.Same2_Prefix$T: Ty, + pat#0: Seq Box + where $Is(pat#0, TSeq(_module._default.Same2_Prefix$T)) + && $IsAlloc(pat#0, TSeq(_module._default.Same2_Prefix$T), $Heap), + a#0: Seq Box + where $Is(a#0, TSeq(_module._default.Same2_Prefix$T)) + && $IsAlloc(a#0, TSeq(_module._default.Same2_Prefix$T), $Heap)); + free requires 2 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +implementation {:verboseName "Same2_Prefix (well-formedness)"} {:_induction pat#0, a#0} CheckWellFormed$$_module.__default.Same2__Prefix(_module._default.Same2_Prefix$T: Ty, pat#0: Seq Box, a#0: Seq Box) +{ + var $_Frame: [ref,Field beta]bool; + var ##pat#0: Seq Box; + var ##a#0: Seq Box; + var ##slack#0: int; + + // AddMethodImpl: Same2_Prefix, CheckWellFormed$$_module.__default.Same2__Prefix + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> false); + ##pat#0 := pat#0; + // assume allocatedness for argument to function + assume $IsAlloc(##pat#0, TSeq(_module._default.Same2_Prefix$T), $Heap); + ##a#0 := a#0; + // assume allocatedness for argument to function + assume $IsAlloc(##a#0, TSeq(_module._default.Same2_Prefix$T), $Heap); + assert $Is(LitInt(0), Tclass._System.nat()); + ##slack#0 := LitInt(0); + // assume allocatedness for argument to function + assume $IsAlloc(##slack#0, Tclass._System.nat(), $Heap); + assume _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Same2_Prefix$T, pat#0, a#0, LitInt(0)); + assume _module.__default.IsRelaxedPrefixAux(_module._default.Same2_Prefix$T, $LS($LZ), pat#0, a#0, LitInt(0)); + havoc $Heap; + assume old($Heap) == $Heap; + assume Seq#Length(pat#0) <= Seq#Length(a#0) + && Seq#SameUntil(pat#0, a#0, Seq#Length(pat#0)); +} + + + +procedure {:verboseName "Same2_Prefix (call)"} {:_induction pat#0, a#0} Call$$_module.__default.Same2__Prefix(_module._default.Same2_Prefix$T: Ty, + pat#0: Seq Box + where $Is(pat#0, TSeq(_module._default.Same2_Prefix$T)) + && $IsAlloc(pat#0, TSeq(_module._default.Same2_Prefix$T), $Heap), + a#0: Seq Box + where $Is(a#0, TSeq(_module._default.Same2_Prefix$T)) + && $IsAlloc(a#0, TSeq(_module._default.Same2_Prefix$T), $Heap)); + // user-defined preconditions + requires _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Same2_Prefix$T, pat#0, a#0, LitInt(0)) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.Same2_Prefix$T, $LS($LZ), pat#0, a#0, LitInt(0)) + || (Seq#Equal(pat#0, Seq#Empty(): Seq Box) ==> Lit(true)); + requires _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Same2_Prefix$T, pat#0, a#0, LitInt(0)) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.Same2_Prefix$T, $LS($LZ), pat#0, a#0, LitInt(0)) + || (!Seq#Equal(pat#0, Seq#Empty(): Seq Box) + ==> + !Seq#Equal(a#0, Seq#Empty(): Seq Box) + && Seq#Index(pat#0, LitInt(0)) == Seq#Index(a#0, LitInt(0)) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.Same2_Prefix$T, + $LS($LS($LZ)), + Seq#Drop(pat#0, LitInt(1)), + Seq#Drop(a#0, LitInt(1)), + LitInt(0))); + requires _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Same2_Prefix$T, pat#0, a#0, LitInt(0)) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.Same2_Prefix$T, $LS($LZ), pat#0, a#0, LitInt(0)) + || (!Seq#Equal(pat#0, Seq#Empty(): Seq Box) + ==> + !(!Seq#Equal(a#0, Seq#Empty(): Seq Box) + && Seq#Index(pat#0, LitInt(0)) == Seq#Index(a#0, LitInt(0))) + ==> Lit(0 > 0)); + requires _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Same2_Prefix$T, pat#0, a#0, LitInt(0)) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.Same2_Prefix$T, $LS($LZ), pat#0, a#0, LitInt(0)) + || (!Seq#Equal(pat#0, Seq#Empty(): Seq Box) + ==> + !(!Seq#Equal(a#0, Seq#Empty(): Seq Box) + && Seq#Index(pat#0, LitInt(0)) == Seq#Index(a#0, LitInt(0))) + ==> _module.__default.IsRelaxedPrefixAux(_module._default.Same2_Prefix$T, + $LS($LS($LZ)), + Seq#Drop(pat#0, LitInt(1)), + a#0, + LitInt(0 - 1))); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures true; + ensures Seq#Length(pat#0) <= Seq#Length(a#0) + && Seq#SameUntil(pat#0, a#0, Seq#Length(pat#0)); + // frame condition + free ensures old($Heap) == $Heap; + + + +procedure {:verboseName "Same2_Prefix (correctness)"} {:_induction pat#0, a#0} Impl$$_module.__default.Same2__Prefix(_module._default.Same2_Prefix$T: Ty, + pat#0: Seq Box + where $Is(pat#0, TSeq(_module._default.Same2_Prefix$T)) + && $IsAlloc(pat#0, TSeq(_module._default.Same2_Prefix$T), $Heap), + a#0: Seq Box + where $Is(a#0, TSeq(_module._default.Same2_Prefix$T)) + && $IsAlloc(a#0, TSeq(_module._default.Same2_Prefix$T), $Heap)) + returns ($_reverifyPost: bool); + free requires 2 == $FunctionContextHeight; + // user-defined preconditions + free requires _module.__default.IsRelaxedPrefixAux#canCall(_module._default.Same2_Prefix$T, pat#0, a#0, LitInt(0)) + && + _module.__default.IsRelaxedPrefixAux(_module._default.Same2_Prefix$T, $LS($LZ), pat#0, a#0, LitInt(0)) + && (if Seq#Equal(pat#0, Seq#Empty(): Seq Box) + then true + else (if !Seq#Equal(a#0, Seq#Empty(): Seq Box) + && Seq#Index(pat#0, LitInt(0)) == Seq#Index(a#0, LitInt(0)) + then _module.__default.IsRelaxedPrefixAux(_module._default.Same2_Prefix$T, + $LS($LZ), + Seq#Drop(pat#0, LitInt(1)), + Seq#Drop(a#0, LitInt(1)), + LitInt(0)) + else 0 > 0 + && _module.__default.IsRelaxedPrefixAux(_module._default.Same2_Prefix$T, + $LS($LZ), + Seq#Drop(pat#0, LitInt(1)), + a#0, + LitInt(0 - 1)))); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures true; + ensures Seq#Length(pat#0) <= Seq#Length(a#0) + && Seq#SameUntil(pat#0, a#0, Seq#Length(pat#0)); + // frame condition + free ensures old($Heap) == $Heap; + + + +implementation {:verboseName "Same2_Prefix (correctness)"} {:_induction pat#0, a#0} Impl$$_module.__default.Same2__Prefix(_module._default.Same2_Prefix$T: Ty, pat#0: Seq Box, a#0: Seq Box) + returns ($_reverifyPost: bool) +{ + var $_Frame: [ref,Field beta]bool; + var $initHeapForallStmt#0: Heap; + + // AddMethodImpl: Same2_Prefix, Impl$$_module.__default.Same2__Prefix + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> false); + $initHeapForallStmt#0 := $Heap; + havoc $Heap, $Tick; + assume $initHeapForallStmt#0 == $Heap; + assume (forall $ih#pat0#0: Seq Box, $ih#a0#0: Seq Box :: + $Is($ih#pat0#0, TSeq(_module._default.Same2_Prefix$T)) + && $Is($ih#a0#0, TSeq(_module._default.Same2_Prefix$T)) + && _module.__default.IsRelaxedPrefixAux(_module._default.Same2_Prefix$T, $LS($LZ), $ih#pat0#0, $ih#a0#0, LitInt(0)) + && (Seq#Rank($ih#pat0#0) < Seq#Rank(pat#0) + || (Seq#Rank($ih#pat0#0) == Seq#Rank(pat#0) && Seq#Rank($ih#a0#0) < Seq#Rank(a#0))) + ==> Seq#Length($ih#pat0#0) <= Seq#Length($ih#a0#0) + && Seq#SameUntil($ih#pat0#0, $ih#a0#0, Seq#Length($ih#pat0#0))); + $_reverifyPost := false; +} + + + +const unique tytagFamily$nat: TyTagFamily; + +const unique tytagFamily$object: TyTagFamily; + +const unique tytagFamily$array: TyTagFamily; + +const unique tytagFamily$_#Func1: TyTagFamily; + +const unique tytagFamily$_#PartialFunc1: TyTagFamily; + +const unique tytagFamily$_#TotalFunc1: TyTagFamily; + +const unique tytagFamily$_#Func0: TyTagFamily; + +const unique tytagFamily$_#PartialFunc0: TyTagFamily; + +const unique tytagFamily$_#TotalFunc0: TyTagFamily; + +const unique tytagFamily$_#Func2: TyTagFamily; + +const unique tytagFamily$_#PartialFunc2: TyTagFamily; + +const unique tytagFamily$_#TotalFunc2: TyTagFamily; + +const unique tytagFamily$_#Func3: TyTagFamily; + +const unique tytagFamily$_#PartialFunc3: TyTagFamily; + +const unique tytagFamily$_#TotalFunc3: TyTagFamily; + +const unique tytagFamily$_tuple#2: TyTagFamily; + +const unique tytagFamily$_tuple#0: TyTagFamily; + +const unique tytagFamily$_default: TyTagFamily; diff --git a/Test/monomorphize/dafny/SchorrWaite.dfy.bpl b/Test/monomorphize/dafny/SchorrWaite.dfy.bpl new file mode 100644 index 000000000..2e714daf6 --- /dev/null +++ b/Test/monomorphize/dafny/SchorrWaite.dfy.bpl @@ -0,0 +1,9153 @@ +// Dafny 3.7.3.40719 +// Command Line Options: /compile:0 /print:SchorrWaite.dfy.bpl +// RUN: %parallel-boogie /monomorphize /noVerify "%s" > "%t" + +type Ty; + +type TyTag; + +type TyTagFamily; + +type char; + +type ref; + +type Box; + +type ClassName; + +type HandleType; + +type DatatypeType; + +type DtCtorId; + +type LayerType; + +type Field _; + +type NameFamily; + +type TickType; + +type Seq _; + +type Map _ _; + +type IMap _ _; + +const $$Language$Dafny: bool; + +axiom $$Language$Dafny; + +type Bv0 = int; + +const unique TBool: Ty; + +axiom Tag(TBool) == TagBool; + +const unique TChar: Ty; + +axiom Tag(TChar) == TagChar; + +const unique TInt: Ty; + +axiom Tag(TInt) == TagInt; + +const unique TReal: Ty; + +axiom Tag(TReal) == TagReal; + +const unique TORDINAL: Ty; + +axiom Tag(TORDINAL) == TagORDINAL; + +axiom (forall w: int :: { TBitvector(w) } Inv0_TBitvector(TBitvector(w)) == w); + +function TBitvector(int) : Ty; + +axiom (forall t: Ty :: { TSet(t) } Inv0_TSet(TSet(t)) == t); + +axiom (forall t: Ty :: { TSet(t) } Tag(TSet(t)) == TagSet); + +function TSet(Ty) : Ty; + +axiom (forall t: Ty :: { TISet(t) } Inv0_TISet(TISet(t)) == t); + +axiom (forall t: Ty :: { TISet(t) } Tag(TISet(t)) == TagISet); + +function TISet(Ty) : Ty; + +axiom (forall t: Ty :: { TMultiSet(t) } Inv0_TMultiSet(TMultiSet(t)) == t); + +axiom (forall t: Ty :: { TMultiSet(t) } Tag(TMultiSet(t)) == TagMultiSet); + +function TMultiSet(Ty) : Ty; + +axiom (forall t: Ty :: { TSeq(t) } Inv0_TSeq(TSeq(t)) == t); + +axiom (forall t: Ty :: { TSeq(t) } Tag(TSeq(t)) == TagSeq); + +function TSeq(Ty) : Ty; + +axiom (forall t: Ty, u: Ty :: { TMap(t, u) } Inv0_TMap(TMap(t, u)) == t); + +axiom (forall t: Ty, u: Ty :: { TMap(t, u) } Inv1_TMap(TMap(t, u)) == u); + +axiom (forall t: Ty, u: Ty :: { TMap(t, u) } Tag(TMap(t, u)) == TagMap); + +function TMap(Ty, Ty) : Ty; + +axiom (forall t: Ty, u: Ty :: { TIMap(t, u) } Inv0_TIMap(TIMap(t, u)) == t); + +axiom (forall t: Ty, u: Ty :: { TIMap(t, u) } Inv1_TIMap(TIMap(t, u)) == u); + +axiom (forall t: Ty, u: Ty :: { TIMap(t, u) } Tag(TIMap(t, u)) == TagIMap); + +function TIMap(Ty, Ty) : Ty; + +function Inv0_TBitvector(Ty) : int; + +function Inv0_TSet(Ty) : Ty; + +function Inv0_TISet(Ty) : Ty; + +function Inv0_TSeq(Ty) : Ty; + +function Inv0_TMultiSet(Ty) : Ty; + +function Inv0_TMap(Ty) : Ty; + +function Inv1_TMap(Ty) : Ty; + +function Inv0_TIMap(Ty) : Ty; + +function Inv1_TIMap(Ty) : Ty; + +function Tag(Ty) : TyTag; + +const unique TagBool: TyTag; + +const unique TagChar: TyTag; + +const unique TagInt: TyTag; + +const unique TagReal: TyTag; + +const unique TagORDINAL: TyTag; + +const unique TagSet: TyTag; + +const unique TagISet: TyTag; + +const unique TagMultiSet: TyTag; + +const unique TagSeq: TyTag; + +const unique TagMap: TyTag; + +const unique TagIMap: TyTag; + +const unique TagClass: TyTag; + +function TagFamily(Ty) : TyTagFamily; + +axiom (forall x: T :: { $Box(Lit(x)) } $Box(Lit(x)) == Lit($Box(x))); + +function {:identity} Lit(x: T) : T; + +axiom (forall x: T :: {:identity} { Lit(x): T } Lit(x): T == x); + +axiom (forall x: int :: { $Box(LitInt(x)) } $Box(LitInt(x)) == Lit($Box(x))); + +function {:identity} LitInt(x: int) : int; + +axiom (forall x: int :: {:identity} { LitInt(x): int } LitInt(x): int == x); + +axiom (forall x: real :: { $Box(LitReal(x)) } $Box(LitReal(x)) == Lit($Box(x))); + +function {:identity} LitReal(x: real) : real; + +axiom (forall x: real :: {:identity} { LitReal(x): real } LitReal(x): real == x); + +axiom (forall n: int :: + { char#FromInt(n) } + 0 <= n && n < 65536 ==> char#ToInt(char#FromInt(n)) == n); + +function char#FromInt(int) : char; + +axiom (forall ch: char :: + { char#ToInt(ch) } + char#FromInt(char#ToInt(ch)) == ch + && 0 <= char#ToInt(ch) + && char#ToInt(ch) < 65536); + +function char#ToInt(char) : int; + +axiom (forall a: char, b: char :: + { char#Plus(a, b) } + char#Plus(a, b) == char#FromInt(char#ToInt(a) + char#ToInt(b))); + +function char#Plus(char, char) : char; + +axiom (forall a: char, b: char :: + { char#Minus(a, b) } + char#Minus(a, b) == char#FromInt(char#ToInt(a) - char#ToInt(b))); + +function char#Minus(char, char) : char; + +const null: ref; + +const $ArbitraryBoxValue: Box; + +axiom (forall x: T :: { $Box(x) } $Unbox($Box(x)) == x); + +function $Box(T) : Box; + +function $Unbox(Box) : T; + +function $IsBox(T, Ty) : bool; + +function $IsAllocBox(T, Ty, Heap) : bool; + +axiom (forall bx: Box :: + { $IsBox(bx, TInt) } + $IsBox(bx, TInt) ==> $Box($Unbox(bx): int) == bx && $Is($Unbox(bx): int, TInt)); + +axiom (forall bx: Box :: + { $IsBox(bx, TReal) } + $IsBox(bx, TReal) + ==> $Box($Unbox(bx): real) == bx && $Is($Unbox(bx): real, TReal)); + +axiom (forall bx: Box :: + { $IsBox(bx, TBool) } + $IsBox(bx, TBool) + ==> $Box($Unbox(bx): bool) == bx && $Is($Unbox(bx): bool, TBool)); + +axiom (forall bx: Box :: + { $IsBox(bx, TChar) } + $IsBox(bx, TChar) + ==> $Box($Unbox(bx): char) == bx && $Is($Unbox(bx): char, TChar)); + +axiom (forall bx: Box :: + { $IsBox(bx, TBitvector(0)) } + $IsBox(bx, TBitvector(0)) + ==> $Box($Unbox(bx): Bv0) == bx && $Is($Unbox(bx): Set Box, TBitvector(0))); + +axiom (forall bx: Box, t: Ty :: + { $IsBox(bx, TSet(t)) } + $IsBox(bx, TSet(t)) + ==> $Box($Unbox(bx): Set Box) == bx && $Is($Unbox(bx): Set Box, TSet(t))); + +axiom (forall bx: Box, t: Ty :: + { $IsBox(bx, TISet(t)) } + $IsBox(bx, TISet(t)) + ==> $Box($Unbox(bx): ISet Box) == bx && $Is($Unbox(bx): ISet Box, TISet(t))); + +axiom (forall bx: Box, t: Ty :: + { $IsBox(bx, TMultiSet(t)) } + $IsBox(bx, TMultiSet(t)) + ==> $Box($Unbox(bx): MultiSet Box) == bx + && $Is($Unbox(bx): MultiSet Box, TMultiSet(t))); + +axiom (forall bx: Box, t: Ty :: + { $IsBox(bx, TSeq(t)) } + $IsBox(bx, TSeq(t)) + ==> $Box($Unbox(bx): Seq Box) == bx && $Is($Unbox(bx): Seq Box, TSeq(t))); + +axiom (forall bx: Box, s: Ty, t: Ty :: + { $IsBox(bx, TMap(s, t)) } + $IsBox(bx, TMap(s, t)) + ==> $Box($Unbox(bx): Map Box Box) == bx && $Is($Unbox(bx): Map Box Box, TMap(s, t))); + +axiom (forall bx: Box, s: Ty, t: Ty :: + { $IsBox(bx, TIMap(s, t)) } + $IsBox(bx, TIMap(s, t)) + ==> $Box($Unbox(bx): IMap Box Box) == bx + && $Is($Unbox(bx): IMap Box Box, TIMap(s, t))); + +axiom (forall v: T, t: Ty :: + { $IsBox($Box(v), t) } + $IsBox($Box(v), t) <==> $Is(v, t)); + +axiom (forall v: T, t: Ty, h: Heap :: + { $IsAllocBox($Box(v), t, h) } + $IsAllocBox($Box(v), t, h) <==> $IsAlloc(v, t, h)); + +axiom (forall v: int :: { $Is(v, TInt) } $Is(v, TInt)); + +axiom (forall v: real :: { $Is(v, TReal) } $Is(v, TReal)); + +axiom (forall v: bool :: { $Is(v, TBool) } $Is(v, TBool)); + +axiom (forall v: char :: { $Is(v, TChar) } $Is(v, TChar)); + +axiom (forall v: ORDINAL :: { $Is(v, TORDINAL) } $Is(v, TORDINAL)); + +axiom (forall v: Bv0 :: { $Is(v, TBitvector(0)) } $Is(v, TBitvector(0))); + +axiom (forall v: Set Box, t0: Ty :: + { $Is(v, TSet(t0)) } + $Is(v, TSet(t0)) <==> (forall bx: Box :: { v[bx] } v[bx] ==> $IsBox(bx, t0))); + +axiom (forall v: ISet Box, t0: Ty :: + { $Is(v, TISet(t0)) } + $Is(v, TISet(t0)) <==> (forall bx: Box :: { v[bx] } v[bx] ==> $IsBox(bx, t0))); + +axiom (forall v: MultiSet Box, t0: Ty :: + { $Is(v, TMultiSet(t0)) } + $Is(v, TMultiSet(t0)) + <==> (forall bx: Box :: { v[bx] } 0 < v[bx] ==> $IsBox(bx, t0))); + +axiom (forall v: MultiSet Box, t0: Ty :: + { $Is(v, TMultiSet(t0)) } + $Is(v, TMultiSet(t0)) ==> $IsGoodMultiSet(v)); + +axiom (forall v: Seq Box, t0: Ty :: + { $Is(v, TSeq(t0)) } + $Is(v, TSeq(t0)) + <==> (forall i: int :: + { Seq#Index(v, i) } + 0 <= i && i < Seq#Length(v) ==> $IsBox(Seq#Index(v, i), t0))); + +axiom (forall v: Map Box Box, t0: Ty, t1: Ty :: + { $Is(v, TMap(t0, t1)) } + $Is(v, TMap(t0, t1)) + <==> (forall bx: Box :: + { Map#Elements(v)[bx] } { Map#Domain(v)[bx] } + Map#Domain(v)[bx] ==> $IsBox(Map#Elements(v)[bx], t1) && $IsBox(bx, t0))); + +axiom (forall v: Map Box Box, t0: Ty, t1: Ty :: + { $Is(v, TMap(t0, t1)) } + $Is(v, TMap(t0, t1)) + ==> $Is(Map#Domain(v), TSet(t0)) + && $Is(Map#Values(v), TSet(t1)) + && $Is(Map#Items(v), TSet(Tclass._System.Tuple2(t0, t1)))); + +axiom (forall v: IMap Box Box, t0: Ty, t1: Ty :: + { $Is(v, TIMap(t0, t1)) } + $Is(v, TIMap(t0, t1)) + <==> (forall bx: Box :: + { IMap#Elements(v)[bx] } { IMap#Domain(v)[bx] } + IMap#Domain(v)[bx] ==> $IsBox(IMap#Elements(v)[bx], t1) && $IsBox(bx, t0))); + +axiom (forall v: IMap Box Box, t0: Ty, t1: Ty :: + { $Is(v, TIMap(t0, t1)) } + $Is(v, TIMap(t0, t1)) + ==> $Is(IMap#Domain(v), TISet(t0)) + && $Is(IMap#Values(v), TISet(t1)) + && $Is(IMap#Items(v), TISet(Tclass._System.Tuple2(t0, t1)))); + +function $Is(T, Ty) : bool; + +axiom (forall h: Heap, v: int :: { $IsAlloc(v, TInt, h) } $IsAlloc(v, TInt, h)); + +axiom (forall h: Heap, v: real :: { $IsAlloc(v, TReal, h) } $IsAlloc(v, TReal, h)); + +axiom (forall h: Heap, v: bool :: { $IsAlloc(v, TBool, h) } $IsAlloc(v, TBool, h)); + +axiom (forall h: Heap, v: char :: { $IsAlloc(v, TChar, h) } $IsAlloc(v, TChar, h)); + +axiom (forall h: Heap, v: ORDINAL :: + { $IsAlloc(v, TORDINAL, h) } + $IsAlloc(v, TORDINAL, h)); + +axiom (forall v: Bv0, h: Heap :: + { $IsAlloc(v, TBitvector(0), h) } + $IsAlloc(v, TBitvector(0), h)); + +axiom (forall v: Set Box, t0: Ty, h: Heap :: + { $IsAlloc(v, TSet(t0), h) } + $IsAlloc(v, TSet(t0), h) + <==> (forall bx: Box :: { v[bx] } v[bx] ==> $IsAllocBox(bx, t0, h))); + +axiom (forall v: ISet Box, t0: Ty, h: Heap :: + { $IsAlloc(v, TISet(t0), h) } + $IsAlloc(v, TISet(t0), h) + <==> (forall bx: Box :: { v[bx] } v[bx] ==> $IsAllocBox(bx, t0, h))); + +axiom (forall v: MultiSet Box, t0: Ty, h: Heap :: + { $IsAlloc(v, TMultiSet(t0), h) } + $IsAlloc(v, TMultiSet(t0), h) + <==> (forall bx: Box :: { v[bx] } 0 < v[bx] ==> $IsAllocBox(bx, t0, h))); + +axiom (forall v: Seq Box, t0: Ty, h: Heap :: + { $IsAlloc(v, TSeq(t0), h) } + $IsAlloc(v, TSeq(t0), h) + <==> (forall i: int :: + { Seq#Index(v, i) } + 0 <= i && i < Seq#Length(v) ==> $IsAllocBox(Seq#Index(v, i), t0, h))); + +axiom (forall v: Map Box Box, t0: Ty, t1: Ty, h: Heap :: + { $IsAlloc(v, TMap(t0, t1), h) } + $IsAlloc(v, TMap(t0, t1), h) + <==> (forall bx: Box :: + { Map#Elements(v)[bx] } { Map#Domain(v)[bx] } + Map#Domain(v)[bx] + ==> $IsAllocBox(Map#Elements(v)[bx], t1, h) && $IsAllocBox(bx, t0, h))); + +axiom (forall v: IMap Box Box, t0: Ty, t1: Ty, h: Heap :: + { $IsAlloc(v, TIMap(t0, t1), h) } + $IsAlloc(v, TIMap(t0, t1), h) + <==> (forall bx: Box :: + { IMap#Elements(v)[bx] } { IMap#Domain(v)[bx] } + IMap#Domain(v)[bx] + ==> $IsAllocBox(IMap#Elements(v)[bx], t1, h) && $IsAllocBox(bx, t0, h))); + +function $IsAlloc(T, Ty, Heap) : bool; + +axiom (forall ty: Ty :: + { $AlwaysAllocated(ty) } + $AlwaysAllocated(ty) + ==> (forall h: Heap, v: Box :: + { $IsAllocBox(v, ty, h) } + $IsBox(v, ty) ==> $IsAllocBox(v, ty, h))); + +function $AlwaysAllocated(Ty) : bool; + +function $OlderTag(Heap) : bool; + +const unique class._System.int: ClassName; + +const unique class._System.bool: ClassName; + +const unique class._System.set: ClassName; + +const unique class._System.seq: ClassName; + +const unique class._System.multiset: ClassName; + +function Tclass._System.object?() : Ty; + +function Tclass._System.Tuple2(Ty, Ty) : Ty; + +function dtype(ref) : Ty; + +function TypeTuple(a: ClassName, b: ClassName) : ClassName; + +function TypeTupleCar(ClassName) : ClassName; + +function TypeTupleCdr(ClassName) : ClassName; + +axiom (forall a: ClassName, b: ClassName :: + { TypeTuple(a, b) } + TypeTupleCar(TypeTuple(a, b)) == a && TypeTupleCdr(TypeTuple(a, b)) == b); + +function SetRef_to_SetBox(s: [ref]bool) : Set Box; + +axiom (forall s: [ref]bool, bx: Box :: + { SetRef_to_SetBox(s)[bx] } + SetRef_to_SetBox(s)[bx] == s[$Unbox(bx): ref]); + +axiom (forall s: [ref]bool :: + { SetRef_to_SetBox(s) } + $Is(SetRef_to_SetBox(s), TSet(Tclass._System.object?()))); + +function Apply1(Ty, Ty, Heap, HandleType, Box) : Box; + +function DatatypeCtorId(DatatypeType) : DtCtorId; + +function DtRank(DatatypeType) : int; + +function BoxRank(Box) : int; + +axiom (forall d: DatatypeType :: { BoxRank($Box(d)) } BoxRank($Box(d)) == DtRank(d)); + +type ORDINAL = Box; + +function ORD#IsNat(ORDINAL) : bool; + +function ORD#Offset(ORDINAL) : int; + +axiom (forall o: ORDINAL :: { ORD#Offset(o) } 0 <= ORD#Offset(o)); + +function {:inline} ORD#IsLimit(o: ORDINAL) : bool +{ + ORD#Offset(o) == 0 +} + +function {:inline} ORD#IsSucc(o: ORDINAL) : bool +{ + 0 < ORD#Offset(o) +} + +function ORD#FromNat(int) : ORDINAL; + +axiom (forall n: int :: + { ORD#FromNat(n) } + 0 <= n ==> ORD#IsNat(ORD#FromNat(n)) && ORD#Offset(ORD#FromNat(n)) == n); + +axiom (forall o: ORDINAL :: + { ORD#Offset(o) } { ORD#IsNat(o) } + ORD#IsNat(o) ==> o == ORD#FromNat(ORD#Offset(o))); + +function ORD#Less(ORDINAL, ORDINAL) : bool; + +axiom (forall o: ORDINAL, p: ORDINAL :: + { ORD#Less(o, p) } + (ORD#Less(o, p) ==> o != p) + && (ORD#IsNat(o) && !ORD#IsNat(p) ==> ORD#Less(o, p)) + && (ORD#IsNat(o) && ORD#IsNat(p) + ==> ORD#Less(o, p) == (ORD#Offset(o) < ORD#Offset(p))) + && (ORD#Less(o, p) && ORD#IsNat(p) ==> ORD#IsNat(o))); + +axiom (forall o: ORDINAL, p: ORDINAL :: + { ORD#Less(o, p), ORD#Less(p, o) } + ORD#Less(o, p) || o == p || ORD#Less(p, o)); + +axiom (forall o: ORDINAL, p: ORDINAL, r: ORDINAL :: + { ORD#Less(o, p), ORD#Less(p, r) } { ORD#Less(o, p), ORD#Less(o, r) } + ORD#Less(o, p) && ORD#Less(p, r) ==> ORD#Less(o, r)); + +function ORD#LessThanLimit(ORDINAL, ORDINAL) : bool; + +axiom (forall o: ORDINAL, p: ORDINAL :: + { ORD#LessThanLimit(o, p) } + ORD#LessThanLimit(o, p) == ORD#Less(o, p)); + +function ORD#Plus(ORDINAL, ORDINAL) : ORDINAL; + +axiom (forall o: ORDINAL, p: ORDINAL :: + { ORD#Plus(o, p) } + (ORD#IsNat(ORD#Plus(o, p)) ==> ORD#IsNat(o) && ORD#IsNat(p)) + && (ORD#IsNat(p) + ==> ORD#IsNat(ORD#Plus(o, p)) == ORD#IsNat(o) + && ORD#Offset(ORD#Plus(o, p)) == ORD#Offset(o) + ORD#Offset(p))); + +axiom (forall o: ORDINAL, p: ORDINAL :: + { ORD#Plus(o, p) } + (o == ORD#Plus(o, p) || ORD#Less(o, ORD#Plus(o, p))) + && (p == ORD#Plus(o, p) || ORD#Less(p, ORD#Plus(o, p)))); + +axiom (forall o: ORDINAL, p: ORDINAL :: + { ORD#Plus(o, p) } + (o == ORD#FromNat(0) ==> ORD#Plus(o, p) == p) + && (p == ORD#FromNat(0) ==> ORD#Plus(o, p) == o)); + +function ORD#Minus(ORDINAL, ORDINAL) : ORDINAL; + +axiom (forall o: ORDINAL, p: ORDINAL :: + { ORD#Minus(o, p) } + ORD#IsNat(p) && ORD#Offset(p) <= ORD#Offset(o) + ==> ORD#IsNat(ORD#Minus(o, p)) == ORD#IsNat(o) + && ORD#Offset(ORD#Minus(o, p)) == ORD#Offset(o) - ORD#Offset(p)); + +axiom (forall o: ORDINAL, p: ORDINAL :: + { ORD#Minus(o, p) } + ORD#IsNat(p) && ORD#Offset(p) <= ORD#Offset(o) + ==> (p == ORD#FromNat(0) && ORD#Minus(o, p) == o) + || (p != ORD#FromNat(0) && ORD#Less(ORD#Minus(o, p), o))); + +axiom (forall o: ORDINAL, m: int, n: int :: + { ORD#Plus(ORD#Plus(o, ORD#FromNat(m)), ORD#FromNat(n)) } + 0 <= m && 0 <= n + ==> ORD#Plus(ORD#Plus(o, ORD#FromNat(m)), ORD#FromNat(n)) + == ORD#Plus(o, ORD#FromNat(m + n))); + +axiom (forall o: ORDINAL, m: int, n: int :: + { ORD#Minus(ORD#Minus(o, ORD#FromNat(m)), ORD#FromNat(n)) } + 0 <= m && 0 <= n && m + n <= ORD#Offset(o) + ==> ORD#Minus(ORD#Minus(o, ORD#FromNat(m)), ORD#FromNat(n)) + == ORD#Minus(o, ORD#FromNat(m + n))); + +axiom (forall o: ORDINAL, m: int, n: int :: + { ORD#Minus(ORD#Plus(o, ORD#FromNat(m)), ORD#FromNat(n)) } + 0 <= m && 0 <= n && n <= ORD#Offset(o) + m + ==> (0 <= m - n + ==> ORD#Minus(ORD#Plus(o, ORD#FromNat(m)), ORD#FromNat(n)) + == ORD#Plus(o, ORD#FromNat(m - n))) + && (m - n <= 0 + ==> ORD#Minus(ORD#Plus(o, ORD#FromNat(m)), ORD#FromNat(n)) + == ORD#Minus(o, ORD#FromNat(n - m)))); + +axiom (forall o: ORDINAL, m: int, n: int :: + { ORD#Plus(ORD#Minus(o, ORD#FromNat(m)), ORD#FromNat(n)) } + 0 <= m && 0 <= n && n <= ORD#Offset(o) + m + ==> (0 <= m - n + ==> ORD#Plus(ORD#Minus(o, ORD#FromNat(m)), ORD#FromNat(n)) + == ORD#Minus(o, ORD#FromNat(m - n))) + && (m - n <= 0 + ==> ORD#Plus(ORD#Minus(o, ORD#FromNat(m)), ORD#FromNat(n)) + == ORD#Plus(o, ORD#FromNat(n - m)))); + +const $ModuleContextHeight: int; + +const $FunctionContextHeight: int; + +const $LZ: LayerType; + +function $LS(LayerType) : LayerType; + +function AsFuelBottom(LayerType) : LayerType; + +function AtLayer([LayerType]A, LayerType) : A; + +axiom (forall f: [LayerType]A, ly: LayerType :: + { AtLayer(f, ly) } + AtLayer(f, ly) == f[ly]); + +axiom (forall f: [LayerType]A, ly: LayerType :: + { AtLayer(f, $LS(ly)) } + AtLayer(f, $LS(ly)) == AtLayer(f, ly)); + +axiom FDim(alloc) == 0; + +function FDim(Field T) : int; + +function IndexField(int) : Field Box; + +axiom (forall i: int :: { IndexField(i) } FDim(IndexField(i)) == 1); + +function IndexField_Inverse(Field T) : int; + +axiom (forall i: int :: { IndexField(i) } IndexField_Inverse(IndexField(i)) == i); + +function MultiIndexField(Field Box, int) : Field Box; + +axiom (forall f: Field Box, i: int :: + { MultiIndexField(f, i) } + FDim(MultiIndexField(f, i)) == FDim(f) + 1); + +function MultiIndexField_Inverse0(Field T) : Field T; + +function MultiIndexField_Inverse1(Field T) : int; + +axiom (forall f: Field Box, i: int :: + { MultiIndexField(f, i) } + MultiIndexField_Inverse0(MultiIndexField(f, i)) == f + && MultiIndexField_Inverse1(MultiIndexField(f, i)) == i); + +function DeclType(Field T) : ClassName; + +axiom DeclName(alloc) == allocName; + +function DeclName(Field T) : NameFamily; + +function FieldOfDecl(ClassName, NameFamily) : Field alpha; + +axiom (forall cl: ClassName, nm: NameFamily :: + { FieldOfDecl(cl, nm): Field T } + DeclType(FieldOfDecl(cl, nm): Field T) == cl + && DeclName(FieldOfDecl(cl, nm): Field T) == nm); + +axiom $IsGhostField(alloc); + +axiom (forall h: Heap, k: Heap :: + { $HeapSuccGhost(h, k) } + $HeapSuccGhost(h, k) + ==> $HeapSucc(h, k) + && (forall o: ref, f: Field alpha :: + { read(k, o, f) } + !$IsGhostField(f) ==> read(h, o, f) == read(k, o, f))); + +function $IsGhostField(Field T) : bool; + +axiom (forall h: Heap, k: Heap, v: T, t: Ty :: + { $HeapSucc(h, k), $IsAlloc(v, t, h) } + $HeapSucc(h, k) ==> $IsAlloc(v, t, h) ==> $IsAlloc(v, t, k)); + +axiom (forall h: Heap, k: Heap, bx: Box, t: Ty :: + { $HeapSucc(h, k), $IsAllocBox(bx, t, h) } + $HeapSucc(h, k) ==> $IsAllocBox(bx, t, h) ==> $IsAllocBox(bx, t, k)); + +const unique alloc: Field bool; + +const unique allocName: NameFamily; + +axiom (forall o: ref :: 0 <= _System.array.Length(o)); + +function _System.array.Length(a: ref) : int; + +function Int(x: real) : int; + +axiom (forall x: real :: { Int(x): int } Int(x): int == int(x)); + +function Real(x: int) : real; + +axiom (forall x: int :: { Real(x): real } Real(x): real == real(x)); + +axiom (forall i: int :: { Int(Real(i)) } Int(Real(i)) == i); + +function {:inline} _System.real.Floor(x: real) : int +{ + Int(x) +} + +type Heap = [ref][Field alpha]alpha; + +function {:inline} read(H: Heap, r: ref, f: Field alpha) : alpha +{ + H[r][f] +} + +function {:inline} update(H: Heap, r: ref, f: Field alpha, v: alpha) : Heap +{ + H[r := H[r][f := v]] +} + +function $IsGoodHeap(Heap) : bool; + +function $IsHeapAnchor(Heap) : bool; + +var $Heap: Heap where $IsGoodHeap($Heap) && $IsHeapAnchor($Heap); + +const $OneHeap: Heap; + +axiom $IsGoodHeap($OneHeap); + +function $HeapSucc(Heap, Heap) : bool; + +axiom (forall h: Heap, r: ref, f: Field alpha, x: alpha :: + { update(h, r, f, x) } + $IsGoodHeap(update(h, r, f, x)) ==> $HeapSucc(h, update(h, r, f, x))); + +axiom (forall a: Heap, b: Heap, c: Heap :: + { $HeapSucc(a, b), $HeapSucc(b, c) } + a != c ==> $HeapSucc(a, b) && $HeapSucc(b, c) ==> $HeapSucc(a, c)); + +axiom (forall h: Heap, k: Heap :: + { $HeapSucc(h, k) } + $HeapSucc(h, k) + ==> (forall o: ref :: { read(k, o, alloc) } read(h, o, alloc) ==> read(k, o, alloc))); + +function $HeapSuccGhost(Heap, Heap) : bool; + +var $Tick: TickType; + +procedure $YieldHavoc(this: ref, rds: Set Box, nw: Set Box); + modifies $Heap; + ensures (forall $o: ref, $f: Field alpha :: + { read($Heap, $o, $f) } + $o != null && read(old($Heap), $o, alloc) + ==> + $o == this || rds[$Box($o)] || nw[$Box($o)] + ==> read($Heap, $o, $f) == read(old($Heap), $o, $f)); + ensures $HeapSucc(old($Heap), $Heap); + + + +procedure $IterHavoc0(this: ref, rds: Set Box, modi: Set Box); + modifies $Heap; + ensures (forall $o: ref, $f: Field alpha :: + { read($Heap, $o, $f) } + $o != null && read(old($Heap), $o, alloc) + ==> + rds[$Box($o)] && !modi[$Box($o)] && $o != this + ==> read($Heap, $o, $f) == read(old($Heap), $o, $f)); + ensures $HeapSucc(old($Heap), $Heap); + + + +procedure $IterHavoc1(this: ref, modi: Set Box, nw: Set Box); + modifies $Heap; + ensures (forall $o: ref, $f: Field alpha :: + { read($Heap, $o, $f) } + $o != null && read(old($Heap), $o, alloc) + ==> read($Heap, $o, $f) == read(old($Heap), $o, $f) + || $o == this + || modi[$Box($o)] + || nw[$Box($o)]); + ensures $HeapSucc(old($Heap), $Heap); + + + +procedure $IterCollectNewObjects(prevHeap: Heap, newHeap: Heap, this: ref, NW: Field (Set Box)) + returns (s: Set Box); + ensures (forall bx: Box :: + { s[bx] } + s[bx] + <==> read(newHeap, this, NW)[bx] + || ( + $Unbox(bx) != null + && !read(prevHeap, $Unbox(bx): ref, alloc) + && read(newHeap, $Unbox(bx): ref, alloc))); + + + +type Set T = [T]bool; + +function Set#Card(Set T) : int; + +axiom (forall s: Set T :: { Set#Card(s) } 0 <= Set#Card(s)); + +function Set#Empty() : Set T; + +axiom (forall o: T :: { Set#Empty()[o] } !Set#Empty()[o]); + +axiom (forall s: Set T :: + { Set#Card(s) } + (Set#Card(s) == 0 <==> s == Set#Empty()) + && (Set#Card(s) != 0 ==> (exists x: T :: s[x]))); + +function Set#Singleton(T) : Set T; + +axiom (forall r: T :: { Set#Singleton(r) } Set#Singleton(r)[r]); + +axiom (forall r: T, o: T :: + { Set#Singleton(r)[o] } + Set#Singleton(r)[o] <==> r == o); + +axiom (forall r: T :: + { Set#Card(Set#Singleton(r)) } + Set#Card(Set#Singleton(r)) == 1); + +function Set#UnionOne(Set T, T) : Set T; + +axiom (forall a: Set T, x: T, o: T :: + { Set#UnionOne(a, x)[o] } + Set#UnionOne(a, x)[o] <==> o == x || a[o]); + +axiom (forall a: Set T, x: T :: { Set#UnionOne(a, x) } Set#UnionOne(a, x)[x]); + +axiom (forall a: Set T, x: T, y: T :: + { Set#UnionOne(a, x), a[y] } + a[y] ==> Set#UnionOne(a, x)[y]); + +axiom (forall a: Set T, x: T :: + { Set#Card(Set#UnionOne(a, x)) } + a[x] ==> Set#Card(Set#UnionOne(a, x)) == Set#Card(a)); + +axiom (forall a: Set T, x: T :: + { Set#Card(Set#UnionOne(a, x)) } + !a[x] ==> Set#Card(Set#UnionOne(a, x)) == Set#Card(a) + 1); + +function Set#Union(Set T, Set T) : Set T; + +axiom (forall a: Set T, b: Set T, o: T :: + { Set#Union(a, b)[o] } + Set#Union(a, b)[o] <==> a[o] || b[o]); + +axiom (forall a: Set T, b: Set T, y: T :: + { Set#Union(a, b), a[y] } + a[y] ==> Set#Union(a, b)[y]); + +axiom (forall a: Set T, b: Set T, y: T :: + { Set#Union(a, b), b[y] } + b[y] ==> Set#Union(a, b)[y]); + +axiom (forall a: Set T, b: Set T :: + { Set#Union(a, b) } + Set#Disjoint(a, b) + ==> Set#Difference(Set#Union(a, b), a) == b + && Set#Difference(Set#Union(a, b), b) == a); + +function Set#Intersection(Set T, Set T) : Set T; + +axiom (forall a: Set T, b: Set T, o: T :: + { Set#Intersection(a, b)[o] } + Set#Intersection(a, b)[o] <==> a[o] && b[o]); + +axiom (forall a: Set T, b: Set T :: + { Set#Union(Set#Union(a, b), b) } + Set#Union(Set#Union(a, b), b) == Set#Union(a, b)); + +axiom (forall a: Set T, b: Set T :: + { Set#Union(a, Set#Union(a, b)) } + Set#Union(a, Set#Union(a, b)) == Set#Union(a, b)); + +axiom (forall a: Set T, b: Set T :: + { Set#Intersection(Set#Intersection(a, b), b) } + Set#Intersection(Set#Intersection(a, b), b) == Set#Intersection(a, b)); + +axiom (forall a: Set T, b: Set T :: + { Set#Intersection(a, Set#Intersection(a, b)) } + Set#Intersection(a, Set#Intersection(a, b)) == Set#Intersection(a, b)); + +axiom (forall a: Set T, b: Set T :: + { Set#Card(Set#Union(a, b)) } { Set#Card(Set#Intersection(a, b)) } + Set#Card(Set#Union(a, b)) + Set#Card(Set#Intersection(a, b)) + == Set#Card(a) + Set#Card(b)); + +function Set#Difference(Set T, Set T) : Set T; + +axiom (forall a: Set T, b: Set T, o: T :: + { Set#Difference(a, b)[o] } + Set#Difference(a, b)[o] <==> a[o] && !b[o]); + +axiom (forall a: Set T, b: Set T, y: T :: + { Set#Difference(a, b), b[y] } + b[y] ==> !Set#Difference(a, b)[y]); + +axiom (forall a: Set T, b: Set T :: + { Set#Card(Set#Difference(a, b)) } + Set#Card(Set#Difference(a, b)) + + Set#Card(Set#Difference(b, a)) + + Set#Card(Set#Intersection(a, b)) + == Set#Card(Set#Union(a, b)) + && Set#Card(Set#Difference(a, b)) == Set#Card(a) - Set#Card(Set#Intersection(a, b))); + +function Set#Subset(Set T, Set T) : bool; + +axiom (forall a: Set T, b: Set T :: + { Set#Subset(a, b) } + Set#Subset(a, b) <==> (forall o: T :: { a[o] } { b[o] } a[o] ==> b[o])); + +function Set#Equal(Set T, Set T) : bool; + +axiom (forall a: Set T, b: Set T :: + { Set#Equal(a, b) } + Set#Equal(a, b) <==> (forall o: T :: { a[o] } { b[o] } a[o] <==> b[o])); + +axiom (forall a: Set T, b: Set T :: { Set#Equal(a, b) } Set#Equal(a, b) ==> a == b); + +function Set#Disjoint(Set T, Set T) : bool; + +axiom (forall a: Set T, b: Set T :: + { Set#Disjoint(a, b) } + Set#Disjoint(a, b) <==> (forall o: T :: { a[o] } { b[o] } !a[o] || !b[o])); + +type ISet T = [T]bool; + +function ISet#Empty() : Set T; + +axiom (forall o: T :: { ISet#Empty()[o] } !ISet#Empty()[o]); + +function ISet#UnionOne(ISet T, T) : ISet T; + +axiom (forall a: ISet T, x: T, o: T :: + { ISet#UnionOne(a, x)[o] } + ISet#UnionOne(a, x)[o] <==> o == x || a[o]); + +axiom (forall a: ISet T, x: T :: { ISet#UnionOne(a, x) } ISet#UnionOne(a, x)[x]); + +axiom (forall a: ISet T, x: T, y: T :: + { ISet#UnionOne(a, x), a[y] } + a[y] ==> ISet#UnionOne(a, x)[y]); + +function ISet#Union(ISet T, ISet T) : ISet T; + +axiom (forall a: ISet T, b: ISet T, o: T :: + { ISet#Union(a, b)[o] } + ISet#Union(a, b)[o] <==> a[o] || b[o]); + +axiom (forall a: ISet T, b: ISet T, y: T :: + { ISet#Union(a, b), a[y] } + a[y] ==> ISet#Union(a, b)[y]); + +axiom (forall a: Set T, b: Set T, y: T :: + { ISet#Union(a, b), b[y] } + b[y] ==> ISet#Union(a, b)[y]); + +axiom (forall a: ISet T, b: ISet T :: + { ISet#Union(a, b) } + ISet#Disjoint(a, b) + ==> ISet#Difference(ISet#Union(a, b), a) == b + && ISet#Difference(ISet#Union(a, b), b) == a); + +function ISet#Intersection(ISet T, ISet T) : ISet T; + +axiom (forall a: ISet T, b: ISet T, o: T :: + { ISet#Intersection(a, b)[o] } + ISet#Intersection(a, b)[o] <==> a[o] && b[o]); + +axiom (forall a: ISet T, b: ISet T :: + { ISet#Union(ISet#Union(a, b), b) } + ISet#Union(ISet#Union(a, b), b) == ISet#Union(a, b)); + +axiom (forall a: Set T, b: Set T :: + { ISet#Union(a, ISet#Union(a, b)) } + ISet#Union(a, ISet#Union(a, b)) == ISet#Union(a, b)); + +axiom (forall a: ISet T, b: ISet T :: + { ISet#Intersection(ISet#Intersection(a, b), b) } + ISet#Intersection(ISet#Intersection(a, b), b) == ISet#Intersection(a, b)); + +axiom (forall a: ISet T, b: ISet T :: + { ISet#Intersection(a, ISet#Intersection(a, b)) } + ISet#Intersection(a, ISet#Intersection(a, b)) == ISet#Intersection(a, b)); + +function ISet#Difference(ISet T, ISet T) : ISet T; + +axiom (forall a: ISet T, b: ISet T, o: T :: + { ISet#Difference(a, b)[o] } + ISet#Difference(a, b)[o] <==> a[o] && !b[o]); + +axiom (forall a: ISet T, b: ISet T, y: T :: + { ISet#Difference(a, b), b[y] } + b[y] ==> !ISet#Difference(a, b)[y]); + +function ISet#Subset(ISet T, ISet T) : bool; + +axiom (forall a: ISet T, b: ISet T :: + { ISet#Subset(a, b) } + ISet#Subset(a, b) <==> (forall o: T :: { a[o] } { b[o] } a[o] ==> b[o])); + +function ISet#Equal(ISet T, ISet T) : bool; + +axiom (forall a: ISet T, b: ISet T :: + { ISet#Equal(a, b) } + ISet#Equal(a, b) <==> (forall o: T :: { a[o] } { b[o] } a[o] <==> b[o])); + +axiom (forall a: ISet T, b: ISet T :: + { ISet#Equal(a, b) } + ISet#Equal(a, b) ==> a == b); + +function ISet#Disjoint(ISet T, ISet T) : bool; + +axiom (forall a: ISet T, b: ISet T :: + { ISet#Disjoint(a, b) } + ISet#Disjoint(a, b) <==> (forall o: T :: { a[o] } { b[o] } !a[o] || !b[o])); + +function Math#min(a: int, b: int) : int; + +axiom (forall a: int, b: int :: { Math#min(a, b) } a <= b <==> Math#min(a, b) == a); + +axiom (forall a: int, b: int :: { Math#min(a, b) } b <= a <==> Math#min(a, b) == b); + +axiom (forall a: int, b: int :: + { Math#min(a, b) } + Math#min(a, b) == a || Math#min(a, b) == b); + +function Math#clip(a: int) : int; + +axiom (forall a: int :: { Math#clip(a) } 0 <= a ==> Math#clip(a) == a); + +axiom (forall a: int :: { Math#clip(a) } a < 0 ==> Math#clip(a) == 0); + +type MultiSet T = [T]int; + +function $IsGoodMultiSet(ms: MultiSet T) : bool; + +axiom (forall ms: MultiSet T :: + { $IsGoodMultiSet(ms) } + $IsGoodMultiSet(ms) + <==> (forall bx: T :: { ms[bx] } 0 <= ms[bx] && ms[bx] <= MultiSet#Card(ms))); + +function MultiSet#Card(MultiSet T) : int; + +axiom (forall s: MultiSet T :: { MultiSet#Card(s) } 0 <= MultiSet#Card(s)); + +axiom (forall s: MultiSet T, x: T, n: int :: + { MultiSet#Card(s[x := n]) } + 0 <= n ==> MultiSet#Card(s[x := n]) == MultiSet#Card(s) - s[x] + n); + +function MultiSet#Empty() : MultiSet T; + +axiom (forall o: T :: { MultiSet#Empty()[o] } MultiSet#Empty()[o] == 0); + +axiom (forall s: MultiSet T :: + { MultiSet#Card(s) } + (MultiSet#Card(s) == 0 <==> s == MultiSet#Empty()) + && (MultiSet#Card(s) != 0 ==> (exists x: T :: 0 < s[x]))); + +function MultiSet#Singleton(T) : MultiSet T; + +axiom (forall r: T, o: T :: + { MultiSet#Singleton(r)[o] } + (MultiSet#Singleton(r)[o] == 1 <==> r == o) + && (MultiSet#Singleton(r)[o] == 0 <==> r != o)); + +axiom (forall r: T :: + { MultiSet#Singleton(r) } + MultiSet#Singleton(r) == MultiSet#UnionOne(MultiSet#Empty(), r)); + +function MultiSet#UnionOne(MultiSet T, T) : MultiSet T; + +axiom (forall a: MultiSet T, x: T, o: T :: + { MultiSet#UnionOne(a, x)[o] } + 0 < MultiSet#UnionOne(a, x)[o] <==> o == x || 0 < a[o]); + +axiom (forall a: MultiSet T, x: T :: + { MultiSet#UnionOne(a, x) } + MultiSet#UnionOne(a, x)[x] == a[x] + 1); + +axiom (forall a: MultiSet T, x: T, y: T :: + { MultiSet#UnionOne(a, x), a[y] } + 0 < a[y] ==> 0 < MultiSet#UnionOne(a, x)[y]); + +axiom (forall a: MultiSet T, x: T, y: T :: + { MultiSet#UnionOne(a, x), a[y] } + x != y ==> a[y] == MultiSet#UnionOne(a, x)[y]); + +axiom (forall a: MultiSet T, x: T :: + { MultiSet#Card(MultiSet#UnionOne(a, x)) } + MultiSet#Card(MultiSet#UnionOne(a, x)) == MultiSet#Card(a) + 1); + +function MultiSet#Union(MultiSet T, MultiSet T) : MultiSet T; + +axiom (forall a: MultiSet T, b: MultiSet T, o: T :: + { MultiSet#Union(a, b)[o] } + MultiSet#Union(a, b)[o] == a[o] + b[o]); + +axiom (forall a: MultiSet T, b: MultiSet T :: + { MultiSet#Card(MultiSet#Union(a, b)) } + MultiSet#Card(MultiSet#Union(a, b)) == MultiSet#Card(a) + MultiSet#Card(b)); + +function MultiSet#Intersection(MultiSet T, MultiSet T) : MultiSet T; + +axiom (forall a: MultiSet T, b: MultiSet T, o: T :: + { MultiSet#Intersection(a, b)[o] } + MultiSet#Intersection(a, b)[o] == Math#min(a[o], b[o])); + +axiom (forall a: MultiSet T, b: MultiSet T :: + { MultiSet#Intersection(MultiSet#Intersection(a, b), b) } + MultiSet#Intersection(MultiSet#Intersection(a, b), b) + == MultiSet#Intersection(a, b)); + +axiom (forall a: MultiSet T, b: MultiSet T :: + { MultiSet#Intersection(a, MultiSet#Intersection(a, b)) } + MultiSet#Intersection(a, MultiSet#Intersection(a, b)) + == MultiSet#Intersection(a, b)); + +function MultiSet#Difference(MultiSet T, MultiSet T) : MultiSet T; + +axiom (forall a: MultiSet T, b: MultiSet T, o: T :: + { MultiSet#Difference(a, b)[o] } + MultiSet#Difference(a, b)[o] == Math#clip(a[o] - b[o])); + +axiom (forall a: MultiSet T, b: MultiSet T, y: T :: + { MultiSet#Difference(a, b), b[y], a[y] } + a[y] <= b[y] ==> MultiSet#Difference(a, b)[y] == 0); + +axiom (forall a: MultiSet T, b: MultiSet T :: + { MultiSet#Card(MultiSet#Difference(a, b)) } + MultiSet#Card(MultiSet#Difference(a, b)) + + MultiSet#Card(MultiSet#Difference(b, a)) + + 2 * MultiSet#Card(MultiSet#Intersection(a, b)) + == MultiSet#Card(MultiSet#Union(a, b)) + && MultiSet#Card(MultiSet#Difference(a, b)) + == MultiSet#Card(a) - MultiSet#Card(MultiSet#Intersection(a, b))); + +function MultiSet#Subset(MultiSet T, MultiSet T) : bool; + +axiom (forall a: MultiSet T, b: MultiSet T :: + { MultiSet#Subset(a, b) } + MultiSet#Subset(a, b) <==> (forall o: T :: { a[o] } { b[o] } a[o] <= b[o])); + +function MultiSet#Equal(MultiSet T, MultiSet T) : bool; + +axiom (forall a: MultiSet T, b: MultiSet T :: + { MultiSet#Equal(a, b) } + MultiSet#Equal(a, b) <==> (forall o: T :: { a[o] } { b[o] } a[o] == b[o])); + +axiom (forall a: MultiSet T, b: MultiSet T :: + { MultiSet#Equal(a, b) } + MultiSet#Equal(a, b) ==> a == b); + +function MultiSet#Disjoint(MultiSet T, MultiSet T) : bool; + +axiom (forall a: MultiSet T, b: MultiSet T :: + { MultiSet#Disjoint(a, b) } + MultiSet#Disjoint(a, b) + <==> (forall o: T :: { a[o] } { b[o] } a[o] == 0 || b[o] == 0)); + +function MultiSet#FromSet(Set T) : MultiSet T; + +axiom (forall s: Set T, a: T :: + { MultiSet#FromSet(s)[a] } + (MultiSet#FromSet(s)[a] == 0 <==> !s[a]) + && (MultiSet#FromSet(s)[a] == 1 <==> s[a])); + +axiom (forall s: Set T :: + { MultiSet#Card(MultiSet#FromSet(s)) } + MultiSet#Card(MultiSet#FromSet(s)) == Set#Card(s)); + +axiom (forall :: + MultiSet#FromSeq(Seq#Empty(): Seq T) == MultiSet#Empty(): MultiSet T); + +function MultiSet#FromSeq(Seq T) : MultiSet T; + +axiom (forall s: Seq T :: + { MultiSet#FromSeq(s) } + $IsGoodMultiSet(MultiSet#FromSeq(s))); + +axiom (forall s: Seq T :: + { MultiSet#Card(MultiSet#FromSeq(s)) } + MultiSet#Card(MultiSet#FromSeq(s)) == Seq#Length(s)); + +axiom (forall s: Seq T, v: T :: + { MultiSet#FromSeq(Seq#Build(s, v)) } + MultiSet#FromSeq(Seq#Build(s, v)) == MultiSet#UnionOne(MultiSet#FromSeq(s), v)); + +axiom (forall a: Seq T, b: Seq T :: + { MultiSet#FromSeq(Seq#Append(a, b)) } + MultiSet#FromSeq(Seq#Append(a, b)) + == MultiSet#Union(MultiSet#FromSeq(a), MultiSet#FromSeq(b))); + +axiom (forall s: Seq T, i: int, v: T, x: T :: + { MultiSet#FromSeq(Seq#Update(s, i, v))[x] } + 0 <= i && i < Seq#Length(s) + ==> MultiSet#FromSeq(Seq#Update(s, i, v))[x] + == MultiSet#Union(MultiSet#Difference(MultiSet#FromSeq(s), MultiSet#Singleton(Seq#Index(s, i))), + MultiSet#Singleton(v))[x]); + +axiom (forall s: Seq T, x: T :: + { MultiSet#FromSeq(s)[x] } + (exists i: int :: + { Seq#Index(s, i) } + 0 <= i && i < Seq#Length(s) && x == Seq#Index(s, i)) + <==> 0 < MultiSet#FromSeq(s)[x]); + +function Seq#Length(Seq T) : int; + +axiom (forall s: Seq T :: { Seq#Length(s) } 0 <= Seq#Length(s)); + +function Seq#Empty() : Seq T; + +axiom (forall :: { Seq#Empty(): Seq T } Seq#Length(Seq#Empty(): Seq T) == 0); + +axiom (forall s: Seq T :: + { Seq#Length(s) } + Seq#Length(s) == 0 ==> s == Seq#Empty()); + +function Seq#Singleton(T) : Seq T; + +axiom (forall t: T :: + { Seq#Length(Seq#Singleton(t)) } + Seq#Length(Seq#Singleton(t)) == 1); + +function Seq#Build(s: Seq T, val: T) : Seq T; + +function Seq#Build_inv0(s: Seq T) : Seq T; + +function Seq#Build_inv1(s: Seq T) : T; + +axiom (forall s: Seq T, val: T :: + { Seq#Build(s, val) } + Seq#Build_inv0(Seq#Build(s, val)) == s + && Seq#Build_inv1(Seq#Build(s, val)) == val); + +axiom (forall s: Seq T, v: T :: + { Seq#Build(s, v) } + Seq#Length(Seq#Build(s, v)) == 1 + Seq#Length(s)); + +axiom (forall s: Seq T, i: int, v: T :: + { Seq#Index(Seq#Build(s, v), i) } + (i == Seq#Length(s) ==> Seq#Index(Seq#Build(s, v), i) == v) + && (i != Seq#Length(s) ==> Seq#Index(Seq#Build(s, v), i) == Seq#Index(s, i))); + +axiom (forall s: Seq Box, bx: Box, t: Ty :: + { $Is(Seq#Build(s, bx), TSeq(t)) } + $Is(s, TSeq(t)) && $IsBox(bx, t) ==> $Is(Seq#Build(s, bx), TSeq(t))); + +function Seq#Create(ty: Ty, heap: Heap, len: int, init: HandleType) : Seq Box; + +axiom (forall ty: Ty, heap: Heap, len: int, init: HandleType :: + { Seq#Length(Seq#Create(ty, heap, len, init): Seq Box) } + $IsGoodHeap(heap) && 0 <= len + ==> Seq#Length(Seq#Create(ty, heap, len, init): Seq Box) == len); + +axiom (forall ty: Ty, heap: Heap, len: int, init: HandleType, i: int :: + { Seq#Index(Seq#Create(ty, heap, len, init), i) } + $IsGoodHeap(heap) && 0 <= i && i < len + ==> Seq#Index(Seq#Create(ty, heap, len, init), i) + == Apply1(TInt, TSeq(ty), heap, init, $Box(i))); + +function Seq#Append(Seq T, Seq T) : Seq T; + +axiom (forall s0: Seq T, s1: Seq T :: + { Seq#Length(Seq#Append(s0, s1)) } + Seq#Length(Seq#Append(s0, s1)) == Seq#Length(s0) + Seq#Length(s1)); + +function Seq#Index(Seq T, int) : T; + +axiom (forall t: T :: + { Seq#Index(Seq#Singleton(t), 0) } + Seq#Index(Seq#Singleton(t), 0) == t); + +axiom (forall s0: Seq T, s1: Seq T, n: int :: + { Seq#Index(Seq#Append(s0, s1), n) } + (n < Seq#Length(s0) ==> Seq#Index(Seq#Append(s0, s1), n) == Seq#Index(s0, n)) + && (Seq#Length(s0) <= n + ==> Seq#Index(Seq#Append(s0, s1), n) == Seq#Index(s1, n - Seq#Length(s0)))); + +function Seq#Update(Seq T, int, T) : Seq T; + +axiom (forall s: Seq T, i: int, v: T :: + { Seq#Length(Seq#Update(s, i, v)) } + 0 <= i && i < Seq#Length(s) ==> Seq#Length(Seq#Update(s, i, v)) == Seq#Length(s)); + +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Index(Seq#Update(s, i, v), n) } + 0 <= n && n < Seq#Length(s) + ==> (i == n ==> Seq#Index(Seq#Update(s, i, v), n) == v) + && (i != n ==> Seq#Index(Seq#Update(s, i, v), n) == Seq#Index(s, n))); + +function Seq#Contains(Seq T, T) : bool; + +axiom (forall s: Seq T, x: T :: + { Seq#Contains(s, x) } + Seq#Contains(s, x) + <==> (exists i: int :: + { Seq#Index(s, i) } + 0 <= i && i < Seq#Length(s) && Seq#Index(s, i) == x)); + +axiom (forall x: T :: + { Seq#Contains(Seq#Empty(), x) } + !Seq#Contains(Seq#Empty(), x)); + +axiom (forall s0: Seq T, s1: Seq T, x: T :: + { Seq#Contains(Seq#Append(s0, s1), x) } + Seq#Contains(Seq#Append(s0, s1), x) + <==> Seq#Contains(s0, x) || Seq#Contains(s1, x)); + +axiom (forall s: Seq T, v: T, x: T :: + { Seq#Contains(Seq#Build(s, v), x) } + Seq#Contains(Seq#Build(s, v), x) <==> v == x || Seq#Contains(s, x)); + +axiom (forall s: Seq T, n: int, x: T :: + { Seq#Contains(Seq#Take(s, n), x) } + Seq#Contains(Seq#Take(s, n), x) + <==> (exists i: int :: + { Seq#Index(s, i) } + 0 <= i && i < n && i < Seq#Length(s) && Seq#Index(s, i) == x)); + +axiom (forall s: Seq T, n: int, x: T :: + { Seq#Contains(Seq#Drop(s, n), x) } + Seq#Contains(Seq#Drop(s, n), x) + <==> (exists i: int :: + { Seq#Index(s, i) } + 0 <= n && n <= i && i < Seq#Length(s) && Seq#Index(s, i) == x)); + +function Seq#Equal(Seq T, Seq T) : bool; + +axiom (forall s0: Seq T, s1: Seq T :: + { Seq#Equal(s0, s1) } + Seq#Equal(s0, s1) + <==> Seq#Length(s0) == Seq#Length(s1) + && (forall j: int :: + { Seq#Index(s0, j) } { Seq#Index(s1, j) } + 0 <= j && j < Seq#Length(s0) ==> Seq#Index(s0, j) == Seq#Index(s1, j))); + +axiom (forall a: Seq T, b: Seq T :: { Seq#Equal(a, b) } Seq#Equal(a, b) ==> a == b); + +function Seq#SameUntil(Seq T, Seq T, int) : bool; + +axiom (forall s0: Seq T, s1: Seq T, n: int :: + { Seq#SameUntil(s0, s1, n) } + Seq#SameUntil(s0, s1, n) + <==> (forall j: int :: + { Seq#Index(s0, j) } { Seq#Index(s1, j) } + 0 <= j && j < n ==> Seq#Index(s0, j) == Seq#Index(s1, j))); + +function Seq#Take(s: Seq T, howMany: int) : Seq T; + +axiom (forall s: Seq T, n: int :: + { Seq#Length(Seq#Take(s, n)) } + 0 <= n && n <= Seq#Length(s) ==> Seq#Length(Seq#Take(s, n)) == n); + +axiom (forall s: Seq T, n: int, j: int :: + {:weight 25} { Seq#Index(Seq#Take(s, n), j) } { Seq#Index(s, j), Seq#Take(s, n) } + 0 <= j && j < n && j < Seq#Length(s) + ==> Seq#Index(Seq#Take(s, n), j) == Seq#Index(s, j)); + +function Seq#Drop(s: Seq T, howMany: int) : Seq T; + +axiom (forall s: Seq T, n: int :: + { Seq#Length(Seq#Drop(s, n)) } + 0 <= n && n <= Seq#Length(s) ==> Seq#Length(Seq#Drop(s, n)) == Seq#Length(s) - n); + +axiom (forall s: Seq T, n: int, j: int :: + {:weight 25} { Seq#Index(Seq#Drop(s, n), j) } + 0 <= n && 0 <= j && j < Seq#Length(s) - n + ==> Seq#Index(Seq#Drop(s, n), j) == Seq#Index(s, j + n)); + +axiom (forall s: Seq T, n: int, k: int :: + {:weight 25} { Seq#Index(s, k), Seq#Drop(s, n) } + 0 <= n && n <= k && k < Seq#Length(s) + ==> Seq#Index(Seq#Drop(s, n), k - n) == Seq#Index(s, k)); + +axiom (forall s: Seq T, t: Seq T, n: int :: + { Seq#Take(Seq#Append(s, t), n) } { Seq#Drop(Seq#Append(s, t), n) } + n == Seq#Length(s) + ==> Seq#Take(Seq#Append(s, t), n) == s && Seq#Drop(Seq#Append(s, t), n) == t); + +function Seq#FromArray(h: Heap, a: ref) : Seq Box; + +axiom (forall h: Heap, a: ref :: + { Seq#Length(Seq#FromArray(h, a)) } + Seq#Length(Seq#FromArray(h, a)) == _System.array.Length(a)); + +axiom (forall h: Heap, a: ref :: + { Seq#FromArray(h, a) } + (forall i: int :: + { read(h, a, IndexField(i)) } { Seq#Index(Seq#FromArray(h, a): Seq Box, i) } + 0 <= i && i < Seq#Length(Seq#FromArray(h, a)) + ==> Seq#Index(Seq#FromArray(h, a), i) == read(h, a, IndexField(i)))); + +axiom (forall h0: Heap, h1: Heap, a: ref :: + { Seq#FromArray(h1, a), $HeapSucc(h0, h1) } + $IsGoodHeap(h0) && $IsGoodHeap(h1) && $HeapSucc(h0, h1) && h0[a] == h1[a] + ==> Seq#FromArray(h0, a) == Seq#FromArray(h1, a)); + +axiom (forall h: Heap, i: int, v: Box, a: ref :: + { Seq#FromArray(update(h, a, IndexField(i), v), a) } + 0 <= i && i < _System.array.Length(a) + ==> Seq#FromArray(update(h, a, IndexField(i), v), a) + == Seq#Update(Seq#FromArray(h, a), i, v)); + +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Take(Seq#Update(s, i, v), n) } + 0 <= i && i < n && n <= Seq#Length(s) + ==> Seq#Take(Seq#Update(s, i, v), n) == Seq#Update(Seq#Take(s, n), i, v)); + +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Take(Seq#Update(s, i, v), n) } + n <= i && i < Seq#Length(s) + ==> Seq#Take(Seq#Update(s, i, v), n) == Seq#Take(s, n)); + +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Drop(Seq#Update(s, i, v), n) } + 0 <= n && n <= i && i < Seq#Length(s) + ==> Seq#Drop(Seq#Update(s, i, v), n) == Seq#Update(Seq#Drop(s, n), i - n, v)); + +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Drop(Seq#Update(s, i, v), n) } + 0 <= i && i < n && n <= Seq#Length(s) + ==> Seq#Drop(Seq#Update(s, i, v), n) == Seq#Drop(s, n)); + +axiom (forall h: Heap, a: ref, n0: int, n1: int :: + { Seq#Take(Seq#FromArray(h, a), n0), Seq#Take(Seq#FromArray(h, a), n1) } + n0 + 1 == n1 && 0 <= n0 && n1 <= _System.array.Length(a) + ==> Seq#Take(Seq#FromArray(h, a), n1) + == Seq#Build(Seq#Take(Seq#FromArray(h, a), n0), read(h, a, IndexField(n0): Field Box))); + +axiom (forall s: Seq T, v: T, n: int :: + { Seq#Drop(Seq#Build(s, v), n) } + 0 <= n && n <= Seq#Length(s) + ==> Seq#Drop(Seq#Build(s, v), n) == Seq#Build(Seq#Drop(s, n), v)); + +function Seq#Rank(Seq T) : int; + +axiom (forall s: Seq Box, i: int :: + { DtRank($Unbox(Seq#Index(s, i)): DatatypeType) } + 0 <= i && i < Seq#Length(s) + ==> DtRank($Unbox(Seq#Index(s, i)): DatatypeType) < Seq#Rank(s)); + +axiom (forall s: Seq T, i: int :: + { Seq#Rank(Seq#Drop(s, i)) } + 0 < i && i <= Seq#Length(s) ==> Seq#Rank(Seq#Drop(s, i)) < Seq#Rank(s)); + +axiom (forall s: Seq T, i: int :: + { Seq#Rank(Seq#Take(s, i)) } + 0 <= i && i < Seq#Length(s) ==> Seq#Rank(Seq#Take(s, i)) < Seq#Rank(s)); + +axiom (forall s: Seq T, i: int, j: int :: + { Seq#Rank(Seq#Append(Seq#Take(s, i), Seq#Drop(s, j))) } + 0 <= i && i < j && j <= Seq#Length(s) + ==> Seq#Rank(Seq#Append(Seq#Take(s, i), Seq#Drop(s, j))) < Seq#Rank(s)); + +axiom (forall s: Seq T, n: int :: + { Seq#Drop(s, n) } + n == 0 ==> Seq#Drop(s, n) == s); + +axiom (forall s: Seq T, n: int :: + { Seq#Take(s, n) } + n == 0 ==> Seq#Take(s, n) == Seq#Empty()); + +axiom (forall s: Seq T, m: int, n: int :: + { Seq#Drop(Seq#Drop(s, m), n) } + 0 <= m && 0 <= n && m + n <= Seq#Length(s) + ==> Seq#Drop(Seq#Drop(s, m), n) == Seq#Drop(s, m + n)); + +function Map#Domain(Map U V) : Set U; + +function Map#Elements(Map U V) : [U]V; + +function Map#Card(Map U V) : int; + +axiom (forall m: Map U V :: { Map#Card(m) } 0 <= Map#Card(m)); + +axiom (forall m: Map U V :: + { Map#Card(m) } + Map#Card(m) == 0 <==> m == Map#Empty()); + +axiom (forall m: Map U V :: + { Map#Domain(m) } + m == Map#Empty() || (exists k: U :: Map#Domain(m)[k])); + +axiom (forall m: Map U V :: + { Map#Values(m) } + m == Map#Empty() || (exists v: V :: Map#Values(m)[v])); + +axiom (forall m: Map U V :: + { Map#Items(m) } + m == Map#Empty() + || (exists k: Box, v: Box :: Map#Items(m)[$Box(#_System._tuple#2._#Make2(k, v))])); + +axiom (forall m: Map U V :: + { Set#Card(Map#Domain(m)) } + Set#Card(Map#Domain(m)) == Map#Card(m)); + +axiom (forall m: Map U V :: + { Set#Card(Map#Values(m)) } + Set#Card(Map#Values(m)) <= Map#Card(m)); + +axiom (forall m: Map U V :: + { Set#Card(Map#Items(m)) } + Set#Card(Map#Items(m)) == Map#Card(m)); + +function Map#Values(Map U V) : Set V; + +axiom (forall m: Map U V, v: V :: + { Map#Values(m)[v] } + Map#Values(m)[v] + == (exists u: U :: + { Map#Domain(m)[u] } { Map#Elements(m)[u] } + Map#Domain(m)[u] && v == Map#Elements(m)[u])); + +function Map#Items(Map U V) : Set Box; + +function #_System._tuple#2._#Make2(Box, Box) : DatatypeType; + +function _System.Tuple2._0(DatatypeType) : Box; + +function _System.Tuple2._1(DatatypeType) : Box; + +axiom (forall m: Map Box Box, item: Box :: + { Map#Items(m)[item] } + Map#Items(m)[item] + <==> Map#Domain(m)[_System.Tuple2._0($Unbox(item))] + && Map#Elements(m)[_System.Tuple2._0($Unbox(item))] + == _System.Tuple2._1($Unbox(item))); + +function Map#Empty() : Map U V; + +axiom (forall u: U :: + { Map#Domain(Map#Empty(): Map U V)[u] } + !Map#Domain(Map#Empty(): Map U V)[u]); + +function Map#Glue([U]bool, [U]V, Ty) : Map U V; + +axiom (forall a: [U]bool, b: [U]V, t: Ty :: + { Map#Domain(Map#Glue(a, b, t)) } + Map#Domain(Map#Glue(a, b, t)) == a); + +axiom (forall a: [U]bool, b: [U]V, t: Ty :: + { Map#Elements(Map#Glue(a, b, t)) } + Map#Elements(Map#Glue(a, b, t)) == b); + +axiom (forall a: [Box]bool, b: [Box]Box, t0: Ty, t1: Ty :: + { Map#Glue(a, b, TMap(t0, t1)) } + (forall bx: Box :: a[bx] ==> $IsBox(bx, t0) && $IsBox(b[bx], t1)) + ==> $Is(Map#Glue(a, b, TMap(t0, t1)), TMap(t0, t1))); + +function Map#Build(Map U V, U, V) : Map U V; + +axiom (forall m: Map U V, u: U, u': U, v: V :: + { Map#Domain(Map#Build(m, u, v))[u'] } { Map#Elements(Map#Build(m, u, v))[u'] } + (u' == u + ==> Map#Domain(Map#Build(m, u, v))[u'] && Map#Elements(Map#Build(m, u, v))[u'] == v) + && (u' != u + ==> Map#Domain(Map#Build(m, u, v))[u'] == Map#Domain(m)[u'] + && Map#Elements(Map#Build(m, u, v))[u'] == Map#Elements(m)[u'])); + +axiom (forall m: Map U V, u: U, v: V :: + { Map#Card(Map#Build(m, u, v)) } + Map#Domain(m)[u] ==> Map#Card(Map#Build(m, u, v)) == Map#Card(m)); + +axiom (forall m: Map U V, u: U, v: V :: + { Map#Card(Map#Build(m, u, v)) } + !Map#Domain(m)[u] ==> Map#Card(Map#Build(m, u, v)) == Map#Card(m) + 1); + +function Map#Merge(Map U V, Map U V) : Map U V; + +axiom (forall m: Map U V, n: Map U V :: + { Map#Domain(Map#Merge(m, n)) } + Map#Domain(Map#Merge(m, n)) == Set#Union(Map#Domain(m), Map#Domain(n))); + +axiom (forall m: Map U V, n: Map U V, u: U :: + { Map#Elements(Map#Merge(m, n))[u] } + Map#Domain(Map#Merge(m, n))[u] + ==> (!Map#Domain(n)[u] ==> Map#Elements(Map#Merge(m, n))[u] == Map#Elements(m)[u]) + && (Map#Domain(n)[u] ==> Map#Elements(Map#Merge(m, n))[u] == Map#Elements(n)[u])); + +function Map#Subtract(Map U V, Set U) : Map U V; + +axiom (forall m: Map U V, s: Set U :: + { Map#Domain(Map#Subtract(m, s)) } + Map#Domain(Map#Subtract(m, s)) == Set#Difference(Map#Domain(m), s)); + +axiom (forall m: Map U V, s: Set U, u: U :: + { Map#Elements(Map#Subtract(m, s))[u] } + Map#Domain(Map#Subtract(m, s))[u] + ==> Map#Elements(Map#Subtract(m, s))[u] == Map#Elements(m)[u]); + +function Map#Equal(Map U V, Map U V) : bool; + +axiom (forall m: Map U V, m': Map U V :: + { Map#Equal(m, m') } + Map#Equal(m, m') + <==> (forall u: U :: Map#Domain(m)[u] == Map#Domain(m')[u]) + && (forall u: U :: Map#Domain(m)[u] ==> Map#Elements(m)[u] == Map#Elements(m')[u])); + +axiom (forall m: Map U V, m': Map U V :: + { Map#Equal(m, m') } + Map#Equal(m, m') ==> m == m'); + +function Map#Disjoint(Map U V, Map U V) : bool; + +axiom (forall m: Map U V, m': Map U V :: + { Map#Disjoint(m, m') } + Map#Disjoint(m, m') + <==> (forall o: U :: + { Map#Domain(m)[o] } { Map#Domain(m')[o] } + !Map#Domain(m)[o] || !Map#Domain(m')[o])); + +function IMap#Domain(IMap U V) : Set U; + +function IMap#Elements(IMap U V) : [U]V; + +axiom (forall m: IMap U V :: + { IMap#Domain(m) } + m == IMap#Empty() || (exists k: U :: IMap#Domain(m)[k])); + +axiom (forall m: IMap U V :: + { IMap#Values(m) } + m == IMap#Empty() || (exists v: V :: IMap#Values(m)[v])); + +axiom (forall m: IMap U V :: + { IMap#Items(m) } + m == IMap#Empty() + || (exists k: Box, v: Box :: IMap#Items(m)[$Box(#_System._tuple#2._#Make2(k, v))])); + +axiom (forall m: IMap U V :: + { IMap#Domain(m) } + m == IMap#Empty() <==> IMap#Domain(m) == ISet#Empty()); + +axiom (forall m: IMap U V :: + { IMap#Values(m) } + m == IMap#Empty() <==> IMap#Values(m) == ISet#Empty()); + +axiom (forall m: IMap U V :: + { IMap#Items(m) } + m == IMap#Empty() <==> IMap#Items(m) == ISet#Empty()); + +function IMap#Values(IMap U V) : Set V; + +axiom (forall m: IMap U V, v: V :: + { IMap#Values(m)[v] } + IMap#Values(m)[v] + == (exists u: U :: + { IMap#Domain(m)[u] } { IMap#Elements(m)[u] } + IMap#Domain(m)[u] && v == IMap#Elements(m)[u])); + +function IMap#Items(IMap U V) : Set Box; + +axiom (forall m: IMap Box Box, item: Box :: + { IMap#Items(m)[item] } + IMap#Items(m)[item] + <==> IMap#Domain(m)[_System.Tuple2._0($Unbox(item))] + && IMap#Elements(m)[_System.Tuple2._0($Unbox(item))] + == _System.Tuple2._1($Unbox(item))); + +function IMap#Empty() : IMap U V; + +axiom (forall u: U :: + { IMap#Domain(IMap#Empty(): IMap U V)[u] } + !IMap#Domain(IMap#Empty(): IMap U V)[u]); + +function IMap#Glue([U]bool, [U]V, Ty) : IMap U V; + +axiom (forall a: [U]bool, b: [U]V, t: Ty :: + { IMap#Domain(IMap#Glue(a, b, t)) } + IMap#Domain(IMap#Glue(a, b, t)) == a); + +axiom (forall a: [U]bool, b: [U]V, t: Ty :: + { IMap#Elements(IMap#Glue(a, b, t)) } + IMap#Elements(IMap#Glue(a, b, t)) == b); + +axiom (forall a: [Box]bool, b: [Box]Box, t0: Ty, t1: Ty :: + { IMap#Glue(a, b, TIMap(t0, t1)) } + (forall bx: Box :: a[bx] ==> $IsBox(bx, t0) && $IsBox(b[bx], t1)) + ==> $Is(Map#Glue(a, b, TIMap(t0, t1)), TIMap(t0, t1))); + +function IMap#Build(IMap U V, U, V) : IMap U V; + +axiom (forall m: IMap U V, u: U, u': U, v: V :: + { IMap#Domain(IMap#Build(m, u, v))[u'] } + { IMap#Elements(IMap#Build(m, u, v))[u'] } + (u' == u + ==> IMap#Domain(IMap#Build(m, u, v))[u'] + && IMap#Elements(IMap#Build(m, u, v))[u'] == v) + && (u' != u + ==> IMap#Domain(IMap#Build(m, u, v))[u'] == IMap#Domain(m)[u'] + && IMap#Elements(IMap#Build(m, u, v))[u'] == IMap#Elements(m)[u'])); + +function IMap#Equal(IMap U V, IMap U V) : bool; + +axiom (forall m: IMap U V, m': IMap U V :: + { IMap#Equal(m, m') } + IMap#Equal(m, m') + <==> (forall u: U :: IMap#Domain(m)[u] == IMap#Domain(m')[u]) + && (forall u: U :: + IMap#Domain(m)[u] ==> IMap#Elements(m)[u] == IMap#Elements(m')[u])); + +axiom (forall m: IMap U V, m': IMap U V :: + { IMap#Equal(m, m') } + IMap#Equal(m, m') ==> m == m'); + +function IMap#Merge(IMap U V, IMap U V) : IMap U V; + +axiom (forall m: IMap U V, n: IMap U V :: + { IMap#Domain(IMap#Merge(m, n)) } + IMap#Domain(IMap#Merge(m, n)) == Set#Union(IMap#Domain(m), IMap#Domain(n))); + +axiom (forall m: IMap U V, n: IMap U V, u: U :: + { IMap#Elements(IMap#Merge(m, n))[u] } + IMap#Domain(IMap#Merge(m, n))[u] + ==> (!IMap#Domain(n)[u] + ==> IMap#Elements(IMap#Merge(m, n))[u] == IMap#Elements(m)[u]) + && (IMap#Domain(n)[u] + ==> IMap#Elements(IMap#Merge(m, n))[u] == IMap#Elements(n)[u])); + +function IMap#Subtract(IMap U V, Set U) : IMap U V; + +axiom (forall m: IMap U V, s: Set U :: + { IMap#Domain(IMap#Subtract(m, s)) } + IMap#Domain(IMap#Subtract(m, s)) == Set#Difference(IMap#Domain(m), s)); + +axiom (forall m: IMap U V, s: Set U, u: U :: + { IMap#Elements(IMap#Subtract(m, s))[u] } + IMap#Domain(IMap#Subtract(m, s))[u] + ==> IMap#Elements(IMap#Subtract(m, s))[u] == IMap#Elements(m)[u]); + +function INTERNAL_add_boogie(x: int, y: int) : int; + +axiom (forall x: int, y: int :: + { INTERNAL_add_boogie(x, y): int } + INTERNAL_add_boogie(x, y): int == x + y); + +function INTERNAL_sub_boogie(x: int, y: int) : int; + +axiom (forall x: int, y: int :: + { INTERNAL_sub_boogie(x, y): int } + INTERNAL_sub_boogie(x, y): int == x - y); + +function INTERNAL_mul_boogie(x: int, y: int) : int; + +axiom (forall x: int, y: int :: + { INTERNAL_mul_boogie(x, y): int } + INTERNAL_mul_boogie(x, y): int == x * y); + +function INTERNAL_div_boogie(x: int, y: int) : int; + +axiom (forall x: int, y: int :: + { INTERNAL_div_boogie(x, y): int } + INTERNAL_div_boogie(x, y): int == x div y); + +function INTERNAL_mod_boogie(x: int, y: int) : int; + +axiom (forall x: int, y: int :: + { INTERNAL_mod_boogie(x, y): int } + INTERNAL_mod_boogie(x, y): int == x mod y); + +function {:never_pattern true} INTERNAL_lt_boogie(x: int, y: int) : bool; + +axiom (forall x: int, y: int :: + {:never_pattern true} { INTERNAL_lt_boogie(x, y): bool } + INTERNAL_lt_boogie(x, y): bool == (x < y)); + +function {:never_pattern true} INTERNAL_le_boogie(x: int, y: int) : bool; + +axiom (forall x: int, y: int :: + {:never_pattern true} { INTERNAL_le_boogie(x, y): bool } + INTERNAL_le_boogie(x, y): bool == (x <= y)); + +function {:never_pattern true} INTERNAL_gt_boogie(x: int, y: int) : bool; + +axiom (forall x: int, y: int :: + {:never_pattern true} { INTERNAL_gt_boogie(x, y): bool } + INTERNAL_gt_boogie(x, y): bool == (x > y)); + +function {:never_pattern true} INTERNAL_ge_boogie(x: int, y: int) : bool; + +axiom (forall x: int, y: int :: + {:never_pattern true} { INTERNAL_ge_boogie(x, y): bool } + INTERNAL_ge_boogie(x, y): bool == (x >= y)); + +function Mul(x: int, y: int) : int; + +axiom (forall x: int, y: int :: { Mul(x, y): int } Mul(x, y): int == x * y); + +function Div(x: int, y: int) : int; + +axiom (forall x: int, y: int :: { Div(x, y): int } Div(x, y): int == x div y); + +function Mod(x: int, y: int) : int; + +axiom (forall x: int, y: int :: { Mod(x, y): int } Mod(x, y): int == x mod y); + +function Add(x: int, y: int) : int; + +axiom (forall x: int, y: int :: { Add(x, y): int } Add(x, y): int == x + y); + +function Sub(x: int, y: int) : int; + +axiom (forall x: int, y: int :: { Sub(x, y): int } Sub(x, y): int == x - y); + +function Tclass._System.nat() : Ty; + +const unique Tagclass._System.nat: TyTag; + +// Tclass._System.nat Tag +axiom Tag(Tclass._System.nat()) == Tagclass._System.nat + && TagFamily(Tclass._System.nat()) == tytagFamily$nat; + +// Box/unbox axiom for Tclass._System.nat +axiom (forall bx: Box :: + { $IsBox(bx, Tclass._System.nat()) } + $IsBox(bx, Tclass._System.nat()) + ==> $Box($Unbox(bx): int) == bx && $Is($Unbox(bx): int, Tclass._System.nat())); + +// _System.nat: subset type $Is +axiom (forall x#0: int :: + { $Is(x#0, Tclass._System.nat()) } + $Is(x#0, Tclass._System.nat()) <==> LitInt(0) <= x#0); + +// _System.nat: subset type $IsAlloc +axiom (forall x#0: int, $h: Heap :: + { $IsAlloc(x#0, Tclass._System.nat(), $h) } + $IsAlloc(x#0, Tclass._System.nat(), $h)); + +const unique class._System.object?: ClassName; + +const unique Tagclass._System.object?: TyTag; + +// Tclass._System.object? Tag +axiom Tag(Tclass._System.object?()) == Tagclass._System.object? + && TagFamily(Tclass._System.object?()) == tytagFamily$object; + +// Box/unbox axiom for Tclass._System.object? +axiom (forall bx: Box :: + { $IsBox(bx, Tclass._System.object?()) } + $IsBox(bx, Tclass._System.object?()) + ==> $Box($Unbox(bx): ref) == bx && $Is($Unbox(bx): ref, Tclass._System.object?())); + +// object: Class $Is +axiom (forall $o: ref :: + { $Is($o, Tclass._System.object?()) } + $Is($o, Tclass._System.object?())); + +// object: Class $IsAlloc +axiom (forall $o: ref, $h: Heap :: + { $IsAlloc($o, Tclass._System.object?(), $h) } + $IsAlloc($o, Tclass._System.object?(), $h) + <==> $o == null || read($h, $o, alloc)); + +function implements$_System.object(ty: Ty) : bool; + +function Tclass._System.object() : Ty; + +const unique Tagclass._System.object: TyTag; + +// Tclass._System.object Tag +axiom Tag(Tclass._System.object()) == Tagclass._System.object + && TagFamily(Tclass._System.object()) == tytagFamily$object; + +// Box/unbox axiom for Tclass._System.object +axiom (forall bx: Box :: + { $IsBox(bx, Tclass._System.object()) } + $IsBox(bx, Tclass._System.object()) + ==> $Box($Unbox(bx): ref) == bx && $Is($Unbox(bx): ref, Tclass._System.object())); + +// _System.object: non-null type $Is +axiom (forall c#0: ref :: + { $Is(c#0, Tclass._System.object()) } + $Is(c#0, Tclass._System.object()) + <==> $Is(c#0, Tclass._System.object?()) && c#0 != null); + +// _System.object: non-null type $IsAlloc +axiom (forall c#0: ref, $h: Heap :: + { $IsAlloc(c#0, Tclass._System.object(), $h) } + $IsAlloc(c#0, Tclass._System.object(), $h) + <==> $IsAlloc(c#0, Tclass._System.object?(), $h)); + +const unique class._System.array?: ClassName; + +function Tclass._System.array?(Ty) : Ty; + +const unique Tagclass._System.array?: TyTag; + +// Tclass._System.array? Tag +axiom (forall _System.array$arg: Ty :: + { Tclass._System.array?(_System.array$arg) } + Tag(Tclass._System.array?(_System.array$arg)) == Tagclass._System.array? + && TagFamily(Tclass._System.array?(_System.array$arg)) == tytagFamily$array); + +function Tclass._System.array?_0(Ty) : Ty; + +// Tclass._System.array? injectivity 0 +axiom (forall _System.array$arg: Ty :: + { Tclass._System.array?(_System.array$arg) } + Tclass._System.array?_0(Tclass._System.array?(_System.array$arg)) + == _System.array$arg); + +// Box/unbox axiom for Tclass._System.array? +axiom (forall _System.array$arg: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.array?(_System.array$arg)) } + $IsBox(bx, Tclass._System.array?(_System.array$arg)) + ==> $Box($Unbox(bx): ref) == bx + && $Is($Unbox(bx): ref, Tclass._System.array?(_System.array$arg))); + +// array.: Type axiom +axiom (forall _System.array$arg: Ty, $h: Heap, $o: ref, $i0: int :: + { read($h, $o, IndexField($i0)), Tclass._System.array?(_System.array$arg) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._System.array?(_System.array$arg) + && + 0 <= $i0 + && $i0 < _System.array.Length($o) + ==> $IsBox(read($h, $o, IndexField($i0)), _System.array$arg)); + +// array.: Allocation axiom +axiom (forall _System.array$arg: Ty, $h: Heap, $o: ref, $i0: int :: + { read($h, $o, IndexField($i0)), Tclass._System.array?(_System.array$arg) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._System.array?(_System.array$arg) + && + 0 <= $i0 + && $i0 < _System.array.Length($o) + && read($h, $o, alloc) + ==> $IsAllocBox(read($h, $o, IndexField($i0)), _System.array$arg, $h)); + +// array: Class $Is +axiom (forall _System.array$arg: Ty, $o: ref :: + { $Is($o, Tclass._System.array?(_System.array$arg)) } + $Is($o, Tclass._System.array?(_System.array$arg)) + <==> $o == null || dtype($o) == Tclass._System.array?(_System.array$arg)); + +// array: Class $IsAlloc +axiom (forall _System.array$arg: Ty, $o: ref, $h: Heap :: + { $IsAlloc($o, Tclass._System.array?(_System.array$arg), $h) } + $IsAlloc($o, Tclass._System.array?(_System.array$arg), $h) + <==> $o == null || read($h, $o, alloc)); + +// array.Length: Type axiom +axiom (forall _System.array$arg: Ty, $o: ref :: + { _System.array.Length($o), Tclass._System.array?(_System.array$arg) } + $o != null && dtype($o) == Tclass._System.array?(_System.array$arg) + ==> $Is(_System.array.Length($o), TInt)); + +// array.Length: Allocation axiom +axiom (forall _System.array$arg: Ty, $h: Heap, $o: ref :: + { _System.array.Length($o), read($h, $o, alloc), Tclass._System.array?(_System.array$arg) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._System.array?(_System.array$arg) + && read($h, $o, alloc) + ==> $IsAlloc(_System.array.Length($o), TInt, $h)); + +function Tclass._System.array(Ty) : Ty; + +const unique Tagclass._System.array: TyTag; + +// Tclass._System.array Tag +axiom (forall _System.array$arg: Ty :: + { Tclass._System.array(_System.array$arg) } + Tag(Tclass._System.array(_System.array$arg)) == Tagclass._System.array + && TagFamily(Tclass._System.array(_System.array$arg)) == tytagFamily$array); + +function Tclass._System.array_0(Ty) : Ty; + +// Tclass._System.array injectivity 0 +axiom (forall _System.array$arg: Ty :: + { Tclass._System.array(_System.array$arg) } + Tclass._System.array_0(Tclass._System.array(_System.array$arg)) + == _System.array$arg); + +// Box/unbox axiom for Tclass._System.array +axiom (forall _System.array$arg: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.array(_System.array$arg)) } + $IsBox(bx, Tclass._System.array(_System.array$arg)) + ==> $Box($Unbox(bx): ref) == bx + && $Is($Unbox(bx): ref, Tclass._System.array(_System.array$arg))); + +// _System.array: non-null type $Is +axiom (forall _System.array$arg: Ty, c#0: ref :: + { $Is(c#0, Tclass._System.array(_System.array$arg)) } + $Is(c#0, Tclass._System.array(_System.array$arg)) + <==> $Is(c#0, Tclass._System.array?(_System.array$arg)) && c#0 != null); + +// _System.array: non-null type $IsAlloc +axiom (forall _System.array$arg: Ty, c#0: ref, $h: Heap :: + { $IsAlloc(c#0, Tclass._System.array(_System.array$arg), $h) } + $IsAlloc(c#0, Tclass._System.array(_System.array$arg), $h) + <==> $IsAlloc(c#0, Tclass._System.array?(_System.array$arg), $h)); + +function Tclass._System.___hFunc1(Ty, Ty) : Ty; + +const unique Tagclass._System.___hFunc1: TyTag; + +// Tclass._System.___hFunc1 Tag +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hFunc1(#$T0, #$R) } + Tag(Tclass._System.___hFunc1(#$T0, #$R)) == Tagclass._System.___hFunc1 + && TagFamily(Tclass._System.___hFunc1(#$T0, #$R)) == tytagFamily$_#Func1); + +function Tclass._System.___hFunc1_0(Ty) : Ty; + +// Tclass._System.___hFunc1 injectivity 0 +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hFunc1(#$T0, #$R) } + Tclass._System.___hFunc1_0(Tclass._System.___hFunc1(#$T0, #$R)) == #$T0); + +function Tclass._System.___hFunc1_1(Ty) : Ty; + +// Tclass._System.___hFunc1 injectivity 1 +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hFunc1(#$T0, #$R) } + Tclass._System.___hFunc1_1(Tclass._System.___hFunc1(#$T0, #$R)) == #$R); + +// Box/unbox axiom for Tclass._System.___hFunc1 +axiom (forall #$T0: Ty, #$R: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.___hFunc1(#$T0, #$R)) } + $IsBox(bx, Tclass._System.___hFunc1(#$T0, #$R)) + ==> $Box($Unbox(bx): HandleType) == bx + && $Is($Unbox(bx): HandleType, Tclass._System.___hFunc1(#$T0, #$R))); + +function Handle1([Heap,Box]Box, [Heap,Box]bool, [Heap,Box]Set Box) : HandleType; + +function Requires1(Ty, Ty, Heap, HandleType, Box) : bool; + +function Reads1(Ty, Ty, Heap, HandleType, Box) : Set Box; + +axiom (forall t0: Ty, + t1: Ty, + heap: Heap, + h: [Heap,Box]Box, + r: [Heap,Box]bool, + rd: [Heap,Box]Set Box, + bx0: Box :: + { Apply1(t0, t1, heap, Handle1(h, r, rd), bx0) } + Apply1(t0, t1, heap, Handle1(h, r, rd), bx0) == h[heap, bx0]); + +axiom (forall t0: Ty, + t1: Ty, + heap: Heap, + h: [Heap,Box]Box, + r: [Heap,Box]bool, + rd: [Heap,Box]Set Box, + bx0: Box :: + { Requires1(t0, t1, heap, Handle1(h, r, rd), bx0) } + r[heap, bx0] ==> Requires1(t0, t1, heap, Handle1(h, r, rd), bx0)); + +axiom (forall t0: Ty, + t1: Ty, + heap: Heap, + h: [Heap,Box]Box, + r: [Heap,Box]bool, + rd: [Heap,Box]Set Box, + bx0: Box, + bx: Box :: + { Reads1(t0, t1, heap, Handle1(h, r, rd), bx0)[bx] } + Reads1(t0, t1, heap, Handle1(h, r, rd), bx0)[bx] == rd[heap, bx0][bx]); + +function {:inline} Requires1#canCall(t0: Ty, t1: Ty, heap: Heap, f: HandleType, bx0: Box) : bool +{ + true +} + +function {:inline} Reads1#canCall(t0: Ty, t1: Ty, heap: Heap, f: HandleType, bx0: Box) : bool +{ + true +} + +// frame axiom for Reads1 +axiom (forall t0: Ty, t1: Ty, h0: Heap, h1: Heap, f: HandleType, bx0: Box :: + { $HeapSucc(h0, h1), Reads1(t0, t1, h1, f, bx0) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $Is(f, Tclass._System.___hFunc1(t0, t1)) + && (forall o: ref, fld: Field a :: + o != null && Reads1(t0, t1, h0, f, bx0)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Reads1(t0, t1, h0, f, bx0) == Reads1(t0, t1, h1, f, bx0)); + +// frame axiom for Reads1 +axiom (forall t0: Ty, t1: Ty, h0: Heap, h1: Heap, f: HandleType, bx0: Box :: + { $HeapSucc(h0, h1), Reads1(t0, t1, h1, f, bx0) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $Is(f, Tclass._System.___hFunc1(t0, t1)) + && (forall o: ref, fld: Field a :: + o != null && Reads1(t0, t1, h1, f, bx0)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Reads1(t0, t1, h0, f, bx0) == Reads1(t0, t1, h1, f, bx0)); + +// frame axiom for Requires1 +axiom (forall t0: Ty, t1: Ty, h0: Heap, h1: Heap, f: HandleType, bx0: Box :: + { $HeapSucc(h0, h1), Requires1(t0, t1, h1, f, bx0) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $Is(f, Tclass._System.___hFunc1(t0, t1)) + && (forall o: ref, fld: Field a :: + o != null && Reads1(t0, t1, h0, f, bx0)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Requires1(t0, t1, h0, f, bx0) == Requires1(t0, t1, h1, f, bx0)); + +// frame axiom for Requires1 +axiom (forall t0: Ty, t1: Ty, h0: Heap, h1: Heap, f: HandleType, bx0: Box :: + { $HeapSucc(h0, h1), Requires1(t0, t1, h1, f, bx0) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $Is(f, Tclass._System.___hFunc1(t0, t1)) + && (forall o: ref, fld: Field a :: + o != null && Reads1(t0, t1, h1, f, bx0)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Requires1(t0, t1, h0, f, bx0) == Requires1(t0, t1, h1, f, bx0)); + +// frame axiom for Apply1 +axiom (forall t0: Ty, t1: Ty, h0: Heap, h1: Heap, f: HandleType, bx0: Box :: + { $HeapSucc(h0, h1), Apply1(t0, t1, h1, f, bx0) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $Is(f, Tclass._System.___hFunc1(t0, t1)) + && (forall o: ref, fld: Field a :: + o != null && Reads1(t0, t1, h0, f, bx0)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Apply1(t0, t1, h0, f, bx0) == Apply1(t0, t1, h1, f, bx0)); + +// frame axiom for Apply1 +axiom (forall t0: Ty, t1: Ty, h0: Heap, h1: Heap, f: HandleType, bx0: Box :: + { $HeapSucc(h0, h1), Apply1(t0, t1, h1, f, bx0) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $Is(f, Tclass._System.___hFunc1(t0, t1)) + && (forall o: ref, fld: Field a :: + o != null && Reads1(t0, t1, h1, f, bx0)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Apply1(t0, t1, h0, f, bx0) == Apply1(t0, t1, h1, f, bx0)); + +// empty-reads property for Reads1 +axiom (forall t0: Ty, t1: Ty, heap: Heap, f: HandleType, bx0: Box :: + { Reads1(t0, t1, $OneHeap, f, bx0), $IsGoodHeap(heap) } + { Reads1(t0, t1, heap, f, bx0) } + $IsGoodHeap(heap) && $IsBox(bx0, t0) && $Is(f, Tclass._System.___hFunc1(t0, t1)) + ==> (Set#Equal(Reads1(t0, t1, $OneHeap, f, bx0), Set#Empty(): Set Box) + <==> Set#Equal(Reads1(t0, t1, heap, f, bx0), Set#Empty(): Set Box))); + +// empty-reads property for Requires1 +axiom (forall t0: Ty, t1: Ty, heap: Heap, f: HandleType, bx0: Box :: + { Requires1(t0, t1, $OneHeap, f, bx0), $IsGoodHeap(heap) } + { Requires1(t0, t1, heap, f, bx0) } + $IsGoodHeap(heap) + && + $IsBox(bx0, t0) + && $Is(f, Tclass._System.___hFunc1(t0, t1)) + && Set#Equal(Reads1(t0, t1, $OneHeap, f, bx0), Set#Empty(): Set Box) + ==> Requires1(t0, t1, $OneHeap, f, bx0) == Requires1(t0, t1, heap, f, bx0)); + +axiom (forall f: HandleType, t0: Ty, t1: Ty :: + { $Is(f, Tclass._System.___hFunc1(t0, t1)) } + $Is(f, Tclass._System.___hFunc1(t0, t1)) + <==> (forall h: Heap, bx0: Box :: + { Apply1(t0, t1, h, f, bx0) } + $IsGoodHeap(h) && $IsBox(bx0, t0) && Requires1(t0, t1, h, f, bx0) + ==> $IsBox(Apply1(t0, t1, h, f, bx0), t1))); + +axiom (forall f: HandleType, t0: Ty, t1: Ty, u0: Ty, u1: Ty :: + { $Is(f, Tclass._System.___hFunc1(t0, t1)), $Is(f, Tclass._System.___hFunc1(u0, u1)) } + $Is(f, Tclass._System.___hFunc1(t0, t1)) + && (forall bx: Box :: + { $IsBox(bx, u0) } { $IsBox(bx, t0) } + $IsBox(bx, u0) ==> $IsBox(bx, t0)) + && (forall bx: Box :: + { $IsBox(bx, t1) } { $IsBox(bx, u1) } + $IsBox(bx, t1) ==> $IsBox(bx, u1)) + ==> $Is(f, Tclass._System.___hFunc1(u0, u1))); + +axiom (forall f: HandleType, t0: Ty, t1: Ty, h: Heap :: + { $IsAlloc(f, Tclass._System.___hFunc1(t0, t1), h) } + $IsGoodHeap(h) + ==> ($IsAlloc(f, Tclass._System.___hFunc1(t0, t1), h) + <==> (forall bx0: Box :: + { Apply1(t0, t1, h, f, bx0) } { Reads1(t0, t1, h, f, bx0) } + $IsBox(bx0, t0) && $IsAllocBox(bx0, t0, h) && Requires1(t0, t1, h, f, bx0) + ==> (forall r: ref :: + { Reads1(t0, t1, h, f, bx0)[$Box(r)] } + r != null && Reads1(t0, t1, h, f, bx0)[$Box(r)] ==> read(h, r, alloc))))); + +axiom (forall f: HandleType, t0: Ty, t1: Ty, h: Heap :: + { $IsAlloc(f, Tclass._System.___hFunc1(t0, t1), h) } + $IsGoodHeap(h) && $IsAlloc(f, Tclass._System.___hFunc1(t0, t1), h) + ==> (forall bx0: Box :: + { Apply1(t0, t1, h, f, bx0) } + $IsAllocBox(bx0, t0, h) && Requires1(t0, t1, h, f, bx0) + ==> $IsAllocBox(Apply1(t0, t1, h, f, bx0), t1, h))); + +function Tclass._System.___hPartialFunc1(Ty, Ty) : Ty; + +const unique Tagclass._System.___hPartialFunc1: TyTag; + +// Tclass._System.___hPartialFunc1 Tag +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hPartialFunc1(#$T0, #$R) } + Tag(Tclass._System.___hPartialFunc1(#$T0, #$R)) + == Tagclass._System.___hPartialFunc1 + && TagFamily(Tclass._System.___hPartialFunc1(#$T0, #$R)) + == tytagFamily$_#PartialFunc1); + +function Tclass._System.___hPartialFunc1_0(Ty) : Ty; + +// Tclass._System.___hPartialFunc1 injectivity 0 +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hPartialFunc1(#$T0, #$R) } + Tclass._System.___hPartialFunc1_0(Tclass._System.___hPartialFunc1(#$T0, #$R)) + == #$T0); + +function Tclass._System.___hPartialFunc1_1(Ty) : Ty; + +// Tclass._System.___hPartialFunc1 injectivity 1 +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hPartialFunc1(#$T0, #$R) } + Tclass._System.___hPartialFunc1_1(Tclass._System.___hPartialFunc1(#$T0, #$R)) + == #$R); + +// Box/unbox axiom for Tclass._System.___hPartialFunc1 +axiom (forall #$T0: Ty, #$R: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.___hPartialFunc1(#$T0, #$R)) } + $IsBox(bx, Tclass._System.___hPartialFunc1(#$T0, #$R)) + ==> $Box($Unbox(bx): HandleType) == bx + && $Is($Unbox(bx): HandleType, Tclass._System.___hPartialFunc1(#$T0, #$R))); + +// _System._#PartialFunc1: subset type $Is +axiom (forall #$T0: Ty, #$R: Ty, f#0: HandleType :: + { $Is(f#0, Tclass._System.___hPartialFunc1(#$T0, #$R)) } + $Is(f#0, Tclass._System.___hPartialFunc1(#$T0, #$R)) + <==> $Is(f#0, Tclass._System.___hFunc1(#$T0, #$R)) + && (forall x0#0: Box :: + $IsBox(x0#0, #$T0) + ==> Set#Equal(Reads1(#$T0, #$R, $OneHeap, f#0, x0#0), Set#Empty(): Set Box))); + +// _System._#PartialFunc1: subset type $IsAlloc +axiom (forall #$T0: Ty, #$R: Ty, f#0: HandleType, $h: Heap :: + { $IsAlloc(f#0, Tclass._System.___hPartialFunc1(#$T0, #$R), $h) } + $IsAlloc(f#0, Tclass._System.___hPartialFunc1(#$T0, #$R), $h) + <==> $IsAlloc(f#0, Tclass._System.___hFunc1(#$T0, #$R), $h)); + +function Tclass._System.___hTotalFunc1(Ty, Ty) : Ty; + +const unique Tagclass._System.___hTotalFunc1: TyTag; + +// Tclass._System.___hTotalFunc1 Tag +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hTotalFunc1(#$T0, #$R) } + Tag(Tclass._System.___hTotalFunc1(#$T0, #$R)) == Tagclass._System.___hTotalFunc1 + && TagFamily(Tclass._System.___hTotalFunc1(#$T0, #$R)) == tytagFamily$_#TotalFunc1); + +function Tclass._System.___hTotalFunc1_0(Ty) : Ty; + +// Tclass._System.___hTotalFunc1 injectivity 0 +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hTotalFunc1(#$T0, #$R) } + Tclass._System.___hTotalFunc1_0(Tclass._System.___hTotalFunc1(#$T0, #$R)) + == #$T0); + +function Tclass._System.___hTotalFunc1_1(Ty) : Ty; + +// Tclass._System.___hTotalFunc1 injectivity 1 +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hTotalFunc1(#$T0, #$R) } + Tclass._System.___hTotalFunc1_1(Tclass._System.___hTotalFunc1(#$T0, #$R)) == #$R); + +// Box/unbox axiom for Tclass._System.___hTotalFunc1 +axiom (forall #$T0: Ty, #$R: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.___hTotalFunc1(#$T0, #$R)) } + $IsBox(bx, Tclass._System.___hTotalFunc1(#$T0, #$R)) + ==> $Box($Unbox(bx): HandleType) == bx + && $Is($Unbox(bx): HandleType, Tclass._System.___hTotalFunc1(#$T0, #$R))); + +// _System._#TotalFunc1: subset type $Is +axiom (forall #$T0: Ty, #$R: Ty, f#0: HandleType :: + { $Is(f#0, Tclass._System.___hTotalFunc1(#$T0, #$R)) } + $Is(f#0, Tclass._System.___hTotalFunc1(#$T0, #$R)) + <==> $Is(f#0, Tclass._System.___hPartialFunc1(#$T0, #$R)) + && (forall x0#0: Box :: + $IsBox(x0#0, #$T0) ==> Requires1(#$T0, #$R, $OneHeap, f#0, x0#0))); + +// _System._#TotalFunc1: subset type $IsAlloc +axiom (forall #$T0: Ty, #$R: Ty, f#0: HandleType, $h: Heap :: + { $IsAlloc(f#0, Tclass._System.___hTotalFunc1(#$T0, #$R), $h) } + $IsAlloc(f#0, Tclass._System.___hTotalFunc1(#$T0, #$R), $h) + <==> $IsAlloc(f#0, Tclass._System.___hPartialFunc1(#$T0, #$R), $h)); + +function Tclass._System.___hFunc0(Ty) : Ty; + +const unique Tagclass._System.___hFunc0: TyTag; + +// Tclass._System.___hFunc0 Tag +axiom (forall #$R: Ty :: + { Tclass._System.___hFunc0(#$R) } + Tag(Tclass._System.___hFunc0(#$R)) == Tagclass._System.___hFunc0 + && TagFamily(Tclass._System.___hFunc0(#$R)) == tytagFamily$_#Func0); + +function Tclass._System.___hFunc0_0(Ty) : Ty; + +// Tclass._System.___hFunc0 injectivity 0 +axiom (forall #$R: Ty :: + { Tclass._System.___hFunc0(#$R) } + Tclass._System.___hFunc0_0(Tclass._System.___hFunc0(#$R)) == #$R); + +// Box/unbox axiom for Tclass._System.___hFunc0 +axiom (forall #$R: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.___hFunc0(#$R)) } + $IsBox(bx, Tclass._System.___hFunc0(#$R)) + ==> $Box($Unbox(bx): HandleType) == bx + && $Is($Unbox(bx): HandleType, Tclass._System.___hFunc0(#$R))); + +function Handle0([Heap]Box, [Heap]bool, [Heap]Set Box) : HandleType; + +function Apply0(Ty, Heap, HandleType) : Box; + +function Requires0(Ty, Heap, HandleType) : bool; + +function Reads0(Ty, Heap, HandleType) : Set Box; + +axiom (forall t0: Ty, heap: Heap, h: [Heap]Box, r: [Heap]bool, rd: [Heap]Set Box :: + { Apply0(t0, heap, Handle0(h, r, rd)) } + Apply0(t0, heap, Handle0(h, r, rd)) == h[heap]); + +axiom (forall t0: Ty, heap: Heap, h: [Heap]Box, r: [Heap]bool, rd: [Heap]Set Box :: + { Requires0(t0, heap, Handle0(h, r, rd)) } + r[heap] ==> Requires0(t0, heap, Handle0(h, r, rd))); + +axiom (forall t0: Ty, heap: Heap, h: [Heap]Box, r: [Heap]bool, rd: [Heap]Set Box, bx: Box :: + { Reads0(t0, heap, Handle0(h, r, rd))[bx] } + Reads0(t0, heap, Handle0(h, r, rd))[bx] == rd[heap][bx]); + +function {:inline} Requires0#canCall(t0: Ty, heap: Heap, f: HandleType) : bool +{ + true +} + +function {:inline} Reads0#canCall(t0: Ty, heap: Heap, f: HandleType) : bool +{ + true +} + +// frame axiom for Reads0 +axiom (forall t0: Ty, h0: Heap, h1: Heap, f: HandleType :: + { $HeapSucc(h0, h1), Reads0(t0, h1, f) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && $Is(f, Tclass._System.___hFunc0(t0)) + && (forall o: ref, fld: Field a :: + o != null && Reads0(t0, h0, f)[$Box(o)] ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Reads0(t0, h0, f) == Reads0(t0, h1, f)); + +// frame axiom for Reads0 +axiom (forall t0: Ty, h0: Heap, h1: Heap, f: HandleType :: + { $HeapSucc(h0, h1), Reads0(t0, h1, f) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && $Is(f, Tclass._System.___hFunc0(t0)) + && (forall o: ref, fld: Field a :: + o != null && Reads0(t0, h1, f)[$Box(o)] ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Reads0(t0, h0, f) == Reads0(t0, h1, f)); + +// frame axiom for Requires0 +axiom (forall t0: Ty, h0: Heap, h1: Heap, f: HandleType :: + { $HeapSucc(h0, h1), Requires0(t0, h1, f) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && $Is(f, Tclass._System.___hFunc0(t0)) + && (forall o: ref, fld: Field a :: + o != null && Reads0(t0, h0, f)[$Box(o)] ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Requires0(t0, h0, f) == Requires0(t0, h1, f)); + +// frame axiom for Requires0 +axiom (forall t0: Ty, h0: Heap, h1: Heap, f: HandleType :: + { $HeapSucc(h0, h1), Requires0(t0, h1, f) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && $Is(f, Tclass._System.___hFunc0(t0)) + && (forall o: ref, fld: Field a :: + o != null && Reads0(t0, h1, f)[$Box(o)] ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Requires0(t0, h0, f) == Requires0(t0, h1, f)); + +// frame axiom for Apply0 +axiom (forall t0: Ty, h0: Heap, h1: Heap, f: HandleType :: + { $HeapSucc(h0, h1), Apply0(t0, h1, f) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && $Is(f, Tclass._System.___hFunc0(t0)) + && (forall o: ref, fld: Field a :: + o != null && Reads0(t0, h0, f)[$Box(o)] ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Apply0(t0, h0, f) == Apply0(t0, h1, f)); + +// frame axiom for Apply0 +axiom (forall t0: Ty, h0: Heap, h1: Heap, f: HandleType :: + { $HeapSucc(h0, h1), Apply0(t0, h1, f) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && $Is(f, Tclass._System.___hFunc0(t0)) + && (forall o: ref, fld: Field a :: + o != null && Reads0(t0, h1, f)[$Box(o)] ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Apply0(t0, h0, f) == Apply0(t0, h1, f)); + +// empty-reads property for Reads0 +axiom (forall t0: Ty, heap: Heap, f: HandleType :: + { Reads0(t0, $OneHeap, f), $IsGoodHeap(heap) } { Reads0(t0, heap, f) } + $IsGoodHeap(heap) && $Is(f, Tclass._System.___hFunc0(t0)) + ==> (Set#Equal(Reads0(t0, $OneHeap, f), Set#Empty(): Set Box) + <==> Set#Equal(Reads0(t0, heap, f), Set#Empty(): Set Box))); + +// empty-reads property for Requires0 +axiom (forall t0: Ty, heap: Heap, f: HandleType :: + { Requires0(t0, $OneHeap, f), $IsGoodHeap(heap) } { Requires0(t0, heap, f) } + $IsGoodHeap(heap) + && $Is(f, Tclass._System.___hFunc0(t0)) + && Set#Equal(Reads0(t0, $OneHeap, f), Set#Empty(): Set Box) + ==> Requires0(t0, $OneHeap, f) == Requires0(t0, heap, f)); + +axiom (forall f: HandleType, t0: Ty :: + { $Is(f, Tclass._System.___hFunc0(t0)) } + $Is(f, Tclass._System.___hFunc0(t0)) + <==> (forall h: Heap :: + { Apply0(t0, h, f) } + $IsGoodHeap(h) && Requires0(t0, h, f) ==> $IsBox(Apply0(t0, h, f), t0))); + +axiom (forall f: HandleType, t0: Ty, u0: Ty :: + { $Is(f, Tclass._System.___hFunc0(t0)), $Is(f, Tclass._System.___hFunc0(u0)) } + $Is(f, Tclass._System.___hFunc0(t0)) + && (forall bx: Box :: + { $IsBox(bx, t0) } { $IsBox(bx, u0) } + $IsBox(bx, t0) ==> $IsBox(bx, u0)) + ==> $Is(f, Tclass._System.___hFunc0(u0))); + +axiom (forall f: HandleType, t0: Ty, h: Heap :: + { $IsAlloc(f, Tclass._System.___hFunc0(t0), h) } + $IsGoodHeap(h) + ==> ($IsAlloc(f, Tclass._System.___hFunc0(t0), h) + <==> Requires0(t0, h, f) + ==> (forall r: ref :: + { Reads0(t0, h, f)[$Box(r)] } + r != null && Reads0(t0, h, f)[$Box(r)] ==> read(h, r, alloc)))); + +axiom (forall f: HandleType, t0: Ty, h: Heap :: + { $IsAlloc(f, Tclass._System.___hFunc0(t0), h) } + $IsGoodHeap(h) && $IsAlloc(f, Tclass._System.___hFunc0(t0), h) + ==> + Requires0(t0, h, f) + ==> $IsAllocBox(Apply0(t0, h, f), t0, h)); + +function Tclass._System.___hPartialFunc0(Ty) : Ty; + +const unique Tagclass._System.___hPartialFunc0: TyTag; + +// Tclass._System.___hPartialFunc0 Tag +axiom (forall #$R: Ty :: + { Tclass._System.___hPartialFunc0(#$R) } + Tag(Tclass._System.___hPartialFunc0(#$R)) == Tagclass._System.___hPartialFunc0 + && TagFamily(Tclass._System.___hPartialFunc0(#$R)) == tytagFamily$_#PartialFunc0); + +function Tclass._System.___hPartialFunc0_0(Ty) : Ty; + +// Tclass._System.___hPartialFunc0 injectivity 0 +axiom (forall #$R: Ty :: + { Tclass._System.___hPartialFunc0(#$R) } + Tclass._System.___hPartialFunc0_0(Tclass._System.___hPartialFunc0(#$R)) == #$R); + +// Box/unbox axiom for Tclass._System.___hPartialFunc0 +axiom (forall #$R: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.___hPartialFunc0(#$R)) } + $IsBox(bx, Tclass._System.___hPartialFunc0(#$R)) + ==> $Box($Unbox(bx): HandleType) == bx + && $Is($Unbox(bx): HandleType, Tclass._System.___hPartialFunc0(#$R))); + +// _System._#PartialFunc0: subset type $Is +axiom (forall #$R: Ty, f#0: HandleType :: + { $Is(f#0, Tclass._System.___hPartialFunc0(#$R)) } + $Is(f#0, Tclass._System.___hPartialFunc0(#$R)) + <==> $Is(f#0, Tclass._System.___hFunc0(#$R)) + && Set#Equal(Reads0(#$R, $OneHeap, f#0), Set#Empty(): Set Box)); + +// _System._#PartialFunc0: subset type $IsAlloc +axiom (forall #$R: Ty, f#0: HandleType, $h: Heap :: + { $IsAlloc(f#0, Tclass._System.___hPartialFunc0(#$R), $h) } + $IsAlloc(f#0, Tclass._System.___hPartialFunc0(#$R), $h) + <==> $IsAlloc(f#0, Tclass._System.___hFunc0(#$R), $h)); + +function Tclass._System.___hTotalFunc0(Ty) : Ty; + +const unique Tagclass._System.___hTotalFunc0: TyTag; + +// Tclass._System.___hTotalFunc0 Tag +axiom (forall #$R: Ty :: + { Tclass._System.___hTotalFunc0(#$R) } + Tag(Tclass._System.___hTotalFunc0(#$R)) == Tagclass._System.___hTotalFunc0 + && TagFamily(Tclass._System.___hTotalFunc0(#$R)) == tytagFamily$_#TotalFunc0); + +function Tclass._System.___hTotalFunc0_0(Ty) : Ty; + +// Tclass._System.___hTotalFunc0 injectivity 0 +axiom (forall #$R: Ty :: + { Tclass._System.___hTotalFunc0(#$R) } + Tclass._System.___hTotalFunc0_0(Tclass._System.___hTotalFunc0(#$R)) == #$R); + +// Box/unbox axiom for Tclass._System.___hTotalFunc0 +axiom (forall #$R: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.___hTotalFunc0(#$R)) } + $IsBox(bx, Tclass._System.___hTotalFunc0(#$R)) + ==> $Box($Unbox(bx): HandleType) == bx + && $Is($Unbox(bx): HandleType, Tclass._System.___hTotalFunc0(#$R))); + +// _System._#TotalFunc0: subset type $Is +axiom (forall #$R: Ty, f#0: HandleType :: + { $Is(f#0, Tclass._System.___hTotalFunc0(#$R)) } + $Is(f#0, Tclass._System.___hTotalFunc0(#$R)) + <==> $Is(f#0, Tclass._System.___hPartialFunc0(#$R)) && Requires0(#$R, $OneHeap, f#0)); + +// _System._#TotalFunc0: subset type $IsAlloc +axiom (forall #$R: Ty, f#0: HandleType, $h: Heap :: + { $IsAlloc(f#0, Tclass._System.___hTotalFunc0(#$R), $h) } + $IsAlloc(f#0, Tclass._System.___hTotalFunc0(#$R), $h) + <==> $IsAlloc(f#0, Tclass._System.___hPartialFunc0(#$R), $h)); + +function Tclass._System.___hFunc3(Ty, Ty, Ty, Ty) : Ty; + +const unique Tagclass._System.___hFunc3: TyTag; + +// Tclass._System.___hFunc3 Tag +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$R: Ty :: + { Tclass._System.___hFunc3(#$T0, #$T1, #$T2, #$R) } + Tag(Tclass._System.___hFunc3(#$T0, #$T1, #$T2, #$R)) + == Tagclass._System.___hFunc3 + && TagFamily(Tclass._System.___hFunc3(#$T0, #$T1, #$T2, #$R)) + == tytagFamily$_#Func3); + +function Tclass._System.___hFunc3_0(Ty) : Ty; + +// Tclass._System.___hFunc3 injectivity 0 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$R: Ty :: + { Tclass._System.___hFunc3(#$T0, #$T1, #$T2, #$R) } + Tclass._System.___hFunc3_0(Tclass._System.___hFunc3(#$T0, #$T1, #$T2, #$R)) + == #$T0); + +function Tclass._System.___hFunc3_1(Ty) : Ty; + +// Tclass._System.___hFunc3 injectivity 1 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$R: Ty :: + { Tclass._System.___hFunc3(#$T0, #$T1, #$T2, #$R) } + Tclass._System.___hFunc3_1(Tclass._System.___hFunc3(#$T0, #$T1, #$T2, #$R)) + == #$T1); + +function Tclass._System.___hFunc3_2(Ty) : Ty; + +// Tclass._System.___hFunc3 injectivity 2 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$R: Ty :: + { Tclass._System.___hFunc3(#$T0, #$T1, #$T2, #$R) } + Tclass._System.___hFunc3_2(Tclass._System.___hFunc3(#$T0, #$T1, #$T2, #$R)) + == #$T2); + +function Tclass._System.___hFunc3_3(Ty) : Ty; + +// Tclass._System.___hFunc3 injectivity 3 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$R: Ty :: + { Tclass._System.___hFunc3(#$T0, #$T1, #$T2, #$R) } + Tclass._System.___hFunc3_3(Tclass._System.___hFunc3(#$T0, #$T1, #$T2, #$R)) + == #$R); + +// Box/unbox axiom for Tclass._System.___hFunc3 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$R: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.___hFunc3(#$T0, #$T1, #$T2, #$R)) } + $IsBox(bx, Tclass._System.___hFunc3(#$T0, #$T1, #$T2, #$R)) + ==> $Box($Unbox(bx): HandleType) == bx + && $Is($Unbox(bx): HandleType, Tclass._System.___hFunc3(#$T0, #$T1, #$T2, #$R))); + +function Handle3([Heap,Box,Box,Box]Box, [Heap,Box,Box,Box]bool, [Heap,Box,Box,Box]Set Box) + : HandleType; + +function Apply3(Ty, Ty, Ty, Ty, Heap, HandleType, Box, Box, Box) : Box; + +function Requires3(Ty, Ty, Ty, Ty, Heap, HandleType, Box, Box, Box) : bool; + +function Reads3(Ty, Ty, Ty, Ty, Heap, HandleType, Box, Box, Box) : Set Box; + +axiom (forall t0: Ty, + t1: Ty, + t2: Ty, + t3: Ty, + heap: Heap, + h: [Heap,Box,Box,Box]Box, + r: [Heap,Box,Box,Box]bool, + rd: [Heap,Box,Box,Box]Set Box, + bx0: Box, + bx1: Box, + bx2: Box :: + { Apply3(t0, t1, t2, t3, heap, Handle3(h, r, rd), bx0, bx1, bx2) } + Apply3(t0, t1, t2, t3, heap, Handle3(h, r, rd), bx0, bx1, bx2) + == h[heap, bx0, bx1, bx2]); + +axiom (forall t0: Ty, + t1: Ty, + t2: Ty, + t3: Ty, + heap: Heap, + h: [Heap,Box,Box,Box]Box, + r: [Heap,Box,Box,Box]bool, + rd: [Heap,Box,Box,Box]Set Box, + bx0: Box, + bx1: Box, + bx2: Box :: + { Requires3(t0, t1, t2, t3, heap, Handle3(h, r, rd), bx0, bx1, bx2) } + r[heap, bx0, bx1, bx2] + ==> Requires3(t0, t1, t2, t3, heap, Handle3(h, r, rd), bx0, bx1, bx2)); + +axiom (forall t0: Ty, + t1: Ty, + t2: Ty, + t3: Ty, + heap: Heap, + h: [Heap,Box,Box,Box]Box, + r: [Heap,Box,Box,Box]bool, + rd: [Heap,Box,Box,Box]Set Box, + bx0: Box, + bx1: Box, + bx2: Box, + bx: Box :: + { Reads3(t0, t1, t2, t3, heap, Handle3(h, r, rd), bx0, bx1, bx2)[bx] } + Reads3(t0, t1, t2, t3, heap, Handle3(h, r, rd), bx0, bx1, bx2)[bx] + == rd[heap, bx0, bx1, bx2][bx]); + +function {:inline} Requires3#canCall(t0: Ty, + t1: Ty, + t2: Ty, + t3: Ty, + heap: Heap, + f: HandleType, + bx0: Box, + bx1: Box, + bx2: Box) + : bool +{ + true +} + +function {:inline} Reads3#canCall(t0: Ty, + t1: Ty, + t2: Ty, + t3: Ty, + heap: Heap, + f: HandleType, + bx0: Box, + bx1: Box, + bx2: Box) + : bool +{ + true +} + +// frame axiom for Reads3 +axiom (forall t0: Ty, + t1: Ty, + t2: Ty, + t3: Ty, + h0: Heap, + h1: Heap, + f: HandleType, + bx0: Box, + bx1: Box, + bx2: Box :: + { $HeapSucc(h0, h1), Reads3(t0, t1, t2, t3, h1, f, bx0, bx1, bx2) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $IsBox(bx1, t1) + && $IsBox(bx2, t2) + && $Is(f, Tclass._System.___hFunc3(t0, t1, t2, t3)) + && (forall o: ref, fld: Field a :: + o != null && Reads3(t0, t1, t2, t3, h0, f, bx0, bx1, bx2)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Reads3(t0, t1, t2, t3, h0, f, bx0, bx1, bx2) + == Reads3(t0, t1, t2, t3, h1, f, bx0, bx1, bx2)); + +// frame axiom for Reads3 +axiom (forall t0: Ty, + t1: Ty, + t2: Ty, + t3: Ty, + h0: Heap, + h1: Heap, + f: HandleType, + bx0: Box, + bx1: Box, + bx2: Box :: + { $HeapSucc(h0, h1), Reads3(t0, t1, t2, t3, h1, f, bx0, bx1, bx2) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $IsBox(bx1, t1) + && $IsBox(bx2, t2) + && $Is(f, Tclass._System.___hFunc3(t0, t1, t2, t3)) + && (forall o: ref, fld: Field a :: + o != null && Reads3(t0, t1, t2, t3, h1, f, bx0, bx1, bx2)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Reads3(t0, t1, t2, t3, h0, f, bx0, bx1, bx2) + == Reads3(t0, t1, t2, t3, h1, f, bx0, bx1, bx2)); + +// frame axiom for Requires3 +axiom (forall t0: Ty, + t1: Ty, + t2: Ty, + t3: Ty, + h0: Heap, + h1: Heap, + f: HandleType, + bx0: Box, + bx1: Box, + bx2: Box :: + { $HeapSucc(h0, h1), Requires3(t0, t1, t2, t3, h1, f, bx0, bx1, bx2) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $IsBox(bx1, t1) + && $IsBox(bx2, t2) + && $Is(f, Tclass._System.___hFunc3(t0, t1, t2, t3)) + && (forall o: ref, fld: Field a :: + o != null && Reads3(t0, t1, t2, t3, h0, f, bx0, bx1, bx2)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Requires3(t0, t1, t2, t3, h0, f, bx0, bx1, bx2) + == Requires3(t0, t1, t2, t3, h1, f, bx0, bx1, bx2)); + +// frame axiom for Requires3 +axiom (forall t0: Ty, + t1: Ty, + t2: Ty, + t3: Ty, + h0: Heap, + h1: Heap, + f: HandleType, + bx0: Box, + bx1: Box, + bx2: Box :: + { $HeapSucc(h0, h1), Requires3(t0, t1, t2, t3, h1, f, bx0, bx1, bx2) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $IsBox(bx1, t1) + && $IsBox(bx2, t2) + && $Is(f, Tclass._System.___hFunc3(t0, t1, t2, t3)) + && (forall o: ref, fld: Field a :: + o != null && Reads3(t0, t1, t2, t3, h1, f, bx0, bx1, bx2)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Requires3(t0, t1, t2, t3, h0, f, bx0, bx1, bx2) + == Requires3(t0, t1, t2, t3, h1, f, bx0, bx1, bx2)); + +// frame axiom for Apply3 +axiom (forall t0: Ty, + t1: Ty, + t2: Ty, + t3: Ty, + h0: Heap, + h1: Heap, + f: HandleType, + bx0: Box, + bx1: Box, + bx2: Box :: + { $HeapSucc(h0, h1), Apply3(t0, t1, t2, t3, h1, f, bx0, bx1, bx2) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $IsBox(bx1, t1) + && $IsBox(bx2, t2) + && $Is(f, Tclass._System.___hFunc3(t0, t1, t2, t3)) + && (forall o: ref, fld: Field a :: + o != null && Reads3(t0, t1, t2, t3, h0, f, bx0, bx1, bx2)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Apply3(t0, t1, t2, t3, h0, f, bx0, bx1, bx2) + == Apply3(t0, t1, t2, t3, h1, f, bx0, bx1, bx2)); + +// frame axiom for Apply3 +axiom (forall t0: Ty, + t1: Ty, + t2: Ty, + t3: Ty, + h0: Heap, + h1: Heap, + f: HandleType, + bx0: Box, + bx1: Box, + bx2: Box :: + { $HeapSucc(h0, h1), Apply3(t0, t1, t2, t3, h1, f, bx0, bx1, bx2) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $IsBox(bx1, t1) + && $IsBox(bx2, t2) + && $Is(f, Tclass._System.___hFunc3(t0, t1, t2, t3)) + && (forall o: ref, fld: Field a :: + o != null && Reads3(t0, t1, t2, t3, h1, f, bx0, bx1, bx2)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Apply3(t0, t1, t2, t3, h0, f, bx0, bx1, bx2) + == Apply3(t0, t1, t2, t3, h1, f, bx0, bx1, bx2)); + +// empty-reads property for Reads3 +axiom (forall t0: Ty, + t1: Ty, + t2: Ty, + t3: Ty, + heap: Heap, + f: HandleType, + bx0: Box, + bx1: Box, + bx2: Box :: + { Reads3(t0, t1, t2, t3, $OneHeap, f, bx0, bx1, bx2), $IsGoodHeap(heap) } + { Reads3(t0, t1, t2, t3, heap, f, bx0, bx1, bx2) } + $IsGoodHeap(heap) + && + $IsBox(bx0, t0) + && $IsBox(bx1, t1) + && $IsBox(bx2, t2) + && $Is(f, Tclass._System.___hFunc3(t0, t1, t2, t3)) + ==> (Set#Equal(Reads3(t0, t1, t2, t3, $OneHeap, f, bx0, bx1, bx2), Set#Empty(): Set Box) + <==> Set#Equal(Reads3(t0, t1, t2, t3, heap, f, bx0, bx1, bx2), Set#Empty(): Set Box))); + +// empty-reads property for Requires3 +axiom (forall t0: Ty, + t1: Ty, + t2: Ty, + t3: Ty, + heap: Heap, + f: HandleType, + bx0: Box, + bx1: Box, + bx2: Box :: + { Requires3(t0, t1, t2, t3, $OneHeap, f, bx0, bx1, bx2), $IsGoodHeap(heap) } + { Requires3(t0, t1, t2, t3, heap, f, bx0, bx1, bx2) } + $IsGoodHeap(heap) + && + $IsBox(bx0, t0) + && $IsBox(bx1, t1) + && $IsBox(bx2, t2) + && $Is(f, Tclass._System.___hFunc3(t0, t1, t2, t3)) + && Set#Equal(Reads3(t0, t1, t2, t3, $OneHeap, f, bx0, bx1, bx2), Set#Empty(): Set Box) + ==> Requires3(t0, t1, t2, t3, $OneHeap, f, bx0, bx1, bx2) + == Requires3(t0, t1, t2, t3, heap, f, bx0, bx1, bx2)); + +axiom (forall f: HandleType, t0: Ty, t1: Ty, t2: Ty, t3: Ty :: + { $Is(f, Tclass._System.___hFunc3(t0, t1, t2, t3)) } + $Is(f, Tclass._System.___hFunc3(t0, t1, t2, t3)) + <==> (forall h: Heap, bx0: Box, bx1: Box, bx2: Box :: + { Apply3(t0, t1, t2, t3, h, f, bx0, bx1, bx2) } + $IsGoodHeap(h) + && + $IsBox(bx0, t0) + && $IsBox(bx1, t1) + && $IsBox(bx2, t2) + && Requires3(t0, t1, t2, t3, h, f, bx0, bx1, bx2) + ==> $IsBox(Apply3(t0, t1, t2, t3, h, f, bx0, bx1, bx2), t3))); + +axiom (forall f: HandleType, t0: Ty, t1: Ty, t2: Ty, t3: Ty, u0: Ty, u1: Ty, u2: Ty, u3: Ty :: + { $Is(f, Tclass._System.___hFunc3(t0, t1, t2, t3)), $Is(f, Tclass._System.___hFunc3(u0, u1, u2, u3)) } + $Is(f, Tclass._System.___hFunc3(t0, t1, t2, t3)) + && (forall bx: Box :: + { $IsBox(bx, u0) } { $IsBox(bx, t0) } + $IsBox(bx, u0) ==> $IsBox(bx, t0)) + && (forall bx: Box :: + { $IsBox(bx, u1) } { $IsBox(bx, t1) } + $IsBox(bx, u1) ==> $IsBox(bx, t1)) + && (forall bx: Box :: + { $IsBox(bx, u2) } { $IsBox(bx, t2) } + $IsBox(bx, u2) ==> $IsBox(bx, t2)) + && (forall bx: Box :: + { $IsBox(bx, t3) } { $IsBox(bx, u3) } + $IsBox(bx, t3) ==> $IsBox(bx, u3)) + ==> $Is(f, Tclass._System.___hFunc3(u0, u1, u2, u3))); + +axiom (forall f: HandleType, t0: Ty, t1: Ty, t2: Ty, t3: Ty, h: Heap :: + { $IsAlloc(f, Tclass._System.___hFunc3(t0, t1, t2, t3), h) } + $IsGoodHeap(h) + ==> ($IsAlloc(f, Tclass._System.___hFunc3(t0, t1, t2, t3), h) + <==> (forall bx0: Box, bx1: Box, bx2: Box :: + { Apply3(t0, t1, t2, t3, h, f, bx0, bx1, bx2) } + { Reads3(t0, t1, t2, t3, h, f, bx0, bx1, bx2) } + $IsBox(bx0, t0) + && $IsAllocBox(bx0, t0, h) + && + $IsBox(bx1, t1) + && $IsAllocBox(bx1, t1, h) + && + $IsBox(bx2, t2) + && $IsAllocBox(bx2, t2, h) + && Requires3(t0, t1, t2, t3, h, f, bx0, bx1, bx2) + ==> (forall r: ref :: + { Reads3(t0, t1, t2, t3, h, f, bx0, bx1, bx2)[$Box(r)] } + r != null && Reads3(t0, t1, t2, t3, h, f, bx0, bx1, bx2)[$Box(r)] + ==> read(h, r, alloc))))); + +axiom (forall f: HandleType, t0: Ty, t1: Ty, t2: Ty, t3: Ty, h: Heap :: + { $IsAlloc(f, Tclass._System.___hFunc3(t0, t1, t2, t3), h) } + $IsGoodHeap(h) && $IsAlloc(f, Tclass._System.___hFunc3(t0, t1, t2, t3), h) + ==> (forall bx0: Box, bx1: Box, bx2: Box :: + { Apply3(t0, t1, t2, t3, h, f, bx0, bx1, bx2) } + $IsAllocBox(bx0, t0, h) + && $IsAllocBox(bx1, t1, h) + && $IsAllocBox(bx2, t2, h) + && Requires3(t0, t1, t2, t3, h, f, bx0, bx1, bx2) + ==> $IsAllocBox(Apply3(t0, t1, t2, t3, h, f, bx0, bx1, bx2), t3, h))); + +function Tclass._System.___hPartialFunc3(Ty, Ty, Ty, Ty) : Ty; + +const unique Tagclass._System.___hPartialFunc3: TyTag; + +// Tclass._System.___hPartialFunc3 Tag +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$R: Ty :: + { Tclass._System.___hPartialFunc3(#$T0, #$T1, #$T2, #$R) } + Tag(Tclass._System.___hPartialFunc3(#$T0, #$T1, #$T2, #$R)) + == Tagclass._System.___hPartialFunc3 + && TagFamily(Tclass._System.___hPartialFunc3(#$T0, #$T1, #$T2, #$R)) + == tytagFamily$_#PartialFunc3); + +function Tclass._System.___hPartialFunc3_0(Ty) : Ty; + +// Tclass._System.___hPartialFunc3 injectivity 0 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$R: Ty :: + { Tclass._System.___hPartialFunc3(#$T0, #$T1, #$T2, #$R) } + Tclass._System.___hPartialFunc3_0(Tclass._System.___hPartialFunc3(#$T0, #$T1, #$T2, #$R)) + == #$T0); + +function Tclass._System.___hPartialFunc3_1(Ty) : Ty; + +// Tclass._System.___hPartialFunc3 injectivity 1 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$R: Ty :: + { Tclass._System.___hPartialFunc3(#$T0, #$T1, #$T2, #$R) } + Tclass._System.___hPartialFunc3_1(Tclass._System.___hPartialFunc3(#$T0, #$T1, #$T2, #$R)) + == #$T1); + +function Tclass._System.___hPartialFunc3_2(Ty) : Ty; + +// Tclass._System.___hPartialFunc3 injectivity 2 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$R: Ty :: + { Tclass._System.___hPartialFunc3(#$T0, #$T1, #$T2, #$R) } + Tclass._System.___hPartialFunc3_2(Tclass._System.___hPartialFunc3(#$T0, #$T1, #$T2, #$R)) + == #$T2); + +function Tclass._System.___hPartialFunc3_3(Ty) : Ty; + +// Tclass._System.___hPartialFunc3 injectivity 3 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$R: Ty :: + { Tclass._System.___hPartialFunc3(#$T0, #$T1, #$T2, #$R) } + Tclass._System.___hPartialFunc3_3(Tclass._System.___hPartialFunc3(#$T0, #$T1, #$T2, #$R)) + == #$R); + +// Box/unbox axiom for Tclass._System.___hPartialFunc3 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$R: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.___hPartialFunc3(#$T0, #$T1, #$T2, #$R)) } + $IsBox(bx, Tclass._System.___hPartialFunc3(#$T0, #$T1, #$T2, #$R)) + ==> $Box($Unbox(bx): HandleType) == bx + && $Is($Unbox(bx): HandleType, Tclass._System.___hPartialFunc3(#$T0, #$T1, #$T2, #$R))); + +// _System._#PartialFunc3: subset type $Is +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$R: Ty, f#0: HandleType :: + { $Is(f#0, Tclass._System.___hPartialFunc3(#$T0, #$T1, #$T2, #$R)) } + $Is(f#0, Tclass._System.___hPartialFunc3(#$T0, #$T1, #$T2, #$R)) + <==> $Is(f#0, Tclass._System.___hFunc3(#$T0, #$T1, #$T2, #$R)) + && (forall x0#0: Box, x1#0: Box, x2#0: Box :: + $IsBox(x0#0, #$T0) && $IsBox(x1#0, #$T1) && $IsBox(x2#0, #$T2) + ==> Set#Equal(Reads3(#$T0, #$T1, #$T2, #$R, $OneHeap, f#0, x0#0, x1#0, x2#0), + Set#Empty(): Set Box))); + +// _System._#PartialFunc3: subset type $IsAlloc +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$R: Ty, f#0: HandleType, $h: Heap :: + { $IsAlloc(f#0, Tclass._System.___hPartialFunc3(#$T0, #$T1, #$T2, #$R), $h) } + $IsAlloc(f#0, Tclass._System.___hPartialFunc3(#$T0, #$T1, #$T2, #$R), $h) + <==> $IsAlloc(f#0, Tclass._System.___hFunc3(#$T0, #$T1, #$T2, #$R), $h)); + +function Tclass._System.___hTotalFunc3(Ty, Ty, Ty, Ty) : Ty; + +const unique Tagclass._System.___hTotalFunc3: TyTag; + +// Tclass._System.___hTotalFunc3 Tag +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$R: Ty :: + { Tclass._System.___hTotalFunc3(#$T0, #$T1, #$T2, #$R) } + Tag(Tclass._System.___hTotalFunc3(#$T0, #$T1, #$T2, #$R)) + == Tagclass._System.___hTotalFunc3 + && TagFamily(Tclass._System.___hTotalFunc3(#$T0, #$T1, #$T2, #$R)) + == tytagFamily$_#TotalFunc3); + +function Tclass._System.___hTotalFunc3_0(Ty) : Ty; + +// Tclass._System.___hTotalFunc3 injectivity 0 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$R: Ty :: + { Tclass._System.___hTotalFunc3(#$T0, #$T1, #$T2, #$R) } + Tclass._System.___hTotalFunc3_0(Tclass._System.___hTotalFunc3(#$T0, #$T1, #$T2, #$R)) + == #$T0); + +function Tclass._System.___hTotalFunc3_1(Ty) : Ty; + +// Tclass._System.___hTotalFunc3 injectivity 1 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$R: Ty :: + { Tclass._System.___hTotalFunc3(#$T0, #$T1, #$T2, #$R) } + Tclass._System.___hTotalFunc3_1(Tclass._System.___hTotalFunc3(#$T0, #$T1, #$T2, #$R)) + == #$T1); + +function Tclass._System.___hTotalFunc3_2(Ty) : Ty; + +// Tclass._System.___hTotalFunc3 injectivity 2 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$R: Ty :: + { Tclass._System.___hTotalFunc3(#$T0, #$T1, #$T2, #$R) } + Tclass._System.___hTotalFunc3_2(Tclass._System.___hTotalFunc3(#$T0, #$T1, #$T2, #$R)) + == #$T2); + +function Tclass._System.___hTotalFunc3_3(Ty) : Ty; + +// Tclass._System.___hTotalFunc3 injectivity 3 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$R: Ty :: + { Tclass._System.___hTotalFunc3(#$T0, #$T1, #$T2, #$R) } + Tclass._System.___hTotalFunc3_3(Tclass._System.___hTotalFunc3(#$T0, #$T1, #$T2, #$R)) + == #$R); + +// Box/unbox axiom for Tclass._System.___hTotalFunc3 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$R: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.___hTotalFunc3(#$T0, #$T1, #$T2, #$R)) } + $IsBox(bx, Tclass._System.___hTotalFunc3(#$T0, #$T1, #$T2, #$R)) + ==> $Box($Unbox(bx): HandleType) == bx + && $Is($Unbox(bx): HandleType, Tclass._System.___hTotalFunc3(#$T0, #$T1, #$T2, #$R))); + +// _System._#TotalFunc3: subset type $Is +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$R: Ty, f#0: HandleType :: + { $Is(f#0, Tclass._System.___hTotalFunc3(#$T0, #$T1, #$T2, #$R)) } + $Is(f#0, Tclass._System.___hTotalFunc3(#$T0, #$T1, #$T2, #$R)) + <==> $Is(f#0, Tclass._System.___hPartialFunc3(#$T0, #$T1, #$T2, #$R)) + && (forall x0#0: Box, x1#0: Box, x2#0: Box :: + $IsBox(x0#0, #$T0) && $IsBox(x1#0, #$T1) && $IsBox(x2#0, #$T2) + ==> Requires3(#$T0, #$T1, #$T2, #$R, $OneHeap, f#0, x0#0, x1#0, x2#0))); + +// _System._#TotalFunc3: subset type $IsAlloc +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$R: Ty, f#0: HandleType, $h: Heap :: + { $IsAlloc(f#0, Tclass._System.___hTotalFunc3(#$T0, #$T1, #$T2, #$R), $h) } + $IsAlloc(f#0, Tclass._System.___hTotalFunc3(#$T0, #$T1, #$T2, #$R), $h) + <==> $IsAlloc(f#0, Tclass._System.___hPartialFunc3(#$T0, #$T1, #$T2, #$R), $h)); + +function Tclass._System.___hFunc4(Ty, Ty, Ty, Ty, Ty) : Ty; + +const unique Tagclass._System.___hFunc4: TyTag; + +// Tclass._System.___hFunc4 Tag +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$T3: Ty, #$R: Ty :: + { Tclass._System.___hFunc4(#$T0, #$T1, #$T2, #$T3, #$R) } + Tag(Tclass._System.___hFunc4(#$T0, #$T1, #$T2, #$T3, #$R)) + == Tagclass._System.___hFunc4 + && TagFamily(Tclass._System.___hFunc4(#$T0, #$T1, #$T2, #$T3, #$R)) + == tytagFamily$_#Func4); + +function Tclass._System.___hFunc4_0(Ty) : Ty; + +// Tclass._System.___hFunc4 injectivity 0 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$T3: Ty, #$R: Ty :: + { Tclass._System.___hFunc4(#$T0, #$T1, #$T2, #$T3, #$R) } + Tclass._System.___hFunc4_0(Tclass._System.___hFunc4(#$T0, #$T1, #$T2, #$T3, #$R)) + == #$T0); + +function Tclass._System.___hFunc4_1(Ty) : Ty; + +// Tclass._System.___hFunc4 injectivity 1 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$T3: Ty, #$R: Ty :: + { Tclass._System.___hFunc4(#$T0, #$T1, #$T2, #$T3, #$R) } + Tclass._System.___hFunc4_1(Tclass._System.___hFunc4(#$T0, #$T1, #$T2, #$T3, #$R)) + == #$T1); + +function Tclass._System.___hFunc4_2(Ty) : Ty; + +// Tclass._System.___hFunc4 injectivity 2 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$T3: Ty, #$R: Ty :: + { Tclass._System.___hFunc4(#$T0, #$T1, #$T2, #$T3, #$R) } + Tclass._System.___hFunc4_2(Tclass._System.___hFunc4(#$T0, #$T1, #$T2, #$T3, #$R)) + == #$T2); + +function Tclass._System.___hFunc4_3(Ty) : Ty; + +// Tclass._System.___hFunc4 injectivity 3 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$T3: Ty, #$R: Ty :: + { Tclass._System.___hFunc4(#$T0, #$T1, #$T2, #$T3, #$R) } + Tclass._System.___hFunc4_3(Tclass._System.___hFunc4(#$T0, #$T1, #$T2, #$T3, #$R)) + == #$T3); + +function Tclass._System.___hFunc4_4(Ty) : Ty; + +// Tclass._System.___hFunc4 injectivity 4 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$T3: Ty, #$R: Ty :: + { Tclass._System.___hFunc4(#$T0, #$T1, #$T2, #$T3, #$R) } + Tclass._System.___hFunc4_4(Tclass._System.___hFunc4(#$T0, #$T1, #$T2, #$T3, #$R)) + == #$R); + +// Box/unbox axiom for Tclass._System.___hFunc4 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$T3: Ty, #$R: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.___hFunc4(#$T0, #$T1, #$T2, #$T3, #$R)) } + $IsBox(bx, Tclass._System.___hFunc4(#$T0, #$T1, #$T2, #$T3, #$R)) + ==> $Box($Unbox(bx): HandleType) == bx + && $Is($Unbox(bx): HandleType, Tclass._System.___hFunc4(#$T0, #$T1, #$T2, #$T3, #$R))); + +function Handle4([Heap,Box,Box,Box,Box]Box, + [Heap,Box,Box,Box,Box]bool, + [Heap,Box,Box,Box,Box]Set Box) + : HandleType; + +function Apply4(Ty, Ty, Ty, Ty, Ty, Heap, HandleType, Box, Box, Box, Box) : Box; + +function Requires4(Ty, Ty, Ty, Ty, Ty, Heap, HandleType, Box, Box, Box, Box) : bool; + +function Reads4(Ty, Ty, Ty, Ty, Ty, Heap, HandleType, Box, Box, Box, Box) : Set Box; + +axiom (forall t0: Ty, + t1: Ty, + t2: Ty, + t3: Ty, + t4: Ty, + heap: Heap, + h: [Heap,Box,Box,Box,Box]Box, + r: [Heap,Box,Box,Box,Box]bool, + rd: [Heap,Box,Box,Box,Box]Set Box, + bx0: Box, + bx1: Box, + bx2: Box, + bx3: Box :: + { Apply4(t0, t1, t2, t3, t4, heap, Handle4(h, r, rd), bx0, bx1, bx2, bx3) } + Apply4(t0, t1, t2, t3, t4, heap, Handle4(h, r, rd), bx0, bx1, bx2, bx3) + == h[heap, bx0, bx1, bx2, bx3]); + +axiom (forall t0: Ty, + t1: Ty, + t2: Ty, + t3: Ty, + t4: Ty, + heap: Heap, + h: [Heap,Box,Box,Box,Box]Box, + r: [Heap,Box,Box,Box,Box]bool, + rd: [Heap,Box,Box,Box,Box]Set Box, + bx0: Box, + bx1: Box, + bx2: Box, + bx3: Box :: + { Requires4(t0, t1, t2, t3, t4, heap, Handle4(h, r, rd), bx0, bx1, bx2, bx3) } + r[heap, bx0, bx1, bx2, bx3] + ==> Requires4(t0, t1, t2, t3, t4, heap, Handle4(h, r, rd), bx0, bx1, bx2, bx3)); + +axiom (forall t0: Ty, + t1: Ty, + t2: Ty, + t3: Ty, + t4: Ty, + heap: Heap, + h: [Heap,Box,Box,Box,Box]Box, + r: [Heap,Box,Box,Box,Box]bool, + rd: [Heap,Box,Box,Box,Box]Set Box, + bx0: Box, + bx1: Box, + bx2: Box, + bx3: Box, + bx: Box :: + { Reads4(t0, t1, t2, t3, t4, heap, Handle4(h, r, rd), bx0, bx1, bx2, bx3)[bx] } + Reads4(t0, t1, t2, t3, t4, heap, Handle4(h, r, rd), bx0, bx1, bx2, bx3)[bx] + == rd[heap, bx0, bx1, bx2, bx3][bx]); + +function {:inline} Requires4#canCall(t0: Ty, + t1: Ty, + t2: Ty, + t3: Ty, + t4: Ty, + heap: Heap, + f: HandleType, + bx0: Box, + bx1: Box, + bx2: Box, + bx3: Box) + : bool +{ + true +} + +function {:inline} Reads4#canCall(t0: Ty, + t1: Ty, + t2: Ty, + t3: Ty, + t4: Ty, + heap: Heap, + f: HandleType, + bx0: Box, + bx1: Box, + bx2: Box, + bx3: Box) + : bool +{ + true +} + +// frame axiom for Reads4 +axiom (forall t0: Ty, + t1: Ty, + t2: Ty, + t3: Ty, + t4: Ty, + h0: Heap, + h1: Heap, + f: HandleType, + bx0: Box, + bx1: Box, + bx2: Box, + bx3: Box :: + { $HeapSucc(h0, h1), Reads4(t0, t1, t2, t3, t4, h1, f, bx0, bx1, bx2, bx3) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $IsBox(bx1, t1) + && $IsBox(bx2, t2) + && $IsBox(bx3, t3) + && $Is(f, Tclass._System.___hFunc4(t0, t1, t2, t3, t4)) + && (forall o: ref, fld: Field a :: + o != null && Reads4(t0, t1, t2, t3, t4, h0, f, bx0, bx1, bx2, bx3)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Reads4(t0, t1, t2, t3, t4, h0, f, bx0, bx1, bx2, bx3) + == Reads4(t0, t1, t2, t3, t4, h1, f, bx0, bx1, bx2, bx3)); + +// frame axiom for Reads4 +axiom (forall t0: Ty, + t1: Ty, + t2: Ty, + t3: Ty, + t4: Ty, + h0: Heap, + h1: Heap, + f: HandleType, + bx0: Box, + bx1: Box, + bx2: Box, + bx3: Box :: + { $HeapSucc(h0, h1), Reads4(t0, t1, t2, t3, t4, h1, f, bx0, bx1, bx2, bx3) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $IsBox(bx1, t1) + && $IsBox(bx2, t2) + && $IsBox(bx3, t3) + && $Is(f, Tclass._System.___hFunc4(t0, t1, t2, t3, t4)) + && (forall o: ref, fld: Field a :: + o != null && Reads4(t0, t1, t2, t3, t4, h1, f, bx0, bx1, bx2, bx3)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Reads4(t0, t1, t2, t3, t4, h0, f, bx0, bx1, bx2, bx3) + == Reads4(t0, t1, t2, t3, t4, h1, f, bx0, bx1, bx2, bx3)); + +// frame axiom for Requires4 +axiom (forall t0: Ty, + t1: Ty, + t2: Ty, + t3: Ty, + t4: Ty, + h0: Heap, + h1: Heap, + f: HandleType, + bx0: Box, + bx1: Box, + bx2: Box, + bx3: Box :: + { $HeapSucc(h0, h1), Requires4(t0, t1, t2, t3, t4, h1, f, bx0, bx1, bx2, bx3) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $IsBox(bx1, t1) + && $IsBox(bx2, t2) + && $IsBox(bx3, t3) + && $Is(f, Tclass._System.___hFunc4(t0, t1, t2, t3, t4)) + && (forall o: ref, fld: Field a :: + o != null && Reads4(t0, t1, t2, t3, t4, h0, f, bx0, bx1, bx2, bx3)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Requires4(t0, t1, t2, t3, t4, h0, f, bx0, bx1, bx2, bx3) + == Requires4(t0, t1, t2, t3, t4, h1, f, bx0, bx1, bx2, bx3)); + +// frame axiom for Requires4 +axiom (forall t0: Ty, + t1: Ty, + t2: Ty, + t3: Ty, + t4: Ty, + h0: Heap, + h1: Heap, + f: HandleType, + bx0: Box, + bx1: Box, + bx2: Box, + bx3: Box :: + { $HeapSucc(h0, h1), Requires4(t0, t1, t2, t3, t4, h1, f, bx0, bx1, bx2, bx3) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $IsBox(bx1, t1) + && $IsBox(bx2, t2) + && $IsBox(bx3, t3) + && $Is(f, Tclass._System.___hFunc4(t0, t1, t2, t3, t4)) + && (forall o: ref, fld: Field a :: + o != null && Reads4(t0, t1, t2, t3, t4, h1, f, bx0, bx1, bx2, bx3)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Requires4(t0, t1, t2, t3, t4, h0, f, bx0, bx1, bx2, bx3) + == Requires4(t0, t1, t2, t3, t4, h1, f, bx0, bx1, bx2, bx3)); + +// frame axiom for Apply4 +axiom (forall t0: Ty, + t1: Ty, + t2: Ty, + t3: Ty, + t4: Ty, + h0: Heap, + h1: Heap, + f: HandleType, + bx0: Box, + bx1: Box, + bx2: Box, + bx3: Box :: + { $HeapSucc(h0, h1), Apply4(t0, t1, t2, t3, t4, h1, f, bx0, bx1, bx2, bx3) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $IsBox(bx1, t1) + && $IsBox(bx2, t2) + && $IsBox(bx3, t3) + && $Is(f, Tclass._System.___hFunc4(t0, t1, t2, t3, t4)) + && (forall o: ref, fld: Field a :: + o != null && Reads4(t0, t1, t2, t3, t4, h0, f, bx0, bx1, bx2, bx3)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Apply4(t0, t1, t2, t3, t4, h0, f, bx0, bx1, bx2, bx3) + == Apply4(t0, t1, t2, t3, t4, h1, f, bx0, bx1, bx2, bx3)); + +// frame axiom for Apply4 +axiom (forall t0: Ty, + t1: Ty, + t2: Ty, + t3: Ty, + t4: Ty, + h0: Heap, + h1: Heap, + f: HandleType, + bx0: Box, + bx1: Box, + bx2: Box, + bx3: Box :: + { $HeapSucc(h0, h1), Apply4(t0, t1, t2, t3, t4, h1, f, bx0, bx1, bx2, bx3) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $IsBox(bx1, t1) + && $IsBox(bx2, t2) + && $IsBox(bx3, t3) + && $Is(f, Tclass._System.___hFunc4(t0, t1, t2, t3, t4)) + && (forall o: ref, fld: Field a :: + o != null && Reads4(t0, t1, t2, t3, t4, h1, f, bx0, bx1, bx2, bx3)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Apply4(t0, t1, t2, t3, t4, h0, f, bx0, bx1, bx2, bx3) + == Apply4(t0, t1, t2, t3, t4, h1, f, bx0, bx1, bx2, bx3)); + +// empty-reads property for Reads4 +axiom (forall t0: Ty, + t1: Ty, + t2: Ty, + t3: Ty, + t4: Ty, + heap: Heap, + f: HandleType, + bx0: Box, + bx1: Box, + bx2: Box, + bx3: Box :: + { Reads4(t0, t1, t2, t3, t4, $OneHeap, f, bx0, bx1, bx2, bx3), $IsGoodHeap(heap) } + { Reads4(t0, t1, t2, t3, t4, heap, f, bx0, bx1, bx2, bx3) } + $IsGoodHeap(heap) + && + $IsBox(bx0, t0) + && $IsBox(bx1, t1) + && $IsBox(bx2, t2) + && $IsBox(bx3, t3) + && $Is(f, Tclass._System.___hFunc4(t0, t1, t2, t3, t4)) + ==> (Set#Equal(Reads4(t0, t1, t2, t3, t4, $OneHeap, f, bx0, bx1, bx2, bx3), + Set#Empty(): Set Box) + <==> Set#Equal(Reads4(t0, t1, t2, t3, t4, heap, f, bx0, bx1, bx2, bx3), Set#Empty(): Set Box))); + +// empty-reads property for Requires4 +axiom (forall t0: Ty, + t1: Ty, + t2: Ty, + t3: Ty, + t4: Ty, + heap: Heap, + f: HandleType, + bx0: Box, + bx1: Box, + bx2: Box, + bx3: Box :: + { Requires4(t0, t1, t2, t3, t4, $OneHeap, f, bx0, bx1, bx2, bx3), $IsGoodHeap(heap) } + { Requires4(t0, t1, t2, t3, t4, heap, f, bx0, bx1, bx2, bx3) } + $IsGoodHeap(heap) + && + $IsBox(bx0, t0) + && $IsBox(bx1, t1) + && $IsBox(bx2, t2) + && $IsBox(bx3, t3) + && $Is(f, Tclass._System.___hFunc4(t0, t1, t2, t3, t4)) + && Set#Equal(Reads4(t0, t1, t2, t3, t4, $OneHeap, f, bx0, bx1, bx2, bx3), + Set#Empty(): Set Box) + ==> Requires4(t0, t1, t2, t3, t4, $OneHeap, f, bx0, bx1, bx2, bx3) + == Requires4(t0, t1, t2, t3, t4, heap, f, bx0, bx1, bx2, bx3)); + +axiom (forall f: HandleType, t0: Ty, t1: Ty, t2: Ty, t3: Ty, t4: Ty :: + { $Is(f, Tclass._System.___hFunc4(t0, t1, t2, t3, t4)) } + $Is(f, Tclass._System.___hFunc4(t0, t1, t2, t3, t4)) + <==> (forall h: Heap, bx0: Box, bx1: Box, bx2: Box, bx3: Box :: + { Apply4(t0, t1, t2, t3, t4, h, f, bx0, bx1, bx2, bx3) } + $IsGoodHeap(h) + && + $IsBox(bx0, t0) + && $IsBox(bx1, t1) + && $IsBox(bx2, t2) + && $IsBox(bx3, t3) + && Requires4(t0, t1, t2, t3, t4, h, f, bx0, bx1, bx2, bx3) + ==> $IsBox(Apply4(t0, t1, t2, t3, t4, h, f, bx0, bx1, bx2, bx3), t4))); + +axiom (forall f: HandleType, + t0: Ty, + t1: Ty, + t2: Ty, + t3: Ty, + t4: Ty, + u0: Ty, + u1: Ty, + u2: Ty, + u3: Ty, + u4: Ty :: + { $Is(f, Tclass._System.___hFunc4(t0, t1, t2, t3, t4)), $Is(f, Tclass._System.___hFunc4(u0, u1, u2, u3, u4)) } + $Is(f, Tclass._System.___hFunc4(t0, t1, t2, t3, t4)) + && (forall bx: Box :: + { $IsBox(bx, u0) } { $IsBox(bx, t0) } + $IsBox(bx, u0) ==> $IsBox(bx, t0)) + && (forall bx: Box :: + { $IsBox(bx, u1) } { $IsBox(bx, t1) } + $IsBox(bx, u1) ==> $IsBox(bx, t1)) + && (forall bx: Box :: + { $IsBox(bx, u2) } { $IsBox(bx, t2) } + $IsBox(bx, u2) ==> $IsBox(bx, t2)) + && (forall bx: Box :: + { $IsBox(bx, u3) } { $IsBox(bx, t3) } + $IsBox(bx, u3) ==> $IsBox(bx, t3)) + && (forall bx: Box :: + { $IsBox(bx, t4) } { $IsBox(bx, u4) } + $IsBox(bx, t4) ==> $IsBox(bx, u4)) + ==> $Is(f, Tclass._System.___hFunc4(u0, u1, u2, u3, u4))); + +axiom (forall f: HandleType, t0: Ty, t1: Ty, t2: Ty, t3: Ty, t4: Ty, h: Heap :: + { $IsAlloc(f, Tclass._System.___hFunc4(t0, t1, t2, t3, t4), h) } + $IsGoodHeap(h) + ==> ($IsAlloc(f, Tclass._System.___hFunc4(t0, t1, t2, t3, t4), h) + <==> (forall bx0: Box, bx1: Box, bx2: Box, bx3: Box :: + { Apply4(t0, t1, t2, t3, t4, h, f, bx0, bx1, bx2, bx3) } + { Reads4(t0, t1, t2, t3, t4, h, f, bx0, bx1, bx2, bx3) } + $IsBox(bx0, t0) + && $IsAllocBox(bx0, t0, h) + && + $IsBox(bx1, t1) + && $IsAllocBox(bx1, t1, h) + && + $IsBox(bx2, t2) + && $IsAllocBox(bx2, t2, h) + && + $IsBox(bx3, t3) + && $IsAllocBox(bx3, t3, h) + && Requires4(t0, t1, t2, t3, t4, h, f, bx0, bx1, bx2, bx3) + ==> (forall r: ref :: + { Reads4(t0, t1, t2, t3, t4, h, f, bx0, bx1, bx2, bx3)[$Box(r)] } + r != null && Reads4(t0, t1, t2, t3, t4, h, f, bx0, bx1, bx2, bx3)[$Box(r)] + ==> read(h, r, alloc))))); + +axiom (forall f: HandleType, t0: Ty, t1: Ty, t2: Ty, t3: Ty, t4: Ty, h: Heap :: + { $IsAlloc(f, Tclass._System.___hFunc4(t0, t1, t2, t3, t4), h) } + $IsGoodHeap(h) && $IsAlloc(f, Tclass._System.___hFunc4(t0, t1, t2, t3, t4), h) + ==> (forall bx0: Box, bx1: Box, bx2: Box, bx3: Box :: + { Apply4(t0, t1, t2, t3, t4, h, f, bx0, bx1, bx2, bx3) } + $IsAllocBox(bx0, t0, h) + && $IsAllocBox(bx1, t1, h) + && $IsAllocBox(bx2, t2, h) + && $IsAllocBox(bx3, t3, h) + && Requires4(t0, t1, t2, t3, t4, h, f, bx0, bx1, bx2, bx3) + ==> $IsAllocBox(Apply4(t0, t1, t2, t3, t4, h, f, bx0, bx1, bx2, bx3), t4, h))); + +function Tclass._System.___hPartialFunc4(Ty, Ty, Ty, Ty, Ty) : Ty; + +const unique Tagclass._System.___hPartialFunc4: TyTag; + +// Tclass._System.___hPartialFunc4 Tag +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$T3: Ty, #$R: Ty :: + { Tclass._System.___hPartialFunc4(#$T0, #$T1, #$T2, #$T3, #$R) } + Tag(Tclass._System.___hPartialFunc4(#$T0, #$T1, #$T2, #$T3, #$R)) + == Tagclass._System.___hPartialFunc4 + && TagFamily(Tclass._System.___hPartialFunc4(#$T0, #$T1, #$T2, #$T3, #$R)) + == tytagFamily$_#PartialFunc4); + +function Tclass._System.___hPartialFunc4_0(Ty) : Ty; + +// Tclass._System.___hPartialFunc4 injectivity 0 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$T3: Ty, #$R: Ty :: + { Tclass._System.___hPartialFunc4(#$T0, #$T1, #$T2, #$T3, #$R) } + Tclass._System.___hPartialFunc4_0(Tclass._System.___hPartialFunc4(#$T0, #$T1, #$T2, #$T3, #$R)) + == #$T0); + +function Tclass._System.___hPartialFunc4_1(Ty) : Ty; + +// Tclass._System.___hPartialFunc4 injectivity 1 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$T3: Ty, #$R: Ty :: + { Tclass._System.___hPartialFunc4(#$T0, #$T1, #$T2, #$T3, #$R) } + Tclass._System.___hPartialFunc4_1(Tclass._System.___hPartialFunc4(#$T0, #$T1, #$T2, #$T3, #$R)) + == #$T1); + +function Tclass._System.___hPartialFunc4_2(Ty) : Ty; + +// Tclass._System.___hPartialFunc4 injectivity 2 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$T3: Ty, #$R: Ty :: + { Tclass._System.___hPartialFunc4(#$T0, #$T1, #$T2, #$T3, #$R) } + Tclass._System.___hPartialFunc4_2(Tclass._System.___hPartialFunc4(#$T0, #$T1, #$T2, #$T3, #$R)) + == #$T2); + +function Tclass._System.___hPartialFunc4_3(Ty) : Ty; + +// Tclass._System.___hPartialFunc4 injectivity 3 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$T3: Ty, #$R: Ty :: + { Tclass._System.___hPartialFunc4(#$T0, #$T1, #$T2, #$T3, #$R) } + Tclass._System.___hPartialFunc4_3(Tclass._System.___hPartialFunc4(#$T0, #$T1, #$T2, #$T3, #$R)) + == #$T3); + +function Tclass._System.___hPartialFunc4_4(Ty) : Ty; + +// Tclass._System.___hPartialFunc4 injectivity 4 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$T3: Ty, #$R: Ty :: + { Tclass._System.___hPartialFunc4(#$T0, #$T1, #$T2, #$T3, #$R) } + Tclass._System.___hPartialFunc4_4(Tclass._System.___hPartialFunc4(#$T0, #$T1, #$T2, #$T3, #$R)) + == #$R); + +// Box/unbox axiom for Tclass._System.___hPartialFunc4 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$T3: Ty, #$R: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.___hPartialFunc4(#$T0, #$T1, #$T2, #$T3, #$R)) } + $IsBox(bx, Tclass._System.___hPartialFunc4(#$T0, #$T1, #$T2, #$T3, #$R)) + ==> $Box($Unbox(bx): HandleType) == bx + && $Is($Unbox(bx): HandleType, + Tclass._System.___hPartialFunc4(#$T0, #$T1, #$T2, #$T3, #$R))); + +// _System._#PartialFunc4: subset type $Is +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$T3: Ty, #$R: Ty, f#0: HandleType :: + { $Is(f#0, Tclass._System.___hPartialFunc4(#$T0, #$T1, #$T2, #$T3, #$R)) } + $Is(f#0, Tclass._System.___hPartialFunc4(#$T0, #$T1, #$T2, #$T3, #$R)) + <==> $Is(f#0, Tclass._System.___hFunc4(#$T0, #$T1, #$T2, #$T3, #$R)) + && (forall x0#0: Box, x1#0: Box, x2#0: Box, x3#0: Box :: + $IsBox(x0#0, #$T0) + && $IsBox(x1#0, #$T1) + && $IsBox(x2#0, #$T2) + && $IsBox(x3#0, #$T3) + ==> Set#Equal(Reads4(#$T0, #$T1, #$T2, #$T3, #$R, $OneHeap, f#0, x0#0, x1#0, x2#0, x3#0), + Set#Empty(): Set Box))); + +// _System._#PartialFunc4: subset type $IsAlloc +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$T3: Ty, #$R: Ty, f#0: HandleType, $h: Heap :: + { $IsAlloc(f#0, Tclass._System.___hPartialFunc4(#$T0, #$T1, #$T2, #$T3, #$R), $h) } + $IsAlloc(f#0, Tclass._System.___hPartialFunc4(#$T0, #$T1, #$T2, #$T3, #$R), $h) + <==> $IsAlloc(f#0, Tclass._System.___hFunc4(#$T0, #$T1, #$T2, #$T3, #$R), $h)); + +function Tclass._System.___hTotalFunc4(Ty, Ty, Ty, Ty, Ty) : Ty; + +const unique Tagclass._System.___hTotalFunc4: TyTag; + +// Tclass._System.___hTotalFunc4 Tag +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$T3: Ty, #$R: Ty :: + { Tclass._System.___hTotalFunc4(#$T0, #$T1, #$T2, #$T3, #$R) } + Tag(Tclass._System.___hTotalFunc4(#$T0, #$T1, #$T2, #$T3, #$R)) + == Tagclass._System.___hTotalFunc4 + && TagFamily(Tclass._System.___hTotalFunc4(#$T0, #$T1, #$T2, #$T3, #$R)) + == tytagFamily$_#TotalFunc4); + +function Tclass._System.___hTotalFunc4_0(Ty) : Ty; + +// Tclass._System.___hTotalFunc4 injectivity 0 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$T3: Ty, #$R: Ty :: + { Tclass._System.___hTotalFunc4(#$T0, #$T1, #$T2, #$T3, #$R) } + Tclass._System.___hTotalFunc4_0(Tclass._System.___hTotalFunc4(#$T0, #$T1, #$T2, #$T3, #$R)) + == #$T0); + +function Tclass._System.___hTotalFunc4_1(Ty) : Ty; + +// Tclass._System.___hTotalFunc4 injectivity 1 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$T3: Ty, #$R: Ty :: + { Tclass._System.___hTotalFunc4(#$T0, #$T1, #$T2, #$T3, #$R) } + Tclass._System.___hTotalFunc4_1(Tclass._System.___hTotalFunc4(#$T0, #$T1, #$T2, #$T3, #$R)) + == #$T1); + +function Tclass._System.___hTotalFunc4_2(Ty) : Ty; + +// Tclass._System.___hTotalFunc4 injectivity 2 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$T3: Ty, #$R: Ty :: + { Tclass._System.___hTotalFunc4(#$T0, #$T1, #$T2, #$T3, #$R) } + Tclass._System.___hTotalFunc4_2(Tclass._System.___hTotalFunc4(#$T0, #$T1, #$T2, #$T3, #$R)) + == #$T2); + +function Tclass._System.___hTotalFunc4_3(Ty) : Ty; + +// Tclass._System.___hTotalFunc4 injectivity 3 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$T3: Ty, #$R: Ty :: + { Tclass._System.___hTotalFunc4(#$T0, #$T1, #$T2, #$T3, #$R) } + Tclass._System.___hTotalFunc4_3(Tclass._System.___hTotalFunc4(#$T0, #$T1, #$T2, #$T3, #$R)) + == #$T3); + +function Tclass._System.___hTotalFunc4_4(Ty) : Ty; + +// Tclass._System.___hTotalFunc4 injectivity 4 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$T3: Ty, #$R: Ty :: + { Tclass._System.___hTotalFunc4(#$T0, #$T1, #$T2, #$T3, #$R) } + Tclass._System.___hTotalFunc4_4(Tclass._System.___hTotalFunc4(#$T0, #$T1, #$T2, #$T3, #$R)) + == #$R); + +// Box/unbox axiom for Tclass._System.___hTotalFunc4 +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$T3: Ty, #$R: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.___hTotalFunc4(#$T0, #$T1, #$T2, #$T3, #$R)) } + $IsBox(bx, Tclass._System.___hTotalFunc4(#$T0, #$T1, #$T2, #$T3, #$R)) + ==> $Box($Unbox(bx): HandleType) == bx + && $Is($Unbox(bx): HandleType, + Tclass._System.___hTotalFunc4(#$T0, #$T1, #$T2, #$T3, #$R))); + +// _System._#TotalFunc4: subset type $Is +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$T3: Ty, #$R: Ty, f#0: HandleType :: + { $Is(f#0, Tclass._System.___hTotalFunc4(#$T0, #$T1, #$T2, #$T3, #$R)) } + $Is(f#0, Tclass._System.___hTotalFunc4(#$T0, #$T1, #$T2, #$T3, #$R)) + <==> $Is(f#0, Tclass._System.___hPartialFunc4(#$T0, #$T1, #$T2, #$T3, #$R)) + && (forall x0#0: Box, x1#0: Box, x2#0: Box, x3#0: Box :: + $IsBox(x0#0, #$T0) + && $IsBox(x1#0, #$T1) + && $IsBox(x2#0, #$T2) + && $IsBox(x3#0, #$T3) + ==> Requires4(#$T0, #$T1, #$T2, #$T3, #$R, $OneHeap, f#0, x0#0, x1#0, x2#0, x3#0))); + +// _System._#TotalFunc4: subset type $IsAlloc +axiom (forall #$T0: Ty, #$T1: Ty, #$T2: Ty, #$T3: Ty, #$R: Ty, f#0: HandleType, $h: Heap :: + { $IsAlloc(f#0, Tclass._System.___hTotalFunc4(#$T0, #$T1, #$T2, #$T3, #$R), $h) } + $IsAlloc(f#0, Tclass._System.___hTotalFunc4(#$T0, #$T1, #$T2, #$T3, #$R), $h) + <==> $IsAlloc(f#0, Tclass._System.___hPartialFunc4(#$T0, #$T1, #$T2, #$T3, #$R), $h)); + +// Constructor identifier +axiom (forall a#0#0#0: Box, a#0#1#0: Box :: + { #_System._tuple#2._#Make2(a#0#0#0, a#0#1#0) } + DatatypeCtorId(#_System._tuple#2._#Make2(a#0#0#0, a#0#1#0)) + == ##_System._tuple#2._#Make2); + +const unique ##_System._tuple#2._#Make2: DtCtorId; + +function _System.Tuple2.___hMake2_q(DatatypeType) : bool; + +// Questionmark and identifier +axiom (forall d: DatatypeType :: + { _System.Tuple2.___hMake2_q(d) } + _System.Tuple2.___hMake2_q(d) + <==> DatatypeCtorId(d) == ##_System._tuple#2._#Make2); + +// Constructor questionmark has arguments +axiom (forall d: DatatypeType :: + { _System.Tuple2.___hMake2_q(d) } + _System.Tuple2.___hMake2_q(d) + ==> (exists a#1#0#0: Box, a#1#1#0: Box :: + d == #_System._tuple#2._#Make2(a#1#0#0, a#1#1#0))); + +const unique Tagclass._System.Tuple2: TyTag; + +// Tclass._System.Tuple2 Tag +axiom (forall _System._tuple#2$T0: Ty, _System._tuple#2$T1: Ty :: + { Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1) } + Tag(Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) + == Tagclass._System.Tuple2 + && TagFamily(Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) + == tytagFamily$_tuple#2); + +function Tclass._System.Tuple2_0(Ty) : Ty; + +// Tclass._System.Tuple2 injectivity 0 +axiom (forall _System._tuple#2$T0: Ty, _System._tuple#2$T1: Ty :: + { Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1) } + Tclass._System.Tuple2_0(Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) + == _System._tuple#2$T0); + +function Tclass._System.Tuple2_1(Ty) : Ty; + +// Tclass._System.Tuple2 injectivity 1 +axiom (forall _System._tuple#2$T0: Ty, _System._tuple#2$T1: Ty :: + { Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1) } + Tclass._System.Tuple2_1(Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) + == _System._tuple#2$T1); + +// Box/unbox axiom for Tclass._System.Tuple2 +axiom (forall _System._tuple#2$T0: Ty, _System._tuple#2$T1: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) } + $IsBox(bx, Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) + ==> $Box($Unbox(bx): DatatypeType) == bx + && $Is($Unbox(bx): DatatypeType, + Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1))); + +// Constructor $Is +axiom (forall _System._tuple#2$T0: Ty, _System._tuple#2$T1: Ty, a#2#0#0: Box, a#2#1#0: Box :: + { $Is(#_System._tuple#2._#Make2(a#2#0#0, a#2#1#0), + Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) } + $Is(#_System._tuple#2._#Make2(a#2#0#0, a#2#1#0), + Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) + <==> $IsBox(a#2#0#0, _System._tuple#2$T0) && $IsBox(a#2#1#0, _System._tuple#2$T1)); + +// Constructor $IsAlloc +axiom (forall _System._tuple#2$T0: Ty, + _System._tuple#2$T1: Ty, + a#2#0#0: Box, + a#2#1#0: Box, + $h: Heap :: + { $IsAlloc(#_System._tuple#2._#Make2(a#2#0#0, a#2#1#0), + Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1), + $h) } + $IsGoodHeap($h) + ==> ($IsAlloc(#_System._tuple#2._#Make2(a#2#0#0, a#2#1#0), + Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1), + $h) + <==> $IsAllocBox(a#2#0#0, _System._tuple#2$T0, $h) + && $IsAllocBox(a#2#1#0, _System._tuple#2$T1, $h))); + +// Destructor $IsAlloc +axiom (forall d: DatatypeType, _System._tuple#2$T0: Ty, $h: Heap :: + { $IsAllocBox(_System.Tuple2._0(d), _System._tuple#2$T0, $h) } + $IsGoodHeap($h) + && + _System.Tuple2.___hMake2_q(d) + && (exists _System._tuple#2$T1: Ty :: + { $IsAlloc(d, Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1), $h) } + $IsAlloc(d, Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1), $h)) + ==> $IsAllocBox(_System.Tuple2._0(d), _System._tuple#2$T0, $h)); + +// Destructor $IsAlloc +axiom (forall d: DatatypeType, _System._tuple#2$T1: Ty, $h: Heap :: + { $IsAllocBox(_System.Tuple2._1(d), _System._tuple#2$T1, $h) } + $IsGoodHeap($h) + && + _System.Tuple2.___hMake2_q(d) + && (exists _System._tuple#2$T0: Ty :: + { $IsAlloc(d, Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1), $h) } + $IsAlloc(d, Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1), $h)) + ==> $IsAllocBox(_System.Tuple2._1(d), _System._tuple#2$T1, $h)); + +// Constructor literal +axiom (forall a#3#0#0: Box, a#3#1#0: Box :: + { #_System._tuple#2._#Make2(Lit(a#3#0#0), Lit(a#3#1#0)) } + #_System._tuple#2._#Make2(Lit(a#3#0#0), Lit(a#3#1#0)) + == Lit(#_System._tuple#2._#Make2(a#3#0#0, a#3#1#0))); + +// Constructor injectivity +axiom (forall a#4#0#0: Box, a#4#1#0: Box :: + { #_System._tuple#2._#Make2(a#4#0#0, a#4#1#0) } + _System.Tuple2._0(#_System._tuple#2._#Make2(a#4#0#0, a#4#1#0)) == a#4#0#0); + +// Inductive rank +axiom (forall a#5#0#0: Box, a#5#1#0: Box :: + { #_System._tuple#2._#Make2(a#5#0#0, a#5#1#0) } + BoxRank(a#5#0#0) < DtRank(#_System._tuple#2._#Make2(a#5#0#0, a#5#1#0))); + +// Constructor injectivity +axiom (forall a#6#0#0: Box, a#6#1#0: Box :: + { #_System._tuple#2._#Make2(a#6#0#0, a#6#1#0) } + _System.Tuple2._1(#_System._tuple#2._#Make2(a#6#0#0, a#6#1#0)) == a#6#1#0); + +// Inductive rank +axiom (forall a#7#0#0: Box, a#7#1#0: Box :: + { #_System._tuple#2._#Make2(a#7#0#0, a#7#1#0) } + BoxRank(a#7#1#0) < DtRank(#_System._tuple#2._#Make2(a#7#0#0, a#7#1#0))); + +// Depth-one case-split function +function $IsA#_System.Tuple2(DatatypeType) : bool; + +// Depth-one case-split axiom +axiom (forall d: DatatypeType :: + { $IsA#_System.Tuple2(d) } + $IsA#_System.Tuple2(d) ==> _System.Tuple2.___hMake2_q(d)); + +// Questionmark data type disjunctivity +axiom (forall _System._tuple#2$T0: Ty, _System._tuple#2$T1: Ty, d: DatatypeType :: + { _System.Tuple2.___hMake2_q(d), $Is(d, Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) } + $Is(d, Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) + ==> _System.Tuple2.___hMake2_q(d)); + +// Datatype extensional equality declaration +function _System.Tuple2#Equal(DatatypeType, DatatypeType) : bool; + +// Datatype extensional equality definition: #_System._tuple#2._#Make2 +axiom (forall a: DatatypeType, b: DatatypeType :: + { _System.Tuple2#Equal(a, b) } + true + ==> (_System.Tuple2#Equal(a, b) + <==> _System.Tuple2._0(a) == _System.Tuple2._0(b) + && _System.Tuple2._1(a) == _System.Tuple2._1(b))); + +// Datatype extensionality axiom: _System._tuple#2 +axiom (forall a: DatatypeType, b: DatatypeType :: + { _System.Tuple2#Equal(a, b) } + _System.Tuple2#Equal(a, b) <==> a == b); + +const unique class._System.Tuple2: ClassName; + +// Constructor function declaration +function #_System._tuple#0._#Make0() : DatatypeType; + +// Constructor identifier +axiom DatatypeCtorId(#_System._tuple#0._#Make0()) == ##_System._tuple#0._#Make0; + +const unique ##_System._tuple#0._#Make0: DtCtorId; + +function _System.Tuple0.___hMake0_q(DatatypeType) : bool; + +// Questionmark and identifier +axiom (forall d: DatatypeType :: + { _System.Tuple0.___hMake0_q(d) } + _System.Tuple0.___hMake0_q(d) + <==> DatatypeCtorId(d) == ##_System._tuple#0._#Make0); + +// Constructor questionmark has arguments +axiom (forall d: DatatypeType :: + { _System.Tuple0.___hMake0_q(d) } + _System.Tuple0.___hMake0_q(d) ==> d == #_System._tuple#0._#Make0()); + +function Tclass._System.Tuple0() : Ty; + +const unique Tagclass._System.Tuple0: TyTag; + +// Tclass._System.Tuple0 Tag +axiom Tag(Tclass._System.Tuple0()) == Tagclass._System.Tuple0 + && TagFamily(Tclass._System.Tuple0()) == tytagFamily$_tuple#0; + +// Box/unbox axiom for Tclass._System.Tuple0 +axiom (forall bx: Box :: + { $IsBox(bx, Tclass._System.Tuple0()) } + $IsBox(bx, Tclass._System.Tuple0()) + ==> $Box($Unbox(bx): DatatypeType) == bx + && $Is($Unbox(bx): DatatypeType, Tclass._System.Tuple0())); + +// Constructor $Is +axiom $Is(#_System._tuple#0._#Make0(), Tclass._System.Tuple0()); + +// Constructor $IsAlloc +axiom (forall $h: Heap :: + { $IsAlloc(#_System._tuple#0._#Make0(), Tclass._System.Tuple0(), $h) } + $IsGoodHeap($h) + ==> $IsAlloc(#_System._tuple#0._#Make0(), Tclass._System.Tuple0(), $h)); + +// Constructor literal +axiom #_System._tuple#0._#Make0() == Lit(#_System._tuple#0._#Make0()); + +// Depth-one case-split function +function $IsA#_System.Tuple0(DatatypeType) : bool; + +// Depth-one case-split axiom +axiom (forall d: DatatypeType :: + { $IsA#_System.Tuple0(d) } + $IsA#_System.Tuple0(d) ==> _System.Tuple0.___hMake0_q(d)); + +// Questionmark data type disjunctivity +axiom (forall d: DatatypeType :: + { _System.Tuple0.___hMake0_q(d), $Is(d, Tclass._System.Tuple0()) } + $Is(d, Tclass._System.Tuple0()) ==> _System.Tuple0.___hMake0_q(d)); + +// Datatype extensional equality declaration +function _System.Tuple0#Equal(DatatypeType, DatatypeType) : bool; + +// Datatype extensional equality definition: #_System._tuple#0._#Make0 +axiom (forall a: DatatypeType, b: DatatypeType :: + { _System.Tuple0#Equal(a, b) } + true ==> (_System.Tuple0#Equal(a, b) <==> true)); + +// Datatype extensionality axiom: _System._tuple#0 +axiom (forall a: DatatypeType, b: DatatypeType :: + { _System.Tuple0#Equal(a, b) } + _System.Tuple0#Equal(a, b) <==> a == b); + +const unique class._System.Tuple0: ClassName; + +const unique class._module.Node?: ClassName; + +function Tclass._module.Node?() : Ty; + +const unique Tagclass._module.Node?: TyTag; + +// Tclass._module.Node? Tag +axiom Tag(Tclass._module.Node?()) == Tagclass._module.Node? + && TagFamily(Tclass._module.Node?()) == tytagFamily$Node; + +// Box/unbox axiom for Tclass._module.Node? +axiom (forall bx: Box :: + { $IsBox(bx, Tclass._module.Node?()) } + $IsBox(bx, Tclass._module.Node?()) + ==> $Box($Unbox(bx): ref) == bx && $Is($Unbox(bx): ref, Tclass._module.Node?())); + +// Node: Class $Is +axiom (forall $o: ref :: + { $Is($o, Tclass._module.Node?()) } + $Is($o, Tclass._module.Node?()) + <==> $o == null || dtype($o) == Tclass._module.Node?()); + +// Node: Class $IsAlloc +axiom (forall $o: ref, $h: Heap :: + { $IsAlloc($o, Tclass._module.Node?(), $h) } + $IsAlloc($o, Tclass._module.Node?(), $h) <==> $o == null || read($h, $o, alloc)); + +axiom FDim(_module.Node.children) == 0 + && FieldOfDecl(class._module.Node?, field$children) == _module.Node.children + && !$IsGhostField(_module.Node.children); + +const _module.Node.children: Field (Seq Box); + +// Node.children: Type axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Node.children) } + $IsGoodHeap($h) && $o != null && dtype($o) == Tclass._module.Node?() + ==> $Is(read($h, $o, _module.Node.children), TSeq(Tclass._module.Node?()))); + +// Node.children: Allocation axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Node.children) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._module.Node?() + && read($h, $o, alloc) + ==> $IsAlloc(read($h, $o, _module.Node.children), TSeq(Tclass._module.Node?()), $h)); + +axiom FDim(_module.Node.marked) == 0 + && FieldOfDecl(class._module.Node?, field$marked) == _module.Node.marked + && !$IsGhostField(_module.Node.marked); + +const _module.Node.marked: Field bool; + +// Node.marked: Type axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Node.marked) } + $IsGoodHeap($h) && $o != null && dtype($o) == Tclass._module.Node?() + ==> $Is(read($h, $o, _module.Node.marked), TBool)); + +// Node.marked: Allocation axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Node.marked) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._module.Node?() + && read($h, $o, alloc) + ==> $IsAlloc(read($h, $o, _module.Node.marked), TBool, $h)); + +axiom FDim(_module.Node.childrenVisited) == 0 + && FieldOfDecl(class._module.Node?, field$childrenVisited) + == _module.Node.childrenVisited + && !$IsGhostField(_module.Node.childrenVisited); + +const _module.Node.childrenVisited: Field int; + +// Node.childrenVisited: Type axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Node.childrenVisited) } + $IsGoodHeap($h) && $o != null && dtype($o) == Tclass._module.Node?() + ==> $Is(read($h, $o, _module.Node.childrenVisited), Tclass._System.nat())); + +// Node.childrenVisited: Allocation axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Node.childrenVisited) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._module.Node?() + && read($h, $o, alloc) + ==> $IsAlloc(read($h, $o, _module.Node.childrenVisited), Tclass._System.nat(), $h)); + +axiom FDim(_module.Node.pathFromRoot) == 0 + && FieldOfDecl(class._module.Node?, field$pathFromRoot) + == _module.Node.pathFromRoot + && $IsGhostField(_module.Node.pathFromRoot); + +const _module.Node.pathFromRoot: Field DatatypeType; + +function Tclass._module.Path() : Ty; + +const unique Tagclass._module.Path: TyTag; + +// Tclass._module.Path Tag +axiom Tag(Tclass._module.Path()) == Tagclass._module.Path + && TagFamily(Tclass._module.Path()) == tytagFamily$Path; + +// Box/unbox axiom for Tclass._module.Path +axiom (forall bx: Box :: + { $IsBox(bx, Tclass._module.Path()) } + $IsBox(bx, Tclass._module.Path()) + ==> $Box($Unbox(bx): DatatypeType) == bx + && $Is($Unbox(bx): DatatypeType, Tclass._module.Path())); + +// Node.pathFromRoot: Type axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Node.pathFromRoot) } + $IsGoodHeap($h) && $o != null && dtype($o) == Tclass._module.Node?() + ==> $Is(read($h, $o, _module.Node.pathFromRoot), Tclass._module.Path())); + +// Node.pathFromRoot: Allocation axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Node.pathFromRoot) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._module.Node?() + && read($h, $o, alloc) + ==> $IsAlloc(read($h, $o, _module.Node.pathFromRoot), Tclass._module.Path(), $h)); + +function Tclass._module.Node() : Ty; + +const unique Tagclass._module.Node: TyTag; + +// Tclass._module.Node Tag +axiom Tag(Tclass._module.Node()) == Tagclass._module.Node + && TagFamily(Tclass._module.Node()) == tytagFamily$Node; + +// Box/unbox axiom for Tclass._module.Node +axiom (forall bx: Box :: + { $IsBox(bx, Tclass._module.Node()) } + $IsBox(bx, Tclass._module.Node()) + ==> $Box($Unbox(bx): ref) == bx && $Is($Unbox(bx): ref, Tclass._module.Node())); + +// _module.Node: non-null type $Is +axiom (forall c#0: ref :: + { $Is(c#0, Tclass._module.Node()) } + $Is(c#0, Tclass._module.Node()) + <==> $Is(c#0, Tclass._module.Node?()) && c#0 != null); + +// _module.Node: non-null type $IsAlloc +axiom (forall c#0: ref, $h: Heap :: + { $IsAlloc(c#0, Tclass._module.Node(), $h) } + $IsAlloc(c#0, Tclass._module.Node(), $h) + <==> $IsAlloc(c#0, Tclass._module.Node?(), $h)); + +// Constructor function declaration +function #_module.Path.Empty() : DatatypeType; + +// Constructor identifier +axiom DatatypeCtorId(#_module.Path.Empty()) == ##_module.Path.Empty; + +const unique ##_module.Path.Empty: DtCtorId; + +function _module.Path.Empty_q(DatatypeType) : bool; + +// Questionmark and identifier +axiom (forall d: DatatypeType :: + { _module.Path.Empty_q(d) } + _module.Path.Empty_q(d) <==> DatatypeCtorId(d) == ##_module.Path.Empty); + +// Constructor questionmark has arguments +axiom (forall d: DatatypeType :: + { _module.Path.Empty_q(d) } + _module.Path.Empty_q(d) ==> d == #_module.Path.Empty()); + +// Constructor $Is +axiom $Is(#_module.Path.Empty(), Tclass._module.Path()); + +// Constructor $IsAlloc +axiom (forall $h: Heap :: + { $IsAlloc(#_module.Path.Empty(), Tclass._module.Path(), $h) } + $IsGoodHeap($h) ==> $IsAlloc(#_module.Path.Empty(), Tclass._module.Path(), $h)); + +// Constructor literal +axiom #_module.Path.Empty() == Lit(#_module.Path.Empty()); + +// Constructor function declaration +function #_module.Path.Extend(DatatypeType, ref) : DatatypeType; + +// Constructor identifier +axiom (forall a#16#0#0: DatatypeType, a#16#1#0: ref :: + { #_module.Path.Extend(a#16#0#0, a#16#1#0) } + DatatypeCtorId(#_module.Path.Extend(a#16#0#0, a#16#1#0)) + == ##_module.Path.Extend); + +const unique ##_module.Path.Extend: DtCtorId; + +function _module.Path.Extend_q(DatatypeType) : bool; + +// Questionmark and identifier +axiom (forall d: DatatypeType :: + { _module.Path.Extend_q(d) } + _module.Path.Extend_q(d) <==> DatatypeCtorId(d) == ##_module.Path.Extend); + +// Constructor questionmark has arguments +axiom (forall d: DatatypeType :: + { _module.Path.Extend_q(d) } + _module.Path.Extend_q(d) + ==> (exists a#17#0#0: DatatypeType, a#17#1#0: ref :: + d == #_module.Path.Extend(a#17#0#0, a#17#1#0))); + +// Constructor $Is +axiom (forall a#18#0#0: DatatypeType, a#18#1#0: ref :: + { $Is(#_module.Path.Extend(a#18#0#0, a#18#1#0), Tclass._module.Path()) } + $Is(#_module.Path.Extend(a#18#0#0, a#18#1#0), Tclass._module.Path()) + <==> $Is(a#18#0#0, Tclass._module.Path()) && $Is(a#18#1#0, Tclass._module.Node())); + +// Constructor $IsAlloc +axiom (forall a#18#0#0: DatatypeType, a#18#1#0: ref, $h: Heap :: + { $IsAlloc(#_module.Path.Extend(a#18#0#0, a#18#1#0), Tclass._module.Path(), $h) } + $IsGoodHeap($h) + ==> ($IsAlloc(#_module.Path.Extend(a#18#0#0, a#18#1#0), Tclass._module.Path(), $h) + <==> $IsAlloc(a#18#0#0, Tclass._module.Path(), $h) + && $IsAlloc(a#18#1#0, Tclass._module.Node(), $h))); + +// Destructor $IsAlloc +axiom (forall d: DatatypeType, $h: Heap :: + { $IsAlloc(_module.Path._h0(d), Tclass._module.Path(), $h) } + $IsGoodHeap($h) + && + _module.Path.Extend_q(d) + && $IsAlloc(d, Tclass._module.Path(), $h) + ==> $IsAlloc(_module.Path._h0(d), Tclass._module.Path(), $h)); + +// Destructor $IsAlloc +axiom (forall d: DatatypeType, $h: Heap :: + { $IsAlloc(_module.Path._h1(d), Tclass._module.Node(), $h) } + $IsGoodHeap($h) + && + _module.Path.Extend_q(d) + && $IsAlloc(d, Tclass._module.Path(), $h) + ==> $IsAlloc(_module.Path._h1(d), Tclass._module.Node(), $h)); + +// Constructor literal +axiom (forall a#19#0#0: DatatypeType, a#19#1#0: ref :: + { #_module.Path.Extend(Lit(a#19#0#0), Lit(a#19#1#0)) } + #_module.Path.Extend(Lit(a#19#0#0), Lit(a#19#1#0)) + == Lit(#_module.Path.Extend(a#19#0#0, a#19#1#0))); + +function _module.Path._h0(DatatypeType) : DatatypeType; + +// Constructor injectivity +axiom (forall a#20#0#0: DatatypeType, a#20#1#0: ref :: + { #_module.Path.Extend(a#20#0#0, a#20#1#0) } + _module.Path._h0(#_module.Path.Extend(a#20#0#0, a#20#1#0)) == a#20#0#0); + +// Inductive rank +axiom (forall a#21#0#0: DatatypeType, a#21#1#0: ref :: + { #_module.Path.Extend(a#21#0#0, a#21#1#0) } + DtRank(a#21#0#0) < DtRank(#_module.Path.Extend(a#21#0#0, a#21#1#0))); + +function _module.Path._h1(DatatypeType) : ref; + +// Constructor injectivity +axiom (forall a#22#0#0: DatatypeType, a#22#1#0: ref :: + { #_module.Path.Extend(a#22#0#0, a#22#1#0) } + _module.Path._h1(#_module.Path.Extend(a#22#0#0, a#22#1#0)) == a#22#1#0); + +// Depth-one case-split function +function $IsA#_module.Path(DatatypeType) : bool; + +// Depth-one case-split axiom +axiom (forall d: DatatypeType :: + { $IsA#_module.Path(d) } + $IsA#_module.Path(d) ==> _module.Path.Empty_q(d) || _module.Path.Extend_q(d)); + +// Questionmark data type disjunctivity +axiom (forall d: DatatypeType :: + { _module.Path.Extend_q(d), $Is(d, Tclass._module.Path()) } + { _module.Path.Empty_q(d), $Is(d, Tclass._module.Path()) } + $Is(d, Tclass._module.Path()) + ==> _module.Path.Empty_q(d) || _module.Path.Extend_q(d)); + +// Datatype extensional equality declaration +function _module.Path#Equal(DatatypeType, DatatypeType) : bool; + +// Datatype extensional equality definition: #_module.Path.Empty +axiom (forall a: DatatypeType, b: DatatypeType :: + { _module.Path#Equal(a, b), _module.Path.Empty_q(a) } + { _module.Path#Equal(a, b), _module.Path.Empty_q(b) } + _module.Path.Empty_q(a) && _module.Path.Empty_q(b) + ==> (_module.Path#Equal(a, b) <==> true)); + +// Datatype extensional equality definition: #_module.Path.Extend +axiom (forall a: DatatypeType, b: DatatypeType :: + { _module.Path#Equal(a, b), _module.Path.Extend_q(a) } + { _module.Path#Equal(a, b), _module.Path.Extend_q(b) } + _module.Path.Extend_q(a) && _module.Path.Extend_q(b) + ==> (_module.Path#Equal(a, b) + <==> _module.Path#Equal(_module.Path._h0(a), _module.Path._h0(b)) + && _module.Path._h1(a) == _module.Path._h1(b))); + +// Datatype extensionality axiom: _module.Path +axiom (forall a: DatatypeType, b: DatatypeType :: + { _module.Path#Equal(a, b) } + _module.Path#Equal(a, b) <==> a == b); + +const unique class._module.Path: ClassName; + +const unique class._module.__default: ClassName; + +function Tclass._module.__default() : Ty; + +const unique Tagclass._module.__default: TyTag; + +// Tclass._module.__default Tag +axiom Tag(Tclass._module.__default()) == Tagclass._module.__default + && TagFamily(Tclass._module.__default()) == tytagFamily$_default; + +// Box/unbox axiom for Tclass._module.__default +axiom (forall bx: Box :: + { $IsBox(bx, Tclass._module.__default()) } + $IsBox(bx, Tclass._module.__default()) + ==> $Box($Unbox(bx): ref) == bx && $Is($Unbox(bx): ref, Tclass._module.__default())); + +// _default: Class $Is +axiom (forall $o: ref :: + { $Is($o, Tclass._module.__default()) } + $Is($o, Tclass._module.__default()) + <==> $o == null || dtype($o) == Tclass._module.__default()); + +// _default: Class $IsAlloc +axiom (forall $o: ref, $h: Heap :: + { $IsAlloc($o, Tclass._module.__default(), $h) } + $IsAlloc($o, Tclass._module.__default(), $h) + <==> $o == null || read($h, $o, alloc)); + +procedure {:verboseName "RecursiveMark (well-formedness)"} CheckWellFormed$$_module.__default.RecursiveMark(root#0: ref + where $Is(root#0, Tclass._module.Node()) + && $IsAlloc(root#0, Tclass._module.Node(), $Heap), + S#0: Set Box + where $Is(S#0, TSet(Tclass._module.Node())) + && $IsAlloc(S#0, TSet(Tclass._module.Node()), $Heap)); + free requires 2 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +implementation {:verboseName "RecursiveMark (well-formedness)"} CheckWellFormed$$_module.__default.RecursiveMark(root#0: ref, S#0: Set Box) +{ + var $_Frame: [ref,Field beta]bool; + var n#0: ref; + var ch#0: ref; + var newtype$check#0: ref; + var n#2: ref; + var n#4: ref; + var ch#3: ref; + var newtype$check#1: ref; + var n#6: ref; + + // AddMethodImpl: RecursiveMark, CheckWellFormed$$_module.__default.RecursiveMark + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> S#0[$Box($o)]); + assume S#0[$Box(root#0)]; + havoc n#0; + assume $Is(n#0, Tclass._module.Node()) && $IsAlloc(n#0, Tclass._module.Node(), $Heap); + if (*) + { + assume S#0[$Box(n#0)]; + havoc ch#0; + assume $Is(ch#0, Tclass._module.Node?()) + && $IsAlloc(ch#0, Tclass._module.Node?(), $Heap); + if (*) + { + assert n#0 != null; + assume Seq#Contains(read($Heap, n#0, _module.Node.children), $Box(ch#0)); + if (*) + { + newtype$check#0 := null; + assume ch#0 == null; + } + else + { + assume ch#0 != null; + assume S#0[$Box(ch#0)]; + } + } + else + { + assume Seq#Contains(read($Heap, n#0, _module.Node.children), $Box(ch#0)) + ==> ch#0 == null || S#0[$Box(ch#0)]; + } + + assume (forall ch#1: ref :: + { S#0[$Box(ch#1)] } + { Seq#Contains(read($Heap, n#0, _module.Node.children), $Box(ch#1)) } + $Is(ch#1, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#0, _module.Node.children), $Box(ch#1)) + ==> ch#1 == null || S#0[$Box(ch#1)]); + } + else + { + assume S#0[$Box(n#0)] + ==> (forall ch#1: ref :: + { S#0[$Box(ch#1)] } + { Seq#Contains(read($Heap, n#0, _module.Node.children), $Box(ch#1)) } + $Is(ch#1, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#0, _module.Node.children), $Box(ch#1)) + ==> ch#1 == null || S#0[$Box(ch#1)]); + } + + assume (forall n#1: ref :: + { read($Heap, n#1, _module.Node.children) } { S#0[$Box(n#1)] } + $Is(n#1, Tclass._module.Node()) + ==> + S#0[$Box(n#1)] + ==> (forall ch#2: ref :: + { S#0[$Box(ch#2)] } + { Seq#Contains(read($Heap, n#1, _module.Node.children), $Box(ch#2)) } + $Is(ch#2, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#1, _module.Node.children), $Box(ch#2)) + ==> ch#2 == null || S#0[$Box(ch#2)])); + havoc n#2; + assume $Is(n#2, Tclass._module.Node()) && $IsAlloc(n#2, Tclass._module.Node(), $Heap); + if (*) + { + assume S#0[$Box(n#2)]; + assert n#2 != null; + assume !read($Heap, n#2, _module.Node.marked); + assert n#2 != null; + assume read($Heap, n#2, _module.Node.childrenVisited) == LitInt(0); + } + else + { + assume S#0[$Box(n#2)] + ==> !read($Heap, n#2, _module.Node.marked) + && read($Heap, n#2, _module.Node.childrenVisited) == LitInt(0); + } + + assume (forall n#3: ref :: + { read($Heap, n#3, _module.Node.childrenVisited) } + { read($Heap, n#3, _module.Node.marked) } + { S#0[$Box(n#3)] } + $Is(n#3, Tclass._module.Node()) + ==> (S#0[$Box(n#3)] ==> !read($Heap, n#3, _module.Node.marked)) + && (S#0[$Box(n#3)] ==> read($Heap, n#3, _module.Node.childrenVisited) == LitInt(0))); + havoc $Heap; + assume (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] || S#0[$Box($o)]); + assume $HeapSucc(old($Heap), $Heap); + assert root#0 != null; + assume read($Heap, root#0, _module.Node.marked); + havoc n#4; + assume $Is(n#4, Tclass._module.Node()) && $IsAlloc(n#4, Tclass._module.Node(), $Heap); + if (*) + { + assume S#0[$Box(n#4)]; + assert n#4 != null; + assume read($Heap, n#4, _module.Node.marked); + havoc ch#3; + assume $Is(ch#3, Tclass._module.Node?()) + && $IsAlloc(ch#3, Tclass._module.Node?(), $Heap); + if (*) + { + assert n#4 != null; + assume Seq#Contains(read($Heap, n#4, _module.Node.children), $Box(ch#3)); + newtype$check#1 := null; + assume ch#3 != null; + assert ch#3 != null; + assume read($Heap, ch#3, _module.Node.marked); + } + else + { + assume Seq#Contains(read($Heap, n#4, _module.Node.children), $Box(ch#3)) + && ch#3 != null + ==> read($Heap, ch#3, _module.Node.marked); + } + + assume (forall ch#4: ref :: + { read($Heap, ch#4, _module.Node.marked) } + { Seq#Contains(read($Heap, n#4, _module.Node.children), $Box(ch#4)) } + $Is(ch#4, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#4, _module.Node.children), $Box(ch#4)) + && ch#4 != null + ==> read($Heap, ch#4, _module.Node.marked)); + } + else + { + assume S#0[$Box(n#4)] && read($Heap, n#4, _module.Node.marked) + ==> (forall ch#4: ref :: + { read($Heap, ch#4, _module.Node.marked) } + { Seq#Contains(read($Heap, n#4, _module.Node.children), $Box(ch#4)) } + $Is(ch#4, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#4, _module.Node.children), $Box(ch#4)) + && ch#4 != null + ==> read($Heap, ch#4, _module.Node.marked)); + } + + assume (forall n#5: ref :: + { read($Heap, n#5, _module.Node.children) } + { read($Heap, n#5, _module.Node.marked) } + { S#0[$Box(n#5)] } + $Is(n#5, Tclass._module.Node()) + ==> + S#0[$Box(n#5)] && read($Heap, n#5, _module.Node.marked) + ==> (forall ch#5: ref :: + { read($Heap, ch#5, _module.Node.marked) } + { Seq#Contains(read($Heap, n#5, _module.Node.children), $Box(ch#5)) } + $Is(ch#5, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#5, _module.Node.children), $Box(ch#5)) + && ch#5 != null + ==> read($Heap, ch#5, _module.Node.marked))); + havoc n#6; + assume $Is(n#6, Tclass._module.Node()) && $IsAlloc(n#6, Tclass._module.Node(), $Heap); + if (*) + { + assume S#0[$Box(n#6)]; + assert n#6 != null; + assert n#6 != null; + assert $IsAlloc(n#6, Tclass._module.Node(), old($Heap)); + assume read($Heap, n#6, _module.Node.childrenVisited) + == read(old($Heap), n#6, _module.Node.childrenVisited); + assert n#6 != null; + assert n#6 != null; + assert $IsAlloc(n#6, Tclass._module.Node(), old($Heap)); + assume Seq#Equal(read($Heap, n#6, _module.Node.children), + read(old($Heap), n#6, _module.Node.children)); + } + else + { + assume S#0[$Box(n#6)] + ==> read($Heap, n#6, _module.Node.childrenVisited) + == read(old($Heap), n#6, _module.Node.childrenVisited) + && Seq#Equal(read($Heap, n#6, _module.Node.children), + read(old($Heap), n#6, _module.Node.children)); + } + + assume (forall n#7: ref :: + { read(old($Heap), n#7, _module.Node.children) } + { read($Heap, n#7, _module.Node.children) } + { read(old($Heap), n#7, _module.Node.childrenVisited) } + { read($Heap, n#7, _module.Node.childrenVisited) } + { S#0[$Box(n#7)] } + $Is(n#7, Tclass._module.Node()) + ==> (S#0[$Box(n#7)] + ==> read($Heap, n#7, _module.Node.childrenVisited) + == read(old($Heap), n#7, _module.Node.childrenVisited)) + && (S#0[$Box(n#7)] + ==> Seq#Equal(read($Heap, n#7, _module.Node.children), + read(old($Heap), n#7, _module.Node.children)))); +} + + + +procedure {:verboseName "RecursiveMark (call)"} Call$$_module.__default.RecursiveMark(root#0: ref + where $Is(root#0, Tclass._module.Node()) + && $IsAlloc(root#0, Tclass._module.Node(), $Heap), + S#0: Set Box + where $Is(S#0, TSet(Tclass._module.Node())) + && $IsAlloc(S#0, TSet(Tclass._module.Node()), $Heap)); + // user-defined preconditions + requires S#0[$Box(root#0)]; + requires (forall n#1: ref :: + { read($Heap, n#1, _module.Node.children) } { S#0[$Box(n#1)] } + $Is(n#1, Tclass._module.Node()) + ==> + S#0[$Box(n#1)] + ==> (forall ch#2: ref :: + { S#0[$Box(ch#2)] } + { Seq#Contains(read($Heap, n#1, _module.Node.children), $Box(ch#2)) } + $Is(ch#2, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#1, _module.Node.children), $Box(ch#2)) + ==> ch#2 == null || S#0[$Box(ch#2)])); + requires (forall n#3: ref :: + { read($Heap, n#3, _module.Node.childrenVisited) } + { read($Heap, n#3, _module.Node.marked) } + { S#0[$Box(n#3)] } + $Is(n#3, Tclass._module.Node()) + ==> (S#0[$Box(n#3)] ==> !read($Heap, n#3, _module.Node.marked)) + && (S#0[$Box(n#3)] ==> read($Heap, n#3, _module.Node.childrenVisited) == LitInt(0))); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures true; + ensures read($Heap, root#0, _module.Node.marked); + free ensures true; + ensures (forall n#5: ref :: + { read($Heap, n#5, _module.Node.children) } + { read($Heap, n#5, _module.Node.marked) } + { S#0[$Box(n#5)] } + $Is(n#5, Tclass._module.Node()) + ==> + S#0[$Box(n#5)] && read($Heap, n#5, _module.Node.marked) + ==> (forall ch#5: ref :: + { read($Heap, ch#5, _module.Node.marked) } + { Seq#Contains(read($Heap, n#5, _module.Node.children), $Box(ch#5)) } + $Is(ch#5, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#5, _module.Node.children), $Box(ch#5)) + && ch#5 != null + ==> read($Heap, ch#5, _module.Node.marked))); + free ensures true; + ensures (forall n#7: ref :: + { read(old($Heap), n#7, _module.Node.children) } + { read($Heap, n#7, _module.Node.children) } + { read(old($Heap), n#7, _module.Node.childrenVisited) } + { read($Heap, n#7, _module.Node.childrenVisited) } + { S#0[$Box(n#7)] } + $Is(n#7, Tclass._module.Node()) + ==> (S#0[$Box(n#7)] + ==> read($Heap, n#7, _module.Node.childrenVisited) + == read(old($Heap), n#7, _module.Node.childrenVisited)) + && (S#0[$Box(n#7)] + ==> Seq#Equal(read($Heap, n#7, _module.Node.children), + read(old($Heap), n#7, _module.Node.children)))); + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] || S#0[$Box($o)]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +procedure {:verboseName "RecursiveMark (correctness)"} Impl$$_module.__default.RecursiveMark(root#0: ref + where $Is(root#0, Tclass._module.Node()) + && $IsAlloc(root#0, Tclass._module.Node(), $Heap), + S#0: Set Box + where $Is(S#0, TSet(Tclass._module.Node())) + && $IsAlloc(S#0, TSet(Tclass._module.Node()), $Heap)) + returns ($_reverifyPost: bool); + free requires 2 == $FunctionContextHeight; + // user-defined preconditions + requires S#0[$Box(root#0)]; + requires (forall n#1: ref :: + { read($Heap, n#1, _module.Node.children) } { S#0[$Box(n#1)] } + $Is(n#1, Tclass._module.Node()) + ==> + S#0[$Box(n#1)] + ==> (forall ch#2: ref :: + { S#0[$Box(ch#2)] } + { Seq#Contains(read($Heap, n#1, _module.Node.children), $Box(ch#2)) } + $Is(ch#2, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#1, _module.Node.children), $Box(ch#2)) + ==> ch#2 == null || S#0[$Box(ch#2)])); + requires (forall n#3: ref :: + { read($Heap, n#3, _module.Node.childrenVisited) } + { read($Heap, n#3, _module.Node.marked) } + { S#0[$Box(n#3)] } + $Is(n#3, Tclass._module.Node()) + ==> (S#0[$Box(n#3)] ==> !read($Heap, n#3, _module.Node.marked)) + && (S#0[$Box(n#3)] ==> read($Heap, n#3, _module.Node.childrenVisited) == LitInt(0))); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures true; + ensures read($Heap, root#0, _module.Node.marked); + free ensures true; + ensures (forall n#5: ref :: + { read($Heap, n#5, _module.Node.children) } + { read($Heap, n#5, _module.Node.marked) } + { S#0[$Box(n#5)] } + $Is(n#5, Tclass._module.Node()) + ==> + S#0[$Box(n#5)] && read($Heap, n#5, _module.Node.marked) + ==> (forall ch#5: ref :: + { read($Heap, ch#5, _module.Node.marked) } + { Seq#Contains(read($Heap, n#5, _module.Node.children), $Box(ch#5)) } + $Is(ch#5, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#5, _module.Node.children), $Box(ch#5)) + && ch#5 != null + ==> read($Heap, ch#5, _module.Node.marked))); + free ensures true; + ensures (forall n#7: ref :: + { read(old($Heap), n#7, _module.Node.children) } + { read($Heap, n#7, _module.Node.children) } + { read(old($Heap), n#7, _module.Node.childrenVisited) } + { read($Heap, n#7, _module.Node.childrenVisited) } + { S#0[$Box(n#7)] } + $Is(n#7, Tclass._module.Node()) + ==> (S#0[$Box(n#7)] + ==> read($Heap, n#7, _module.Node.childrenVisited) + == read(old($Heap), n#7, _module.Node.childrenVisited)) + && (S#0[$Box(n#7)] + ==> Seq#Equal(read($Heap, n#7, _module.Node.children), + read(old($Heap), n#7, _module.Node.children)))); + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] || S#0[$Box($o)]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +implementation {:verboseName "RecursiveMark (correctness)"} Impl$$_module.__default.RecursiveMark(root#0: ref, S#0: Set Box) returns ($_reverifyPost: bool) +{ + var $_Frame: [ref,Field beta]bool; + var root##0: ref; + var S##0: Set Box; + var stackNodes##0: Set Box; + + // AddMethodImpl: RecursiveMark, Impl$$_module.__default.RecursiveMark + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> S#0[$Box($o)]); + $_reverifyPost := false; + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(34,22) + // TrCallStmt: Before ProcessCallStmt + assume true; + // ProcessCallStmt: CheckSubrange + root##0 := root#0; + assume true; + // ProcessCallStmt: CheckSubrange + S##0 := S#0; + assume true; + // ProcessCallStmt: CheckSubrange + stackNodes##0 := Lit(Set#Empty(): Set Box); + assert (forall $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) && S##0[$Box($o)] ==> $_Frame[$o, $f]); + // ProcessCallStmt: Make the call + call Call$$_module.__default.RecursiveMarkWorker(root##0, S##0, stackNodes##0); + // TrCallStmt: After ProcessCallStmt +} + + + +procedure {:verboseName "RecursiveMarkWorker (well-formedness)"} CheckWellFormed$$_module.__default.RecursiveMarkWorker(root#0: ref + where $Is(root#0, Tclass._module.Node()) + && $IsAlloc(root#0, Tclass._module.Node(), $Heap), + S#0: Set Box + where $Is(S#0, TSet(Tclass._module.Node())) + && $IsAlloc(S#0, TSet(Tclass._module.Node()), $Heap), + stackNodes#0: Set Box + where $Is(stackNodes#0, TSet(Tclass._module.Node())) + && $IsAlloc(stackNodes#0, TSet(Tclass._module.Node()), $Heap)); + free requires 1 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +implementation {:verboseName "RecursiveMarkWorker (well-formedness)"} CheckWellFormed$$_module.__default.RecursiveMarkWorker(root#0: ref, S#0: Set Box, stackNodes#0: Set Box) +{ + var $_Frame: [ref,Field beta]bool; + var n#0: ref; + var ch#0: ref; + var newtype$check#0: ref; + var n#2: ref; + var ch#3: ref; + var newtype$check#1: ref; + var n#4: ref; + var n#6: ref; + var ch#6: ref; + var newtype$check#2: ref; + var n#8: ref; + var n#10: ref; + + // AddMethodImpl: RecursiveMarkWorker, CheckWellFormed$$_module.__default.RecursiveMarkWorker + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> S#0[$Box($o)]); + assume S#0[$Box(root#0)]; + havoc n#0; + assume $Is(n#0, Tclass._module.Node()) && $IsAlloc(n#0, Tclass._module.Node(), $Heap); + if (*) + { + assume S#0[$Box(n#0)]; + havoc ch#0; + assume $Is(ch#0, Tclass._module.Node?()) + && $IsAlloc(ch#0, Tclass._module.Node?(), $Heap); + if (*) + { + assert n#0 != null; + assume Seq#Contains(read($Heap, n#0, _module.Node.children), $Box(ch#0)); + if (*) + { + newtype$check#0 := null; + assume ch#0 == null; + } + else + { + assume ch#0 != null; + assume S#0[$Box(ch#0)]; + } + } + else + { + assume Seq#Contains(read($Heap, n#0, _module.Node.children), $Box(ch#0)) + ==> ch#0 == null || S#0[$Box(ch#0)]; + } + + assume (forall ch#1: ref :: + { S#0[$Box(ch#1)] } + { Seq#Contains(read($Heap, n#0, _module.Node.children), $Box(ch#1)) } + $Is(ch#1, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#0, _module.Node.children), $Box(ch#1)) + ==> ch#1 == null || S#0[$Box(ch#1)]); + } + else + { + assume S#0[$Box(n#0)] + ==> (forall ch#1: ref :: + { S#0[$Box(ch#1)] } + { Seq#Contains(read($Heap, n#0, _module.Node.children), $Box(ch#1)) } + $Is(ch#1, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#0, _module.Node.children), $Box(ch#1)) + ==> ch#1 == null || S#0[$Box(ch#1)]); + } + + assume (forall n#1: ref :: + { read($Heap, n#1, _module.Node.children) } { S#0[$Box(n#1)] } + $Is(n#1, Tclass._module.Node()) + ==> + S#0[$Box(n#1)] + ==> (forall ch#2: ref :: + { S#0[$Box(ch#2)] } + { Seq#Contains(read($Heap, n#1, _module.Node.children), $Box(ch#2)) } + $Is(ch#2, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#1, _module.Node.children), $Box(ch#2)) + ==> ch#2 == null || S#0[$Box(ch#2)])); + havoc n#2; + assume $Is(n#2, Tclass._module.Node()) && $IsAlloc(n#2, Tclass._module.Node(), $Heap); + if (*) + { + assume S#0[$Box(n#2)]; + assert n#2 != null; + assume read($Heap, n#2, _module.Node.marked); + if (*) + { + assume stackNodes#0[$Box(n#2)]; + } + else + { + assume !stackNodes#0[$Box(n#2)]; + havoc ch#3; + assume $Is(ch#3, Tclass._module.Node?()) + && $IsAlloc(ch#3, Tclass._module.Node?(), $Heap); + if (*) + { + assert n#2 != null; + assume Seq#Contains(read($Heap, n#2, _module.Node.children), $Box(ch#3)); + newtype$check#1 := null; + assume ch#3 != null; + assert ch#3 != null; + assume read($Heap, ch#3, _module.Node.marked); + } + else + { + assume Seq#Contains(read($Heap, n#2, _module.Node.children), $Box(ch#3)) + && ch#3 != null + ==> read($Heap, ch#3, _module.Node.marked); + } + + assume (forall ch#4: ref :: + { read($Heap, ch#4, _module.Node.marked) } + { Seq#Contains(read($Heap, n#2, _module.Node.children), $Box(ch#4)) } + $Is(ch#4, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#2, _module.Node.children), $Box(ch#4)) + && ch#4 != null + ==> read($Heap, ch#4, _module.Node.marked)); + } + } + else + { + assume S#0[$Box(n#2)] && read($Heap, n#2, _module.Node.marked) + ==> stackNodes#0[$Box(n#2)] + || (forall ch#4: ref :: + { read($Heap, ch#4, _module.Node.marked) } + { Seq#Contains(read($Heap, n#2, _module.Node.children), $Box(ch#4)) } + $Is(ch#4, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#2, _module.Node.children), $Box(ch#4)) + && ch#4 != null + ==> read($Heap, ch#4, _module.Node.marked)); + } + + assume (forall n#3: ref :: + { read($Heap, n#3, _module.Node.children) } + { stackNodes#0[$Box(n#3)] } + { read($Heap, n#3, _module.Node.marked) } + { S#0[$Box(n#3)] } + $Is(n#3, Tclass._module.Node()) + ==> + S#0[$Box(n#3)] && read($Heap, n#3, _module.Node.marked) + ==> stackNodes#0[$Box(n#3)] + || (forall ch#5: ref :: + { read($Heap, ch#5, _module.Node.marked) } + { Seq#Contains(read($Heap, n#3, _module.Node.children), $Box(ch#5)) } + $Is(ch#5, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#3, _module.Node.children), $Box(ch#5)) + && ch#5 != null + ==> read($Heap, ch#5, _module.Node.marked))); + havoc n#4; + assume $Is(n#4, Tclass._module.Node()) && $IsAlloc(n#4, Tclass._module.Node(), $Heap); + if (*) + { + assume stackNodes#0[$Box(n#4)]; + assert n#4 != null; + assume read($Heap, n#4, _module.Node.marked); + } + else + { + assume stackNodes#0[$Box(n#4)] ==> read($Heap, n#4, _module.Node.marked); + } + + assume (forall n#5: ref :: + { read($Heap, n#5, _module.Node.marked) } { stackNodes#0[$Box(n#5)] } + $Is(n#5, Tclass._module.Node()) + ==> + stackNodes#0[$Box(n#5)] + ==> read($Heap, n#5, _module.Node.marked)); + havoc $Heap; + assume (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] || S#0[$Box($o)]); + assume $HeapSucc(old($Heap), $Heap); + assert root#0 != null; + assume read($Heap, root#0, _module.Node.marked); + havoc n#6; + assume $Is(n#6, Tclass._module.Node()) && $IsAlloc(n#6, Tclass._module.Node(), $Heap); + if (*) + { + assume S#0[$Box(n#6)]; + assert n#6 != null; + assume read($Heap, n#6, _module.Node.marked); + if (*) + { + assume stackNodes#0[$Box(n#6)]; + } + else + { + assume !stackNodes#0[$Box(n#6)]; + havoc ch#6; + assume $Is(ch#6, Tclass._module.Node?()) + && $IsAlloc(ch#6, Tclass._module.Node?(), $Heap); + if (*) + { + assert n#6 != null; + assume Seq#Contains(read($Heap, n#6, _module.Node.children), $Box(ch#6)); + newtype$check#2 := null; + assume ch#6 != null; + assert ch#6 != null; + assume read($Heap, ch#6, _module.Node.marked); + } + else + { + assume Seq#Contains(read($Heap, n#6, _module.Node.children), $Box(ch#6)) + && ch#6 != null + ==> read($Heap, ch#6, _module.Node.marked); + } + + assume (forall ch#7: ref :: + { read($Heap, ch#7, _module.Node.marked) } + { Seq#Contains(read($Heap, n#6, _module.Node.children), $Box(ch#7)) } + $Is(ch#7, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#6, _module.Node.children), $Box(ch#7)) + && ch#7 != null + ==> read($Heap, ch#7, _module.Node.marked)); + } + } + else + { + assume S#0[$Box(n#6)] && read($Heap, n#6, _module.Node.marked) + ==> stackNodes#0[$Box(n#6)] + || (forall ch#7: ref :: + { read($Heap, ch#7, _module.Node.marked) } + { Seq#Contains(read($Heap, n#6, _module.Node.children), $Box(ch#7)) } + $Is(ch#7, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#6, _module.Node.children), $Box(ch#7)) + && ch#7 != null + ==> read($Heap, ch#7, _module.Node.marked)); + } + + assume (forall n#7: ref :: + { read($Heap, n#7, _module.Node.children) } + { stackNodes#0[$Box(n#7)] } + { read($Heap, n#7, _module.Node.marked) } + { S#0[$Box(n#7)] } + $Is(n#7, Tclass._module.Node()) + ==> + S#0[$Box(n#7)] && read($Heap, n#7, _module.Node.marked) + ==> stackNodes#0[$Box(n#7)] + || (forall ch#8: ref :: + { read($Heap, ch#8, _module.Node.marked) } + { Seq#Contains(read($Heap, n#7, _module.Node.children), $Box(ch#8)) } + $Is(ch#8, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#7, _module.Node.children), $Box(ch#8)) + && ch#8 != null + ==> read($Heap, ch#8, _module.Node.marked))); + havoc n#8; + assume $Is(n#8, Tclass._module.Node()) && $IsAlloc(n#8, Tclass._module.Node(), $Heap); + if (*) + { + assume S#0[$Box(n#8)]; + assert n#8 != null; + assert $IsAlloc(n#8, Tclass._module.Node(), old($Heap)); + assume read(old($Heap), n#8, _module.Node.marked); + assert n#8 != null; + assume read($Heap, n#8, _module.Node.marked); + } + else + { + assume S#0[$Box(n#8)] && read(old($Heap), n#8, _module.Node.marked) + ==> read($Heap, n#8, _module.Node.marked); + } + + assume (forall n#9: ref :: + { read($Heap, n#9, _module.Node.marked) } + { read(old($Heap), n#9, _module.Node.marked) } + { S#0[$Box(n#9)] } + $Is(n#9, Tclass._module.Node()) + ==> + S#0[$Box(n#9)] && read(old($Heap), n#9, _module.Node.marked) + ==> read($Heap, n#9, _module.Node.marked)); + havoc n#10; + assume $Is(n#10, Tclass._module.Node()) && $IsAlloc(n#10, Tclass._module.Node(), $Heap); + if (*) + { + assume S#0[$Box(n#10)]; + assert n#10 != null; + assert n#10 != null; + assert $IsAlloc(n#10, Tclass._module.Node(), old($Heap)); + assume read($Heap, n#10, _module.Node.childrenVisited) + == read(old($Heap), n#10, _module.Node.childrenVisited); + assert n#10 != null; + assert n#10 != null; + assert $IsAlloc(n#10, Tclass._module.Node(), old($Heap)); + assume Seq#Equal(read($Heap, n#10, _module.Node.children), + read(old($Heap), n#10, _module.Node.children)); + } + else + { + assume S#0[$Box(n#10)] + ==> read($Heap, n#10, _module.Node.childrenVisited) + == read(old($Heap), n#10, _module.Node.childrenVisited) + && Seq#Equal(read($Heap, n#10, _module.Node.children), + read(old($Heap), n#10, _module.Node.children)); + } + + assume (forall n#11: ref :: + { read(old($Heap), n#11, _module.Node.children) } + { read($Heap, n#11, _module.Node.children) } + { read(old($Heap), n#11, _module.Node.childrenVisited) } + { read($Heap, n#11, _module.Node.childrenVisited) } + { S#0[$Box(n#11)] } + $Is(n#11, Tclass._module.Node()) + ==> (S#0[$Box(n#11)] + ==> read($Heap, n#11, _module.Node.childrenVisited) + == read(old($Heap), n#11, _module.Node.childrenVisited)) + && (S#0[$Box(n#11)] + ==> Seq#Equal(read($Heap, n#11, _module.Node.children), + read(old($Heap), n#11, _module.Node.children)))); +} + + + +procedure {:verboseName "RecursiveMarkWorker (call)"} Call$$_module.__default.RecursiveMarkWorker(root#0: ref + where $Is(root#0, Tclass._module.Node()) + && $IsAlloc(root#0, Tclass._module.Node(), $Heap), + S#0: Set Box + where $Is(S#0, TSet(Tclass._module.Node())) + && $IsAlloc(S#0, TSet(Tclass._module.Node()), $Heap), + stackNodes#0: Set Box + where $Is(stackNodes#0, TSet(Tclass._module.Node())) + && $IsAlloc(stackNodes#0, TSet(Tclass._module.Node()), $Heap)); + // user-defined preconditions + requires S#0[$Box(root#0)]; + requires (forall n#1: ref :: + { read($Heap, n#1, _module.Node.children) } { S#0[$Box(n#1)] } + $Is(n#1, Tclass._module.Node()) + ==> + S#0[$Box(n#1)] + ==> (forall ch#2: ref :: + { S#0[$Box(ch#2)] } + { Seq#Contains(read($Heap, n#1, _module.Node.children), $Box(ch#2)) } + $Is(ch#2, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#1, _module.Node.children), $Box(ch#2)) + ==> ch#2 == null || S#0[$Box(ch#2)])); + requires (forall n#3: ref :: + { read($Heap, n#3, _module.Node.children) } + { stackNodes#0[$Box(n#3)] } + { read($Heap, n#3, _module.Node.marked) } + { S#0[$Box(n#3)] } + $Is(n#3, Tclass._module.Node()) + ==> + S#0[$Box(n#3)] && read($Heap, n#3, _module.Node.marked) + ==> stackNodes#0[$Box(n#3)] + || (forall ch#5: ref :: + { read($Heap, ch#5, _module.Node.marked) } + { Seq#Contains(read($Heap, n#3, _module.Node.children), $Box(ch#5)) } + $Is(ch#5, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#3, _module.Node.children), $Box(ch#5)) + && ch#5 != null + ==> read($Heap, ch#5, _module.Node.marked))); + requires (forall n#5: ref :: + { read($Heap, n#5, _module.Node.marked) } { stackNodes#0[$Box(n#5)] } + $Is(n#5, Tclass._module.Node()) + ==> + stackNodes#0[$Box(n#5)] + ==> read($Heap, n#5, _module.Node.marked)); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures true; + ensures read($Heap, root#0, _module.Node.marked); + free ensures true; + ensures (forall n#7: ref :: + { read($Heap, n#7, _module.Node.children) } + { stackNodes#0[$Box(n#7)] } + { read($Heap, n#7, _module.Node.marked) } + { S#0[$Box(n#7)] } + $Is(n#7, Tclass._module.Node()) + ==> + S#0[$Box(n#7)] && read($Heap, n#7, _module.Node.marked) + ==> stackNodes#0[$Box(n#7)] + || (forall ch#8: ref :: + { read($Heap, ch#8, _module.Node.marked) } + { Seq#Contains(read($Heap, n#7, _module.Node.children), $Box(ch#8)) } + $Is(ch#8, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#7, _module.Node.children), $Box(ch#8)) + && ch#8 != null + ==> read($Heap, ch#8, _module.Node.marked))); + free ensures true; + ensures (forall n#9: ref :: + { read($Heap, n#9, _module.Node.marked) } + { read(old($Heap), n#9, _module.Node.marked) } + { S#0[$Box(n#9)] } + $Is(n#9, Tclass._module.Node()) + ==> + S#0[$Box(n#9)] && read(old($Heap), n#9, _module.Node.marked) + ==> read($Heap, n#9, _module.Node.marked)); + free ensures true; + ensures (forall n#11: ref :: + { read(old($Heap), n#11, _module.Node.children) } + { read($Heap, n#11, _module.Node.children) } + { read(old($Heap), n#11, _module.Node.childrenVisited) } + { read($Heap, n#11, _module.Node.childrenVisited) } + { S#0[$Box(n#11)] } + $Is(n#11, Tclass._module.Node()) + ==> (S#0[$Box(n#11)] + ==> read($Heap, n#11, _module.Node.childrenVisited) + == read(old($Heap), n#11, _module.Node.childrenVisited)) + && (S#0[$Box(n#11)] + ==> Seq#Equal(read($Heap, n#11, _module.Node.children), + read(old($Heap), n#11, _module.Node.children)))); + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] || S#0[$Box($o)]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +procedure {:verboseName "RecursiveMarkWorker (correctness)"} Impl$$_module.__default.RecursiveMarkWorker(root#0: ref + where $Is(root#0, Tclass._module.Node()) + && $IsAlloc(root#0, Tclass._module.Node(), $Heap), + S#0: Set Box + where $Is(S#0, TSet(Tclass._module.Node())) + && $IsAlloc(S#0, TSet(Tclass._module.Node()), $Heap), + stackNodes#0: Set Box + where $Is(stackNodes#0, TSet(Tclass._module.Node())) + && $IsAlloc(stackNodes#0, TSet(Tclass._module.Node()), $Heap)) + returns ($_reverifyPost: bool); + free requires 1 == $FunctionContextHeight; + // user-defined preconditions + requires S#0[$Box(root#0)]; + requires (forall n#1: ref :: + { read($Heap, n#1, _module.Node.children) } { S#0[$Box(n#1)] } + $Is(n#1, Tclass._module.Node()) + ==> + S#0[$Box(n#1)] + ==> (forall ch#2: ref :: + { S#0[$Box(ch#2)] } + { Seq#Contains(read($Heap, n#1, _module.Node.children), $Box(ch#2)) } + $Is(ch#2, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#1, _module.Node.children), $Box(ch#2)) + ==> ch#2 == null || S#0[$Box(ch#2)])); + requires (forall n#3: ref :: + { read($Heap, n#3, _module.Node.children) } + { stackNodes#0[$Box(n#3)] } + { read($Heap, n#3, _module.Node.marked) } + { S#0[$Box(n#3)] } + $Is(n#3, Tclass._module.Node()) + ==> + S#0[$Box(n#3)] && read($Heap, n#3, _module.Node.marked) + ==> stackNodes#0[$Box(n#3)] + || (forall ch#5: ref :: + { read($Heap, ch#5, _module.Node.marked) } + { Seq#Contains(read($Heap, n#3, _module.Node.children), $Box(ch#5)) } + $Is(ch#5, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#3, _module.Node.children), $Box(ch#5)) + && ch#5 != null + ==> read($Heap, ch#5, _module.Node.marked))); + requires (forall n#5: ref :: + { read($Heap, n#5, _module.Node.marked) } { stackNodes#0[$Box(n#5)] } + $Is(n#5, Tclass._module.Node()) + ==> + stackNodes#0[$Box(n#5)] + ==> read($Heap, n#5, _module.Node.marked)); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures true; + ensures read($Heap, root#0, _module.Node.marked); + free ensures true; + ensures (forall n#7: ref :: + { read($Heap, n#7, _module.Node.children) } + { stackNodes#0[$Box(n#7)] } + { read($Heap, n#7, _module.Node.marked) } + { S#0[$Box(n#7)] } + $Is(n#7, Tclass._module.Node()) + ==> + S#0[$Box(n#7)] && read($Heap, n#7, _module.Node.marked) + ==> stackNodes#0[$Box(n#7)] + || (forall ch#8: ref :: + { read($Heap, ch#8, _module.Node.marked) } + { Seq#Contains(read($Heap, n#7, _module.Node.children), $Box(ch#8)) } + $Is(ch#8, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#7, _module.Node.children), $Box(ch#8)) + && ch#8 != null + ==> read($Heap, ch#8, _module.Node.marked))); + free ensures true; + ensures (forall n#9: ref :: + { read($Heap, n#9, _module.Node.marked) } + { read(old($Heap), n#9, _module.Node.marked) } + { S#0[$Box(n#9)] } + $Is(n#9, Tclass._module.Node()) + ==> + S#0[$Box(n#9)] && read(old($Heap), n#9, _module.Node.marked) + ==> read($Heap, n#9, _module.Node.marked)); + free ensures true; + ensures (forall n#11: ref :: + { read(old($Heap), n#11, _module.Node.children) } + { read($Heap, n#11, _module.Node.children) } + { read(old($Heap), n#11, _module.Node.childrenVisited) } + { read($Heap, n#11, _module.Node.childrenVisited) } + { S#0[$Box(n#11)] } + $Is(n#11, Tclass._module.Node()) + ==> (S#0[$Box(n#11)] + ==> read($Heap, n#11, _module.Node.childrenVisited) + == read(old($Heap), n#11, _module.Node.childrenVisited)) + && (S#0[$Box(n#11)] + ==> Seq#Equal(read($Heap, n#11, _module.Node.children), + read(old($Heap), n#11, _module.Node.children)))); + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] || S#0[$Box($o)]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +implementation {:verboseName "RecursiveMarkWorker (correctness)"} Impl$$_module.__default.RecursiveMarkWorker(root#0: ref, S#0: Set Box, stackNodes#0: Set Box) returns ($_reverifyPost: bool) +{ + var $_Frame: [ref,Field beta]bool; + var $rhs#0_0: bool; + var i#0_0: int; + var $PreLoopHeap$loop#0_0: Heap; + var $decr_init$loop#0_00: int; + var $w$loop#0_0: bool; + var n#0_0: ref; + var ch#0_0: ref; + var newtype$check#0_0: ref; + var j#0_0: int; + var newtype$check#0_1: ref; + var n#0_2: ref; + var n#0_4: ref; + var $decr$loop#0_00: int; + var c#0_0_0: ref + where $Is(c#0_0_0, Tclass._module.Node?()) + && $IsAlloc(c#0_0_0, Tclass._module.Node?(), $Heap); + var newtype$check#0_0_0: ref; + var root##0_0_0_0: ref; + var S##0_0_0_0: Set Box; + var stackNodes##0_0_0_0: Set Box; + + // AddMethodImpl: RecursiveMarkWorker, Impl$$_module.__default.RecursiveMarkWorker + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> S#0[$Box($o)]); + $_reverifyPost := false; + // ----- if statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(57,3) + assert root#0 != null; + assume true; + if (!read($Heap, root#0, _module.Node.marked)) + { + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(58,17) + assert root#0 != null; + assume true; + assert $_Frame[root#0, _module.Node.marked]; + assume true; + $rhs#0_0 := Lit(true); + $Heap := update($Heap, root#0, _module.Node.marked, $rhs#0_0); + assume $IsGoodHeap($Heap); + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(59,11) + assume true; + assume true; + i#0_0 := LitInt(0); + // ----- while statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(60,5) + // Assume Fuel Constant + $PreLoopHeap$loop#0_0 := $Heap; + $decr_init$loop#0_00 := Seq#Length(read($Heap, root#0, _module.Node.children)) - i#0_0; + havoc $w$loop#0_0; + while (true) + free invariant $w$loop#0_0 ==> true; + invariant $w$loop#0_0 ==> read($Heap, root#0, _module.Node.marked); + invariant $w$loop#0_0 ==> i#0_0 <= Seq#Length(read($Heap, root#0, _module.Node.children)); + free invariant $w$loop#0_0 ==> true; + invariant $w$loop#0_0 + ==> (forall n#0_1: ref :: + { read($Heap, n#0_1, _module.Node.children) } + { stackNodes#0[$Box(n#0_1)] } + { read($Heap, n#0_1, _module.Node.marked) } + { S#0[$Box(n#0_1)] } + $Is(n#0_1, Tclass._module.Node()) + ==> + S#0[$Box(n#0_1)] && read($Heap, n#0_1, _module.Node.marked) + ==> n#0_1 == root#0 + || stackNodes#0[$Box(n#0_1)] + || (forall ch#0_1: ref :: + { read($Heap, ch#0_1, _module.Node.marked) } + { Seq#Contains(read($Heap, n#0_1, _module.Node.children), $Box(ch#0_1)) } + $Is(ch#0_1, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#0_1, _module.Node.children), $Box(ch#0_1)) + && ch#0_1 != null + ==> read($Heap, ch#0_1, _module.Node.marked))); + free invariant $w$loop#0_0 ==> true; + invariant $w$loop#0_0 + ==> (forall j#0_1: int :: + { $Unbox(Seq#Index(read($Heap, root#0, _module.Node.children), j#0_1)): ref } + true + ==> + LitInt(0) <= j#0_1 && j#0_1 < i#0_0 + ==> $Unbox(Seq#Index(read($Heap, root#0, _module.Node.children), j#0_1)): ref + == null + || read($Heap, + $Unbox(Seq#Index(read($Heap, root#0, _module.Node.children), j#0_1)): ref, + _module.Node.marked)); + free invariant $w$loop#0_0 ==> true; + invariant $w$loop#0_0 + ==> (forall n#0_3: ref :: + { read($Heap, n#0_3, _module.Node.marked) } + { read(old($Heap), n#0_3, _module.Node.marked) } + { S#0[$Box(n#0_3)] } + $Is(n#0_3, Tclass._module.Node()) + ==> + S#0[$Box(n#0_3)] && read(old($Heap), n#0_3, _module.Node.marked) + ==> read($Heap, n#0_3, _module.Node.marked)); + free invariant $w$loop#0_0 ==> true; + invariant $w$loop#0_0 + ==> (forall n#0_5: ref :: + { read(old($Heap), n#0_5, _module.Node.children) } + { read($Heap, n#0_5, _module.Node.children) } + { read(old($Heap), n#0_5, _module.Node.childrenVisited) } + { read($Heap, n#0_5, _module.Node.childrenVisited) } + { S#0[$Box(n#0_5)] } + $Is(n#0_5, Tclass._module.Node()) + ==> (S#0[$Box(n#0_5)] + ==> read($Heap, n#0_5, _module.Node.childrenVisited) + == read(old($Heap), n#0_5, _module.Node.childrenVisited)) + && (S#0[$Box(n#0_5)] + ==> Seq#Equal(read($Heap, n#0_5, _module.Node.children), + read(old($Heap), n#0_5, _module.Node.children)))); + free invariant (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == $PreLoopHeap$loop#0_0[$o] || S#0[$Box($o)]); + free invariant $HeapSucc($PreLoopHeap$loop#0_0, $Heap); + free invariant (forall $o: ref, $f: Field alpha :: + { read($Heap, $o, $f) } + $o != null && read($PreLoopHeap$loop#0_0, $o, alloc) + ==> read($Heap, $o, $f) == read($PreLoopHeap$loop#0_0, $o, $f) || $_Frame[$o, $f]); + free invariant Seq#Length(read($Heap, root#0, _module.Node.children)) - i#0_0 + <= $decr_init$loop#0_00 + && (Seq#Length(read($Heap, root#0, _module.Node.children)) - i#0_0 + == $decr_init$loop#0_00 + ==> true); + { + if (!$w$loop#0_0) + { + assert {:subsumption 0} root#0 != null; + if (read($Heap, root#0, _module.Node.marked)) + { + assert {:subsumption 0} root#0 != null; + } + + assume true; + assume read($Heap, root#0, _module.Node.marked) + && i#0_0 <= Seq#Length(read($Heap, root#0, _module.Node.children)); + // Begin Comprehension WF check + havoc n#0_0; + if ($Is(n#0_0, Tclass._module.Node()) + && $IsAlloc(n#0_0, Tclass._module.Node(), $Heap)) + { + if (S#0[$Box(n#0_0)]) + { + assert {:subsumption 0} n#0_0 != null; + } + + if (S#0[$Box(n#0_0)] && read($Heap, n#0_0, _module.Node.marked)) + { + if (n#0_0 != root#0) + { + } + + if (!(n#0_0 == root#0 || stackNodes#0[$Box(n#0_0)])) + { + // Begin Comprehension WF check + havoc ch#0_0; + if ($Is(ch#0_0, Tclass._module.Node?()) + && $IsAlloc(ch#0_0, Tclass._module.Node?(), $Heap)) + { + assert {:subsumption 0} n#0_0 != null; + if (Seq#Contains(read($Heap, n#0_0, _module.Node.children), $Box(ch#0_0))) + { + newtype$check#0_0 := null; + } + + if (Seq#Contains(read($Heap, n#0_0, _module.Node.children), $Box(ch#0_0)) + && ch#0_0 != null) + { + assert {:subsumption 0} ch#0_0 != null; + } + } + + // End Comprehension WF check + } + } + } + + // End Comprehension WF check + assume true; + assume (forall n#0_1: ref :: + { read($Heap, n#0_1, _module.Node.children) } + { stackNodes#0[$Box(n#0_1)] } + { read($Heap, n#0_1, _module.Node.marked) } + { S#0[$Box(n#0_1)] } + $Is(n#0_1, Tclass._module.Node()) + ==> + S#0[$Box(n#0_1)] && read($Heap, n#0_1, _module.Node.marked) + ==> n#0_1 == root#0 + || stackNodes#0[$Box(n#0_1)] + || (forall ch#0_1: ref :: + { read($Heap, ch#0_1, _module.Node.marked) } + { Seq#Contains(read($Heap, n#0_1, _module.Node.children), $Box(ch#0_1)) } + $Is(ch#0_1, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#0_1, _module.Node.children), $Box(ch#0_1)) + && ch#0_1 != null + ==> read($Heap, ch#0_1, _module.Node.marked))); + // Begin Comprehension WF check + havoc j#0_0; + if (true) + { + if (LitInt(0) <= j#0_0) + { + } + + if (LitInt(0) <= j#0_0 && j#0_0 < i#0_0) + { + assert {:subsumption 0} root#0 != null; + assert {:subsumption 0} 0 <= j#0_0 && j#0_0 < Seq#Length(read($Heap, root#0, _module.Node.children)); + newtype$check#0_1 := null; + if ($Unbox(Seq#Index(read($Heap, root#0, _module.Node.children), j#0_0)): ref + != null) + { + assert {:subsumption 0} root#0 != null; + assert {:subsumption 0} 0 <= j#0_0 && j#0_0 < Seq#Length(read($Heap, root#0, _module.Node.children)); + assert {:subsumption 0} $Unbox(Seq#Index(read($Heap, root#0, _module.Node.children), j#0_0)): ref + != null; + } + } + } + + // End Comprehension WF check + assume true; + assume (forall j#0_1: int :: + { $Unbox(Seq#Index(read($Heap, root#0, _module.Node.children), j#0_1)): ref } + true + ==> + LitInt(0) <= j#0_1 && j#0_1 < i#0_0 + ==> $Unbox(Seq#Index(read($Heap, root#0, _module.Node.children), j#0_1)): ref + == null + || read($Heap, + $Unbox(Seq#Index(read($Heap, root#0, _module.Node.children), j#0_1)): ref, + _module.Node.marked)); + // Begin Comprehension WF check + havoc n#0_2; + if ($Is(n#0_2, Tclass._module.Node()) + && $IsAlloc(n#0_2, Tclass._module.Node(), $Heap)) + { + if (S#0[$Box(n#0_2)]) + { + assert {:subsumption 0} n#0_2 != null; + assert $IsAlloc(n#0_2, Tclass._module.Node(), old($Heap)); + } + + if (S#0[$Box(n#0_2)] && read(old($Heap), n#0_2, _module.Node.marked)) + { + assert {:subsumption 0} n#0_2 != null; + } + } + + // End Comprehension WF check + assume true; + assume (forall n#0_3: ref :: + { read($Heap, n#0_3, _module.Node.marked) } + { read(old($Heap), n#0_3, _module.Node.marked) } + { S#0[$Box(n#0_3)] } + $Is(n#0_3, Tclass._module.Node()) + ==> + S#0[$Box(n#0_3)] && read(old($Heap), n#0_3, _module.Node.marked) + ==> read($Heap, n#0_3, _module.Node.marked)); + // Begin Comprehension WF check + havoc n#0_4; + if ($Is(n#0_4, Tclass._module.Node()) + && $IsAlloc(n#0_4, Tclass._module.Node(), $Heap)) + { + if (S#0[$Box(n#0_4)]) + { + assert {:subsumption 0} n#0_4 != null; + assert {:subsumption 0} n#0_4 != null; + assert $IsAlloc(n#0_4, Tclass._module.Node(), old($Heap)); + if (read($Heap, n#0_4, _module.Node.childrenVisited) + == read(old($Heap), n#0_4, _module.Node.childrenVisited)) + { + assert {:subsumption 0} n#0_4 != null; + assert {:subsumption 0} n#0_4 != null; + assert $IsAlloc(n#0_4, Tclass._module.Node(), old($Heap)); + } + } + } + + // End Comprehension WF check + assume true; + assume (forall n#0_5: ref :: + { read(old($Heap), n#0_5, _module.Node.children) } + { read($Heap, n#0_5, _module.Node.children) } + { read(old($Heap), n#0_5, _module.Node.childrenVisited) } + { read($Heap, n#0_5, _module.Node.childrenVisited) } + { S#0[$Box(n#0_5)] } + $Is(n#0_5, Tclass._module.Node()) + ==> (S#0[$Box(n#0_5)] + ==> read($Heap, n#0_5, _module.Node.childrenVisited) + == read(old($Heap), n#0_5, _module.Node.childrenVisited)) + && (S#0[$Box(n#0_5)] + ==> Seq#Equal(read($Heap, n#0_5, _module.Node.children), + read(old($Heap), n#0_5, _module.Node.children)))); + assert root#0 != null; + assume true; + assume false; + } + + assert root#0 != null; + assume true; + if (Seq#Length(read($Heap, root#0, _module.Node.children)) <= i#0_0) + { + break; + } + + $decr$loop#0_00 := Seq#Length(read($Heap, root#0, _module.Node.children)) - i#0_0; + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(73,13) + assume true; + assert root#0 != null; + assert 0 <= i#0_0 && i#0_0 < Seq#Length(read($Heap, root#0, _module.Node.children)); + assume true; + c#0_0_0 := $Unbox(Seq#Index(read($Heap, root#0, _module.Node.children), i#0_0)): ref; + // ----- if statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(74,7) + newtype$check#0_0_0 := null; + assume true; + if (c#0_0_0 != null) + { + // ----- call statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(75,28) + // TrCallStmt: Before ProcessCallStmt + assume true; + // ProcessCallStmt: CheckSubrange + assert $Is(c#0_0_0, Tclass._module.Node()); + root##0_0_0_0 := c#0_0_0; + assume true; + // ProcessCallStmt: CheckSubrange + S##0_0_0_0 := S#0; + assume true; + // ProcessCallStmt: CheckSubrange + stackNodes##0_0_0_0 := Set#Union(stackNodes#0, Set#UnionOne(Set#Empty(): Set Box, $Box(root#0))); + assert (forall $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) && S##0_0_0_0[$Box($o)] ==> $_Frame[$o, $f]); + assert Set#Subset(Set#Difference(S##0_0_0_0, stackNodes##0_0_0_0), + Set#Difference(S#0, stackNodes#0)) + && !Set#Subset(Set#Difference(S#0, stackNodes#0), + Set#Difference(S##0_0_0_0, stackNodes##0_0_0_0)); + // ProcessCallStmt: Make the call + call Call$$_module.__default.RecursiveMarkWorker(root##0_0_0_0, S##0_0_0_0, stackNodes##0_0_0_0); + // TrCallStmt: After ProcessCallStmt + } + else + { + } + + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(77,9) + assume true; + assume true; + i#0_0 := i#0_0 + 1; + // ----- loop termination check ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(60,5) + assert 0 <= $decr$loop#0_00 + || Seq#Length(read($Heap, root#0, _module.Node.children)) - i#0_0 + == $decr$loop#0_00; + assert Seq#Length(read($Heap, root#0, _module.Node.children)) - i#0_0 < $decr$loop#0_00; + assume true; + } + } + else + { + } +} + + + +procedure {:verboseName "IterativeMark (well-formedness)"} CheckWellFormed$$_module.__default.IterativeMark(root#0: ref + where $Is(root#0, Tclass._module.Node()) + && $IsAlloc(root#0, Tclass._module.Node(), $Heap), + S#0: Set Box + where $Is(S#0, TSet(Tclass._module.Node())) + && $IsAlloc(S#0, TSet(Tclass._module.Node()), $Heap)); + free requires 1 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +implementation {:verboseName "IterativeMark (well-formedness)"} CheckWellFormed$$_module.__default.IterativeMark(root#0: ref, S#0: Set Box) +{ + var $_Frame: [ref,Field beta]bool; + var n#0: ref; + var ch#0: ref; + var newtype$check#0: ref; + var n#2: ref; + var n#4: ref; + var ch#3: ref; + var newtype$check#1: ref; + var n#6: ref; + + // AddMethodImpl: IterativeMark, CheckWellFormed$$_module.__default.IterativeMark + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> S#0[$Box($o)]); + assume S#0[$Box(root#0)]; + havoc n#0; + assume $Is(n#0, Tclass._module.Node()) && $IsAlloc(n#0, Tclass._module.Node(), $Heap); + if (*) + { + assume S#0[$Box(n#0)]; + havoc ch#0; + assume $Is(ch#0, Tclass._module.Node?()) + && $IsAlloc(ch#0, Tclass._module.Node?(), $Heap); + if (*) + { + assert n#0 != null; + assume Seq#Contains(read($Heap, n#0, _module.Node.children), $Box(ch#0)); + if (*) + { + newtype$check#0 := null; + assume ch#0 == null; + } + else + { + assume ch#0 != null; + assume S#0[$Box(ch#0)]; + } + } + else + { + assume Seq#Contains(read($Heap, n#0, _module.Node.children), $Box(ch#0)) + ==> ch#0 == null || S#0[$Box(ch#0)]; + } + + assume (forall ch#1: ref :: + { S#0[$Box(ch#1)] } + { Seq#Contains(read($Heap, n#0, _module.Node.children), $Box(ch#1)) } + $Is(ch#1, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#0, _module.Node.children), $Box(ch#1)) + ==> ch#1 == null || S#0[$Box(ch#1)]); + } + else + { + assume S#0[$Box(n#0)] + ==> (forall ch#1: ref :: + { S#0[$Box(ch#1)] } + { Seq#Contains(read($Heap, n#0, _module.Node.children), $Box(ch#1)) } + $Is(ch#1, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#0, _module.Node.children), $Box(ch#1)) + ==> ch#1 == null || S#0[$Box(ch#1)]); + } + + assume (forall n#1: ref :: + { read($Heap, n#1, _module.Node.children) } { S#0[$Box(n#1)] } + $Is(n#1, Tclass._module.Node()) + ==> + S#0[$Box(n#1)] + ==> (forall ch#2: ref :: + { S#0[$Box(ch#2)] } + { Seq#Contains(read($Heap, n#1, _module.Node.children), $Box(ch#2)) } + $Is(ch#2, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#1, _module.Node.children), $Box(ch#2)) + ==> ch#2 == null || S#0[$Box(ch#2)])); + havoc n#2; + assume $Is(n#2, Tclass._module.Node()) && $IsAlloc(n#2, Tclass._module.Node(), $Heap); + if (*) + { + assume S#0[$Box(n#2)]; + assert n#2 != null; + assume !read($Heap, n#2, _module.Node.marked); + assert n#2 != null; + assume read($Heap, n#2, _module.Node.childrenVisited) == LitInt(0); + } + else + { + assume S#0[$Box(n#2)] + ==> !read($Heap, n#2, _module.Node.marked) + && read($Heap, n#2, _module.Node.childrenVisited) == LitInt(0); + } + + assume (forall n#3: ref :: + { read($Heap, n#3, _module.Node.childrenVisited) } + { read($Heap, n#3, _module.Node.marked) } + { S#0[$Box(n#3)] } + $Is(n#3, Tclass._module.Node()) + ==> (S#0[$Box(n#3)] ==> !read($Heap, n#3, _module.Node.marked)) + && (S#0[$Box(n#3)] ==> read($Heap, n#3, _module.Node.childrenVisited) == LitInt(0))); + havoc $Heap; + assume (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] || S#0[$Box($o)]); + assume $HeapSucc(old($Heap), $Heap); + assert root#0 != null; + assume read($Heap, root#0, _module.Node.marked); + havoc n#4; + assume $Is(n#4, Tclass._module.Node()) && $IsAlloc(n#4, Tclass._module.Node(), $Heap); + if (*) + { + assume S#0[$Box(n#4)]; + assert n#4 != null; + assume read($Heap, n#4, _module.Node.marked); + havoc ch#3; + assume $Is(ch#3, Tclass._module.Node?()) + && $IsAlloc(ch#3, Tclass._module.Node?(), $Heap); + if (*) + { + assert n#4 != null; + assume Seq#Contains(read($Heap, n#4, _module.Node.children), $Box(ch#3)); + newtype$check#1 := null; + assume ch#3 != null; + assert ch#3 != null; + assume read($Heap, ch#3, _module.Node.marked); + } + else + { + assume Seq#Contains(read($Heap, n#4, _module.Node.children), $Box(ch#3)) + && ch#3 != null + ==> read($Heap, ch#3, _module.Node.marked); + } + + assume (forall ch#4: ref :: + { read($Heap, ch#4, _module.Node.marked) } + { Seq#Contains(read($Heap, n#4, _module.Node.children), $Box(ch#4)) } + $Is(ch#4, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#4, _module.Node.children), $Box(ch#4)) + && ch#4 != null + ==> read($Heap, ch#4, _module.Node.marked)); + } + else + { + assume S#0[$Box(n#4)] && read($Heap, n#4, _module.Node.marked) + ==> (forall ch#4: ref :: + { read($Heap, ch#4, _module.Node.marked) } + { Seq#Contains(read($Heap, n#4, _module.Node.children), $Box(ch#4)) } + $Is(ch#4, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#4, _module.Node.children), $Box(ch#4)) + && ch#4 != null + ==> read($Heap, ch#4, _module.Node.marked)); + } + + assume (forall n#5: ref :: + { read($Heap, n#5, _module.Node.children) } + { read($Heap, n#5, _module.Node.marked) } + { S#0[$Box(n#5)] } + $Is(n#5, Tclass._module.Node()) + ==> + S#0[$Box(n#5)] && read($Heap, n#5, _module.Node.marked) + ==> (forall ch#5: ref :: + { read($Heap, ch#5, _module.Node.marked) } + { Seq#Contains(read($Heap, n#5, _module.Node.children), $Box(ch#5)) } + $Is(ch#5, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#5, _module.Node.children), $Box(ch#5)) + && ch#5 != null + ==> read($Heap, ch#5, _module.Node.marked))); + havoc n#6; + assume $Is(n#6, Tclass._module.Node()) && $IsAlloc(n#6, Tclass._module.Node(), $Heap); + if (*) + { + assume S#0[$Box(n#6)]; + assert n#6 != null; + assert n#6 != null; + assert $IsAlloc(n#6, Tclass._module.Node(), old($Heap)); + assume read($Heap, n#6, _module.Node.childrenVisited) + == read(old($Heap), n#6, _module.Node.childrenVisited); + assert n#6 != null; + assert n#6 != null; + assert $IsAlloc(n#6, Tclass._module.Node(), old($Heap)); + assume Seq#Equal(read($Heap, n#6, _module.Node.children), + read(old($Heap), n#6, _module.Node.children)); + } + else + { + assume S#0[$Box(n#6)] + ==> read($Heap, n#6, _module.Node.childrenVisited) + == read(old($Heap), n#6, _module.Node.childrenVisited) + && Seq#Equal(read($Heap, n#6, _module.Node.children), + read(old($Heap), n#6, _module.Node.children)); + } + + assume (forall n#7: ref :: + { read(old($Heap), n#7, _module.Node.children) } + { read($Heap, n#7, _module.Node.children) } + { read(old($Heap), n#7, _module.Node.childrenVisited) } + { read($Heap, n#7, _module.Node.childrenVisited) } + { S#0[$Box(n#7)] } + $Is(n#7, Tclass._module.Node()) + ==> (S#0[$Box(n#7)] + ==> read($Heap, n#7, _module.Node.childrenVisited) + == read(old($Heap), n#7, _module.Node.childrenVisited)) + && (S#0[$Box(n#7)] + ==> Seq#Equal(read($Heap, n#7, _module.Node.children), + read(old($Heap), n#7, _module.Node.children)))); +} + + + +procedure {:verboseName "IterativeMark (call)"} Call$$_module.__default.IterativeMark(root#0: ref + where $Is(root#0, Tclass._module.Node()) + && $IsAlloc(root#0, Tclass._module.Node(), $Heap), + S#0: Set Box + where $Is(S#0, TSet(Tclass._module.Node())) + && $IsAlloc(S#0, TSet(Tclass._module.Node()), $Heap)); + // user-defined preconditions + requires S#0[$Box(root#0)]; + requires (forall n#1: ref :: + { read($Heap, n#1, _module.Node.children) } { S#0[$Box(n#1)] } + $Is(n#1, Tclass._module.Node()) + ==> + S#0[$Box(n#1)] + ==> (forall ch#2: ref :: + { S#0[$Box(ch#2)] } + { Seq#Contains(read($Heap, n#1, _module.Node.children), $Box(ch#2)) } + $Is(ch#2, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#1, _module.Node.children), $Box(ch#2)) + ==> ch#2 == null || S#0[$Box(ch#2)])); + requires (forall n#3: ref :: + { read($Heap, n#3, _module.Node.childrenVisited) } + { read($Heap, n#3, _module.Node.marked) } + { S#0[$Box(n#3)] } + $Is(n#3, Tclass._module.Node()) + ==> (S#0[$Box(n#3)] ==> !read($Heap, n#3, _module.Node.marked)) + && (S#0[$Box(n#3)] ==> read($Heap, n#3, _module.Node.childrenVisited) == LitInt(0))); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures true; + ensures read($Heap, root#0, _module.Node.marked); + free ensures true; + ensures (forall n#5: ref :: + { read($Heap, n#5, _module.Node.children) } + { read($Heap, n#5, _module.Node.marked) } + { S#0[$Box(n#5)] } + $Is(n#5, Tclass._module.Node()) + ==> + S#0[$Box(n#5)] && read($Heap, n#5, _module.Node.marked) + ==> (forall ch#5: ref :: + { read($Heap, ch#5, _module.Node.marked) } + { Seq#Contains(read($Heap, n#5, _module.Node.children), $Box(ch#5)) } + $Is(ch#5, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#5, _module.Node.children), $Box(ch#5)) + && ch#5 != null + ==> read($Heap, ch#5, _module.Node.marked))); + free ensures true; + ensures (forall n#7: ref :: + { read(old($Heap), n#7, _module.Node.children) } + { read($Heap, n#7, _module.Node.children) } + { read(old($Heap), n#7, _module.Node.childrenVisited) } + { read($Heap, n#7, _module.Node.childrenVisited) } + { S#0[$Box(n#7)] } + $Is(n#7, Tclass._module.Node()) + ==> (S#0[$Box(n#7)] + ==> read($Heap, n#7, _module.Node.childrenVisited) + == read(old($Heap), n#7, _module.Node.childrenVisited)) + && (S#0[$Box(n#7)] + ==> Seq#Equal(read($Heap, n#7, _module.Node.children), + read(old($Heap), n#7, _module.Node.children)))); + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] || S#0[$Box($o)]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +procedure {:verboseName "IterativeMark (correctness)"} Impl$$_module.__default.IterativeMark(root#0: ref + where $Is(root#0, Tclass._module.Node()) + && $IsAlloc(root#0, Tclass._module.Node(), $Heap), + S#0: Set Box + where $Is(S#0, TSet(Tclass._module.Node())) + && $IsAlloc(S#0, TSet(Tclass._module.Node()), $Heap)) + returns ($_reverifyPost: bool); + free requires 1 == $FunctionContextHeight; + // user-defined preconditions + requires S#0[$Box(root#0)]; + requires (forall n#1: ref :: + { read($Heap, n#1, _module.Node.children) } { S#0[$Box(n#1)] } + $Is(n#1, Tclass._module.Node()) + ==> + S#0[$Box(n#1)] + ==> (forall ch#2: ref :: + { S#0[$Box(ch#2)] } + { Seq#Contains(read($Heap, n#1, _module.Node.children), $Box(ch#2)) } + $Is(ch#2, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#1, _module.Node.children), $Box(ch#2)) + ==> ch#2 == null || S#0[$Box(ch#2)])); + requires (forall n#3: ref :: + { read($Heap, n#3, _module.Node.childrenVisited) } + { read($Heap, n#3, _module.Node.marked) } + { S#0[$Box(n#3)] } + $Is(n#3, Tclass._module.Node()) + ==> (S#0[$Box(n#3)] ==> !read($Heap, n#3, _module.Node.marked)) + && (S#0[$Box(n#3)] ==> read($Heap, n#3, _module.Node.childrenVisited) == LitInt(0))); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures true; + ensures read($Heap, root#0, _module.Node.marked); + free ensures true; + ensures (forall n#5: ref :: + { read($Heap, n#5, _module.Node.children) } + { read($Heap, n#5, _module.Node.marked) } + { S#0[$Box(n#5)] } + $Is(n#5, Tclass._module.Node()) + ==> + S#0[$Box(n#5)] && read($Heap, n#5, _module.Node.marked) + ==> (forall ch#5: ref :: + { read($Heap, ch#5, _module.Node.marked) } + { Seq#Contains(read($Heap, n#5, _module.Node.children), $Box(ch#5)) } + $Is(ch#5, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#5, _module.Node.children), $Box(ch#5)) + && ch#5 != null + ==> read($Heap, ch#5, _module.Node.marked))); + free ensures true; + ensures (forall n#7: ref :: + { read(old($Heap), n#7, _module.Node.children) } + { read($Heap, n#7, _module.Node.children) } + { read(old($Heap), n#7, _module.Node.childrenVisited) } + { read($Heap, n#7, _module.Node.childrenVisited) } + { S#0[$Box(n#7)] } + $Is(n#7, Tclass._module.Node()) + ==> (S#0[$Box(n#7)] + ==> read($Heap, n#7, _module.Node.childrenVisited) + == read(old($Heap), n#7, _module.Node.childrenVisited)) + && (S#0[$Box(n#7)] + ==> Seq#Equal(read($Heap, n#7, _module.Node.children), + read(old($Heap), n#7, _module.Node.children)))); + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] || S#0[$Box($o)]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +implementation {:verboseName "IterativeMark (correctness)"} Impl$$_module.__default.IterativeMark(root#0: ref, S#0: Set Box) returns ($_reverifyPost: bool) +{ + var $_Frame: [ref,Field beta]bool; + var t#0: ref + where $Is(t#0, Tclass._module.Node?()) && $IsAlloc(t#0, Tclass._module.Node?(), $Heap); + var $rhs#0: bool; + var stackNodes#0: Seq Box + where $Is(stackNodes#0, TSeq(Tclass._module.Node())) + && $IsAlloc(stackNodes#0, TSeq(Tclass._module.Node()), $Heap); + var unmarkedNodes#0: Set Box + where $Is(unmarkedNodes#0, TSet(Tclass._module.Node?())) + && $IsAlloc(unmarkedNodes#0, TSet(Tclass._module.Node?()), $Heap); + var $PreLoopHeap$loop#0: Heap; + var $decr_init$loop#00: Set Box; + var $decr_init$loop#01: Seq Box; + var $decr_init$loop#02: int; + var $w$loop#0: bool; + var i#0: int; + var j#0: int; + var n#8: ref; + var n#10: ref; + var j#2: int; + var newtype$check#2: ref; + var n#12: ref; + var j#4: int; + var n#14: ref; + var ch#6: ref; + var newtype$check#3: ref; + var n#16: ref; + var n#18: ref; + var n#20: ref; + var $decr$loop#00: Set Box; + var $decr$loop#01: Seq Box; + var $decr$loop#02: int; + var $rhs#0_0_0: int; + var $rhs#0_0_1: int; + var newtype$check#0_1_0: ref; + var $rhs#0_1_0_0: int; + var $rhs#0_1_1_0: bool; + + // AddMethodImpl: IterativeMark, Impl$$_module.__default.IterativeMark + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> S#0[$Box($o)]); + $_reverifyPost := false; + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(99,9) + assume true; + assume true; + t#0 := root#0; + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(100,12) + assert t#0 != null; + assume true; + assert $_Frame[t#0, _module.Node.marked]; + assume true; + $rhs#0 := Lit(true); + $Heap := update($Heap, t#0, _module.Node.marked, $rhs#0); + assume $IsGoodHeap($Heap); + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(101,29) + assume true; + assume true; + stackNodes#0 := Lit(Seq#Empty(): Seq Box); + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(102,27) + assume true; + assume true; + unmarkedNodes#0 := Set#Difference(S#0, Set#UnionOne(Set#Empty(): Set Box, $Box(t#0))); + // ----- while statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(103,3) + // Assume Fuel Constant + $PreLoopHeap$loop#0 := $Heap; + $decr_init$loop#00 := unmarkedNodes#0; + $decr_init$loop#01 := stackNodes#0; + $decr_init$loop#02 := Seq#Length(read($Heap, t#0, _module.Node.children)) + - read($Heap, t#0, _module.Node.childrenVisited); + havoc $w$loop#0; + while (true) + free invariant $w$loop#0 ==> true; + invariant $w$loop#0 ==> read($Heap, root#0, _module.Node.marked); + invariant $w$loop#0 ==> S#0[$Box(t#0)]; + invariant $w$loop#0 ==> !Seq#Contains(stackNodes#0, $Box(t#0)); + free invariant $w$loop#0 ==> true; + invariant $w$loop#0 + ==> (forall i#1: int, j#1: int :: + { $Unbox(Seq#Index(stackNodes#0, j#1)): ref, $Unbox(Seq#Index(stackNodes#0, i#1)): ref } + true + ==> + LitInt(0) <= i#1 && i#1 < j#1 && j#1 < Seq#Length(stackNodes#0) + ==> $Unbox(Seq#Index(stackNodes#0, i#1)): ref + != $Unbox(Seq#Index(stackNodes#0, j#1)): ref); + free invariant $w$loop#0 ==> true; + invariant $w$loop#0 + ==> (forall n#9: ref :: + { S#0[$Box(n#9)] } { Seq#Contains(stackNodes#0, $Box(n#9)) } + $Is(n#9, Tclass._module.Node()) + ==> + Seq#Contains(stackNodes#0, $Box(n#9)) + ==> S#0[$Box(n#9)]); + free invariant $w$loop#0 ==> true; + invariant $w$loop#0 + ==> (forall n#11: ref :: + { read($Heap, n#11, _module.Node.marked) } + { Seq#Contains(stackNodes#0, $Box(n#11)) } + $Is(n#11, Tclass._module.Node()) + ==> + Seq#Contains(stackNodes#0, $Box(n#11)) || n#11 == t#0 + ==> read($Heap, n#11, _module.Node.marked)); + invariant $w$loop#0 + ==> (forall n#11: ref :: + { read($Heap, n#11, _module.Node.childrenVisited) } + { Seq#Contains(stackNodes#0, $Box(n#11)) } + $Is(n#11, Tclass._module.Node()) + ==> + Seq#Contains(stackNodes#0, $Box(n#11)) || n#11 == t#0 + ==> LitInt(0) <= read($Heap, n#11, _module.Node.childrenVisited)); + invariant $w$loop#0 + ==> (forall n#11: ref :: + { read($Heap, n#11, _module.Node.children) } + { read($Heap, n#11, _module.Node.childrenVisited) } + { Seq#Contains(stackNodes#0, $Box(n#11)) } + $Is(n#11, Tclass._module.Node()) + ==> (Seq#Contains(stackNodes#0, $Box(n#11)) || n#11 == t#0 + ==> read($Heap, n#11, _module.Node.childrenVisited) + <= Seq#Length(read($Heap, n#11, _module.Node.children))) + && (Seq#Contains(stackNodes#0, $Box(n#11)) || n#11 == t#0 + ==> (forall j#3: int :: + { $Unbox(Seq#Index(read($Heap, n#11, _module.Node.children), j#3)): ref } + true + ==> + LitInt(0) <= j#3 && j#3 < read($Heap, n#11, _module.Node.childrenVisited) + ==> $Unbox(Seq#Index(read($Heap, n#11, _module.Node.children), j#3)): ref == null + || read($Heap, + $Unbox(Seq#Index(read($Heap, n#11, _module.Node.children), j#3)): ref, + _module.Node.marked)))); + free invariant $w$loop#0 ==> true; + invariant $w$loop#0 + ==> (forall n#13: ref :: + { read($Heap, n#13, _module.Node.children) } + { read($Heap, n#13, _module.Node.childrenVisited) } + { Seq#Contains(stackNodes#0, $Box(n#13)) } + $Is(n#13, Tclass._module.Node()) + ==> + Seq#Contains(stackNodes#0, $Box(n#13)) + ==> read($Heap, n#13, _module.Node.childrenVisited) + < Seq#Length(read($Heap, n#13, _module.Node.children))); + free invariant $w$loop#0 ==> true; + invariant $w$loop#0 + ==> (forall j#5: int, _t#0#0: int :: + { $Unbox(Seq#Index(stackNodes#0, _t#0#0)): ref, $Unbox(Seq#Index(stackNodes#0, j#5)): ref } + _t#0#0 == j#5 + 1 + ==> + LitInt(0) <= j#5 && _t#0#0 < Seq#Length(stackNodes#0) + ==> $Unbox(Seq#Index(read($Heap, $Unbox(Seq#Index(stackNodes#0, j#5)): ref, _module.Node.children), + read($Heap, $Unbox(Seq#Index(stackNodes#0, j#5)): ref, _module.Node.childrenVisited))): ref + == $Unbox(Seq#Index(stackNodes#0, _t#0#0)): ref); + free invariant $w$loop#0 ==> true; + invariant $w$loop#0 + ==> + 0 < Seq#Length(stackNodes#0) + ==> $Unbox(Seq#Index(read($Heap, + $Unbox(Seq#Index(stackNodes#0, Seq#Length(stackNodes#0) - 1)): ref, + _module.Node.children), + read($Heap, + $Unbox(Seq#Index(stackNodes#0, Seq#Length(stackNodes#0) - 1)): ref, + _module.Node.childrenVisited))): ref + == t#0; + free invariant $w$loop#0 ==> true; + invariant $w$loop#0 + ==> (forall n#15: ref :: + { read($Heap, n#15, _module.Node.children) } + { Seq#Contains(stackNodes#0, $Box(n#15)) } + { read($Heap, n#15, _module.Node.marked) } + { S#0[$Box(n#15)] } + $Is(n#15, Tclass._module.Node()) + ==> + S#0[$Box(n#15)] + && read($Heap, n#15, _module.Node.marked) + && !Seq#Contains(stackNodes#0, $Box(n#15)) + && n#15 != t#0 + ==> (forall ch#7: ref :: + { read($Heap, ch#7, _module.Node.marked) } + { Seq#Contains(read($Heap, n#15, _module.Node.children), $Box(ch#7)) } + $Is(ch#7, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#15, _module.Node.children), $Box(ch#7)) + && ch#7 != null + ==> read($Heap, ch#7, _module.Node.marked))); + free invariant $w$loop#0 ==> true; + invariant $w$loop#0 + ==> (forall n#17: ref :: + { read(old($Heap), n#17, _module.Node.childrenVisited) } + { read($Heap, n#17, _module.Node.childrenVisited) } + { Seq#Contains(stackNodes#0, $Box(n#17)) } + { S#0[$Box(n#17)] } + $Is(n#17, Tclass._module.Node()) + ==> + S#0[$Box(n#17)] && !Seq#Contains(stackNodes#0, $Box(n#17)) && n#17 != t#0 + ==> read($Heap, n#17, _module.Node.childrenVisited) + == read(old($Heap), n#17, _module.Node.childrenVisited)); + free invariant $w$loop#0 ==> true; + invariant $w$loop#0 + ==> (forall n#19: ref :: + { read(old($Heap), n#19, _module.Node.children) } + { read($Heap, n#19, _module.Node.children) } + { S#0[$Box(n#19)] } + $Is(n#19, Tclass._module.Node()) + ==> + S#0[$Box(n#19)] + ==> Seq#Equal(read($Heap, n#19, _module.Node.children), + read(old($Heap), n#19, _module.Node.children))); + free invariant $w$loop#0 ==> true; + invariant $w$loop#0 + ==> (forall n#21: ref :: + { unmarkedNodes#0[$Box(n#21)] } + { read($Heap, n#21, _module.Node.marked) } + { S#0[$Box(n#21)] } + $Is(n#21, Tclass._module.Node()) + ==> + S#0[$Box(n#21)] && !read($Heap, n#21, _module.Node.marked) + ==> unmarkedNodes#0[$Box(n#21)]); + free invariant (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == $PreLoopHeap$loop#0[$o] || S#0[$Box($o)]); + free invariant $HeapSucc($PreLoopHeap$loop#0, $Heap); + free invariant (forall $o: ref, $f: Field alpha :: + { read($Heap, $o, $f) } + $o != null && read($PreLoopHeap$loop#0, $o, alloc) + ==> read($Heap, $o, $f) == read($PreLoopHeap$loop#0, $o, $f) || $_Frame[$o, $f]); + free invariant Set#Subset(unmarkedNodes#0, $decr_init$loop#00) + && (Set#Equal(unmarkedNodes#0, $decr_init$loop#00) + ==> Seq#Rank(stackNodes#0) <= Seq#Rank($decr_init$loop#01) + && (Seq#Rank(stackNodes#0) == Seq#Rank($decr_init$loop#01) + ==> Seq#Length(read($Heap, t#0, _module.Node.children)) + - read($Heap, t#0, _module.Node.childrenVisited) + <= $decr_init$loop#02 + && (Seq#Length(read($Heap, t#0, _module.Node.children)) + - read($Heap, t#0, _module.Node.childrenVisited) + == $decr_init$loop#02 + ==> true))); + { + if (!$w$loop#0) + { + assert {:subsumption 0} root#0 != null; + if (read($Heap, root#0, _module.Node.marked)) + { + } + + if (read($Heap, root#0, _module.Node.marked) && S#0[$Box(t#0)]) + { + } + + assume true; + assume read($Heap, root#0, _module.Node.marked) + && S#0[$Box(t#0)] + && !Seq#Contains(stackNodes#0, $Box(t#0)); + // Begin Comprehension WF check + havoc i#0; + havoc j#0; + if (true) + { + if (LitInt(0) <= i#0) + { + } + + if (LitInt(0) <= i#0 && i#0 < j#0) + { + } + + if (LitInt(0) <= i#0 && i#0 < j#0 && j#0 < Seq#Length(stackNodes#0)) + { + assert {:subsumption 0} 0 <= i#0 && i#0 < Seq#Length(stackNodes#0); + assert {:subsumption 0} 0 <= j#0 && j#0 < Seq#Length(stackNodes#0); + } + } + + // End Comprehension WF check + assume true; + assume (forall i#1: int, j#1: int :: + { $Unbox(Seq#Index(stackNodes#0, j#1)): ref, $Unbox(Seq#Index(stackNodes#0, i#1)): ref } + true + ==> + LitInt(0) <= i#1 && i#1 < j#1 && j#1 < Seq#Length(stackNodes#0) + ==> $Unbox(Seq#Index(stackNodes#0, i#1)): ref + != $Unbox(Seq#Index(stackNodes#0, j#1)): ref); + // Begin Comprehension WF check + havoc n#8; + if ($Is(n#8, Tclass._module.Node()) && $IsAlloc(n#8, Tclass._module.Node(), $Heap)) + { + if (Seq#Contains(stackNodes#0, $Box(n#8))) + { + } + } + + // End Comprehension WF check + assume true; + assume (forall n#9: ref :: + { S#0[$Box(n#9)] } { Seq#Contains(stackNodes#0, $Box(n#9)) } + $Is(n#9, Tclass._module.Node()) + ==> + Seq#Contains(stackNodes#0, $Box(n#9)) + ==> S#0[$Box(n#9)]); + // Begin Comprehension WF check + havoc n#10; + if ($Is(n#10, Tclass._module.Node()) && $IsAlloc(n#10, Tclass._module.Node(), $Heap)) + { + if (!Seq#Contains(stackNodes#0, $Box(n#10))) + { + } + + if (Seq#Contains(stackNodes#0, $Box(n#10)) || n#10 == t#0) + { + assert {:subsumption 0} n#10 != null; + if (read($Heap, n#10, _module.Node.marked)) + { + assert {:subsumption 0} n#10 != null; + if (LitInt(0) <= read($Heap, n#10, _module.Node.childrenVisited)) + { + assert {:subsumption 0} n#10 != null; + assert {:subsumption 0} n#10 != null; + } + } + + if (read($Heap, n#10, _module.Node.marked) + && + LitInt(0) <= read($Heap, n#10, _module.Node.childrenVisited) + && read($Heap, n#10, _module.Node.childrenVisited) + <= Seq#Length(read($Heap, n#10, _module.Node.children))) + { + // Begin Comprehension WF check + havoc j#2; + if (true) + { + if (LitInt(0) <= j#2) + { + assert {:subsumption 0} n#10 != null; + } + + if (LitInt(0) <= j#2 && j#2 < read($Heap, n#10, _module.Node.childrenVisited)) + { + assert {:subsumption 0} n#10 != null; + assert {:subsumption 0} 0 <= j#2 && j#2 < Seq#Length(read($Heap, n#10, _module.Node.children)); + newtype$check#2 := null; + if ($Unbox(Seq#Index(read($Heap, n#10, _module.Node.children), j#2)): ref != null) + { + assert {:subsumption 0} n#10 != null; + assert {:subsumption 0} 0 <= j#2 && j#2 < Seq#Length(read($Heap, n#10, _module.Node.children)); + assert {:subsumption 0} $Unbox(Seq#Index(read($Heap, n#10, _module.Node.children), j#2)): ref != null; + } + } + } + + // End Comprehension WF check + } + } + } + + // End Comprehension WF check + assume true; + assume (forall n#11: ref :: + { read($Heap, n#11, _module.Node.marked) } + { Seq#Contains(stackNodes#0, $Box(n#11)) } + $Is(n#11, Tclass._module.Node()) + ==> + Seq#Contains(stackNodes#0, $Box(n#11)) || n#11 == t#0 + ==> read($Heap, n#11, _module.Node.marked)) + && (forall n#11: ref :: + { read($Heap, n#11, _module.Node.childrenVisited) } + { Seq#Contains(stackNodes#0, $Box(n#11)) } + $Is(n#11, Tclass._module.Node()) + ==> + Seq#Contains(stackNodes#0, $Box(n#11)) || n#11 == t#0 + ==> LitInt(0) <= read($Heap, n#11, _module.Node.childrenVisited)) + && (forall n#11: ref :: + { read($Heap, n#11, _module.Node.children) } + { read($Heap, n#11, _module.Node.childrenVisited) } + { Seq#Contains(stackNodes#0, $Box(n#11)) } + $Is(n#11, Tclass._module.Node()) + ==> (Seq#Contains(stackNodes#0, $Box(n#11)) || n#11 == t#0 + ==> read($Heap, n#11, _module.Node.childrenVisited) + <= Seq#Length(read($Heap, n#11, _module.Node.children))) + && (Seq#Contains(stackNodes#0, $Box(n#11)) || n#11 == t#0 + ==> (forall j#3: int :: + { $Unbox(Seq#Index(read($Heap, n#11, _module.Node.children), j#3)): ref } + true + ==> + LitInt(0) <= j#3 && j#3 < read($Heap, n#11, _module.Node.childrenVisited) + ==> $Unbox(Seq#Index(read($Heap, n#11, _module.Node.children), j#3)): ref == null + || read($Heap, + $Unbox(Seq#Index(read($Heap, n#11, _module.Node.children), j#3)): ref, + _module.Node.marked)))); + // Begin Comprehension WF check + havoc n#12; + if ($Is(n#12, Tclass._module.Node()) && $IsAlloc(n#12, Tclass._module.Node(), $Heap)) + { + if (Seq#Contains(stackNodes#0, $Box(n#12))) + { + assert {:subsumption 0} n#12 != null; + assert {:subsumption 0} n#12 != null; + } + } + + // End Comprehension WF check + assume true; + assume (forall n#13: ref :: + { read($Heap, n#13, _module.Node.children) } + { read($Heap, n#13, _module.Node.childrenVisited) } + { Seq#Contains(stackNodes#0, $Box(n#13)) } + $Is(n#13, Tclass._module.Node()) + ==> + Seq#Contains(stackNodes#0, $Box(n#13)) + ==> read($Heap, n#13, _module.Node.childrenVisited) + < Seq#Length(read($Heap, n#13, _module.Node.children))); + // Begin Comprehension WF check + havoc j#4; + if (true) + { + if (LitInt(0) <= j#4) + { + } + + if (LitInt(0) <= j#4 && j#4 + 1 < Seq#Length(stackNodes#0)) + { + assert {:subsumption 0} 0 <= j#4 && j#4 < Seq#Length(stackNodes#0); + assert {:subsumption 0} $Unbox(Seq#Index(stackNodes#0, j#4)): ref != null; + assert {:subsumption 0} 0 <= j#4 && j#4 < Seq#Length(stackNodes#0); + assert {:subsumption 0} $Unbox(Seq#Index(stackNodes#0, j#4)): ref != null; + assert {:subsumption 0} 0 + <= read($Heap, $Unbox(Seq#Index(stackNodes#0, j#4)): ref, _module.Node.childrenVisited) + && read($Heap, $Unbox(Seq#Index(stackNodes#0, j#4)): ref, _module.Node.childrenVisited) + < Seq#Length(read($Heap, $Unbox(Seq#Index(stackNodes#0, j#4)): ref, _module.Node.children)); + assert {:subsumption 0} 0 <= j#4 + 1 && j#4 + 1 < Seq#Length(stackNodes#0); + } + } + + // End Comprehension WF check + assume true; + assume (forall j#5: int, _t#0#0: int :: + { $Unbox(Seq#Index(stackNodes#0, _t#0#0)): ref, $Unbox(Seq#Index(stackNodes#0, j#5)): ref } + _t#0#0 == j#5 + 1 + ==> + LitInt(0) <= j#5 && _t#0#0 < Seq#Length(stackNodes#0) + ==> $Unbox(Seq#Index(read($Heap, $Unbox(Seq#Index(stackNodes#0, j#5)): ref, _module.Node.children), + read($Heap, $Unbox(Seq#Index(stackNodes#0, j#5)): ref, _module.Node.childrenVisited))): ref + == $Unbox(Seq#Index(stackNodes#0, _t#0#0)): ref); + if (0 < Seq#Length(stackNodes#0)) + { + assert {:subsumption 0} 0 <= Seq#Length(stackNodes#0) - 1 + && Seq#Length(stackNodes#0) - 1 < Seq#Length(stackNodes#0); + assert {:subsumption 0} $Unbox(Seq#Index(stackNodes#0, Seq#Length(stackNodes#0) - 1)): ref != null; + assert {:subsumption 0} 0 <= Seq#Length(stackNodes#0) - 1 + && Seq#Length(stackNodes#0) - 1 < Seq#Length(stackNodes#0); + assert {:subsumption 0} $Unbox(Seq#Index(stackNodes#0, Seq#Length(stackNodes#0) - 1)): ref != null; + assert {:subsumption 0} 0 + <= read($Heap, + $Unbox(Seq#Index(stackNodes#0, Seq#Length(stackNodes#0) - 1)): ref, + _module.Node.childrenVisited) + && read($Heap, + $Unbox(Seq#Index(stackNodes#0, Seq#Length(stackNodes#0) - 1)): ref, + _module.Node.childrenVisited) + < Seq#Length(read($Heap, + $Unbox(Seq#Index(stackNodes#0, Seq#Length(stackNodes#0) - 1)): ref, + _module.Node.children)); + } + + assume true; + assume 0 < Seq#Length(stackNodes#0) + ==> $Unbox(Seq#Index(read($Heap, + $Unbox(Seq#Index(stackNodes#0, Seq#Length(stackNodes#0) - 1)): ref, + _module.Node.children), + read($Heap, + $Unbox(Seq#Index(stackNodes#0, Seq#Length(stackNodes#0) - 1)): ref, + _module.Node.childrenVisited))): ref + == t#0; + // Begin Comprehension WF check + havoc n#14; + if ($Is(n#14, Tclass._module.Node()) && $IsAlloc(n#14, Tclass._module.Node(), $Heap)) + { + if (S#0[$Box(n#14)]) + { + assert {:subsumption 0} n#14 != null; + } + + if (S#0[$Box(n#14)] && read($Heap, n#14, _module.Node.marked)) + { + } + + if (S#0[$Box(n#14)] + && read($Heap, n#14, _module.Node.marked) + && !Seq#Contains(stackNodes#0, $Box(n#14))) + { + } + + if (S#0[$Box(n#14)] + && read($Heap, n#14, _module.Node.marked) + && !Seq#Contains(stackNodes#0, $Box(n#14)) + && n#14 != t#0) + { + // Begin Comprehension WF check + havoc ch#6; + if ($Is(ch#6, Tclass._module.Node?()) + && $IsAlloc(ch#6, Tclass._module.Node?(), $Heap)) + { + assert {:subsumption 0} n#14 != null; + if (Seq#Contains(read($Heap, n#14, _module.Node.children), $Box(ch#6))) + { + newtype$check#3 := null; + } + + if (Seq#Contains(read($Heap, n#14, _module.Node.children), $Box(ch#6)) + && ch#6 != null) + { + assert {:subsumption 0} ch#6 != null; + } + } + + // End Comprehension WF check + } + } + + // End Comprehension WF check + assume true; + assume (forall n#15: ref :: + { read($Heap, n#15, _module.Node.children) } + { Seq#Contains(stackNodes#0, $Box(n#15)) } + { read($Heap, n#15, _module.Node.marked) } + { S#0[$Box(n#15)] } + $Is(n#15, Tclass._module.Node()) + ==> + S#0[$Box(n#15)] + && read($Heap, n#15, _module.Node.marked) + && !Seq#Contains(stackNodes#0, $Box(n#15)) + && n#15 != t#0 + ==> (forall ch#7: ref :: + { read($Heap, ch#7, _module.Node.marked) } + { Seq#Contains(read($Heap, n#15, _module.Node.children), $Box(ch#7)) } + $Is(ch#7, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#15, _module.Node.children), $Box(ch#7)) + && ch#7 != null + ==> read($Heap, ch#7, _module.Node.marked))); + // Begin Comprehension WF check + havoc n#16; + if ($Is(n#16, Tclass._module.Node()) && $IsAlloc(n#16, Tclass._module.Node(), $Heap)) + { + if (S#0[$Box(n#16)]) + { + } + + if (S#0[$Box(n#16)] && !Seq#Contains(stackNodes#0, $Box(n#16))) + { + } + + if (S#0[$Box(n#16)] && !Seq#Contains(stackNodes#0, $Box(n#16)) && n#16 != t#0) + { + assert {:subsumption 0} n#16 != null; + assert {:subsumption 0} n#16 != null; + assert $IsAlloc(n#16, Tclass._module.Node(), old($Heap)); + } + } + + // End Comprehension WF check + assume true; + assume (forall n#17: ref :: + { read(old($Heap), n#17, _module.Node.childrenVisited) } + { read($Heap, n#17, _module.Node.childrenVisited) } + { Seq#Contains(stackNodes#0, $Box(n#17)) } + { S#0[$Box(n#17)] } + $Is(n#17, Tclass._module.Node()) + ==> + S#0[$Box(n#17)] && !Seq#Contains(stackNodes#0, $Box(n#17)) && n#17 != t#0 + ==> read($Heap, n#17, _module.Node.childrenVisited) + == read(old($Heap), n#17, _module.Node.childrenVisited)); + // Begin Comprehension WF check + havoc n#18; + if ($Is(n#18, Tclass._module.Node()) && $IsAlloc(n#18, Tclass._module.Node(), $Heap)) + { + if (S#0[$Box(n#18)]) + { + assert {:subsumption 0} n#18 != null; + assert {:subsumption 0} n#18 != null; + assert $IsAlloc(n#18, Tclass._module.Node(), old($Heap)); + } + } + + // End Comprehension WF check + assume true; + assume (forall n#19: ref :: + { read(old($Heap), n#19, _module.Node.children) } + { read($Heap, n#19, _module.Node.children) } + { S#0[$Box(n#19)] } + $Is(n#19, Tclass._module.Node()) + ==> + S#0[$Box(n#19)] + ==> Seq#Equal(read($Heap, n#19, _module.Node.children), + read(old($Heap), n#19, _module.Node.children))); + // Begin Comprehension WF check + havoc n#20; + if ($Is(n#20, Tclass._module.Node()) && $IsAlloc(n#20, Tclass._module.Node(), $Heap)) + { + if (S#0[$Box(n#20)]) + { + assert {:subsumption 0} n#20 != null; + } + + if (S#0[$Box(n#20)] && !read($Heap, n#20, _module.Node.marked)) + { + } + } + + // End Comprehension WF check + assume true; + assume (forall n#21: ref :: + { unmarkedNodes#0[$Box(n#21)] } + { read($Heap, n#21, _module.Node.marked) } + { S#0[$Box(n#21)] } + $Is(n#21, Tclass._module.Node()) + ==> + S#0[$Box(n#21)] && !read($Heap, n#21, _module.Node.marked) + ==> unmarkedNodes#0[$Box(n#21)]); + assume true; + assume true; + assert t#0 != null; + assert t#0 != null; + assume true; + assume false; + } + + assume true; + if (!Lit(true)) + { + break; + } + + $decr$loop#00 := unmarkedNodes#0; + $decr$loop#01 := stackNodes#0; + $decr$loop#02 := Seq#Length(read($Heap, t#0, _module.Node.children)) + - read($Heap, t#0, _module.Node.childrenVisited); + // ----- if statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(128,5) + assert t#0 != null; + assert t#0 != null; + assume true; + if (read($Heap, t#0, _module.Node.childrenVisited) + == Seq#Length(read($Heap, t#0, _module.Node.children))) + { + // ----- assert statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(129,7) + assume true; + assert {:focus} Lit(true); + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(131,25) + assert t#0 != null; + assume true; + assert $_Frame[t#0, _module.Node.childrenVisited]; + assume true; + assert $Is(LitInt(0), Tclass._System.nat()); + $rhs#0_0_0 := LitInt(0); + $Heap := update($Heap, t#0, _module.Node.childrenVisited, $rhs#0_0_0); + assume $IsGoodHeap($Heap); + // ----- if statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(132,7) + assume true; + if (Seq#Length(stackNodes#0) == LitInt(0)) + { + // ----- return statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(133,9) + return; + } + else + { + } + + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(135,9) + assume true; + assert 0 <= Seq#Length(stackNodes#0) - 1 + && Seq#Length(stackNodes#0) - 1 < Seq#Length(stackNodes#0); + assume true; + t#0 := $Unbox(Seq#Index(stackNodes#0, Seq#Length(stackNodes#0) - 1)): ref; + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(136,18) + assume true; + assert 0 <= Seq#Length(stackNodes#0) - 1 + && Seq#Length(stackNodes#0) - 1 <= Seq#Length(stackNodes#0); + assume true; + stackNodes#0 := Seq#Take(stackNodes#0, Seq#Length(stackNodes#0) - 1); + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(137,25) + assert t#0 != null; + assume true; + assert $_Frame[t#0, _module.Node.childrenVisited]; + assert t#0 != null; + assume true; + assert $Is(read($Heap, t#0, _module.Node.childrenVisited) + 1, Tclass._System.nat()); + $rhs#0_0_1 := read($Heap, t#0, _module.Node.childrenVisited) + 1; + $Heap := update($Heap, t#0, _module.Node.childrenVisited, $rhs#0_0_1); + assume $IsGoodHeap($Heap); + } + else + { + // ----- if statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(138,12) + assert t#0 != null; + assert t#0 != null; + assert 0 <= read($Heap, t#0, _module.Node.childrenVisited) + && read($Heap, t#0, _module.Node.childrenVisited) + < Seq#Length(read($Heap, t#0, _module.Node.children)); + newtype$check#0_1_0 := null; + if ($Unbox(Seq#Index(read($Heap, t#0, _module.Node.children), + read($Heap, t#0, _module.Node.childrenVisited))): ref + != null) + { + assert t#0 != null; + assert t#0 != null; + assert 0 <= read($Heap, t#0, _module.Node.childrenVisited) + && read($Heap, t#0, _module.Node.childrenVisited) + < Seq#Length(read($Heap, t#0, _module.Node.children)); + assert $Unbox(Seq#Index(read($Heap, t#0, _module.Node.children), + read($Heap, t#0, _module.Node.childrenVisited))): ref + != null; + } + + assume true; + if ($Unbox(Seq#Index(read($Heap, t#0, _module.Node.children), + read($Heap, t#0, _module.Node.childrenVisited))): ref + == null + || read($Heap, + $Unbox(Seq#Index(read($Heap, t#0, _module.Node.children), + read($Heap, t#0, _module.Node.childrenVisited))): ref, + _module.Node.marked)) + { + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(140,25) + assert t#0 != null; + assume true; + assert $_Frame[t#0, _module.Node.childrenVisited]; + assert t#0 != null; + assume true; + assert $Is(read($Heap, t#0, _module.Node.childrenVisited) + 1, Tclass._System.nat()); + $rhs#0_1_0_0 := read($Heap, t#0, _module.Node.childrenVisited) + 1; + $Heap := update($Heap, t#0, _module.Node.childrenVisited, $rhs#0_1_0_0); + assume $IsGoodHeap($Heap); + } + else + { + // ----- assert statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(142,7) + assume true; + assert {:focus} Lit(true); + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(144,18) + assume true; + assume true; + assert $Is(Seq#Append(stackNodes#0, Seq#Build(Seq#Empty(): Seq Box, $Box(t#0))), + TSeq(Tclass._module.Node())); + stackNodes#0 := Seq#Append(stackNodes#0, Seq#Build(Seq#Empty(): Seq Box, $Box(t#0))); + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(145,9) + assume true; + assert t#0 != null; + assert t#0 != null; + assert 0 <= read($Heap, t#0, _module.Node.childrenVisited) + && read($Heap, t#0, _module.Node.childrenVisited) + < Seq#Length(read($Heap, t#0, _module.Node.children)); + assume true; + t#0 := $Unbox(Seq#Index(read($Heap, t#0, _module.Node.children), + read($Heap, t#0, _module.Node.childrenVisited))): ref; + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(146,16) + assert t#0 != null; + assume true; + assert $_Frame[t#0, _module.Node.marked]; + assume true; + $rhs#0_1_1_0 := Lit(true); + $Heap := update($Heap, t#0, _module.Node.marked, $rhs#0_1_1_0); + assume $IsGoodHeap($Heap); + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(147,21) + assume true; + assume true; + unmarkedNodes#0 := Set#Difference(unmarkedNodes#0, Set#UnionOne(Set#Empty(): Set Box, $Box(t#0))); + } + } + + // ----- loop termination check ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(103,3) + assert 0 <= $decr$loop#02 + || (Set#Subset(unmarkedNodes#0, $decr$loop#00) + && !Set#Subset($decr$loop#00, unmarkedNodes#0)) + || Seq#Rank(stackNodes#0) < Seq#Rank($decr$loop#01) + || Seq#Length(read($Heap, t#0, _module.Node.children)) + - read($Heap, t#0, _module.Node.childrenVisited) + == $decr$loop#02; + assert (Set#Subset(unmarkedNodes#0, $decr$loop#00) + && !Set#Subset($decr$loop#00, unmarkedNodes#0)) + || (Set#Equal(unmarkedNodes#0, $decr$loop#00) + && (Seq#Rank(stackNodes#0) < Seq#Rank($decr$loop#01) + || (Seq#Rank(stackNodes#0) == Seq#Rank($decr$loop#01) + && Seq#Length(read($Heap, t#0, _module.Node.children)) + - read($Heap, t#0, _module.Node.childrenVisited) + < $decr$loop#02))); + assume true; + } +} + + + +// function declaration for _module._default.Reachable +function _module.__default.Reachable($heap: Heap, source#0: ref, sink#0: ref, S#0: Set Box) : bool; + +function _module.__default.Reachable#canCall($heap: Heap, source#0: ref, sink#0: ref, S#0: Set Box) : bool; + +// frame axiom for _module.__default.Reachable +axiom (forall $h0: Heap, $h1: Heap, source#0: ref, sink#0: ref, S#0: Set Box :: + { $IsHeapAnchor($h0), $HeapSucc($h0, $h1), _module.__default.Reachable($h1, source#0, sink#0, S#0) } + $IsGoodHeap($h0) + && $IsGoodHeap($h1) + && (_module.__default.Reachable#canCall($h0, source#0, sink#0, S#0) + || ( + $Is(source#0, Tclass._module.Node()) + && $Is(sink#0, Tclass._module.Node()) + && $Is(S#0, TSet(Tclass._module.Node())))) + && + $IsHeapAnchor($h0) + && $HeapSucc($h0, $h1) + ==> + (forall $o: ref, $f: Field alpha :: + $o != null && S#0[$Box($o)] ==> read($h0, $o, $f) == read($h1, $o, $f)) + ==> _module.__default.Reachable($h0, source#0, sink#0, S#0) + == _module.__default.Reachable($h1, source#0, sink#0, S#0)); + +// consequence axiom for _module.__default.Reachable +axiom 3 <= $FunctionContextHeight + ==> (forall $Heap: Heap, source#0: ref, sink#0: ref, S#0: Set Box :: + { _module.__default.Reachable($Heap, source#0, sink#0, S#0) } + _module.__default.Reachable#canCall($Heap, source#0, sink#0, S#0) + || (3 != $FunctionContextHeight + && + $IsGoodHeap($Heap) + && $Is(source#0, Tclass._module.Node()) + && $Is(sink#0, Tclass._module.Node()) + && $Is(S#0, TSet(Tclass._module.Node()))) + ==> true); + +function _module.__default.Reachable#requires(Heap, ref, ref, Set Box) : bool; + +// #requires axiom for _module.__default.Reachable +axiom (forall $Heap: Heap, source#0: ref, sink#0: ref, S#0: Set Box :: + { _module.__default.Reachable#requires($Heap, source#0, sink#0, S#0), $IsGoodHeap($Heap) } + $IsGoodHeap($Heap) + && $Is(source#0, Tclass._module.Node()) + && $Is(sink#0, Tclass._module.Node()) + && $Is(S#0, TSet(Tclass._module.Node())) + ==> _module.__default.Reachable#requires($Heap, source#0, sink#0, S#0) == true); + +// definition axiom for _module.__default.Reachable (revealed) +axiom 3 <= $FunctionContextHeight + ==> (forall $Heap: Heap, source#0: ref, sink#0: ref, S#0: Set Box :: + { _module.__default.Reachable($Heap, source#0, sink#0, S#0), $IsGoodHeap($Heap) } + _module.__default.Reachable#canCall($Heap, source#0, sink#0, S#0) + || (3 != $FunctionContextHeight + && + $IsGoodHeap($Heap) + && $Is(source#0, Tclass._module.Node()) + && $Is(sink#0, Tclass._module.Node()) + && $Is(S#0, TSet(Tclass._module.Node()))) + ==> (forall via#0: DatatypeType :: + { _module.__default.ReachableVia($LS($LZ), $Heap, source#0, via#0, sink#0, S#0) } + $Is(via#0, Tclass._module.Path()) + ==> _module.__default.ReachableVia#canCall($Heap, source#0, via#0, sink#0, S#0)) + && _module.__default.Reachable($Heap, source#0, sink#0, S#0) + == (exists via#0: DatatypeType :: + { _module.__default.ReachableVia($LS($LZ), $Heap, source#0, via#0, sink#0, S#0) } + $Is(via#0, Tclass._module.Path()) + && _module.__default.ReachableVia($LS($LZ), $Heap, source#0, via#0, sink#0, S#0))); + +procedure {:verboseName "Reachable (well-formedness)"} CheckWellformed$$_module.__default.Reachable(source#0: ref where $Is(source#0, Tclass._module.Node()), + sink#0: ref where $Is(sink#0, Tclass._module.Node()), + S#0: Set Box where $Is(S#0, TSet(Tclass._module.Node()))); + free requires 3 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +implementation {:verboseName "Reachable (well-formedness)"} CheckWellformed$$_module.__default.Reachable(source#0: ref, sink#0: ref, S#0: Set Box) +{ + var $_Frame: [ref,Field beta]bool; + var via#1: DatatypeType; + var ##source#0: ref; + var ##p#0: DatatypeType; + var ##sink#0: ref; + var ##S#0: Set Box; + var b$reqreads#0: bool; + + b$reqreads#0 := true; + + // AddWellformednessCheck for function Reachable + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> S#0[$Box($o)]); + if (*) + { + assume false; + } + else + { + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> S#0[$Box($o)]); + // Begin Comprehension WF check + havoc via#1; + if ($Is(via#1, Tclass._module.Path()) + && $IsAlloc(via#1, Tclass._module.Path(), $Heap)) + { + ##source#0 := source#0; + // assume allocatedness for argument to function + assume $IsAlloc(##source#0, Tclass._module.Node(), $Heap); + ##p#0 := via#1; + // assume allocatedness for argument to function + assume $IsAlloc(##p#0, Tclass._module.Path(), $Heap); + ##sink#0 := sink#0; + // assume allocatedness for argument to function + assume $IsAlloc(##sink#0, Tclass._module.Node(), $Heap); + ##S#0 := S#0; + // assume allocatedness for argument to function + assume $IsAlloc(##S#0, TSet(Tclass._module.Node()), $Heap); + b$reqreads#0 := (forall $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) && ##S#0[$Box($o)] ==> $_Frame[$o, $f]); + assume _module.__default.ReachableVia#canCall($Heap, source#0, via#1, sink#0, S#0); + } + + // End Comprehension WF check + assume _module.__default.Reachable($Heap, source#0, sink#0, S#0) + == (exists via#2: DatatypeType :: + { _module.__default.ReachableVia($LS($LZ), $Heap, source#0, via#2, sink#0, S#0) } + $Is(via#2, Tclass._module.Path()) + && _module.__default.ReachableVia($LS($LZ), $Heap, source#0, via#2, sink#0, S#0)); + assume (forall via#2: DatatypeType :: + { _module.__default.ReachableVia($LS($LZ), $Heap, source#0, via#2, sink#0, S#0) } + $Is(via#2, Tclass._module.Path()) + ==> _module.__default.ReachableVia#canCall($Heap, source#0, via#2, sink#0, S#0)); + // CheckWellformedWithResult: any expression + assume $Is(_module.__default.Reachable($Heap, source#0, sink#0, S#0), TBool); + assert b$reqreads#0; + } +} + + + +// function declaration for _module._default.ReachableVia +function _module.__default.ReachableVia($ly: LayerType, + $heap: Heap, + source#0: ref, + p#0: DatatypeType, + sink#0: ref, + S#0: Set Box) + : bool; + +function _module.__default.ReachableVia#canCall($heap: Heap, source#0: ref, p#0: DatatypeType, sink#0: ref, S#0: Set Box) : bool; + +// layer synonym axiom +axiom (forall $ly: LayerType, + $Heap: Heap, + source#0: ref, + p#0: DatatypeType, + sink#0: ref, + S#0: Set Box :: + { _module.__default.ReachableVia($LS($ly), $Heap, source#0, p#0, sink#0, S#0) } + _module.__default.ReachableVia($LS($ly), $Heap, source#0, p#0, sink#0, S#0) + == _module.__default.ReachableVia($ly, $Heap, source#0, p#0, sink#0, S#0)); + +// fuel synonym axiom +axiom (forall $ly: LayerType, + $Heap: Heap, + source#0: ref, + p#0: DatatypeType, + sink#0: ref, + S#0: Set Box :: + { _module.__default.ReachableVia(AsFuelBottom($ly), $Heap, source#0, p#0, sink#0, S#0) } + _module.__default.ReachableVia($ly, $Heap, source#0, p#0, sink#0, S#0) + == _module.__default.ReachableVia($LZ, $Heap, source#0, p#0, sink#0, S#0)); + +// frame axiom for _module.__default.ReachableVia +axiom (forall $ly: LayerType, + $h0: Heap, + $h1: Heap, + source#0: ref, + p#0: DatatypeType, + sink#0: ref, + S#0: Set Box :: + { $IsHeapAnchor($h0), $HeapSucc($h0, $h1), _module.__default.ReachableVia($ly, $h1, source#0, p#0, sink#0, S#0) } + $IsGoodHeap($h0) + && $IsGoodHeap($h1) + && (_module.__default.ReachableVia#canCall($h0, source#0, p#0, sink#0, S#0) + || ( + $Is(source#0, Tclass._module.Node()) + && $Is(p#0, Tclass._module.Path()) + && $Is(sink#0, Tclass._module.Node()) + && $Is(S#0, TSet(Tclass._module.Node())))) + && + $IsHeapAnchor($h0) + && $HeapSucc($h0, $h1) + ==> + (forall $o: ref, $f: Field alpha :: + $o != null && S#0[$Box($o)] ==> read($h0, $o, $f) == read($h1, $o, $f)) + ==> _module.__default.ReachableVia($ly, $h0, source#0, p#0, sink#0, S#0) + == _module.__default.ReachableVia($ly, $h1, source#0, p#0, sink#0, S#0)); + +// consequence axiom for _module.__default.ReachableVia +axiom 2 <= $FunctionContextHeight + ==> (forall $ly: LayerType, + $Heap: Heap, + source#0: ref, + p#0: DatatypeType, + sink#0: ref, + S#0: Set Box :: + { _module.__default.ReachableVia($ly, $Heap, source#0, p#0, sink#0, S#0) } + _module.__default.ReachableVia#canCall($Heap, source#0, p#0, sink#0, S#0) + || (2 != $FunctionContextHeight + && + $IsGoodHeap($Heap) + && $Is(source#0, Tclass._module.Node()) + && $Is(p#0, Tclass._module.Path()) + && $Is(sink#0, Tclass._module.Node()) + && $Is(S#0, TSet(Tclass._module.Node()))) + ==> (forall $olderHeap: Heap :: + { $OlderTag($olderHeap) } + $IsGoodHeap($olderHeap) + && $OlderTag($olderHeap) + && + _module.__default.ReachableVia($ly, $Heap, source#0, p#0, sink#0, S#0) + && + $IsAlloc(source#0, Tclass._module.Node(), $olderHeap) + && $IsAlloc(sink#0, Tclass._module.Node(), $olderHeap) + && $IsAlloc(S#0, TSet(Tclass._module.Node()), $olderHeap) + ==> $IsAlloc(p#0, Tclass._module.Path(), $olderHeap))); + +function _module.__default.ReachableVia#requires(LayerType, Heap, ref, DatatypeType, ref, Set Box) : bool; + +// #requires axiom for _module.__default.ReachableVia +axiom (forall $ly: LayerType, + $Heap: Heap, + source#0: ref, + p#0: DatatypeType, + sink#0: ref, + S#0: Set Box :: + { _module.__default.ReachableVia#requires($ly, $Heap, source#0, p#0, sink#0, S#0), $IsGoodHeap($Heap) } + $IsGoodHeap($Heap) + && $Is(source#0, Tclass._module.Node()) + && $Is(p#0, Tclass._module.Path()) + && $Is(sink#0, Tclass._module.Node()) + && $Is(S#0, TSet(Tclass._module.Node())) + ==> _module.__default.ReachableVia#requires($ly, $Heap, source#0, p#0, sink#0, S#0) + == true); + +// definition axiom for _module.__default.ReachableVia (revealed) +axiom 2 <= $FunctionContextHeight + ==> (forall $ly: LayerType, + $Heap: Heap, + source#0: ref, + p#0: DatatypeType, + sink#0: ref, + S#0: Set Box :: + { _module.__default.ReachableVia($LS($ly), $Heap, source#0, p#0, sink#0, S#0), $IsGoodHeap($Heap) } + _module.__default.ReachableVia#canCall($Heap, source#0, p#0, sink#0, S#0) + || (2 != $FunctionContextHeight + && + $IsGoodHeap($Heap) + && $Is(source#0, Tclass._module.Node()) + && $Is(p#0, Tclass._module.Path()) + && $Is(sink#0, Tclass._module.Node()) + && $Is(S#0, TSet(Tclass._module.Node()))) + ==> (!_module.Path.Empty_q(p#0) + ==> (var n#1 := _module.Path._h1(p#0); + (var prefix#1 := _module.Path._h0(p#0); + S#0[$Box(n#1)] + ==> + Seq#Contains(read($Heap, n#1, _module.Node.children), $Box(sink#0)) + ==> _module.__default.ReachableVia#canCall($Heap, source#0, prefix#1, n#1, S#0)))) + && _module.__default.ReachableVia($LS($ly), $Heap, source#0, p#0, sink#0, S#0) + == (if _module.Path.Empty_q(p#0) + then source#0 == sink#0 + else (var n#0 := _module.Path._h1(p#0); + (var prefix#0 := _module.Path._h0(p#0); + S#0[$Box(n#0)] + && Seq#Contains(read($Heap, n#0, _module.Node.children), $Box(sink#0)) + && _module.__default.ReachableVia($ly, $Heap, source#0, prefix#0, n#0, S#0))))); + +procedure {:verboseName "ReachableVia (well-formedness)"} CheckWellformed$$_module.__default.ReachableVia(source#0: ref where $Is(source#0, Tclass._module.Node()), + p#0: DatatypeType where $Is(p#0, Tclass._module.Path()), + sink#0: ref where $Is(sink#0, Tclass._module.Node()), + S#0: Set Box where $Is(S#0, TSet(Tclass._module.Node()))); + free requires 2 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +implementation {:verboseName "ReachableVia (well-formedness)"} CheckWellformed$$_module.__default.ReachableVia(source#0: ref, p#0: DatatypeType, sink#0: ref, S#0: Set Box) +{ + var $_Frame: [ref,Field beta]bool; + var _mcc#0#0: DatatypeType; + var _mcc#1#0: ref; + var n#Z#0: ref; + var let#0#0#0: ref; + var prefix#Z#0: DatatypeType; + var let#1#0#0: DatatypeType; + var ##source#0: ref; + var ##p#0: DatatypeType; + var ##sink#0: ref; + var ##S#0: Set Box; + var b$reqreads#0: bool; + var b$reqreads#1: bool; + + b$reqreads#0 := true; + b$reqreads#1 := true; + + // AddWellformednessCheck for function ReachableVia + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> S#0[$Box($o)]); + if (*) + { + assume false; + } + else + { + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> S#0[$Box($o)]); + if (p#0 == #_module.Path.Empty()) + { + assume _module.__default.ReachableVia($LS($LZ), $Heap, source#0, p#0, sink#0, S#0) + == + (source#0 + == sink#0); + assume true; + // CheckWellformedWithResult: any expression + assume $Is(_module.__default.ReachableVia($LS($LZ), $Heap, source#0, p#0, sink#0, S#0), + TBool); + } + else if (p#0 == #_module.Path.Extend(_mcc#0#0, _mcc#1#0)) + { + assume $Is(_mcc#0#0, Tclass._module.Path()); + assume $Is(_mcc#1#0, Tclass._module.Node()); + havoc n#Z#0; + assume $Is(n#Z#0, Tclass._module.Node()) + && $IsAlloc(n#Z#0, Tclass._module.Node(), $Heap); + assume let#0#0#0 == _mcc#1#0; + assume true; + // CheckWellformedWithResult: any expression + assume $Is(let#0#0#0, Tclass._module.Node()); + assume n#Z#0 == let#0#0#0; + havoc prefix#Z#0; + assume $Is(prefix#Z#0, Tclass._module.Path()) + && $IsAlloc(prefix#Z#0, Tclass._module.Path(), $Heap); + assume let#1#0#0 == _mcc#0#0; + assume true; + // CheckWellformedWithResult: any expression + assume $Is(let#1#0#0, Tclass._module.Path()); + assume prefix#Z#0 == let#1#0#0; + if (S#0[$Box(n#Z#0)]) + { + assert n#Z#0 != null; + b$reqreads#0 := $_Frame[n#Z#0, _module.Node.children]; + } + + if (S#0[$Box(n#Z#0)] + && Seq#Contains(read($Heap, n#Z#0, _module.Node.children), $Box(sink#0))) + { + ##source#0 := source#0; + // assume allocatedness for argument to function + assume $IsAlloc(##source#0, Tclass._module.Node(), $Heap); + ##p#0 := prefix#Z#0; + // assume allocatedness for argument to function + assume $IsAlloc(##p#0, Tclass._module.Path(), $Heap); + ##sink#0 := n#Z#0; + // assume allocatedness for argument to function + assume $IsAlloc(##sink#0, Tclass._module.Node(), $Heap); + ##S#0 := S#0; + // assume allocatedness for argument to function + assume $IsAlloc(##S#0, TSet(Tclass._module.Node()), $Heap); + b$reqreads#1 := (forall $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) && ##S#0[$Box($o)] ==> $_Frame[$o, $f]); + assert DtRank(##p#0) < DtRank(p#0); + assume _module.__default.ReachableVia#canCall($Heap, source#0, prefix#Z#0, n#Z#0, S#0); + } + + assume _module.__default.ReachableVia($LS($LZ), $Heap, source#0, p#0, sink#0, S#0) + == ( + S#0[$Box(n#Z#0)] + && Seq#Contains(read($Heap, n#Z#0, _module.Node.children), $Box(sink#0)) + && _module.__default.ReachableVia($LS($LZ), $Heap, source#0, prefix#Z#0, n#Z#0, S#0)); + assume S#0[$Box(n#Z#0)] + ==> + Seq#Contains(read($Heap, n#Z#0, _module.Node.children), $Box(sink#0)) + ==> _module.__default.ReachableVia#canCall($Heap, source#0, prefix#Z#0, n#Z#0, S#0); + // CheckWellformedWithResult: any expression + assume $Is(_module.__default.ReachableVia($LS($LZ), $Heap, source#0, p#0, sink#0, S#0), + TBool); + } + else + { + assume false; + } + + assert b$reqreads#0; + assert b$reqreads#1; + assert (forall $olderHeap: Heap :: + { $OlderTag($olderHeap) } + $IsGoodHeap($olderHeap) + && $OlderTag($olderHeap) + && + _module.__default.ReachableVia($LS($LZ), $Heap, source#0, p#0, sink#0, S#0) + && + $IsAlloc(source#0, Tclass._module.Node(), $olderHeap) + && $IsAlloc(sink#0, Tclass._module.Node(), $olderHeap) + && $IsAlloc(S#0, TSet(Tclass._module.Node()), $olderHeap) + ==> $IsAlloc(p#0, Tclass._module.Path(), $olderHeap)); + } +} + + + +procedure {:verboseName "SchorrWaite (well-formedness)"} CheckWellFormed$$_module.__default.SchorrWaite(root#0: ref + where $Is(root#0, Tclass._module.Node()) + && $IsAlloc(root#0, Tclass._module.Node(), $Heap), + S#0: Set Box + where $Is(S#0, TSet(Tclass._module.Node())) + && $IsAlloc(S#0, TSet(Tclass._module.Node()), $Heap)); + free requires 4 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +implementation {:verboseName "SchorrWaite (well-formedness)"} CheckWellFormed$$_module.__default.SchorrWaite(root#0: ref, S#0: Set Box) +{ + var $_Frame: [ref,Field beta]bool; + var n#0: ref; + var ch#0: ref; + var newtype$check#0: ref; + var n#2: ref; + var n#4: ref; + var ch#3: ref; + var newtype$check#1: ref; + var n#6: ref; + var ##source#0: ref; + var ##sink#0: ref; + var ##S#0: Set Box; + var n#8: ref; + + // AddMethodImpl: SchorrWaite, CheckWellFormed$$_module.__default.SchorrWaite + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> S#0[$Box($o)]); + assume S#0[$Box(root#0)]; + havoc n#0; + assume $Is(n#0, Tclass._module.Node()) && $IsAlloc(n#0, Tclass._module.Node(), $Heap); + if (*) + { + assume S#0[$Box(n#0)]; + havoc ch#0; + assume $Is(ch#0, Tclass._module.Node?()) + && $IsAlloc(ch#0, Tclass._module.Node?(), $Heap); + if (*) + { + assert n#0 != null; + assume Seq#Contains(read($Heap, n#0, _module.Node.children), $Box(ch#0)); + if (*) + { + newtype$check#0 := null; + assume ch#0 == null; + } + else + { + assume ch#0 != null; + assume S#0[$Box(ch#0)]; + } + } + else + { + assume Seq#Contains(read($Heap, n#0, _module.Node.children), $Box(ch#0)) + ==> ch#0 == null || S#0[$Box(ch#0)]; + } + + assume (forall ch#1: ref :: + { S#0[$Box(ch#1)] } + { Seq#Contains(read($Heap, n#0, _module.Node.children), $Box(ch#1)) } + $Is(ch#1, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#0, _module.Node.children), $Box(ch#1)) + ==> ch#1 == null || S#0[$Box(ch#1)]); + } + else + { + assume S#0[$Box(n#0)] + ==> (forall ch#1: ref :: + { S#0[$Box(ch#1)] } + { Seq#Contains(read($Heap, n#0, _module.Node.children), $Box(ch#1)) } + $Is(ch#1, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#0, _module.Node.children), $Box(ch#1)) + ==> ch#1 == null || S#0[$Box(ch#1)]); + } + + assume (forall n#1: ref :: + { read($Heap, n#1, _module.Node.children) } { S#0[$Box(n#1)] } + $Is(n#1, Tclass._module.Node()) + ==> + S#0[$Box(n#1)] + ==> (forall ch#2: ref :: + { S#0[$Box(ch#2)] } + { Seq#Contains(read($Heap, n#1, _module.Node.children), $Box(ch#2)) } + $Is(ch#2, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#1, _module.Node.children), $Box(ch#2)) + ==> ch#2 == null || S#0[$Box(ch#2)])); + havoc n#2; + assume $Is(n#2, Tclass._module.Node()) && $IsAlloc(n#2, Tclass._module.Node(), $Heap); + if (*) + { + assume S#0[$Box(n#2)]; + assert n#2 != null; + assume !read($Heap, n#2, _module.Node.marked); + assert n#2 != null; + assume read($Heap, n#2, _module.Node.childrenVisited) == LitInt(0); + } + else + { + assume S#0[$Box(n#2)] + ==> !read($Heap, n#2, _module.Node.marked) + && read($Heap, n#2, _module.Node.childrenVisited) == LitInt(0); + } + + assume (forall n#3: ref :: + { read($Heap, n#3, _module.Node.childrenVisited) } + { read($Heap, n#3, _module.Node.marked) } + { S#0[$Box(n#3)] } + $Is(n#3, Tclass._module.Node()) + ==> (S#0[$Box(n#3)] ==> !read($Heap, n#3, _module.Node.marked)) + && (S#0[$Box(n#3)] ==> read($Heap, n#3, _module.Node.childrenVisited) == LitInt(0))); + havoc $Heap; + assume (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] || S#0[$Box($o)]); + assume $HeapSucc(old($Heap), $Heap); + assert root#0 != null; + assume read($Heap, root#0, _module.Node.marked); + havoc n#4; + assume $Is(n#4, Tclass._module.Node()) && $IsAlloc(n#4, Tclass._module.Node(), $Heap); + if (*) + { + assume S#0[$Box(n#4)]; + assert n#4 != null; + assume read($Heap, n#4, _module.Node.marked); + havoc ch#3; + assume $Is(ch#3, Tclass._module.Node?()) + && $IsAlloc(ch#3, Tclass._module.Node?(), $Heap); + if (*) + { + assert n#4 != null; + assume Seq#Contains(read($Heap, n#4, _module.Node.children), $Box(ch#3)); + newtype$check#1 := null; + assume ch#3 != null; + assert ch#3 != null; + assume read($Heap, ch#3, _module.Node.marked); + } + else + { + assume Seq#Contains(read($Heap, n#4, _module.Node.children), $Box(ch#3)) + && ch#3 != null + ==> read($Heap, ch#3, _module.Node.marked); + } + + assume (forall ch#4: ref :: + { read($Heap, ch#4, _module.Node.marked) } + { Seq#Contains(read($Heap, n#4, _module.Node.children), $Box(ch#4)) } + $Is(ch#4, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#4, _module.Node.children), $Box(ch#4)) + && ch#4 != null + ==> read($Heap, ch#4, _module.Node.marked)); + } + else + { + assume S#0[$Box(n#4)] && read($Heap, n#4, _module.Node.marked) + ==> (forall ch#4: ref :: + { read($Heap, ch#4, _module.Node.marked) } + { Seq#Contains(read($Heap, n#4, _module.Node.children), $Box(ch#4)) } + $Is(ch#4, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#4, _module.Node.children), $Box(ch#4)) + && ch#4 != null + ==> read($Heap, ch#4, _module.Node.marked)); + } + + assume (forall n#5: ref :: + { read($Heap, n#5, _module.Node.children) } + { read($Heap, n#5, _module.Node.marked) } + { S#0[$Box(n#5)] } + $Is(n#5, Tclass._module.Node()) + ==> + S#0[$Box(n#5)] && read($Heap, n#5, _module.Node.marked) + ==> (forall ch#5: ref :: + { read($Heap, ch#5, _module.Node.marked) } + { Seq#Contains(read($Heap, n#5, _module.Node.children), $Box(ch#5)) } + $Is(ch#5, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#5, _module.Node.children), $Box(ch#5)) + && ch#5 != null + ==> read($Heap, ch#5, _module.Node.marked))); + havoc n#6; + assume $Is(n#6, Tclass._module.Node()) && $IsAlloc(n#6, Tclass._module.Node(), $Heap); + if (*) + { + assume S#0[$Box(n#6)]; + assert n#6 != null; + assume read($Heap, n#6, _module.Node.marked); + ##source#0 := root#0; + ##sink#0 := n#6; + ##S#0 := S#0; + assert $IsAlloc(root#0, Tclass._module.Node(), old($Heap)); + assert $IsAlloc(n#6, Tclass._module.Node(), old($Heap)); + assert $IsAlloc(S#0, TSet(Tclass._module.Node()), old($Heap)); + assume _module.__default.Reachable#canCall(old($Heap), root#0, n#6, S#0); + assume _module.__default.Reachable(old($Heap), root#0, n#6, S#0); + } + else + { + assume S#0[$Box(n#6)] && read($Heap, n#6, _module.Node.marked) + ==> _module.__default.Reachable(old($Heap), root#0, n#6, S#0); + } + + assume (forall n#7: ref :: + { _module.__default.Reachable(old($Heap), root#0, n#7, S#0) } + { read($Heap, n#7, _module.Node.marked) } + { S#0[$Box(n#7)] } + $Is(n#7, Tclass._module.Node()) + ==> + S#0[$Box(n#7)] && read($Heap, n#7, _module.Node.marked) + ==> _module.__default.Reachable(old($Heap), root#0, n#7, S#0)); + havoc n#8; + assume $Is(n#8, Tclass._module.Node()) && $IsAlloc(n#8, Tclass._module.Node(), $Heap); + if (*) + { + assume S#0[$Box(n#8)]; + assert n#8 != null; + assert n#8 != null; + assert $IsAlloc(n#8, Tclass._module.Node(), old($Heap)); + assume read($Heap, n#8, _module.Node.childrenVisited) + == read(old($Heap), n#8, _module.Node.childrenVisited); + assert n#8 != null; + assert n#8 != null; + assert $IsAlloc(n#8, Tclass._module.Node(), old($Heap)); + assume Seq#Equal(read($Heap, n#8, _module.Node.children), + read(old($Heap), n#8, _module.Node.children)); + } + else + { + assume S#0[$Box(n#8)] + ==> read($Heap, n#8, _module.Node.childrenVisited) + == read(old($Heap), n#8, _module.Node.childrenVisited) + && Seq#Equal(read($Heap, n#8, _module.Node.children), + read(old($Heap), n#8, _module.Node.children)); + } + + assume (forall n#9: ref :: + { read(old($Heap), n#9, _module.Node.children) } + { read($Heap, n#9, _module.Node.children) } + { read(old($Heap), n#9, _module.Node.childrenVisited) } + { read($Heap, n#9, _module.Node.childrenVisited) } + { S#0[$Box(n#9)] } + $Is(n#9, Tclass._module.Node()) + ==> (S#0[$Box(n#9)] + ==> read($Heap, n#9, _module.Node.childrenVisited) + == read(old($Heap), n#9, _module.Node.childrenVisited)) + && (S#0[$Box(n#9)] + ==> Seq#Equal(read($Heap, n#9, _module.Node.children), + read(old($Heap), n#9, _module.Node.children)))); +} + + + +procedure {:verboseName "SchorrWaite (call)"} Call$$_module.__default.SchorrWaite(root#0: ref + where $Is(root#0, Tclass._module.Node()) + && $IsAlloc(root#0, Tclass._module.Node(), $Heap), + S#0: Set Box + where $Is(S#0, TSet(Tclass._module.Node())) + && $IsAlloc(S#0, TSet(Tclass._module.Node()), $Heap)); + // user-defined preconditions + requires S#0[$Box(root#0)]; + requires (forall n#1: ref :: + { read($Heap, n#1, _module.Node.children) } { S#0[$Box(n#1)] } + $Is(n#1, Tclass._module.Node()) + ==> + S#0[$Box(n#1)] + ==> (forall ch#2: ref :: + { S#0[$Box(ch#2)] } + { Seq#Contains(read($Heap, n#1, _module.Node.children), $Box(ch#2)) } + $Is(ch#2, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#1, _module.Node.children), $Box(ch#2)) + ==> ch#2 == null || S#0[$Box(ch#2)])); + requires (forall n#3: ref :: + { read($Heap, n#3, _module.Node.childrenVisited) } + { read($Heap, n#3, _module.Node.marked) } + { S#0[$Box(n#3)] } + $Is(n#3, Tclass._module.Node()) + ==> (S#0[$Box(n#3)] ==> !read($Heap, n#3, _module.Node.marked)) + && (S#0[$Box(n#3)] ==> read($Heap, n#3, _module.Node.childrenVisited) == LitInt(0))); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures true; + ensures read($Heap, root#0, _module.Node.marked); + free ensures true; + ensures (forall n#5: ref :: + { read($Heap, n#5, _module.Node.children) } + { read($Heap, n#5, _module.Node.marked) } + { S#0[$Box(n#5)] } + $Is(n#5, Tclass._module.Node()) + ==> + S#0[$Box(n#5)] && read($Heap, n#5, _module.Node.marked) + ==> (forall ch#5: ref :: + { read($Heap, ch#5, _module.Node.marked) } + { Seq#Contains(read($Heap, n#5, _module.Node.children), $Box(ch#5)) } + $Is(ch#5, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#5, _module.Node.children), $Box(ch#5)) + && ch#5 != null + ==> read($Heap, ch#5, _module.Node.marked))); + free ensures (forall n#7: ref :: + { _module.__default.Reachable(old($Heap), root#0, n#7, S#0) } + { read($Heap, n#7, _module.Node.marked) } + { S#0[$Box(n#7)] } + $Is(n#7, Tclass._module.Node()) + ==> + S#0[$Box(n#7)] + ==> + read($Heap, n#7, _module.Node.marked) + ==> _module.__default.Reachable#canCall(old($Heap), root#0, n#7, S#0)); + ensures (forall n#7: ref :: + { _module.__default.Reachable(old($Heap), root#0, n#7, S#0) } + { read($Heap, n#7, _module.Node.marked) } + { S#0[$Box(n#7)] } + $Is(n#7, Tclass._module.Node()) + ==> + S#0[$Box(n#7)] && read($Heap, n#7, _module.Node.marked) + ==> _module.__default.Reachable(old($Heap), root#0, n#7, S#0)); + free ensures true; + ensures (forall n#9: ref :: + { read(old($Heap), n#9, _module.Node.children) } + { read($Heap, n#9, _module.Node.children) } + { read(old($Heap), n#9, _module.Node.childrenVisited) } + { read($Heap, n#9, _module.Node.childrenVisited) } + { S#0[$Box(n#9)] } + $Is(n#9, Tclass._module.Node()) + ==> (S#0[$Box(n#9)] + ==> read($Heap, n#9, _module.Node.childrenVisited) + == read(old($Heap), n#9, _module.Node.childrenVisited)) + && (S#0[$Box(n#9)] + ==> Seq#Equal(read($Heap, n#9, _module.Node.children), + read(old($Heap), n#9, _module.Node.children)))); + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] || S#0[$Box($o)]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +procedure {:verboseName "SchorrWaite (correctness)"} Impl$$_module.__default.SchorrWaite(root#0: ref + where $Is(root#0, Tclass._module.Node()) + && $IsAlloc(root#0, Tclass._module.Node(), $Heap), + S#0: Set Box + where $Is(S#0, TSet(Tclass._module.Node())) + && $IsAlloc(S#0, TSet(Tclass._module.Node()), $Heap)) + returns ($_reverifyPost: bool); + free requires 4 == $FunctionContextHeight; + // user-defined preconditions + requires S#0[$Box(root#0)]; + requires (forall n#1: ref :: + { read($Heap, n#1, _module.Node.children) } { S#0[$Box(n#1)] } + $Is(n#1, Tclass._module.Node()) + ==> + S#0[$Box(n#1)] + ==> (forall ch#2: ref :: + { S#0[$Box(ch#2)] } + { Seq#Contains(read($Heap, n#1, _module.Node.children), $Box(ch#2)) } + $Is(ch#2, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#1, _module.Node.children), $Box(ch#2)) + ==> ch#2 == null || S#0[$Box(ch#2)])); + requires (forall n#3: ref :: + { read($Heap, n#3, _module.Node.childrenVisited) } + { read($Heap, n#3, _module.Node.marked) } + { S#0[$Box(n#3)] } + $Is(n#3, Tclass._module.Node()) + ==> (S#0[$Box(n#3)] ==> !read($Heap, n#3, _module.Node.marked)) + && (S#0[$Box(n#3)] ==> read($Heap, n#3, _module.Node.childrenVisited) == LitInt(0))); + modifies $Heap, $Tick; + // user-defined postconditions + free ensures true; + ensures read($Heap, root#0, _module.Node.marked); + free ensures true; + ensures (forall n#5: ref :: + { read($Heap, n#5, _module.Node.children) } + { read($Heap, n#5, _module.Node.marked) } + { S#0[$Box(n#5)] } + $Is(n#5, Tclass._module.Node()) + ==> + S#0[$Box(n#5)] && read($Heap, n#5, _module.Node.marked) + ==> (forall ch#5: ref :: + { read($Heap, ch#5, _module.Node.marked) } + { Seq#Contains(read($Heap, n#5, _module.Node.children), $Box(ch#5)) } + $Is(ch#5, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#5, _module.Node.children), $Box(ch#5)) + && ch#5 != null + ==> read($Heap, ch#5, _module.Node.marked))); + free ensures (forall n#7: ref :: + { _module.__default.Reachable(old($Heap), root#0, n#7, S#0) } + { read($Heap, n#7, _module.Node.marked) } + { S#0[$Box(n#7)] } + $Is(n#7, Tclass._module.Node()) + ==> + S#0[$Box(n#7)] + ==> + read($Heap, n#7, _module.Node.marked) + ==> _module.__default.Reachable#canCall(old($Heap), root#0, n#7, S#0)); + ensures (forall n#7: ref :: + { _module.__default.Reachable(old($Heap), root#0, n#7, S#0) } + { read($Heap, n#7, _module.Node.marked) } + { S#0[$Box(n#7)] } + $Is(n#7, Tclass._module.Node()) + ==> + S#0[$Box(n#7)] && read($Heap, n#7, _module.Node.marked) + ==> _module.__default.Reachable(old($Heap), root#0, n#7, S#0)); + free ensures true; + ensures (forall n#9: ref :: + { read(old($Heap), n#9, _module.Node.children) } + { read($Heap, n#9, _module.Node.children) } + { read(old($Heap), n#9, _module.Node.childrenVisited) } + { read($Heap, n#9, _module.Node.childrenVisited) } + { S#0[$Box(n#9)] } + $Is(n#9, Tclass._module.Node()) + ==> (S#0[$Box(n#9)] + ==> read($Heap, n#9, _module.Node.childrenVisited) + == read(old($Heap), n#9, _module.Node.childrenVisited)) + && (S#0[$Box(n#9)] + ==> Seq#Equal(read($Heap, n#9, _module.Node.children), + read(old($Heap), n#9, _module.Node.children)))); + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] || S#0[$Box($o)]); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +implementation {:verboseName "SchorrWaite (correctness)"} Impl$$_module.__default.SchorrWaite(root#0: ref, S#0: Set Box) returns ($_reverifyPost: bool) +{ + var $_Frame: [ref,Field beta]bool; + var defass#t#0: bool; + var t#0: ref + where defass#t#0 + ==> $Is(t#0, Tclass._module.Node()) && $IsAlloc(t#0, Tclass._module.Node(), $Heap); + var p#0: ref + where $Is(p#0, Tclass._module.Node?()) && $IsAlloc(p#0, Tclass._module.Node?(), $Heap); + var newtype$check#2: ref; + var path#0: DatatypeType + where $Is(path#0, Tclass._module.Path()) + && $IsAlloc(path#0, Tclass._module.Path(), $Heap); + var $rhs#0: bool; + var $rhs#1: DatatypeType; + var stackNodes#0: Seq Box + where $Is(stackNodes#0, TSeq(Tclass._module.Node())) + && $IsAlloc(stackNodes#0, TSeq(Tclass._module.Node()), $Heap); + var unmarkedNodes#0: Set Box + where $Is(unmarkedNodes#0, TSet(Tclass._module.Node())) + && $IsAlloc(unmarkedNodes#0, TSet(Tclass._module.Node()), $Heap); + var $PreLoopHeap$loop#0: Heap; + var preLoop$loop#0$defass#t#0: bool; + var $decr_init$loop#00: Set Box; + var $decr_init$loop#01: Seq Box; + var $decr_init$loop#02: int; + var $w$loop#0: bool; + var i#0: int; + var newtype$check#3: ref; + var n#10: ref; + var n#12: ref; + var n#14: ref; + var j#0: int; + var n#16: ref; + var newtype$check#4: ref; + var k#0: int; + var k#2: int; + var n#18: ref; + var ch#6: ref; + var newtype$check#5: ref; + var n#20: ref; + var j#2: int; + var newtype$check#6: ref; + var ##source#1: ref; + var ##p#0: DatatypeType; + var ##sink#1: ref; + var ##S#1: Set Box; + var n#24: ref; + var pth#Z#0: DatatypeType; + var let#0#0#0: DatatypeType; + var ##source#2: ref; + var ##p#1: DatatypeType; + var ##sink#2: ref; + var ##S#2: Set Box; + var n#26: ref; + var ##source#3: ref; + var ##sink#3: ref; + var ##S#3: Set Box; + var n#28: ref; + var $decr$loop#00: Set Box; + var $decr$loop#01: Seq Box; + var $decr$loop#02: int; + var $rhs#0_0_0: int; + var newtype$check#0_0_0: ref; + var oldP#0_0_0: ref + where $Is(oldP#0_0_0, Tclass._module.Node?()) + && $IsAlloc(oldP#0_0_0, Tclass._module.Node?(), $Heap); + var $rhs#0_0_1: Seq Box; + var $rhs#0_0_2: int; + var newtype$check#0_1_0: ref; + var $rhs#0_1_0_0: int; + var newT#0_1_1_0: ref + where $Is(newT#0_1_1_0, Tclass._module.Node?()) + && $IsAlloc(newT#0_1_1_0, Tclass._module.Node?(), $Heap); + var $rhs#0_1_1_0: Seq Box; + var $rhs#0_1_1_1: bool; + var $rhs#0_1_1_2: DatatypeType; + + // AddMethodImpl: SchorrWaite, Impl$$_module.__default.SchorrWaite + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> S#0[$Box($o)]); + $_reverifyPost := false; + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(188,9) + assume true; + assume true; + t#0 := root#0; + defass#t#0 := true; + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(189,16) + assume true; + newtype$check#2 := null; + assume true; + p#0 := null; + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(190,18) + assume true; + assume true; + path#0 := Lit(#_module.Path.Empty()); + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(191,12) + assert defass#t#0; + assert t#0 != null; + assume true; + assert $_Frame[t#0, _module.Node.marked]; + assume true; + $rhs#0 := Lit(true); + $Heap := update($Heap, t#0, _module.Node.marked, $rhs#0); + assume $IsGoodHeap($Heap); + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(192,18) + assert defass#t#0; + assert t#0 != null; + assume true; + assert $_Frame[t#0, _module.Node.pathFromRoot]; + assume true; + $rhs#1 := path#0; + $Heap := update($Heap, t#0, _module.Node.pathFromRoot, $rhs#1); + assume $IsGoodHeap($Heap); + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(193,35) + assume true; + assume true; + stackNodes#0 := Lit(Seq#Empty(): Seq Box); + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(194,27) + assume true; + assert defass#t#0; + assume true; + unmarkedNodes#0 := Set#Difference(S#0, Set#UnionOne(Set#Empty(): Set Box, $Box(t#0))); + // ----- while statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(195,3) + // Assume Fuel Constant + $PreLoopHeap$loop#0 := $Heap; + preLoop$loop#0$defass#t#0 := defass#t#0; + $decr_init$loop#00 := unmarkedNodes#0; + $decr_init$loop#01 := stackNodes#0; + $decr_init$loop#02 := Seq#Length(read($Heap, t#0, _module.Node.children)) + - read($Heap, t#0, _module.Node.childrenVisited); + havoc $w$loop#0; + while (true) + free invariant $w$loop#0 ==> true; + invariant $w$loop#0 + ==> (forall i#1: int :: + { $Unbox(Seq#Index(stackNodes#0, i#1)): ref } + true + ==> + LitInt(0) <= i#1 && i#1 < Seq#Length(stackNodes#0) + ==> S#0[Seq#Index(stackNodes#0, i#1)]); + free invariant $w$loop#0 ==> true; + invariant $w$loop#0 ==> S#0[$Box(t#0)]; + invariant $w$loop#0 ==> !Seq#Contains(stackNodes#0, $Box(t#0)); + free invariant $w$loop#0 ==> true; + invariant $w$loop#0 + ==> p#0 + == (if Seq#Length(stackNodes#0) == LitInt(0) + then null + else $Unbox(Seq#Index(stackNodes#0, Seq#Length(stackNodes#0) - 1)): ref); + free invariant $w$loop#0 ==> true; + invariant $w$loop#0 + ==> (forall n#11: ref :: + { read($Heap, n#11, _module.Node.children) } + { read($Heap, n#11, _module.Node.childrenVisited) } + { Seq#Contains(stackNodes#0, $Box(n#11)) } + $Is(n#11, Tclass._module.Node()) + ==> + Seq#Contains(stackNodes#0, $Box(n#11)) + ==> read($Heap, n#11, _module.Node.childrenVisited) + < Seq#Length(read($Heap, n#11, _module.Node.children))); + free invariant $w$loop#0 ==> true; + invariant $w$loop#0 + ==> read($Heap, t#0, _module.Node.childrenVisited) + <= Seq#Length(read($Heap, t#0, _module.Node.children)); + free invariant $w$loop#0 ==> true; + invariant $w$loop#0 + ==> (forall n#13: ref :: + { read($Heap, n#13, _module.Node.childrenVisited) } + { Seq#Contains(stackNodes#0, $Box(n#13)) } + { S#0[$Box(n#13)] } + $Is(n#13, Tclass._module.Node()) + ==> + S#0[$Box(n#13)] && !Seq#Contains(stackNodes#0, $Box(n#13)) && n#13 != t#0 + ==> read($Heap, n#13, _module.Node.childrenVisited) == LitInt(0)); + free invariant $w$loop#0 ==> true; + invariant $w$loop#0 + ==> (forall n#15: ref :: + { read($Heap, n#15, _module.Node.childrenVisited) } + { read(old($Heap), n#15, _module.Node.children) } + { read($Heap, n#15, _module.Node.children) } + { Seq#Contains(stackNodes#0, $Box(n#15)) } + $Is(n#15, Tclass._module.Node()) + ==> (Seq#Contains(stackNodes#0, $Box(n#15)) + ==> Seq#Length(read($Heap, n#15, _module.Node.children)) + == Seq#Length(read(old($Heap), n#15, _module.Node.children))) + && (Seq#Contains(stackNodes#0, $Box(n#15)) + ==> (forall j#1: int :: + { $Unbox(Seq#Index(read(old($Heap), n#15, _module.Node.children), j#1)): ref } + { $Unbox(Seq#Index(read($Heap, n#15, _module.Node.children), j#1)): ref } + true + ==> + LitInt(0) <= j#1 && j#1 < Seq#Length(read($Heap, n#15, _module.Node.children)) + ==> j#1 == read($Heap, n#15, _module.Node.childrenVisited) + || $Unbox(Seq#Index(read($Heap, n#15, _module.Node.children), j#1)): ref + == $Unbox(Seq#Index(read(old($Heap), n#15, _module.Node.children), j#1)): ref))); + free invariant $w$loop#0 ==> true; + invariant $w$loop#0 + ==> (forall n#17: ref :: + { read(old($Heap), n#17, _module.Node.children) } + { read($Heap, n#17, _module.Node.children) } + { Seq#Contains(stackNodes#0, $Box(n#17)) } + { S#0[$Box(n#17)] } + $Is(n#17, Tclass._module.Node()) + ==> + S#0[$Box(n#17)] && !Seq#Contains(stackNodes#0, $Box(n#17)) + ==> Seq#Equal(read($Heap, n#17, _module.Node.children), + read(old($Heap), n#17, _module.Node.children))); + free invariant $w$loop#0 ==> true; + invariant $w$loop#0 + ==> + 0 < Seq#Length(stackNodes#0) + ==> $Unbox(Seq#Index(read($Heap, $Unbox(Seq#Index(stackNodes#0, LitInt(0))): ref, _module.Node.children), + read($Heap, + $Unbox(Seq#Index(stackNodes#0, LitInt(0))): ref, + _module.Node.childrenVisited))): ref + == null; + free invariant $w$loop#0 ==> true; + invariant $w$loop#0 + ==> (forall k#1: int :: + {:matchinglooprewrite false} { read($Heap, $Unbox(Seq#Index(stackNodes#0, k#1)): ref, _module.Node.childrenVisited) } + { read($Heap, $Unbox(Seq#Index(stackNodes#0, k#1)): ref, _module.Node.children) } + true + ==> + 0 < k#1 && k#1 < Seq#Length(stackNodes#0) + ==> $Unbox(Seq#Index(read($Heap, $Unbox(Seq#Index(stackNodes#0, k#1)): ref, _module.Node.children), + read($Heap, $Unbox(Seq#Index(stackNodes#0, k#1)): ref, _module.Node.childrenVisited))): ref + == $Unbox(Seq#Index(stackNodes#0, k#1 - 1)): ref); + free invariant $w$loop#0 ==> true; + invariant $w$loop#0 + ==> (forall k#3: int :: + {:matchinglooprewrite false} { read($Heap, $Unbox(Seq#Index(stackNodes#0, k#3)): ref, _module.Node.childrenVisited) } + { $Unbox(Seq#Index(stackNodes#0, k#3)): ref } + true + ==> + LitInt(0) <= k#3 && k#3 < Seq#Length(stackNodes#0) - 1 + ==> $Unbox(Seq#Index(read(old($Heap), $Unbox(Seq#Index(stackNodes#0, k#3)): ref, _module.Node.children), + read($Heap, $Unbox(Seq#Index(stackNodes#0, k#3)): ref, _module.Node.childrenVisited))): ref + == $Unbox(Seq#Index(stackNodes#0, k#3 + 1)): ref); + free invariant $w$loop#0 ==> true; + invariant $w$loop#0 + ==> + 0 < Seq#Length(stackNodes#0) + ==> $Unbox(Seq#Index(read(old($Heap), + $Unbox(Seq#Index(stackNodes#0, Seq#Length(stackNodes#0) - 1)): ref, + _module.Node.children), + read($Heap, + $Unbox(Seq#Index(stackNodes#0, Seq#Length(stackNodes#0) - 1)): ref, + _module.Node.childrenVisited))): ref + == t#0; + free invariant $w$loop#0 ==> true; + invariant $w$loop#0 ==> read($Heap, root#0, _module.Node.marked); + free invariant $w$loop#0 ==> true; + invariant $w$loop#0 + ==> (forall n#19: ref :: + { read($Heap, n#19, _module.Node.children) } + { Seq#Contains(stackNodes#0, $Box(n#19)) } + { read($Heap, n#19, _module.Node.marked) } + { S#0[$Box(n#19)] } + $Is(n#19, Tclass._module.Node()) + ==> + S#0[$Box(n#19)] + && read($Heap, n#19, _module.Node.marked) + && !Seq#Contains(stackNodes#0, $Box(n#19)) + && n#19 != t#0 + ==> (forall ch#7: ref :: + { read($Heap, ch#7, _module.Node.marked) } + { Seq#Contains(read($Heap, n#19, _module.Node.children), $Box(ch#7)) } + $Is(ch#7, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#19, _module.Node.children), $Box(ch#7)) + && ch#7 != null + ==> read($Heap, ch#7, _module.Node.marked))); + free invariant $w$loop#0 ==> true; + invariant $w$loop#0 + ==> (forall n#21: ref :: + { read($Heap, n#21, _module.Node.marked) } + { Seq#Contains(stackNodes#0, $Box(n#21)) } + $Is(n#21, Tclass._module.Node()) + ==> + Seq#Contains(stackNodes#0, $Box(n#21)) || n#21 == t#0 + ==> read($Heap, n#21, _module.Node.marked)); + invariant $w$loop#0 + ==> (forall n#21: ref :: + { read($Heap, n#21, _module.Node.children) } + { read($Heap, n#21, _module.Node.childrenVisited) } + { Seq#Contains(stackNodes#0, $Box(n#21)) } + $Is(n#21, Tclass._module.Node()) + ==> + Seq#Contains(stackNodes#0, $Box(n#21)) || n#21 == t#0 + ==> (forall j#3: int :: + { $Unbox(Seq#Index(read($Heap, n#21, _module.Node.children), j#3)): ref } + true + ==> + LitInt(0) <= j#3 && j#3 < read($Heap, n#21, _module.Node.childrenVisited) + ==> $Unbox(Seq#Index(read($Heap, n#21, _module.Node.children), j#3)): ref == null + || read($Heap, + $Unbox(Seq#Index(read($Heap, n#21, _module.Node.children), j#3)): ref, + _module.Node.marked))); + free invariant $w$loop#0 + ==> + $IsAlloc(path#0, Tclass._module.Path(), old($Heap)) + ==> _module.__default.ReachableVia#canCall(old($Heap), root#0, path#0, t#0, S#0); + invariant $w$loop#0 ==> $IsAlloc(path#0, Tclass._module.Path(), old($Heap)); + invariant $w$loop#0 + ==> + _module.__default.ReachableVia#canCall(old($Heap), root#0, path#0, t#0, S#0) + ==> _module.__default.ReachableVia($LS($LZ), old($Heap), root#0, path#0, t#0, S#0) + || (_module.Path.Empty_q(path#0) ==> root#0 == t#0); + invariant $w$loop#0 + ==> + _module.__default.ReachableVia#canCall(old($Heap), root#0, path#0, t#0, S#0) + ==> _module.__default.ReachableVia($LS($LZ), old($Heap), root#0, path#0, t#0, S#0) + || (!_module.Path.Empty_q(path#0) + ==> (var n#22 := _module.Path._h1(path#0); + (var prefix#0 := _module.Path._h0(path#0); S#0[$Box(n#22)]))); + invariant $w$loop#0 + ==> + _module.__default.ReachableVia#canCall(old($Heap), root#0, path#0, t#0, S#0) + ==> _module.__default.ReachableVia($LS($LZ), old($Heap), root#0, path#0, t#0, S#0) + || (!_module.Path.Empty_q(path#0) + ==> (var n#22 := _module.Path._h1(path#0); + (var prefix#0 := _module.Path._h0(path#0); + Seq#Contains(read(old($Heap), n#22, _module.Node.children), $Box(t#0))))); + invariant $w$loop#0 + ==> + _module.__default.ReachableVia#canCall(old($Heap), root#0, path#0, t#0, S#0) + ==> _module.__default.ReachableVia($LS($LZ), old($Heap), root#0, path#0, t#0, S#0) + || (!_module.Path.Empty_q(path#0) + ==> (var n#22 := _module.Path._h1(path#0); + (var prefix#0 := _module.Path._h0(path#0); + _module.__default.ReachableVia($LS($LS($LZ)), old($Heap), root#0, prefix#0, n#22, S#0)))); + free invariant $w$loop#0 + ==> _module.__default.ReachableVia#canCall(old($Heap), root#0, path#0, t#0, S#0) + && + _module.__default.ReachableVia($LS($LZ), old($Heap), root#0, path#0, t#0, S#0) + && (if _module.Path.Empty_q(path#0) + then root#0 == t#0 + else (var n#23 := _module.Path._h1(path#0); + (var prefix#1 := _module.Path._h0(path#0); + S#0[$Box(n#23)] + && Seq#Contains(read(old($Heap), n#23, _module.Node.children), $Box(t#0)) + && _module.__default.ReachableVia($LS($LZ), old($Heap), root#0, prefix#1, n#23, S#0)))); + free invariant $w$loop#0 + ==> (forall n#25: ref :: + { _module.__default.ReachableVia($LS($LZ), + old($Heap), + root#0, + read(old($Heap), n#25, _module.Node.pathFromRoot), + n#25, + S#0) } + { read($Heap, n#25, _module.Node.pathFromRoot) } + { read($Heap, n#25, _module.Node.marked) } + { S#0[$Box(n#25)] } + $Is(n#25, Tclass._module.Node()) + ==> + S#0[$Box(n#25)] + ==> + read($Heap, n#25, _module.Node.marked) + ==> (var pth#0 := read($Heap, n#25, _module.Node.pathFromRoot); + $IsAlloc(pth#0, Tclass._module.Path(), old($Heap)) + ==> _module.__default.ReachableVia#canCall(old($Heap), root#0, pth#0, n#25, S#0))); + invariant $w$loop#0 + ==> (forall n#25: ref :: + { _module.__default.ReachableVia($LS($LZ), + old($Heap), + root#0, + read(old($Heap), n#25, _module.Node.pathFromRoot), + n#25, + S#0) } + { read($Heap, n#25, _module.Node.pathFromRoot) } + { read($Heap, n#25, _module.Node.marked) } + { S#0[$Box(n#25)] } + $Is(n#25, Tclass._module.Node()) + ==> + S#0[$Box(n#25)] && read($Heap, n#25, _module.Node.marked) + ==> (var pth#0 := read($Heap, n#25, _module.Node.pathFromRoot); + $IsAlloc(pth#0, Tclass._module.Path(), old($Heap)) + && _module.__default.ReachableVia($LS($LZ), old($Heap), root#0, pth#0, n#25, S#0))); + free invariant $w$loop#0 + ==> (forall n#27: ref :: + { _module.__default.Reachable(old($Heap), root#0, n#27, S#0) } + { read($Heap, n#27, _module.Node.marked) } + { S#0[$Box(n#27)] } + $Is(n#27, Tclass._module.Node()) + ==> + S#0[$Box(n#27)] + ==> + read($Heap, n#27, _module.Node.marked) + ==> _module.__default.Reachable#canCall(old($Heap), root#0, n#27, S#0)); + invariant $w$loop#0 + ==> (forall n#27: ref :: + { _module.__default.Reachable(old($Heap), root#0, n#27, S#0) } + { read($Heap, n#27, _module.Node.marked) } + { S#0[$Box(n#27)] } + $Is(n#27, Tclass._module.Node()) + ==> + S#0[$Box(n#27)] && read($Heap, n#27, _module.Node.marked) + ==> _module.__default.Reachable(old($Heap), root#0, n#27, S#0)); + free invariant $w$loop#0 ==> true; + invariant $w$loop#0 + ==> (forall n#29: ref :: + { unmarkedNodes#0[$Box(n#29)] } + { read($Heap, n#29, _module.Node.marked) } + { S#0[$Box(n#29)] } + $Is(n#29, Tclass._module.Node()) + ==> + S#0[$Box(n#29)] && !read($Heap, n#29, _module.Node.marked) + ==> unmarkedNodes#0[$Box(n#29)]); + free invariant (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == $PreLoopHeap$loop#0[$o] || S#0[$Box($o)]); + free invariant $HeapSucc($PreLoopHeap$loop#0, $Heap); + free invariant (forall $o: ref, $f: Field alpha :: + { read($Heap, $o, $f) } + $o != null && read($PreLoopHeap$loop#0, $o, alloc) + ==> read($Heap, $o, $f) == read($PreLoopHeap$loop#0, $o, $f) || $_Frame[$o, $f]); + free invariant preLoop$loop#0$defass#t#0 ==> defass#t#0; + free invariant Set#Subset(unmarkedNodes#0, $decr_init$loop#00) + && (Set#Equal(unmarkedNodes#0, $decr_init$loop#00) + ==> Seq#Rank(stackNodes#0) <= Seq#Rank($decr_init$loop#01) + && (Seq#Rank(stackNodes#0) == Seq#Rank($decr_init$loop#01) + ==> Seq#Length(read($Heap, t#0, _module.Node.children)) + - read($Heap, t#0, _module.Node.childrenVisited) + <= $decr_init$loop#02 + && (Seq#Length(read($Heap, t#0, _module.Node.children)) + - read($Heap, t#0, _module.Node.childrenVisited) + == $decr_init$loop#02 + ==> true))); + { + if (!$w$loop#0) + { + // Begin Comprehension WF check + havoc i#0; + if (true) + { + if (LitInt(0) <= i#0) + { + } + + if (LitInt(0) <= i#0 && i#0 < Seq#Length(stackNodes#0)) + { + assert {:subsumption 0} 0 <= i#0 && i#0 < Seq#Length(stackNodes#0); + } + } + + // End Comprehension WF check + assume true; + assume (forall i#1: int :: + { $Unbox(Seq#Index(stackNodes#0, i#1)): ref } + true + ==> + LitInt(0) <= i#1 && i#1 < Seq#Length(stackNodes#0) + ==> S#0[Seq#Index(stackNodes#0, i#1)]); + assert defass#t#0; + if (S#0[$Box(t#0)]) + { + assert defass#t#0; + } + + assume true; + assume S#0[$Box(t#0)] && !Seq#Contains(stackNodes#0, $Box(t#0)); + if (Seq#Length(stackNodes#0) == LitInt(0)) + { + newtype$check#3 := null; + } + else + { + assert {:subsumption 0} 0 <= Seq#Length(stackNodes#0) - 1 + && Seq#Length(stackNodes#0) - 1 < Seq#Length(stackNodes#0); + } + + assume true; + assume p#0 + == (if Seq#Length(stackNodes#0) == LitInt(0) + then null + else $Unbox(Seq#Index(stackNodes#0, Seq#Length(stackNodes#0) - 1)): ref); + // Begin Comprehension WF check + havoc n#10; + if ($Is(n#10, Tclass._module.Node()) && $IsAlloc(n#10, Tclass._module.Node(), $Heap)) + { + if (Seq#Contains(stackNodes#0, $Box(n#10))) + { + assert {:subsumption 0} n#10 != null; + assert {:subsumption 0} n#10 != null; + } + } + + // End Comprehension WF check + assume true; + assume (forall n#11: ref :: + { read($Heap, n#11, _module.Node.children) } + { read($Heap, n#11, _module.Node.childrenVisited) } + { Seq#Contains(stackNodes#0, $Box(n#11)) } + $Is(n#11, Tclass._module.Node()) + ==> + Seq#Contains(stackNodes#0, $Box(n#11)) + ==> read($Heap, n#11, _module.Node.childrenVisited) + < Seq#Length(read($Heap, n#11, _module.Node.children))); + assert defass#t#0; + assert {:subsumption 0} t#0 != null; + assert defass#t#0; + assert {:subsumption 0} t#0 != null; + assume true; + assume read($Heap, t#0, _module.Node.childrenVisited) + <= Seq#Length(read($Heap, t#0, _module.Node.children)); + // Begin Comprehension WF check + havoc n#12; + if ($Is(n#12, Tclass._module.Node()) && $IsAlloc(n#12, Tclass._module.Node(), $Heap)) + { + if (S#0[$Box(n#12)]) + { + } + + if (S#0[$Box(n#12)] && !Seq#Contains(stackNodes#0, $Box(n#12))) + { + assert defass#t#0; + } + + if (S#0[$Box(n#12)] && !Seq#Contains(stackNodes#0, $Box(n#12)) && n#12 != t#0) + { + assert {:subsumption 0} n#12 != null; + } + } + + // End Comprehension WF check + assume true; + assume (forall n#13: ref :: + { read($Heap, n#13, _module.Node.childrenVisited) } + { Seq#Contains(stackNodes#0, $Box(n#13)) } + { S#0[$Box(n#13)] } + $Is(n#13, Tclass._module.Node()) + ==> + S#0[$Box(n#13)] && !Seq#Contains(stackNodes#0, $Box(n#13)) && n#13 != t#0 + ==> read($Heap, n#13, _module.Node.childrenVisited) == LitInt(0)); + // Begin Comprehension WF check + havoc n#14; + if ($Is(n#14, Tclass._module.Node()) && $IsAlloc(n#14, Tclass._module.Node(), $Heap)) + { + if (Seq#Contains(stackNodes#0, $Box(n#14))) + { + assert {:subsumption 0} n#14 != null; + assert {:subsumption 0} n#14 != null; + assert $IsAlloc(n#14, Tclass._module.Node(), old($Heap)); + if (Seq#Length(read($Heap, n#14, _module.Node.children)) + == Seq#Length(read(old($Heap), n#14, _module.Node.children))) + { + // Begin Comprehension WF check + havoc j#0; + if (true) + { + if (LitInt(0) <= j#0) + { + assert {:subsumption 0} n#14 != null; + } + + if (LitInt(0) <= j#0 && j#0 < Seq#Length(read($Heap, n#14, _module.Node.children))) + { + assert {:subsumption 0} n#14 != null; + if (j#0 != read($Heap, n#14, _module.Node.childrenVisited)) + { + assert {:subsumption 0} n#14 != null; + assert {:subsumption 0} 0 <= j#0 && j#0 < Seq#Length(read($Heap, n#14, _module.Node.children)); + assert {:subsumption 0} n#14 != null; + assert $IsAlloc(n#14, Tclass._module.Node(), old($Heap)); + assert {:subsumption 0} 0 <= j#0 && j#0 < Seq#Length(read(old($Heap), n#14, _module.Node.children)); + } + } + } + + // End Comprehension WF check + } + } + } + + // End Comprehension WF check + assume true; + assume (forall n#15: ref :: + { read($Heap, n#15, _module.Node.childrenVisited) } + { read(old($Heap), n#15, _module.Node.children) } + { read($Heap, n#15, _module.Node.children) } + { Seq#Contains(stackNodes#0, $Box(n#15)) } + $Is(n#15, Tclass._module.Node()) + ==> (Seq#Contains(stackNodes#0, $Box(n#15)) + ==> Seq#Length(read($Heap, n#15, _module.Node.children)) + == Seq#Length(read(old($Heap), n#15, _module.Node.children))) + && (Seq#Contains(stackNodes#0, $Box(n#15)) + ==> (forall j#1: int :: + { $Unbox(Seq#Index(read(old($Heap), n#15, _module.Node.children), j#1)): ref } + { $Unbox(Seq#Index(read($Heap, n#15, _module.Node.children), j#1)): ref } + true + ==> + LitInt(0) <= j#1 && j#1 < Seq#Length(read($Heap, n#15, _module.Node.children)) + ==> j#1 == read($Heap, n#15, _module.Node.childrenVisited) + || $Unbox(Seq#Index(read($Heap, n#15, _module.Node.children), j#1)): ref + == $Unbox(Seq#Index(read(old($Heap), n#15, _module.Node.children), j#1)): ref))); + // Begin Comprehension WF check + havoc n#16; + if ($Is(n#16, Tclass._module.Node()) && $IsAlloc(n#16, Tclass._module.Node(), $Heap)) + { + if (S#0[$Box(n#16)]) + { + } + + if (S#0[$Box(n#16)] && !Seq#Contains(stackNodes#0, $Box(n#16))) + { + assert {:subsumption 0} n#16 != null; + assert {:subsumption 0} n#16 != null; + assert $IsAlloc(n#16, Tclass._module.Node(), old($Heap)); + } + } + + // End Comprehension WF check + assume true; + assume (forall n#17: ref :: + { read(old($Heap), n#17, _module.Node.children) } + { read($Heap, n#17, _module.Node.children) } + { Seq#Contains(stackNodes#0, $Box(n#17)) } + { S#0[$Box(n#17)] } + $Is(n#17, Tclass._module.Node()) + ==> + S#0[$Box(n#17)] && !Seq#Contains(stackNodes#0, $Box(n#17)) + ==> Seq#Equal(read($Heap, n#17, _module.Node.children), + read(old($Heap), n#17, _module.Node.children))); + if (0 < Seq#Length(stackNodes#0)) + { + assert {:subsumption 0} 0 <= LitInt(0) && LitInt(0) < Seq#Length(stackNodes#0); + assert {:subsumption 0} $Unbox(Seq#Index(stackNodes#0, LitInt(0))): ref != null; + // ----- assert statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(231,40) + assert {:subsumption 0} 0 <= LitInt(0) && LitInt(0) < Seq#Length(stackNodes#0); + assume true; + assert Seq#Contains(stackNodes#0, Seq#Index(stackNodes#0, LitInt(0))); + // ----- assert statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(231,76) + assert {:subsumption 0} 0 <= LitInt(0) && LitInt(0) < Seq#Length(stackNodes#0); + assert {:subsumption 0} $Unbox(Seq#Index(stackNodes#0, LitInt(0))): ref != null; + assert {:subsumption 0} 0 <= LitInt(0) && LitInt(0) < Seq#Length(stackNodes#0); + assert {:subsumption 0} $Unbox(Seq#Index(stackNodes#0, LitInt(0))): ref != null; + assume true; + assert read($Heap, + $Unbox(Seq#Index(stackNodes#0, LitInt(0))): ref, + _module.Node.childrenVisited) + < Seq#Length(read($Heap, $Unbox(Seq#Index(stackNodes#0, LitInt(0))): ref, _module.Node.children)); + assert {:subsumption 0} 0 <= LitInt(0) && LitInt(0) < Seq#Length(stackNodes#0); + assert {:subsumption 0} $Unbox(Seq#Index(stackNodes#0, LitInt(0))): ref != null; + assert {:subsumption 0} 0 + <= read($Heap, + $Unbox(Seq#Index(stackNodes#0, LitInt(0))): ref, + _module.Node.childrenVisited) + && read($Heap, + $Unbox(Seq#Index(stackNodes#0, LitInt(0))): ref, + _module.Node.childrenVisited) + < Seq#Length(read($Heap, $Unbox(Seq#Index(stackNodes#0, LitInt(0))): ref, _module.Node.children)); + newtype$check#4 := null; + } + + assume true; + assume 0 < Seq#Length(stackNodes#0) + ==> $Unbox(Seq#Index(read($Heap, $Unbox(Seq#Index(stackNodes#0, LitInt(0))): ref, _module.Node.children), + read($Heap, + $Unbox(Seq#Index(stackNodes#0, LitInt(0))): ref, + _module.Node.childrenVisited))): ref + == null; + // Begin Comprehension WF check + havoc k#0; + if (true) + { + if (0 < k#0) + { + } + + if (0 < k#0 && k#0 < Seq#Length(stackNodes#0)) + { + assert {:subsumption 0} 0 <= k#0 && k#0 < Seq#Length(stackNodes#0); + assert {:subsumption 0} $Unbox(Seq#Index(stackNodes#0, k#0)): ref != null; + assert {:subsumption 0} 0 <= k#0 && k#0 < Seq#Length(stackNodes#0); + assert {:subsumption 0} $Unbox(Seq#Index(stackNodes#0, k#0)): ref != null; + assert {:subsumption 0} 0 + <= read($Heap, $Unbox(Seq#Index(stackNodes#0, k#0)): ref, _module.Node.childrenVisited) + && read($Heap, $Unbox(Seq#Index(stackNodes#0, k#0)): ref, _module.Node.childrenVisited) + < Seq#Length(read($Heap, $Unbox(Seq#Index(stackNodes#0, k#0)): ref, _module.Node.children)); + assert {:subsumption 0} 0 <= k#0 - 1 && k#0 - 1 < Seq#Length(stackNodes#0); + } + } + + // End Comprehension WF check + assume true; + assume (forall k#1: int :: + {:matchinglooprewrite false} { read($Heap, $Unbox(Seq#Index(stackNodes#0, k#1)): ref, _module.Node.childrenVisited) } + { read($Heap, $Unbox(Seq#Index(stackNodes#0, k#1)): ref, _module.Node.children) } + true + ==> + 0 < k#1 && k#1 < Seq#Length(stackNodes#0) + ==> $Unbox(Seq#Index(read($Heap, $Unbox(Seq#Index(stackNodes#0, k#1)): ref, _module.Node.children), + read($Heap, $Unbox(Seq#Index(stackNodes#0, k#1)): ref, _module.Node.childrenVisited))): ref + == $Unbox(Seq#Index(stackNodes#0, k#1 - 1)): ref); + // Begin Comprehension WF check + havoc k#2; + if (true) + { + if (LitInt(0) <= k#2) + { + } + + if (LitInt(0) <= k#2 && k#2 < Seq#Length(stackNodes#0) - 1) + { + assert {:subsumption 0} 0 <= k#2 && k#2 < Seq#Length(stackNodes#0); + assert {:subsumption 0} $Unbox(Seq#Index(stackNodes#0, k#2)): ref != null; + assert $IsAlloc($Unbox(Seq#Index(stackNodes#0, k#2)): ref, Tclass._module.Node(), old($Heap)); + assert {:subsumption 0} 0 <= k#2 && k#2 < Seq#Length(stackNodes#0); + assert {:subsumption 0} $Unbox(Seq#Index(stackNodes#0, k#2)): ref != null; + assert {:subsumption 0} 0 + <= read($Heap, $Unbox(Seq#Index(stackNodes#0, k#2)): ref, _module.Node.childrenVisited) + && read($Heap, $Unbox(Seq#Index(stackNodes#0, k#2)): ref, _module.Node.childrenVisited) + < Seq#Length(read(old($Heap), $Unbox(Seq#Index(stackNodes#0, k#2)): ref, _module.Node.children)); + assert {:subsumption 0} 0 <= k#2 + 1 && k#2 + 1 < Seq#Length(stackNodes#0); + } + } + + // End Comprehension WF check + assume true; + assume (forall k#3: int :: + {:matchinglooprewrite false} { read($Heap, $Unbox(Seq#Index(stackNodes#0, k#3)): ref, _module.Node.childrenVisited) } + { $Unbox(Seq#Index(stackNodes#0, k#3)): ref } + true + ==> + LitInt(0) <= k#3 && k#3 < Seq#Length(stackNodes#0) - 1 + ==> $Unbox(Seq#Index(read(old($Heap), $Unbox(Seq#Index(stackNodes#0, k#3)): ref, _module.Node.children), + read($Heap, $Unbox(Seq#Index(stackNodes#0, k#3)): ref, _module.Node.childrenVisited))): ref + == $Unbox(Seq#Index(stackNodes#0, k#3 + 1)): ref); + if (0 < Seq#Length(stackNodes#0)) + { + assert {:subsumption 0} 0 <= Seq#Length(stackNodes#0) - 1 + && Seq#Length(stackNodes#0) - 1 < Seq#Length(stackNodes#0); + assert {:subsumption 0} $Unbox(Seq#Index(stackNodes#0, Seq#Length(stackNodes#0) - 1)): ref != null; + assert $IsAlloc($Unbox(Seq#Index(stackNodes#0, Seq#Length(stackNodes#0) - 1)): ref, + Tclass._module.Node(), + old($Heap)); + assert {:subsumption 0} 0 <= Seq#Length(stackNodes#0) - 1 + && Seq#Length(stackNodes#0) - 1 < Seq#Length(stackNodes#0); + assert {:subsumption 0} $Unbox(Seq#Index(stackNodes#0, Seq#Length(stackNodes#0) - 1)): ref != null; + assert {:subsumption 0} 0 + <= read($Heap, + $Unbox(Seq#Index(stackNodes#0, Seq#Length(stackNodes#0) - 1)): ref, + _module.Node.childrenVisited) + && read($Heap, + $Unbox(Seq#Index(stackNodes#0, Seq#Length(stackNodes#0) - 1)): ref, + _module.Node.childrenVisited) + < Seq#Length(read(old($Heap), + $Unbox(Seq#Index(stackNodes#0, Seq#Length(stackNodes#0) - 1)): ref, + _module.Node.children)); + assert defass#t#0; + } + + assume true; + assume 0 < Seq#Length(stackNodes#0) + ==> $Unbox(Seq#Index(read(old($Heap), + $Unbox(Seq#Index(stackNodes#0, Seq#Length(stackNodes#0) - 1)): ref, + _module.Node.children), + read($Heap, + $Unbox(Seq#Index(stackNodes#0, Seq#Length(stackNodes#0) - 1)): ref, + _module.Node.childrenVisited))): ref + == t#0; + assert {:subsumption 0} root#0 != null; + assume true; + assume read($Heap, root#0, _module.Node.marked); + // Begin Comprehension WF check + havoc n#18; + if ($Is(n#18, Tclass._module.Node()) && $IsAlloc(n#18, Tclass._module.Node(), $Heap)) + { + if (S#0[$Box(n#18)]) + { + assert {:subsumption 0} n#18 != null; + } + + if (S#0[$Box(n#18)] && read($Heap, n#18, _module.Node.marked)) + { + } + + if (S#0[$Box(n#18)] + && read($Heap, n#18, _module.Node.marked) + && !Seq#Contains(stackNodes#0, $Box(n#18))) + { + assert defass#t#0; + } + + if (S#0[$Box(n#18)] + && read($Heap, n#18, _module.Node.marked) + && !Seq#Contains(stackNodes#0, $Box(n#18)) + && n#18 != t#0) + { + // Begin Comprehension WF check + havoc ch#6; + if ($Is(ch#6, Tclass._module.Node?()) + && $IsAlloc(ch#6, Tclass._module.Node?(), $Heap)) + { + assert {:subsumption 0} n#18 != null; + if (Seq#Contains(read($Heap, n#18, _module.Node.children), $Box(ch#6))) + { + newtype$check#5 := null; + } + + if (Seq#Contains(read($Heap, n#18, _module.Node.children), $Box(ch#6)) + && ch#6 != null) + { + assert {:subsumption 0} ch#6 != null; + } + } + + // End Comprehension WF check + } + } + + // End Comprehension WF check + assume true; + assume (forall n#19: ref :: + { read($Heap, n#19, _module.Node.children) } + { Seq#Contains(stackNodes#0, $Box(n#19)) } + { read($Heap, n#19, _module.Node.marked) } + { S#0[$Box(n#19)] } + $Is(n#19, Tclass._module.Node()) + ==> + S#0[$Box(n#19)] + && read($Heap, n#19, _module.Node.marked) + && !Seq#Contains(stackNodes#0, $Box(n#19)) + && n#19 != t#0 + ==> (forall ch#7: ref :: + { read($Heap, ch#7, _module.Node.marked) } + { Seq#Contains(read($Heap, n#19, _module.Node.children), $Box(ch#7)) } + $Is(ch#7, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#19, _module.Node.children), $Box(ch#7)) + && ch#7 != null + ==> read($Heap, ch#7, _module.Node.marked))); + // Begin Comprehension WF check + havoc n#20; + if ($Is(n#20, Tclass._module.Node()) && $IsAlloc(n#20, Tclass._module.Node(), $Heap)) + { + if (!Seq#Contains(stackNodes#0, $Box(n#20))) + { + assert defass#t#0; + } + + if (Seq#Contains(stackNodes#0, $Box(n#20)) || n#20 == t#0) + { + assert {:subsumption 0} n#20 != null; + if (read($Heap, n#20, _module.Node.marked)) + { + // Begin Comprehension WF check + havoc j#2; + if (true) + { + if (LitInt(0) <= j#2) + { + assert {:subsumption 0} n#20 != null; + } + + if (LitInt(0) <= j#2 && j#2 < read($Heap, n#20, _module.Node.childrenVisited)) + { + assert {:subsumption 0} n#20 != null; + assert {:subsumption 0} 0 <= j#2 && j#2 < Seq#Length(read($Heap, n#20, _module.Node.children)); + newtype$check#6 := null; + if ($Unbox(Seq#Index(read($Heap, n#20, _module.Node.children), j#2)): ref != null) + { + assert {:subsumption 0} n#20 != null; + assert {:subsumption 0} 0 <= j#2 && j#2 < Seq#Length(read($Heap, n#20, _module.Node.children)); + assert {:subsumption 0} $Unbox(Seq#Index(read($Heap, n#20, _module.Node.children), j#2)): ref != null; + } + } + } + + // End Comprehension WF check + } + } + } + + // End Comprehension WF check + assume true; + assume (forall n#21: ref :: + { read($Heap, n#21, _module.Node.marked) } + { Seq#Contains(stackNodes#0, $Box(n#21)) } + $Is(n#21, Tclass._module.Node()) + ==> + Seq#Contains(stackNodes#0, $Box(n#21)) || n#21 == t#0 + ==> read($Heap, n#21, _module.Node.marked)) + && (forall n#21: ref :: + { read($Heap, n#21, _module.Node.children) } + { read($Heap, n#21, _module.Node.childrenVisited) } + { Seq#Contains(stackNodes#0, $Box(n#21)) } + $Is(n#21, Tclass._module.Node()) + ==> + Seq#Contains(stackNodes#0, $Box(n#21)) || n#21 == t#0 + ==> (forall j#3: int :: + { $Unbox(Seq#Index(read($Heap, n#21, _module.Node.children), j#3)): ref } + true + ==> + LitInt(0) <= j#3 && j#3 < read($Heap, n#21, _module.Node.childrenVisited) + ==> $Unbox(Seq#Index(read($Heap, n#21, _module.Node.children), j#3)): ref == null + || read($Heap, + $Unbox(Seq#Index(read($Heap, n#21, _module.Node.children), j#3)): ref, + _module.Node.marked))); + if ($IsAlloc(path#0, Tclass._module.Path(), old($Heap))) + { + assert defass#t#0; + ##source#1 := root#0; + ##p#0 := path#0; + ##sink#1 := t#0; + ##S#1 := S#0; + assert $IsAlloc(root#0, Tclass._module.Node(), old($Heap)); + assert $IsAlloc(path#0, Tclass._module.Path(), old($Heap)); + assert $IsAlloc(t#0, Tclass._module.Node(), old($Heap)); + assert $IsAlloc(S#0, TSet(Tclass._module.Node()), old($Heap)); + assume _module.__default.ReachableVia#canCall(old($Heap), root#0, path#0, t#0, S#0); + } + + assume $IsAlloc(path#0, Tclass._module.Path(), old($Heap)) + ==> _module.__default.ReachableVia#canCall(old($Heap), root#0, path#0, t#0, S#0); + assume $IsAlloc(path#0, Tclass._module.Path(), old($Heap)) + && _module.__default.ReachableVia($LS($LZ), old($Heap), root#0, path#0, t#0, S#0); + // Begin Comprehension WF check + havoc n#24; + if ($Is(n#24, Tclass._module.Node()) && $IsAlloc(n#24, Tclass._module.Node(), $Heap)) + { + if (S#0[$Box(n#24)]) + { + assert {:subsumption 0} n#24 != null; + } + + if (S#0[$Box(n#24)] && read($Heap, n#24, _module.Node.marked)) + { + havoc pth#Z#0; + assume $Is(pth#Z#0, Tclass._module.Path()) + && $IsAlloc(pth#Z#0, Tclass._module.Path(), $Heap); + assert {:subsumption 0} n#24 != null; + assume let#0#0#0 == read($Heap, n#24, _module.Node.pathFromRoot); + assume true; + // CheckWellformedWithResult: any expression + assume $Is(let#0#0#0, Tclass._module.Path()); + assume pth#Z#0 == let#0#0#0; + if ($IsAlloc(pth#Z#0, Tclass._module.Path(), old($Heap))) + { + ##source#2 := root#0; + ##p#1 := pth#Z#0; + ##sink#2 := n#24; + ##S#2 := S#0; + assert $IsAlloc(root#0, Tclass._module.Node(), old($Heap)); + assert $IsAlloc(pth#Z#0, Tclass._module.Path(), old($Heap)); + assert $IsAlloc(n#24, Tclass._module.Node(), old($Heap)); + assert $IsAlloc(S#0, TSet(Tclass._module.Node()), old($Heap)); + assume _module.__default.ReachableVia#canCall(old($Heap), root#0, pth#Z#0, n#24, S#0); + } + } + } + + // End Comprehension WF check + assume (forall n#25: ref :: + { _module.__default.ReachableVia($LS($LZ), + old($Heap), + root#0, + read(old($Heap), n#25, _module.Node.pathFromRoot), + n#25, + S#0) } + { read($Heap, n#25, _module.Node.pathFromRoot) } + { read($Heap, n#25, _module.Node.marked) } + { S#0[$Box(n#25)] } + $Is(n#25, Tclass._module.Node()) + ==> + S#0[$Box(n#25)] + ==> + read($Heap, n#25, _module.Node.marked) + ==> (var pth#0 := read($Heap, n#25, _module.Node.pathFromRoot); + $IsAlloc(pth#0, Tclass._module.Path(), old($Heap)) + ==> _module.__default.ReachableVia#canCall(old($Heap), root#0, pth#0, n#25, S#0))); + assume (forall n#25: ref :: + { _module.__default.ReachableVia($LS($LZ), + old($Heap), + root#0, + read(old($Heap), n#25, _module.Node.pathFromRoot), + n#25, + S#0) } + { read($Heap, n#25, _module.Node.pathFromRoot) } + { read($Heap, n#25, _module.Node.marked) } + { S#0[$Box(n#25)] } + $Is(n#25, Tclass._module.Node()) + ==> + S#0[$Box(n#25)] && read($Heap, n#25, _module.Node.marked) + ==> (var pth#0 := read($Heap, n#25, _module.Node.pathFromRoot); + $IsAlloc(pth#0, Tclass._module.Path(), old($Heap)) + && _module.__default.ReachableVia($LS($LZ), old($Heap), root#0, pth#0, n#25, S#0))); + // Begin Comprehension WF check + havoc n#26; + if ($Is(n#26, Tclass._module.Node()) && $IsAlloc(n#26, Tclass._module.Node(), $Heap)) + { + if (S#0[$Box(n#26)]) + { + assert {:subsumption 0} n#26 != null; + } + + if (S#0[$Box(n#26)] && read($Heap, n#26, _module.Node.marked)) + { + ##source#3 := root#0; + ##sink#3 := n#26; + ##S#3 := S#0; + assert $IsAlloc(root#0, Tclass._module.Node(), old($Heap)); + assert $IsAlloc(n#26, Tclass._module.Node(), old($Heap)); + assert $IsAlloc(S#0, TSet(Tclass._module.Node()), old($Heap)); + assume _module.__default.Reachable#canCall(old($Heap), root#0, n#26, S#0); + } + } + + // End Comprehension WF check + assume (forall n#27: ref :: + { _module.__default.Reachable(old($Heap), root#0, n#27, S#0) } + { read($Heap, n#27, _module.Node.marked) } + { S#0[$Box(n#27)] } + $Is(n#27, Tclass._module.Node()) + ==> + S#0[$Box(n#27)] + ==> + read($Heap, n#27, _module.Node.marked) + ==> _module.__default.Reachable#canCall(old($Heap), root#0, n#27, S#0)); + assume (forall n#27: ref :: + { _module.__default.Reachable(old($Heap), root#0, n#27, S#0) } + { read($Heap, n#27, _module.Node.marked) } + { S#0[$Box(n#27)] } + $Is(n#27, Tclass._module.Node()) + ==> + S#0[$Box(n#27)] && read($Heap, n#27, _module.Node.marked) + ==> _module.__default.Reachable(old($Heap), root#0, n#27, S#0)); + // Begin Comprehension WF check + havoc n#28; + if ($Is(n#28, Tclass._module.Node()) && $IsAlloc(n#28, Tclass._module.Node(), $Heap)) + { + if (S#0[$Box(n#28)]) + { + assert {:subsumption 0} n#28 != null; + } + + if (S#0[$Box(n#28)] && !read($Heap, n#28, _module.Node.marked)) + { + } + } + + // End Comprehension WF check + assume true; + assume (forall n#29: ref :: + { unmarkedNodes#0[$Box(n#29)] } + { read($Heap, n#29, _module.Node.marked) } + { S#0[$Box(n#29)] } + $Is(n#29, Tclass._module.Node()) + ==> + S#0[$Box(n#29)] && !read($Heap, n#29, _module.Node.marked) + ==> unmarkedNodes#0[$Box(n#29)]); + assume true; + assume true; + assert defass#t#0; + assert t#0 != null; + assert defass#t#0; + assert t#0 != null; + assume true; + assume false; + } + + assume true; + if (!Lit(true)) + { + break; + } + + $decr$loop#00 := unmarkedNodes#0; + $decr$loop#01 := stackNodes#0; + $decr$loop#02 := Seq#Length(read($Heap, t#0, _module.Node.children)) + - read($Heap, t#0, _module.Node.childrenVisited); + // ----- if statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(258,5) + assert defass#t#0; + assert t#0 != null; + assert defass#t#0; + assert t#0 != null; + assume true; + if (read($Heap, t#0, _module.Node.childrenVisited) + == Seq#Length(read($Heap, t#0, _module.Node.children))) + { + // ----- assert statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(259,7) + assume true; + assert {:focus} Lit(true); + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(261,25) + assert defass#t#0; + assert t#0 != null; + assume true; + assert $_Frame[t#0, _module.Node.childrenVisited]; + assume true; + assert $Is(LitInt(0), Tclass._System.nat()); + $rhs#0_0_0 := LitInt(0); + $Heap := update($Heap, t#0, _module.Node.childrenVisited, $rhs#0_0_0); + assume $IsGoodHeap($Heap); + // ----- if statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(262,7) + newtype$check#0_0_0 := null; + assume true; + if (p#0 == null) + { + // ----- return statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(263,9) + return; + } + else + { + } + + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(265,16) + assume true; + assert p#0 != null; + assert p#0 != null; + assert 0 <= read($Heap, p#0, _module.Node.childrenVisited) + && read($Heap, p#0, _module.Node.childrenVisited) + < Seq#Length(read($Heap, p#0, _module.Node.children)); + assume true; + oldP#0_0_0 := $Unbox(Seq#Index(read($Heap, p#0, _module.Node.children), + read($Heap, p#0, _module.Node.childrenVisited))): ref; + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(266,18) + assert p#0 != null; + assume true; + assert $_Frame[p#0, _module.Node.children]; + assert p#0 != null; + assert p#0 != null; + assert 0 <= read($Heap, p#0, _module.Node.childrenVisited) + && read($Heap, p#0, _module.Node.childrenVisited) + < Seq#Length(read($Heap, p#0, _module.Node.children)); + assert defass#t#0; + assume true; + $rhs#0_0_1 := Seq#Update(read($Heap, p#0, _module.Node.children), + read($Heap, p#0, _module.Node.childrenVisited), + $Box(t#0)); + $Heap := update($Heap, p#0, _module.Node.children, $rhs#0_0_1); + assume $IsGoodHeap($Heap); + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(267,9) + assume true; + assume true; + assert $Is(p#0, Tclass._module.Node()); + t#0 := p#0; + defass#t#0 := true; + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(268,9) + assume true; + assume true; + p#0 := oldP#0_0_0; + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(269,18) + assume true; + assert 0 <= Seq#Length(stackNodes#0) - 1 + && Seq#Length(stackNodes#0) - 1 <= Seq#Length(stackNodes#0); + assume true; + stackNodes#0 := Seq#Take(stackNodes#0, Seq#Length(stackNodes#0) - 1); + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(270,25) + assert defass#t#0; + assert t#0 != null; + assume true; + assert $_Frame[t#0, _module.Node.childrenVisited]; + assert defass#t#0; + assert t#0 != null; + assume true; + assert $Is(read($Heap, t#0, _module.Node.childrenVisited) + 1, Tclass._System.nat()); + $rhs#0_0_2 := read($Heap, t#0, _module.Node.childrenVisited) + 1; + $Heap := update($Heap, t#0, _module.Node.childrenVisited, $rhs#0_0_2); + assume $IsGoodHeap($Heap); + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(271,12) + assume true; + assert defass#t#0; + assert t#0 != null; + assume true; + path#0 := read($Heap, t#0, _module.Node.pathFromRoot); + } + else + { + // ----- if statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(273,12) + assert defass#t#0; + assert t#0 != null; + assert defass#t#0; + assert t#0 != null; + assert 0 <= read($Heap, t#0, _module.Node.childrenVisited) + && read($Heap, t#0, _module.Node.childrenVisited) + < Seq#Length(read($Heap, t#0, _module.Node.children)); + newtype$check#0_1_0 := null; + if ($Unbox(Seq#Index(read($Heap, t#0, _module.Node.children), + read($Heap, t#0, _module.Node.childrenVisited))): ref + != null) + { + assert defass#t#0; + assert t#0 != null; + assert defass#t#0; + assert t#0 != null; + assert 0 <= read($Heap, t#0, _module.Node.childrenVisited) + && read($Heap, t#0, _module.Node.childrenVisited) + < Seq#Length(read($Heap, t#0, _module.Node.children)); + assert $Unbox(Seq#Index(read($Heap, t#0, _module.Node.children), + read($Heap, t#0, _module.Node.childrenVisited))): ref + != null; + } + + assume true; + if ($Unbox(Seq#Index(read($Heap, t#0, _module.Node.children), + read($Heap, t#0, _module.Node.childrenVisited))): ref + == null + || read($Heap, + $Unbox(Seq#Index(read($Heap, t#0, _module.Node.children), + read($Heap, t#0, _module.Node.childrenVisited))): ref, + _module.Node.marked)) + { + // ----- assert statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(274,7) + assume true; + assert {:focus} Lit(true); + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(276,25) + assert defass#t#0; + assert t#0 != null; + assume true; + assert $_Frame[t#0, _module.Node.childrenVisited]; + assert defass#t#0; + assert t#0 != null; + assume true; + assert $Is(read($Heap, t#0, _module.Node.childrenVisited) + 1, Tclass._System.nat()); + $rhs#0_1_0_0 := read($Heap, t#0, _module.Node.childrenVisited) + 1; + $Heap := update($Heap, t#0, _module.Node.childrenVisited, $rhs#0_1_0_0); + assume $IsGoodHeap($Heap); + } + else + { + // ----- assert statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(279,7) + assume true; + assert {:focus} Lit(true); + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(282,16) + assume true; + assert defass#t#0; + assert t#0 != null; + assert defass#t#0; + assert t#0 != null; + assert 0 <= read($Heap, t#0, _module.Node.childrenVisited) + && read($Heap, t#0, _module.Node.childrenVisited) + < Seq#Length(read($Heap, t#0, _module.Node.children)); + assume true; + newT#0_1_1_0 := $Unbox(Seq#Index(read($Heap, t#0, _module.Node.children), + read($Heap, t#0, _module.Node.childrenVisited))): ref; + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(283,18) + assert defass#t#0; + assert t#0 != null; + assume true; + assert $_Frame[t#0, _module.Node.children]; + assert defass#t#0; + assert t#0 != null; + assert defass#t#0; + assert t#0 != null; + assert 0 <= read($Heap, t#0, _module.Node.childrenVisited) + && read($Heap, t#0, _module.Node.childrenVisited) + < Seq#Length(read($Heap, t#0, _module.Node.children)); + assume true; + $rhs#0_1_1_0 := Seq#Update(read($Heap, t#0, _module.Node.children), + read($Heap, t#0, _module.Node.childrenVisited), + $Box(p#0)); + $Heap := update($Heap, t#0, _module.Node.children, $rhs#0_1_1_0); + assume $IsGoodHeap($Heap); + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(284,9) + assume true; + assert defass#t#0; + assume true; + p#0 := t#0; + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(285,18) + assume true; + assert defass#t#0; + assume true; + stackNodes#0 := Seq#Append(stackNodes#0, Seq#Build(Seq#Empty(): Seq Box, $Box(t#0))); + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(286,12) + assume true; + assert defass#t#0; + assume true; + path#0 := #_module.Path.Extend(path#0, t#0); + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(287,9) + assume true; + assume true; + assert $Is(newT#0_1_1_0, Tclass._module.Node()); + t#0 := newT#0_1_1_0; + defass#t#0 := true; + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(288,16) + assert defass#t#0; + assert t#0 != null; + assume true; + assert $_Frame[t#0, _module.Node.marked]; + assume true; + $rhs#0_1_1_1 := Lit(true); + $Heap := update($Heap, t#0, _module.Node.marked, $rhs#0_1_1_1); + assume $IsGoodHeap($Heap); + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(289,22) + assert defass#t#0; + assert t#0 != null; + assume true; + assert $_Frame[t#0, _module.Node.pathFromRoot]; + assume true; + $rhs#0_1_1_2 := path#0; + $Heap := update($Heap, t#0, _module.Node.pathFromRoot, $rhs#0_1_1_2); + assume $IsGoodHeap($Heap); + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(290,21) + assume true; + assert defass#t#0; + assume true; + unmarkedNodes#0 := Set#Difference(unmarkedNodes#0, Set#UnionOne(Set#Empty(): Set Box, $Box(t#0))); + } + } + + // ----- loop termination check ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\SchorrWaite.dfy(195,3) + assert 0 <= $decr$loop#02 + || (Set#Subset(unmarkedNodes#0, $decr$loop#00) + && !Set#Subset($decr$loop#00, unmarkedNodes#0)) + || Seq#Rank(stackNodes#0) < Seq#Rank($decr$loop#01) + || Seq#Length(read($Heap, t#0, _module.Node.children)) + - read($Heap, t#0, _module.Node.childrenVisited) + == $decr$loop#02; + assert (Set#Subset(unmarkedNodes#0, $decr$loop#00) + && !Set#Subset($decr$loop#00, unmarkedNodes#0)) + || (Set#Equal(unmarkedNodes#0, $decr$loop#00) + && (Seq#Rank(stackNodes#0) < Seq#Rank($decr$loop#01) + || (Seq#Rank(stackNodes#0) == Seq#Rank($decr$loop#01) + && Seq#Length(read($Heap, t#0, _module.Node.children)) + - read($Heap, t#0, _module.Node.childrenVisited) + < $decr$loop#02))); + assume (forall i#1: int :: + { $Unbox(Seq#Index(stackNodes#0, i#1)): ref } + true + ==> + LitInt(0) <= i#1 && i#1 < Seq#Length(stackNodes#0) + ==> S#0[Seq#Index(stackNodes#0, i#1)]) + ==> + S#0[$Box(t#0)] + ==> + !Seq#Contains(stackNodes#0, $Box(t#0)) + ==> + p#0 + == (if Seq#Length(stackNodes#0) == LitInt(0) + then null + else $Unbox(Seq#Index(stackNodes#0, Seq#Length(stackNodes#0) - 1)): ref) + ==> + (forall n#11: ref :: + { read($Heap, n#11, _module.Node.children) } + { read($Heap, n#11, _module.Node.childrenVisited) } + { Seq#Contains(stackNodes#0, $Box(n#11)) } + $Is(n#11, Tclass._module.Node()) + ==> + Seq#Contains(stackNodes#0, $Box(n#11)) + ==> read($Heap, n#11, _module.Node.childrenVisited) + < Seq#Length(read($Heap, n#11, _module.Node.children))) + ==> + read($Heap, t#0, _module.Node.childrenVisited) + <= Seq#Length(read($Heap, t#0, _module.Node.children)) + ==> + (forall n#13: ref :: + { read($Heap, n#13, _module.Node.childrenVisited) } + { Seq#Contains(stackNodes#0, $Box(n#13)) } + { S#0[$Box(n#13)] } + $Is(n#13, Tclass._module.Node()) + ==> + S#0[$Box(n#13)] && !Seq#Contains(stackNodes#0, $Box(n#13)) && n#13 != t#0 + ==> read($Heap, n#13, _module.Node.childrenVisited) == LitInt(0)) + ==> + (forall n#15: ref :: + { read($Heap, n#15, _module.Node.childrenVisited) } + { read(old($Heap), n#15, _module.Node.children) } + { read($Heap, n#15, _module.Node.children) } + { Seq#Contains(stackNodes#0, $Box(n#15)) } + $Is(n#15, Tclass._module.Node()) + ==> (Seq#Contains(stackNodes#0, $Box(n#15)) + ==> Seq#Length(read($Heap, n#15, _module.Node.children)) + == Seq#Length(read(old($Heap), n#15, _module.Node.children))) + && (Seq#Contains(stackNodes#0, $Box(n#15)) + ==> (forall j#1: int :: + { $Unbox(Seq#Index(read(old($Heap), n#15, _module.Node.children), j#1)): ref } + { $Unbox(Seq#Index(read($Heap, n#15, _module.Node.children), j#1)): ref } + true + ==> + LitInt(0) <= j#1 && j#1 < Seq#Length(read($Heap, n#15, _module.Node.children)) + ==> j#1 == read($Heap, n#15, _module.Node.childrenVisited) + || $Unbox(Seq#Index(read($Heap, n#15, _module.Node.children), j#1)): ref + == $Unbox(Seq#Index(read(old($Heap), n#15, _module.Node.children), j#1)): ref))) + ==> + (forall n#17: ref :: + { read(old($Heap), n#17, _module.Node.children) } + { read($Heap, n#17, _module.Node.children) } + { Seq#Contains(stackNodes#0, $Box(n#17)) } + { S#0[$Box(n#17)] } + $Is(n#17, Tclass._module.Node()) + ==> + S#0[$Box(n#17)] && !Seq#Contains(stackNodes#0, $Box(n#17)) + ==> Seq#Equal(read($Heap, n#17, _module.Node.children), + read(old($Heap), n#17, _module.Node.children))) + ==> + (0 < Seq#Length(stackNodes#0) + ==> $Unbox(Seq#Index(read($Heap, $Unbox(Seq#Index(stackNodes#0, LitInt(0))): ref, _module.Node.children), + read($Heap, + $Unbox(Seq#Index(stackNodes#0, LitInt(0))): ref, + _module.Node.childrenVisited))): ref + == null) + ==> + (forall k#1: int :: + {:matchinglooprewrite false} { read($Heap, $Unbox(Seq#Index(stackNodes#0, k#1)): ref, _module.Node.childrenVisited) } + { read($Heap, $Unbox(Seq#Index(stackNodes#0, k#1)): ref, _module.Node.children) } + true + ==> + 0 < k#1 && k#1 < Seq#Length(stackNodes#0) + ==> $Unbox(Seq#Index(read($Heap, $Unbox(Seq#Index(stackNodes#0, k#1)): ref, _module.Node.children), + read($Heap, $Unbox(Seq#Index(stackNodes#0, k#1)): ref, _module.Node.childrenVisited))): ref + == $Unbox(Seq#Index(stackNodes#0, k#1 - 1)): ref) + ==> + (forall k#3: int :: + {:matchinglooprewrite false} { read($Heap, $Unbox(Seq#Index(stackNodes#0, k#3)): ref, _module.Node.childrenVisited) } + { $Unbox(Seq#Index(stackNodes#0, k#3)): ref } + true + ==> + LitInt(0) <= k#3 && k#3 < Seq#Length(stackNodes#0) - 1 + ==> $Unbox(Seq#Index(read(old($Heap), $Unbox(Seq#Index(stackNodes#0, k#3)): ref, _module.Node.children), + read($Heap, $Unbox(Seq#Index(stackNodes#0, k#3)): ref, _module.Node.childrenVisited))): ref + == $Unbox(Seq#Index(stackNodes#0, k#3 + 1)): ref) + ==> + (0 < Seq#Length(stackNodes#0) + ==> $Unbox(Seq#Index(read(old($Heap), + $Unbox(Seq#Index(stackNodes#0, Seq#Length(stackNodes#0) - 1)): ref, + _module.Node.children), + read($Heap, + $Unbox(Seq#Index(stackNodes#0, Seq#Length(stackNodes#0) - 1)): ref, + _module.Node.childrenVisited))): ref + == t#0) + ==> + read($Heap, root#0, _module.Node.marked) + ==> + (forall n#19: ref :: + { read($Heap, n#19, _module.Node.children) } + { Seq#Contains(stackNodes#0, $Box(n#19)) } + { read($Heap, n#19, _module.Node.marked) } + { S#0[$Box(n#19)] } + $Is(n#19, Tclass._module.Node()) + ==> + S#0[$Box(n#19)] + && read($Heap, n#19, _module.Node.marked) + && !Seq#Contains(stackNodes#0, $Box(n#19)) + && n#19 != t#0 + ==> (forall ch#7: ref :: + { read($Heap, ch#7, _module.Node.marked) } + { Seq#Contains(read($Heap, n#19, _module.Node.children), $Box(ch#7)) } + $Is(ch#7, Tclass._module.Node?()) + ==> + Seq#Contains(read($Heap, n#19, _module.Node.children), $Box(ch#7)) + && ch#7 != null + ==> read($Heap, ch#7, _module.Node.marked))) + ==> + (forall n#21: ref :: + { read($Heap, n#21, _module.Node.marked) } + { Seq#Contains(stackNodes#0, $Box(n#21)) } + $Is(n#21, Tclass._module.Node()) + ==> + Seq#Contains(stackNodes#0, $Box(n#21)) || n#21 == t#0 + ==> read($Heap, n#21, _module.Node.marked)) + && (forall n#21: ref :: + { read($Heap, n#21, _module.Node.children) } + { read($Heap, n#21, _module.Node.childrenVisited) } + { Seq#Contains(stackNodes#0, $Box(n#21)) } + $Is(n#21, Tclass._module.Node()) + ==> + Seq#Contains(stackNodes#0, $Box(n#21)) || n#21 == t#0 + ==> (forall j#3: int :: + { $Unbox(Seq#Index(read($Heap, n#21, _module.Node.children), j#3)): ref } + true + ==> + LitInt(0) <= j#3 && j#3 < read($Heap, n#21, _module.Node.childrenVisited) + ==> $Unbox(Seq#Index(read($Heap, n#21, _module.Node.children), j#3)): ref == null + || read($Heap, + $Unbox(Seq#Index(read($Heap, n#21, _module.Node.children), j#3)): ref, + _module.Node.marked))) + ==> + $IsAlloc(path#0, Tclass._module.Path(), old($Heap)) + ==> _module.__default.ReachableVia#canCall(old($Heap), root#0, path#0, t#0, S#0) + && (_module.__default.ReachableVia($LS($LZ), old($Heap), root#0, path#0, t#0, S#0) + ==> (forall n#25: ref :: + { _module.__default.ReachableVia($LS($LZ), + old($Heap), + root#0, + read(old($Heap), n#25, _module.Node.pathFromRoot), + n#25, + S#0) } + { read($Heap, n#25, _module.Node.pathFromRoot) } + { read($Heap, n#25, _module.Node.marked) } + { S#0[$Box(n#25)] } + $Is(n#25, Tclass._module.Node()) + ==> + S#0[$Box(n#25)] + ==> + read($Heap, n#25, _module.Node.marked) + ==> (var pth#0 := read($Heap, n#25, _module.Node.pathFromRoot); + $IsAlloc(pth#0, Tclass._module.Path(), old($Heap)) + ==> _module.__default.ReachableVia#canCall(old($Heap), root#0, pth#0, n#25, S#0))) + && ((forall n#25: ref :: + { _module.__default.ReachableVia($LS($LZ), + old($Heap), + root#0, + read(old($Heap), n#25, _module.Node.pathFromRoot), + n#25, + S#0) } + { read($Heap, n#25, _module.Node.pathFromRoot) } + { read($Heap, n#25, _module.Node.marked) } + { S#0[$Box(n#25)] } + $Is(n#25, Tclass._module.Node()) + ==> + S#0[$Box(n#25)] && read($Heap, n#25, _module.Node.marked) + ==> (var pth#0 := read($Heap, n#25, _module.Node.pathFromRoot); + $IsAlloc(pth#0, Tclass._module.Path(), old($Heap)) + && _module.__default.ReachableVia($LS($LZ), old($Heap), root#0, pth#0, n#25, S#0))) + ==> (forall n#27: ref :: + { _module.__default.Reachable(old($Heap), root#0, n#27, S#0) } + { read($Heap, n#27, _module.Node.marked) } + { S#0[$Box(n#27)] } + $Is(n#27, Tclass._module.Node()) + ==> + S#0[$Box(n#27)] + ==> + read($Heap, n#27, _module.Node.marked) + ==> _module.__default.Reachable#canCall(old($Heap), root#0, n#27, S#0)))); + } +} + + + +const unique tytagFamily$nat: TyTagFamily; + +const unique tytagFamily$object: TyTagFamily; + +const unique tytagFamily$array: TyTagFamily; + +const unique tytagFamily$_#Func1: TyTagFamily; + +const unique tytagFamily$_#PartialFunc1: TyTagFamily; + +const unique tytagFamily$_#TotalFunc1: TyTagFamily; + +const unique tytagFamily$_#Func0: TyTagFamily; + +const unique tytagFamily$_#PartialFunc0: TyTagFamily; + +const unique tytagFamily$_#TotalFunc0: TyTagFamily; + +const unique tytagFamily$_#Func3: TyTagFamily; + +const unique tytagFamily$_#PartialFunc3: TyTagFamily; + +const unique tytagFamily$_#TotalFunc3: TyTagFamily; + +const unique tytagFamily$_#Func4: TyTagFamily; + +const unique tytagFamily$_#PartialFunc4: TyTagFamily; + +const unique tytagFamily$_#TotalFunc4: TyTagFamily; + +const unique tytagFamily$_tuple#2: TyTagFamily; + +const unique tytagFamily$_tuple#0: TyTagFamily; + +const unique tytagFamily$Node: TyTagFamily; + +const unique tytagFamily$Path: TyTagFamily; + +const unique tytagFamily$_default: TyTagFamily; + +const unique field$children: NameFamily; + +const unique field$marked: NameFamily; + +const unique field$childrenVisited: NameFamily; + +const unique field$pathFromRoot: NameFamily; diff --git a/Test/monomorphize/dafny/TreeBarrier.dfy.bpl b/Test/monomorphize/dafny/TreeBarrier.dfy.bpl new file mode 100644 index 000000000..b0a6c2294 --- /dev/null +++ b/Test/monomorphize/dafny/TreeBarrier.dfy.bpl @@ -0,0 +1,6421 @@ +// Dafny 3.7.3.40719 +// Command Line Options: /compile:0 /print:TreeBarrier.dfy.bpl +// RUN: %parallel-boogie /monomorphize /noVerify "%s" > "%t" + +type Ty; + +type TyTag; + +type TyTagFamily; + +type char; + +type ref; + +type Box; + +type ClassName; + +type HandleType; + +type DatatypeType; + +type DtCtorId; + +type LayerType; + +type Field _; + +type NameFamily; + +type TickType; + +type Seq _; + +type Map _ _; + +type IMap _ _; + +const $$Language$Dafny: bool; + +axiom $$Language$Dafny; + +type Bv0 = int; + +const unique TBool: Ty; + +axiom Tag(TBool) == TagBool; + +const unique TChar: Ty; + +axiom Tag(TChar) == TagChar; + +const unique TInt: Ty; + +axiom Tag(TInt) == TagInt; + +const unique TReal: Ty; + +axiom Tag(TReal) == TagReal; + +const unique TORDINAL: Ty; + +axiom Tag(TORDINAL) == TagORDINAL; + +axiom (forall w: int :: { TBitvector(w) } Inv0_TBitvector(TBitvector(w)) == w); + +function TBitvector(int) : Ty; + +axiom (forall t: Ty :: { TSet(t) } Inv0_TSet(TSet(t)) == t); + +axiom (forall t: Ty :: { TSet(t) } Tag(TSet(t)) == TagSet); + +function TSet(Ty) : Ty; + +axiom (forall t: Ty :: { TISet(t) } Inv0_TISet(TISet(t)) == t); + +axiom (forall t: Ty :: { TISet(t) } Tag(TISet(t)) == TagISet); + +function TISet(Ty) : Ty; + +axiom (forall t: Ty :: { TMultiSet(t) } Inv0_TMultiSet(TMultiSet(t)) == t); + +axiom (forall t: Ty :: { TMultiSet(t) } Tag(TMultiSet(t)) == TagMultiSet); + +function TMultiSet(Ty) : Ty; + +axiom (forall t: Ty :: { TSeq(t) } Inv0_TSeq(TSeq(t)) == t); + +axiom (forall t: Ty :: { TSeq(t) } Tag(TSeq(t)) == TagSeq); + +function TSeq(Ty) : Ty; + +axiom (forall t: Ty, u: Ty :: { TMap(t, u) } Inv0_TMap(TMap(t, u)) == t); + +axiom (forall t: Ty, u: Ty :: { TMap(t, u) } Inv1_TMap(TMap(t, u)) == u); + +axiom (forall t: Ty, u: Ty :: { TMap(t, u) } Tag(TMap(t, u)) == TagMap); + +function TMap(Ty, Ty) : Ty; + +axiom (forall t: Ty, u: Ty :: { TIMap(t, u) } Inv0_TIMap(TIMap(t, u)) == t); + +axiom (forall t: Ty, u: Ty :: { TIMap(t, u) } Inv1_TIMap(TIMap(t, u)) == u); + +axiom (forall t: Ty, u: Ty :: { TIMap(t, u) } Tag(TIMap(t, u)) == TagIMap); + +function TIMap(Ty, Ty) : Ty; + +function Inv0_TBitvector(Ty) : int; + +function Inv0_TSet(Ty) : Ty; + +function Inv0_TISet(Ty) : Ty; + +function Inv0_TSeq(Ty) : Ty; + +function Inv0_TMultiSet(Ty) : Ty; + +function Inv0_TMap(Ty) : Ty; + +function Inv1_TMap(Ty) : Ty; + +function Inv0_TIMap(Ty) : Ty; + +function Inv1_TIMap(Ty) : Ty; + +function Tag(Ty) : TyTag; + +const unique TagBool: TyTag; + +const unique TagChar: TyTag; + +const unique TagInt: TyTag; + +const unique TagReal: TyTag; + +const unique TagORDINAL: TyTag; + +const unique TagSet: TyTag; + +const unique TagISet: TyTag; + +const unique TagMultiSet: TyTag; + +const unique TagSeq: TyTag; + +const unique TagMap: TyTag; + +const unique TagIMap: TyTag; + +const unique TagClass: TyTag; + +function TagFamily(Ty) : TyTagFamily; + +axiom (forall x: T :: { $Box(Lit(x)) } $Box(Lit(x)) == Lit($Box(x))); + +function {:identity} Lit(x: T) : T; + +axiom (forall x: T :: {:identity} { Lit(x): T } Lit(x): T == x); + +axiom (forall x: int :: { $Box(LitInt(x)) } $Box(LitInt(x)) == Lit($Box(x))); + +function {:identity} LitInt(x: int) : int; + +axiom (forall x: int :: {:identity} { LitInt(x): int } LitInt(x): int == x); + +axiom (forall x: real :: { $Box(LitReal(x)) } $Box(LitReal(x)) == Lit($Box(x))); + +function {:identity} LitReal(x: real) : real; + +axiom (forall x: real :: {:identity} { LitReal(x): real } LitReal(x): real == x); + +axiom (forall n: int :: + { char#FromInt(n) } + 0 <= n && n < 65536 ==> char#ToInt(char#FromInt(n)) == n); + +function char#FromInt(int) : char; + +axiom (forall ch: char :: + { char#ToInt(ch) } + char#FromInt(char#ToInt(ch)) == ch + && 0 <= char#ToInt(ch) + && char#ToInt(ch) < 65536); + +function char#ToInt(char) : int; + +axiom (forall a: char, b: char :: + { char#Plus(a, b) } + char#Plus(a, b) == char#FromInt(char#ToInt(a) + char#ToInt(b))); + +function char#Plus(char, char) : char; + +axiom (forall a: char, b: char :: + { char#Minus(a, b) } + char#Minus(a, b) == char#FromInt(char#ToInt(a) - char#ToInt(b))); + +function char#Minus(char, char) : char; + +const null: ref; + +const $ArbitraryBoxValue: Box; + +axiom (forall x: T :: { $Box(x) } $Unbox($Box(x)) == x); + +function $Box(T) : Box; + +function $Unbox(Box) : T; + +function $IsBox(T, Ty) : bool; + +function $IsAllocBox(T, Ty, Heap) : bool; + +axiom (forall bx: Box :: + { $IsBox(bx, TInt) } + $IsBox(bx, TInt) ==> $Box($Unbox(bx): int) == bx && $Is($Unbox(bx): int, TInt)); + +axiom (forall bx: Box :: + { $IsBox(bx, TReal) } + $IsBox(bx, TReal) + ==> $Box($Unbox(bx): real) == bx && $Is($Unbox(bx): real, TReal)); + +axiom (forall bx: Box :: + { $IsBox(bx, TBool) } + $IsBox(bx, TBool) + ==> $Box($Unbox(bx): bool) == bx && $Is($Unbox(bx): bool, TBool)); + +axiom (forall bx: Box :: + { $IsBox(bx, TChar) } + $IsBox(bx, TChar) + ==> $Box($Unbox(bx): char) == bx && $Is($Unbox(bx): char, TChar)); + +axiom (forall bx: Box :: + { $IsBox(bx, TBitvector(0)) } + $IsBox(bx, TBitvector(0)) + ==> $Box($Unbox(bx): Bv0) == bx && $Is($Unbox(bx): Set Box, TBitvector(0))); + +axiom (forall bx: Box, t: Ty :: + { $IsBox(bx, TSet(t)) } + $IsBox(bx, TSet(t)) + ==> $Box($Unbox(bx): Set Box) == bx && $Is($Unbox(bx): Set Box, TSet(t))); + +axiom (forall bx: Box, t: Ty :: + { $IsBox(bx, TISet(t)) } + $IsBox(bx, TISet(t)) + ==> $Box($Unbox(bx): ISet Box) == bx && $Is($Unbox(bx): ISet Box, TISet(t))); + +axiom (forall bx: Box, t: Ty :: + { $IsBox(bx, TMultiSet(t)) } + $IsBox(bx, TMultiSet(t)) + ==> $Box($Unbox(bx): MultiSet Box) == bx + && $Is($Unbox(bx): MultiSet Box, TMultiSet(t))); + +axiom (forall bx: Box, t: Ty :: + { $IsBox(bx, TSeq(t)) } + $IsBox(bx, TSeq(t)) + ==> $Box($Unbox(bx): Seq Box) == bx && $Is($Unbox(bx): Seq Box, TSeq(t))); + +axiom (forall bx: Box, s: Ty, t: Ty :: + { $IsBox(bx, TMap(s, t)) } + $IsBox(bx, TMap(s, t)) + ==> $Box($Unbox(bx): Map Box Box) == bx && $Is($Unbox(bx): Map Box Box, TMap(s, t))); + +axiom (forall bx: Box, s: Ty, t: Ty :: + { $IsBox(bx, TIMap(s, t)) } + $IsBox(bx, TIMap(s, t)) + ==> $Box($Unbox(bx): IMap Box Box) == bx + && $Is($Unbox(bx): IMap Box Box, TIMap(s, t))); + +axiom (forall v: T, t: Ty :: + { $IsBox($Box(v), t) } + $IsBox($Box(v), t) <==> $Is(v, t)); + +axiom (forall v: T, t: Ty, h: Heap :: + { $IsAllocBox($Box(v), t, h) } + $IsAllocBox($Box(v), t, h) <==> $IsAlloc(v, t, h)); + +axiom (forall v: int :: { $Is(v, TInt) } $Is(v, TInt)); + +axiom (forall v: real :: { $Is(v, TReal) } $Is(v, TReal)); + +axiom (forall v: bool :: { $Is(v, TBool) } $Is(v, TBool)); + +axiom (forall v: char :: { $Is(v, TChar) } $Is(v, TChar)); + +axiom (forall v: ORDINAL :: { $Is(v, TORDINAL) } $Is(v, TORDINAL)); + +axiom (forall v: Bv0 :: { $Is(v, TBitvector(0)) } $Is(v, TBitvector(0))); + +axiom (forall v: Set Box, t0: Ty :: + { $Is(v, TSet(t0)) } + $Is(v, TSet(t0)) <==> (forall bx: Box :: { v[bx] } v[bx] ==> $IsBox(bx, t0))); + +axiom (forall v: ISet Box, t0: Ty :: + { $Is(v, TISet(t0)) } + $Is(v, TISet(t0)) <==> (forall bx: Box :: { v[bx] } v[bx] ==> $IsBox(bx, t0))); + +axiom (forall v: MultiSet Box, t0: Ty :: + { $Is(v, TMultiSet(t0)) } + $Is(v, TMultiSet(t0)) + <==> (forall bx: Box :: { v[bx] } 0 < v[bx] ==> $IsBox(bx, t0))); + +axiom (forall v: MultiSet Box, t0: Ty :: + { $Is(v, TMultiSet(t0)) } + $Is(v, TMultiSet(t0)) ==> $IsGoodMultiSet(v)); + +axiom (forall v: Seq Box, t0: Ty :: + { $Is(v, TSeq(t0)) } + $Is(v, TSeq(t0)) + <==> (forall i: int :: + { Seq#Index(v, i) } + 0 <= i && i < Seq#Length(v) ==> $IsBox(Seq#Index(v, i), t0))); + +axiom (forall v: Map Box Box, t0: Ty, t1: Ty :: + { $Is(v, TMap(t0, t1)) } + $Is(v, TMap(t0, t1)) + <==> (forall bx: Box :: + { Map#Elements(v)[bx] } { Map#Domain(v)[bx] } + Map#Domain(v)[bx] ==> $IsBox(Map#Elements(v)[bx], t1) && $IsBox(bx, t0))); + +axiom (forall v: Map Box Box, t0: Ty, t1: Ty :: + { $Is(v, TMap(t0, t1)) } + $Is(v, TMap(t0, t1)) + ==> $Is(Map#Domain(v), TSet(t0)) + && $Is(Map#Values(v), TSet(t1)) + && $Is(Map#Items(v), TSet(Tclass._System.Tuple2(t0, t1)))); + +axiom (forall v: IMap Box Box, t0: Ty, t1: Ty :: + { $Is(v, TIMap(t0, t1)) } + $Is(v, TIMap(t0, t1)) + <==> (forall bx: Box :: + { IMap#Elements(v)[bx] } { IMap#Domain(v)[bx] } + IMap#Domain(v)[bx] ==> $IsBox(IMap#Elements(v)[bx], t1) && $IsBox(bx, t0))); + +axiom (forall v: IMap Box Box, t0: Ty, t1: Ty :: + { $Is(v, TIMap(t0, t1)) } + $Is(v, TIMap(t0, t1)) + ==> $Is(IMap#Domain(v), TISet(t0)) + && $Is(IMap#Values(v), TISet(t1)) + && $Is(IMap#Items(v), TISet(Tclass._System.Tuple2(t0, t1)))); + +function $Is(T, Ty) : bool; + +axiom (forall h: Heap, v: int :: { $IsAlloc(v, TInt, h) } $IsAlloc(v, TInt, h)); + +axiom (forall h: Heap, v: real :: { $IsAlloc(v, TReal, h) } $IsAlloc(v, TReal, h)); + +axiom (forall h: Heap, v: bool :: { $IsAlloc(v, TBool, h) } $IsAlloc(v, TBool, h)); + +axiom (forall h: Heap, v: char :: { $IsAlloc(v, TChar, h) } $IsAlloc(v, TChar, h)); + +axiom (forall h: Heap, v: ORDINAL :: + { $IsAlloc(v, TORDINAL, h) } + $IsAlloc(v, TORDINAL, h)); + +axiom (forall v: Bv0, h: Heap :: + { $IsAlloc(v, TBitvector(0), h) } + $IsAlloc(v, TBitvector(0), h)); + +axiom (forall v: Set Box, t0: Ty, h: Heap :: + { $IsAlloc(v, TSet(t0), h) } + $IsAlloc(v, TSet(t0), h) + <==> (forall bx: Box :: { v[bx] } v[bx] ==> $IsAllocBox(bx, t0, h))); + +axiom (forall v: ISet Box, t0: Ty, h: Heap :: + { $IsAlloc(v, TISet(t0), h) } + $IsAlloc(v, TISet(t0), h) + <==> (forall bx: Box :: { v[bx] } v[bx] ==> $IsAllocBox(bx, t0, h))); + +axiom (forall v: MultiSet Box, t0: Ty, h: Heap :: + { $IsAlloc(v, TMultiSet(t0), h) } + $IsAlloc(v, TMultiSet(t0), h) + <==> (forall bx: Box :: { v[bx] } 0 < v[bx] ==> $IsAllocBox(bx, t0, h))); + +axiom (forall v: Seq Box, t0: Ty, h: Heap :: + { $IsAlloc(v, TSeq(t0), h) } + $IsAlloc(v, TSeq(t0), h) + <==> (forall i: int :: + { Seq#Index(v, i) } + 0 <= i && i < Seq#Length(v) ==> $IsAllocBox(Seq#Index(v, i), t0, h))); + +axiom (forall v: Map Box Box, t0: Ty, t1: Ty, h: Heap :: + { $IsAlloc(v, TMap(t0, t1), h) } + $IsAlloc(v, TMap(t0, t1), h) + <==> (forall bx: Box :: + { Map#Elements(v)[bx] } { Map#Domain(v)[bx] } + Map#Domain(v)[bx] + ==> $IsAllocBox(Map#Elements(v)[bx], t1, h) && $IsAllocBox(bx, t0, h))); + +axiom (forall v: IMap Box Box, t0: Ty, t1: Ty, h: Heap :: + { $IsAlloc(v, TIMap(t0, t1), h) } + $IsAlloc(v, TIMap(t0, t1), h) + <==> (forall bx: Box :: + { IMap#Elements(v)[bx] } { IMap#Domain(v)[bx] } + IMap#Domain(v)[bx] + ==> $IsAllocBox(IMap#Elements(v)[bx], t1, h) && $IsAllocBox(bx, t0, h))); + +function $IsAlloc(T, Ty, Heap) : bool; + +axiom (forall ty: Ty :: + { $AlwaysAllocated(ty) } + $AlwaysAllocated(ty) + ==> (forall h: Heap, v: Box :: + { $IsAllocBox(v, ty, h) } + $IsBox(v, ty) ==> $IsAllocBox(v, ty, h))); + +function $AlwaysAllocated(Ty) : bool; + +function $OlderTag(Heap) : bool; + +const unique class._System.int: ClassName; + +const unique class._System.bool: ClassName; + +const unique class._System.set: ClassName; + +const unique class._System.seq: ClassName; + +const unique class._System.multiset: ClassName; + +function Tclass._System.object?() : Ty; + +function Tclass._System.Tuple2(Ty, Ty) : Ty; + +function dtype(ref) : Ty; + +function TypeTuple(a: ClassName, b: ClassName) : ClassName; + +function TypeTupleCar(ClassName) : ClassName; + +function TypeTupleCdr(ClassName) : ClassName; + +axiom (forall a: ClassName, b: ClassName :: + { TypeTuple(a, b) } + TypeTupleCar(TypeTuple(a, b)) == a && TypeTupleCdr(TypeTuple(a, b)) == b); + +function SetRef_to_SetBox(s: [ref]bool) : Set Box; + +axiom (forall s: [ref]bool, bx: Box :: + { SetRef_to_SetBox(s)[bx] } + SetRef_to_SetBox(s)[bx] == s[$Unbox(bx): ref]); + +axiom (forall s: [ref]bool :: + { SetRef_to_SetBox(s) } + $Is(SetRef_to_SetBox(s), TSet(Tclass._System.object?()))); + +function Apply1(Ty, Ty, Heap, HandleType, Box) : Box; + +function DatatypeCtorId(DatatypeType) : DtCtorId; + +function DtRank(DatatypeType) : int; + +function BoxRank(Box) : int; + +axiom (forall d: DatatypeType :: { BoxRank($Box(d)) } BoxRank($Box(d)) == DtRank(d)); + +type ORDINAL = Box; + +function ORD#IsNat(ORDINAL) : bool; + +function ORD#Offset(ORDINAL) : int; + +axiom (forall o: ORDINAL :: { ORD#Offset(o) } 0 <= ORD#Offset(o)); + +function {:inline} ORD#IsLimit(o: ORDINAL) : bool +{ + ORD#Offset(o) == 0 +} + +function {:inline} ORD#IsSucc(o: ORDINAL) : bool +{ + 0 < ORD#Offset(o) +} + +function ORD#FromNat(int) : ORDINAL; + +axiom (forall n: int :: + { ORD#FromNat(n) } + 0 <= n ==> ORD#IsNat(ORD#FromNat(n)) && ORD#Offset(ORD#FromNat(n)) == n); + +axiom (forall o: ORDINAL :: + { ORD#Offset(o) } { ORD#IsNat(o) } + ORD#IsNat(o) ==> o == ORD#FromNat(ORD#Offset(o))); + +function ORD#Less(ORDINAL, ORDINAL) : bool; + +axiom (forall o: ORDINAL, p: ORDINAL :: + { ORD#Less(o, p) } + (ORD#Less(o, p) ==> o != p) + && (ORD#IsNat(o) && !ORD#IsNat(p) ==> ORD#Less(o, p)) + && (ORD#IsNat(o) && ORD#IsNat(p) + ==> ORD#Less(o, p) == (ORD#Offset(o) < ORD#Offset(p))) + && (ORD#Less(o, p) && ORD#IsNat(p) ==> ORD#IsNat(o))); + +axiom (forall o: ORDINAL, p: ORDINAL :: + { ORD#Less(o, p), ORD#Less(p, o) } + ORD#Less(o, p) || o == p || ORD#Less(p, o)); + +axiom (forall o: ORDINAL, p: ORDINAL, r: ORDINAL :: + { ORD#Less(o, p), ORD#Less(p, r) } { ORD#Less(o, p), ORD#Less(o, r) } + ORD#Less(o, p) && ORD#Less(p, r) ==> ORD#Less(o, r)); + +function ORD#LessThanLimit(ORDINAL, ORDINAL) : bool; + +axiom (forall o: ORDINAL, p: ORDINAL :: + { ORD#LessThanLimit(o, p) } + ORD#LessThanLimit(o, p) == ORD#Less(o, p)); + +function ORD#Plus(ORDINAL, ORDINAL) : ORDINAL; + +axiom (forall o: ORDINAL, p: ORDINAL :: + { ORD#Plus(o, p) } + (ORD#IsNat(ORD#Plus(o, p)) ==> ORD#IsNat(o) && ORD#IsNat(p)) + && (ORD#IsNat(p) + ==> ORD#IsNat(ORD#Plus(o, p)) == ORD#IsNat(o) + && ORD#Offset(ORD#Plus(o, p)) == ORD#Offset(o) + ORD#Offset(p))); + +axiom (forall o: ORDINAL, p: ORDINAL :: + { ORD#Plus(o, p) } + (o == ORD#Plus(o, p) || ORD#Less(o, ORD#Plus(o, p))) + && (p == ORD#Plus(o, p) || ORD#Less(p, ORD#Plus(o, p)))); + +axiom (forall o: ORDINAL, p: ORDINAL :: + { ORD#Plus(o, p) } + (o == ORD#FromNat(0) ==> ORD#Plus(o, p) == p) + && (p == ORD#FromNat(0) ==> ORD#Plus(o, p) == o)); + +function ORD#Minus(ORDINAL, ORDINAL) : ORDINAL; + +axiom (forall o: ORDINAL, p: ORDINAL :: + { ORD#Minus(o, p) } + ORD#IsNat(p) && ORD#Offset(p) <= ORD#Offset(o) + ==> ORD#IsNat(ORD#Minus(o, p)) == ORD#IsNat(o) + && ORD#Offset(ORD#Minus(o, p)) == ORD#Offset(o) - ORD#Offset(p)); + +axiom (forall o: ORDINAL, p: ORDINAL :: + { ORD#Minus(o, p) } + ORD#IsNat(p) && ORD#Offset(p) <= ORD#Offset(o) + ==> (p == ORD#FromNat(0) && ORD#Minus(o, p) == o) + || (p != ORD#FromNat(0) && ORD#Less(ORD#Minus(o, p), o))); + +axiom (forall o: ORDINAL, m: int, n: int :: + { ORD#Plus(ORD#Plus(o, ORD#FromNat(m)), ORD#FromNat(n)) } + 0 <= m && 0 <= n + ==> ORD#Plus(ORD#Plus(o, ORD#FromNat(m)), ORD#FromNat(n)) + == ORD#Plus(o, ORD#FromNat(m + n))); + +axiom (forall o: ORDINAL, m: int, n: int :: + { ORD#Minus(ORD#Minus(o, ORD#FromNat(m)), ORD#FromNat(n)) } + 0 <= m && 0 <= n && m + n <= ORD#Offset(o) + ==> ORD#Minus(ORD#Minus(o, ORD#FromNat(m)), ORD#FromNat(n)) + == ORD#Minus(o, ORD#FromNat(m + n))); + +axiom (forall o: ORDINAL, m: int, n: int :: + { ORD#Minus(ORD#Plus(o, ORD#FromNat(m)), ORD#FromNat(n)) } + 0 <= m && 0 <= n && n <= ORD#Offset(o) + m + ==> (0 <= m - n + ==> ORD#Minus(ORD#Plus(o, ORD#FromNat(m)), ORD#FromNat(n)) + == ORD#Plus(o, ORD#FromNat(m - n))) + && (m - n <= 0 + ==> ORD#Minus(ORD#Plus(o, ORD#FromNat(m)), ORD#FromNat(n)) + == ORD#Minus(o, ORD#FromNat(n - m)))); + +axiom (forall o: ORDINAL, m: int, n: int :: + { ORD#Plus(ORD#Minus(o, ORD#FromNat(m)), ORD#FromNat(n)) } + 0 <= m && 0 <= n && n <= ORD#Offset(o) + m + ==> (0 <= m - n + ==> ORD#Plus(ORD#Minus(o, ORD#FromNat(m)), ORD#FromNat(n)) + == ORD#Minus(o, ORD#FromNat(m - n))) + && (m - n <= 0 + ==> ORD#Plus(ORD#Minus(o, ORD#FromNat(m)), ORD#FromNat(n)) + == ORD#Plus(o, ORD#FromNat(n - m)))); + +const $ModuleContextHeight: int; + +const $FunctionContextHeight: int; + +const $LZ: LayerType; + +function $LS(LayerType) : LayerType; + +function AsFuelBottom(LayerType) : LayerType; + +function AtLayer([LayerType]A, LayerType) : A; + +axiom (forall f: [LayerType]A, ly: LayerType :: + { AtLayer(f, ly) } + AtLayer(f, ly) == f[ly]); + +axiom (forall f: [LayerType]A, ly: LayerType :: + { AtLayer(f, $LS(ly)) } + AtLayer(f, $LS(ly)) == AtLayer(f, ly)); + +axiom FDim(alloc) == 0; + +function FDim(Field T) : int; + +function IndexField(int) : Field Box; + +axiom (forall i: int :: { IndexField(i) } FDim(IndexField(i)) == 1); + +function IndexField_Inverse(Field T) : int; + +axiom (forall i: int :: { IndexField(i) } IndexField_Inverse(IndexField(i)) == i); + +function MultiIndexField(Field Box, int) : Field Box; + +axiom (forall f: Field Box, i: int :: + { MultiIndexField(f, i) } + FDim(MultiIndexField(f, i)) == FDim(f) + 1); + +function MultiIndexField_Inverse0(Field T) : Field T; + +function MultiIndexField_Inverse1(Field T) : int; + +axiom (forall f: Field Box, i: int :: + { MultiIndexField(f, i) } + MultiIndexField_Inverse0(MultiIndexField(f, i)) == f + && MultiIndexField_Inverse1(MultiIndexField(f, i)) == i); + +function DeclType(Field T) : ClassName; + +axiom DeclName(alloc) == allocName; + +function DeclName(Field T) : NameFamily; + +function FieldOfDecl(ClassName, NameFamily) : Field alpha; + +axiom (forall cl: ClassName, nm: NameFamily :: + { FieldOfDecl(cl, nm): Field T } + DeclType(FieldOfDecl(cl, nm): Field T) == cl + && DeclName(FieldOfDecl(cl, nm): Field T) == nm); + +axiom $IsGhostField(alloc); + +axiom (forall h: Heap, k: Heap :: + { $HeapSuccGhost(h, k) } + $HeapSuccGhost(h, k) + ==> $HeapSucc(h, k) + && (forall o: ref, f: Field alpha :: + { read(k, o, f) } + !$IsGhostField(f) ==> read(h, o, f) == read(k, o, f))); + +function $IsGhostField(Field T) : bool; + +axiom (forall h: Heap, k: Heap, v: T, t: Ty :: + { $HeapSucc(h, k), $IsAlloc(v, t, h) } + $HeapSucc(h, k) ==> $IsAlloc(v, t, h) ==> $IsAlloc(v, t, k)); + +axiom (forall h: Heap, k: Heap, bx: Box, t: Ty :: + { $HeapSucc(h, k), $IsAllocBox(bx, t, h) } + $HeapSucc(h, k) ==> $IsAllocBox(bx, t, h) ==> $IsAllocBox(bx, t, k)); + +const unique alloc: Field bool; + +const unique allocName: NameFamily; + +axiom (forall o: ref :: 0 <= _System.array.Length(o)); + +function _System.array.Length(a: ref) : int; + +function Int(x: real) : int; + +axiom (forall x: real :: { Int(x): int } Int(x): int == int(x)); + +function Real(x: int) : real; + +axiom (forall x: int :: { Real(x): real } Real(x): real == real(x)); + +axiom (forall i: int :: { Int(Real(i)) } Int(Real(i)) == i); + +function {:inline} _System.real.Floor(x: real) : int +{ + Int(x) +} + +type Heap = [ref][Field alpha]alpha; + +function {:inline} read(H: Heap, r: ref, f: Field alpha) : alpha +{ + H[r][f] +} + +function {:inline} update(H: Heap, r: ref, f: Field alpha, v: alpha) : Heap +{ + H[r := H[r][f := v]] +} + +function $IsGoodHeap(Heap) : bool; + +function $IsHeapAnchor(Heap) : bool; + +var $Heap: Heap where $IsGoodHeap($Heap) && $IsHeapAnchor($Heap); + +const $OneHeap: Heap; + +axiom $IsGoodHeap($OneHeap); + +function $HeapSucc(Heap, Heap) : bool; + +axiom (forall h: Heap, r: ref, f: Field alpha, x: alpha :: + { update(h, r, f, x) } + $IsGoodHeap(update(h, r, f, x)) ==> $HeapSucc(h, update(h, r, f, x))); + +axiom (forall a: Heap, b: Heap, c: Heap :: + { $HeapSucc(a, b), $HeapSucc(b, c) } + a != c ==> $HeapSucc(a, b) && $HeapSucc(b, c) ==> $HeapSucc(a, c)); + +axiom (forall h: Heap, k: Heap :: + { $HeapSucc(h, k) } + $HeapSucc(h, k) + ==> (forall o: ref :: { read(k, o, alloc) } read(h, o, alloc) ==> read(k, o, alloc))); + +function $HeapSuccGhost(Heap, Heap) : bool; + +var $Tick: TickType; + +procedure $YieldHavoc(this: ref, rds: Set Box, nw: Set Box); + modifies $Heap; + ensures (forall $o: ref, $f: Field alpha :: + { read($Heap, $o, $f) } + $o != null && read(old($Heap), $o, alloc) + ==> + $o == this || rds[$Box($o)] || nw[$Box($o)] + ==> read($Heap, $o, $f) == read(old($Heap), $o, $f)); + ensures $HeapSucc(old($Heap), $Heap); + + + +procedure $IterHavoc0(this: ref, rds: Set Box, modi: Set Box); + modifies $Heap; + ensures (forall $o: ref, $f: Field alpha :: + { read($Heap, $o, $f) } + $o != null && read(old($Heap), $o, alloc) + ==> + rds[$Box($o)] && !modi[$Box($o)] && $o != this + ==> read($Heap, $o, $f) == read(old($Heap), $o, $f)); + ensures $HeapSucc(old($Heap), $Heap); + + + +procedure $IterHavoc1(this: ref, modi: Set Box, nw: Set Box); + modifies $Heap; + ensures (forall $o: ref, $f: Field alpha :: + { read($Heap, $o, $f) } + $o != null && read(old($Heap), $o, alloc) + ==> read($Heap, $o, $f) == read(old($Heap), $o, $f) + || $o == this + || modi[$Box($o)] + || nw[$Box($o)]); + ensures $HeapSucc(old($Heap), $Heap); + + + +procedure $IterCollectNewObjects(prevHeap: Heap, newHeap: Heap, this: ref, NW: Field (Set Box)) + returns (s: Set Box); + ensures (forall bx: Box :: + { s[bx] } + s[bx] + <==> read(newHeap, this, NW)[bx] + || ( + $Unbox(bx) != null + && !read(prevHeap, $Unbox(bx): ref, alloc) + && read(newHeap, $Unbox(bx): ref, alloc))); + + + +type Set T = [T]bool; + +function Set#Card(Set T) : int; + +axiom (forall s: Set T :: { Set#Card(s) } 0 <= Set#Card(s)); + +function Set#Empty() : Set T; + +axiom (forall o: T :: { Set#Empty()[o] } !Set#Empty()[o]); + +axiom (forall s: Set T :: + { Set#Card(s) } + (Set#Card(s) == 0 <==> s == Set#Empty()) + && (Set#Card(s) != 0 ==> (exists x: T :: s[x]))); + +function Set#Singleton(T) : Set T; + +axiom (forall r: T :: { Set#Singleton(r) } Set#Singleton(r)[r]); + +axiom (forall r: T, o: T :: + { Set#Singleton(r)[o] } + Set#Singleton(r)[o] <==> r == o); + +axiom (forall r: T :: + { Set#Card(Set#Singleton(r)) } + Set#Card(Set#Singleton(r)) == 1); + +function Set#UnionOne(Set T, T) : Set T; + +axiom (forall a: Set T, x: T, o: T :: + { Set#UnionOne(a, x)[o] } + Set#UnionOne(a, x)[o] <==> o == x || a[o]); + +axiom (forall a: Set T, x: T :: { Set#UnionOne(a, x) } Set#UnionOne(a, x)[x]); + +axiom (forall a: Set T, x: T, y: T :: + { Set#UnionOne(a, x), a[y] } + a[y] ==> Set#UnionOne(a, x)[y]); + +axiom (forall a: Set T, x: T :: + { Set#Card(Set#UnionOne(a, x)) } + a[x] ==> Set#Card(Set#UnionOne(a, x)) == Set#Card(a)); + +axiom (forall a: Set T, x: T :: + { Set#Card(Set#UnionOne(a, x)) } + !a[x] ==> Set#Card(Set#UnionOne(a, x)) == Set#Card(a) + 1); + +function Set#Union(Set T, Set T) : Set T; + +axiom (forall a: Set T, b: Set T, o: T :: + { Set#Union(a, b)[o] } + Set#Union(a, b)[o] <==> a[o] || b[o]); + +axiom (forall a: Set T, b: Set T, y: T :: + { Set#Union(a, b), a[y] } + a[y] ==> Set#Union(a, b)[y]); + +axiom (forall a: Set T, b: Set T, y: T :: + { Set#Union(a, b), b[y] } + b[y] ==> Set#Union(a, b)[y]); + +axiom (forall a: Set T, b: Set T :: + { Set#Union(a, b) } + Set#Disjoint(a, b) + ==> Set#Difference(Set#Union(a, b), a) == b + && Set#Difference(Set#Union(a, b), b) == a); + +function Set#Intersection(Set T, Set T) : Set T; + +axiom (forall a: Set T, b: Set T, o: T :: + { Set#Intersection(a, b)[o] } + Set#Intersection(a, b)[o] <==> a[o] && b[o]); + +axiom (forall a: Set T, b: Set T :: + { Set#Union(Set#Union(a, b), b) } + Set#Union(Set#Union(a, b), b) == Set#Union(a, b)); + +axiom (forall a: Set T, b: Set T :: + { Set#Union(a, Set#Union(a, b)) } + Set#Union(a, Set#Union(a, b)) == Set#Union(a, b)); + +axiom (forall a: Set T, b: Set T :: + { Set#Intersection(Set#Intersection(a, b), b) } + Set#Intersection(Set#Intersection(a, b), b) == Set#Intersection(a, b)); + +axiom (forall a: Set T, b: Set T :: + { Set#Intersection(a, Set#Intersection(a, b)) } + Set#Intersection(a, Set#Intersection(a, b)) == Set#Intersection(a, b)); + +axiom (forall a: Set T, b: Set T :: + { Set#Card(Set#Union(a, b)) } { Set#Card(Set#Intersection(a, b)) } + Set#Card(Set#Union(a, b)) + Set#Card(Set#Intersection(a, b)) + == Set#Card(a) + Set#Card(b)); + +function Set#Difference(Set T, Set T) : Set T; + +axiom (forall a: Set T, b: Set T, o: T :: + { Set#Difference(a, b)[o] } + Set#Difference(a, b)[o] <==> a[o] && !b[o]); + +axiom (forall a: Set T, b: Set T, y: T :: + { Set#Difference(a, b), b[y] } + b[y] ==> !Set#Difference(a, b)[y]); + +axiom (forall a: Set T, b: Set T :: + { Set#Card(Set#Difference(a, b)) } + Set#Card(Set#Difference(a, b)) + + Set#Card(Set#Difference(b, a)) + + Set#Card(Set#Intersection(a, b)) + == Set#Card(Set#Union(a, b)) + && Set#Card(Set#Difference(a, b)) == Set#Card(a) - Set#Card(Set#Intersection(a, b))); + +function Set#Subset(Set T, Set T) : bool; + +axiom (forall a: Set T, b: Set T :: + { Set#Subset(a, b) } + Set#Subset(a, b) <==> (forall o: T :: { a[o] } { b[o] } a[o] ==> b[o])); + +function Set#Equal(Set T, Set T) : bool; + +axiom (forall a: Set T, b: Set T :: + { Set#Equal(a, b) } + Set#Equal(a, b) <==> (forall o: T :: { a[o] } { b[o] } a[o] <==> b[o])); + +axiom (forall a: Set T, b: Set T :: { Set#Equal(a, b) } Set#Equal(a, b) ==> a == b); + +function Set#Disjoint(Set T, Set T) : bool; + +axiom (forall a: Set T, b: Set T :: + { Set#Disjoint(a, b) } + Set#Disjoint(a, b) <==> (forall o: T :: { a[o] } { b[o] } !a[o] || !b[o])); + +type ISet T = [T]bool; + +function ISet#Empty() : Set T; + +axiom (forall o: T :: { ISet#Empty()[o] } !ISet#Empty()[o]); + +function ISet#UnionOne(ISet T, T) : ISet T; + +axiom (forall a: ISet T, x: T, o: T :: + { ISet#UnionOne(a, x)[o] } + ISet#UnionOne(a, x)[o] <==> o == x || a[o]); + +axiom (forall a: ISet T, x: T :: { ISet#UnionOne(a, x) } ISet#UnionOne(a, x)[x]); + +axiom (forall a: ISet T, x: T, y: T :: + { ISet#UnionOne(a, x), a[y] } + a[y] ==> ISet#UnionOne(a, x)[y]); + +function ISet#Union(ISet T, ISet T) : ISet T; + +axiom (forall a: ISet T, b: ISet T, o: T :: + { ISet#Union(a, b)[o] } + ISet#Union(a, b)[o] <==> a[o] || b[o]); + +axiom (forall a: ISet T, b: ISet T, y: T :: + { ISet#Union(a, b), a[y] } + a[y] ==> ISet#Union(a, b)[y]); + +axiom (forall a: Set T, b: Set T, y: T :: + { ISet#Union(a, b), b[y] } + b[y] ==> ISet#Union(a, b)[y]); + +axiom (forall a: ISet T, b: ISet T :: + { ISet#Union(a, b) } + ISet#Disjoint(a, b) + ==> ISet#Difference(ISet#Union(a, b), a) == b + && ISet#Difference(ISet#Union(a, b), b) == a); + +function ISet#Intersection(ISet T, ISet T) : ISet T; + +axiom (forall a: ISet T, b: ISet T, o: T :: + { ISet#Intersection(a, b)[o] } + ISet#Intersection(a, b)[o] <==> a[o] && b[o]); + +axiom (forall a: ISet T, b: ISet T :: + { ISet#Union(ISet#Union(a, b), b) } + ISet#Union(ISet#Union(a, b), b) == ISet#Union(a, b)); + +axiom (forall a: Set T, b: Set T :: + { ISet#Union(a, ISet#Union(a, b)) } + ISet#Union(a, ISet#Union(a, b)) == ISet#Union(a, b)); + +axiom (forall a: ISet T, b: ISet T :: + { ISet#Intersection(ISet#Intersection(a, b), b) } + ISet#Intersection(ISet#Intersection(a, b), b) == ISet#Intersection(a, b)); + +axiom (forall a: ISet T, b: ISet T :: + { ISet#Intersection(a, ISet#Intersection(a, b)) } + ISet#Intersection(a, ISet#Intersection(a, b)) == ISet#Intersection(a, b)); + +function ISet#Difference(ISet T, ISet T) : ISet T; + +axiom (forall a: ISet T, b: ISet T, o: T :: + { ISet#Difference(a, b)[o] } + ISet#Difference(a, b)[o] <==> a[o] && !b[o]); + +axiom (forall a: ISet T, b: ISet T, y: T :: + { ISet#Difference(a, b), b[y] } + b[y] ==> !ISet#Difference(a, b)[y]); + +function ISet#Subset(ISet T, ISet T) : bool; + +axiom (forall a: ISet T, b: ISet T :: + { ISet#Subset(a, b) } + ISet#Subset(a, b) <==> (forall o: T :: { a[o] } { b[o] } a[o] ==> b[o])); + +function ISet#Equal(ISet T, ISet T) : bool; + +axiom (forall a: ISet T, b: ISet T :: + { ISet#Equal(a, b) } + ISet#Equal(a, b) <==> (forall o: T :: { a[o] } { b[o] } a[o] <==> b[o])); + +axiom (forall a: ISet T, b: ISet T :: + { ISet#Equal(a, b) } + ISet#Equal(a, b) ==> a == b); + +function ISet#Disjoint(ISet T, ISet T) : bool; + +axiom (forall a: ISet T, b: ISet T :: + { ISet#Disjoint(a, b) } + ISet#Disjoint(a, b) <==> (forall o: T :: { a[o] } { b[o] } !a[o] || !b[o])); + +function Math#min(a: int, b: int) : int; + +axiom (forall a: int, b: int :: { Math#min(a, b) } a <= b <==> Math#min(a, b) == a); + +axiom (forall a: int, b: int :: { Math#min(a, b) } b <= a <==> Math#min(a, b) == b); + +axiom (forall a: int, b: int :: + { Math#min(a, b) } + Math#min(a, b) == a || Math#min(a, b) == b); + +function Math#clip(a: int) : int; + +axiom (forall a: int :: { Math#clip(a) } 0 <= a ==> Math#clip(a) == a); + +axiom (forall a: int :: { Math#clip(a) } a < 0 ==> Math#clip(a) == 0); + +type MultiSet T = [T]int; + +function $IsGoodMultiSet(ms: MultiSet T) : bool; + +axiom (forall ms: MultiSet T :: + { $IsGoodMultiSet(ms) } + $IsGoodMultiSet(ms) + <==> (forall bx: T :: { ms[bx] } 0 <= ms[bx] && ms[bx] <= MultiSet#Card(ms))); + +function MultiSet#Card(MultiSet T) : int; + +axiom (forall s: MultiSet T :: { MultiSet#Card(s) } 0 <= MultiSet#Card(s)); + +axiom (forall s: MultiSet T, x: T, n: int :: + { MultiSet#Card(s[x := n]) } + 0 <= n ==> MultiSet#Card(s[x := n]) == MultiSet#Card(s) - s[x] + n); + +function MultiSet#Empty() : MultiSet T; + +axiom (forall o: T :: { MultiSet#Empty()[o] } MultiSet#Empty()[o] == 0); + +axiom (forall s: MultiSet T :: + { MultiSet#Card(s) } + (MultiSet#Card(s) == 0 <==> s == MultiSet#Empty()) + && (MultiSet#Card(s) != 0 ==> (exists x: T :: 0 < s[x]))); + +function MultiSet#Singleton(T) : MultiSet T; + +axiom (forall r: T, o: T :: + { MultiSet#Singleton(r)[o] } + (MultiSet#Singleton(r)[o] == 1 <==> r == o) + && (MultiSet#Singleton(r)[o] == 0 <==> r != o)); + +axiom (forall r: T :: + { MultiSet#Singleton(r) } + MultiSet#Singleton(r) == MultiSet#UnionOne(MultiSet#Empty(), r)); + +function MultiSet#UnionOne(MultiSet T, T) : MultiSet T; + +axiom (forall a: MultiSet T, x: T, o: T :: + { MultiSet#UnionOne(a, x)[o] } + 0 < MultiSet#UnionOne(a, x)[o] <==> o == x || 0 < a[o]); + +axiom (forall a: MultiSet T, x: T :: + { MultiSet#UnionOne(a, x) } + MultiSet#UnionOne(a, x)[x] == a[x] + 1); + +axiom (forall a: MultiSet T, x: T, y: T :: + { MultiSet#UnionOne(a, x), a[y] } + 0 < a[y] ==> 0 < MultiSet#UnionOne(a, x)[y]); + +axiom (forall a: MultiSet T, x: T, y: T :: + { MultiSet#UnionOne(a, x), a[y] } + x != y ==> a[y] == MultiSet#UnionOne(a, x)[y]); + +axiom (forall a: MultiSet T, x: T :: + { MultiSet#Card(MultiSet#UnionOne(a, x)) } + MultiSet#Card(MultiSet#UnionOne(a, x)) == MultiSet#Card(a) + 1); + +function MultiSet#Union(MultiSet T, MultiSet T) : MultiSet T; + +axiom (forall a: MultiSet T, b: MultiSet T, o: T :: + { MultiSet#Union(a, b)[o] } + MultiSet#Union(a, b)[o] == a[o] + b[o]); + +axiom (forall a: MultiSet T, b: MultiSet T :: + { MultiSet#Card(MultiSet#Union(a, b)) } + MultiSet#Card(MultiSet#Union(a, b)) == MultiSet#Card(a) + MultiSet#Card(b)); + +function MultiSet#Intersection(MultiSet T, MultiSet T) : MultiSet T; + +axiom (forall a: MultiSet T, b: MultiSet T, o: T :: + { MultiSet#Intersection(a, b)[o] } + MultiSet#Intersection(a, b)[o] == Math#min(a[o], b[o])); + +axiom (forall a: MultiSet T, b: MultiSet T :: + { MultiSet#Intersection(MultiSet#Intersection(a, b), b) } + MultiSet#Intersection(MultiSet#Intersection(a, b), b) + == MultiSet#Intersection(a, b)); + +axiom (forall a: MultiSet T, b: MultiSet T :: + { MultiSet#Intersection(a, MultiSet#Intersection(a, b)) } + MultiSet#Intersection(a, MultiSet#Intersection(a, b)) + == MultiSet#Intersection(a, b)); + +function MultiSet#Difference(MultiSet T, MultiSet T) : MultiSet T; + +axiom (forall a: MultiSet T, b: MultiSet T, o: T :: + { MultiSet#Difference(a, b)[o] } + MultiSet#Difference(a, b)[o] == Math#clip(a[o] - b[o])); + +axiom (forall a: MultiSet T, b: MultiSet T, y: T :: + { MultiSet#Difference(a, b), b[y], a[y] } + a[y] <= b[y] ==> MultiSet#Difference(a, b)[y] == 0); + +axiom (forall a: MultiSet T, b: MultiSet T :: + { MultiSet#Card(MultiSet#Difference(a, b)) } + MultiSet#Card(MultiSet#Difference(a, b)) + + MultiSet#Card(MultiSet#Difference(b, a)) + + 2 * MultiSet#Card(MultiSet#Intersection(a, b)) + == MultiSet#Card(MultiSet#Union(a, b)) + && MultiSet#Card(MultiSet#Difference(a, b)) + == MultiSet#Card(a) - MultiSet#Card(MultiSet#Intersection(a, b))); + +function MultiSet#Subset(MultiSet T, MultiSet T) : bool; + +axiom (forall a: MultiSet T, b: MultiSet T :: + { MultiSet#Subset(a, b) } + MultiSet#Subset(a, b) <==> (forall o: T :: { a[o] } { b[o] } a[o] <= b[o])); + +function MultiSet#Equal(MultiSet T, MultiSet T) : bool; + +axiom (forall a: MultiSet T, b: MultiSet T :: + { MultiSet#Equal(a, b) } + MultiSet#Equal(a, b) <==> (forall o: T :: { a[o] } { b[o] } a[o] == b[o])); + +axiom (forall a: MultiSet T, b: MultiSet T :: + { MultiSet#Equal(a, b) } + MultiSet#Equal(a, b) ==> a == b); + +function MultiSet#Disjoint(MultiSet T, MultiSet T) : bool; + +axiom (forall a: MultiSet T, b: MultiSet T :: + { MultiSet#Disjoint(a, b) } + MultiSet#Disjoint(a, b) + <==> (forall o: T :: { a[o] } { b[o] } a[o] == 0 || b[o] == 0)); + +function MultiSet#FromSet(Set T) : MultiSet T; + +axiom (forall s: Set T, a: T :: + { MultiSet#FromSet(s)[a] } + (MultiSet#FromSet(s)[a] == 0 <==> !s[a]) + && (MultiSet#FromSet(s)[a] == 1 <==> s[a])); + +axiom (forall s: Set T :: + { MultiSet#Card(MultiSet#FromSet(s)) } + MultiSet#Card(MultiSet#FromSet(s)) == Set#Card(s)); + +axiom (forall :: + MultiSet#FromSeq(Seq#Empty(): Seq T) == MultiSet#Empty(): MultiSet T); + +function MultiSet#FromSeq(Seq T) : MultiSet T; + +axiom (forall s: Seq T :: + { MultiSet#FromSeq(s) } + $IsGoodMultiSet(MultiSet#FromSeq(s))); + +axiom (forall s: Seq T :: + { MultiSet#Card(MultiSet#FromSeq(s)) } + MultiSet#Card(MultiSet#FromSeq(s)) == Seq#Length(s)); + +axiom (forall s: Seq T, v: T :: + { MultiSet#FromSeq(Seq#Build(s, v)) } + MultiSet#FromSeq(Seq#Build(s, v)) == MultiSet#UnionOne(MultiSet#FromSeq(s), v)); + +axiom (forall a: Seq T, b: Seq T :: + { MultiSet#FromSeq(Seq#Append(a, b)) } + MultiSet#FromSeq(Seq#Append(a, b)) + == MultiSet#Union(MultiSet#FromSeq(a), MultiSet#FromSeq(b))); + +axiom (forall s: Seq T, i: int, v: T, x: T :: + { MultiSet#FromSeq(Seq#Update(s, i, v))[x] } + 0 <= i && i < Seq#Length(s) + ==> MultiSet#FromSeq(Seq#Update(s, i, v))[x] + == MultiSet#Union(MultiSet#Difference(MultiSet#FromSeq(s), MultiSet#Singleton(Seq#Index(s, i))), + MultiSet#Singleton(v))[x]); + +axiom (forall s: Seq T, x: T :: + { MultiSet#FromSeq(s)[x] } + (exists i: int :: + { Seq#Index(s, i) } + 0 <= i && i < Seq#Length(s) && x == Seq#Index(s, i)) + <==> 0 < MultiSet#FromSeq(s)[x]); + +function Seq#Length(Seq T) : int; + +axiom (forall s: Seq T :: { Seq#Length(s) } 0 <= Seq#Length(s)); + +function Seq#Empty() : Seq T; + +axiom (forall :: { Seq#Empty(): Seq T } Seq#Length(Seq#Empty(): Seq T) == 0); + +axiom (forall s: Seq T :: + { Seq#Length(s) } + Seq#Length(s) == 0 ==> s == Seq#Empty()); + +function Seq#Singleton(T) : Seq T; + +axiom (forall t: T :: + { Seq#Length(Seq#Singleton(t)) } + Seq#Length(Seq#Singleton(t)) == 1); + +function Seq#Build(s: Seq T, val: T) : Seq T; + +function Seq#Build_inv0(s: Seq T) : Seq T; + +function Seq#Build_inv1(s: Seq T) : T; + +axiom (forall s: Seq T, val: T :: + { Seq#Build(s, val) } + Seq#Build_inv0(Seq#Build(s, val)) == s + && Seq#Build_inv1(Seq#Build(s, val)) == val); + +axiom (forall s: Seq T, v: T :: + { Seq#Build(s, v) } + Seq#Length(Seq#Build(s, v)) == 1 + Seq#Length(s)); + +axiom (forall s: Seq T, i: int, v: T :: + { Seq#Index(Seq#Build(s, v), i) } + (i == Seq#Length(s) ==> Seq#Index(Seq#Build(s, v), i) == v) + && (i != Seq#Length(s) ==> Seq#Index(Seq#Build(s, v), i) == Seq#Index(s, i))); + +axiom (forall s: Seq Box, bx: Box, t: Ty :: + { $Is(Seq#Build(s, bx), TSeq(t)) } + $Is(s, TSeq(t)) && $IsBox(bx, t) ==> $Is(Seq#Build(s, bx), TSeq(t))); + +function Seq#Create(ty: Ty, heap: Heap, len: int, init: HandleType) : Seq Box; + +axiom (forall ty: Ty, heap: Heap, len: int, init: HandleType :: + { Seq#Length(Seq#Create(ty, heap, len, init): Seq Box) } + $IsGoodHeap(heap) && 0 <= len + ==> Seq#Length(Seq#Create(ty, heap, len, init): Seq Box) == len); + +axiom (forall ty: Ty, heap: Heap, len: int, init: HandleType, i: int :: + { Seq#Index(Seq#Create(ty, heap, len, init), i) } + $IsGoodHeap(heap) && 0 <= i && i < len + ==> Seq#Index(Seq#Create(ty, heap, len, init), i) + == Apply1(TInt, TSeq(ty), heap, init, $Box(i))); + +function Seq#Append(Seq T, Seq T) : Seq T; + +axiom (forall s0: Seq T, s1: Seq T :: + { Seq#Length(Seq#Append(s0, s1)) } + Seq#Length(Seq#Append(s0, s1)) == Seq#Length(s0) + Seq#Length(s1)); + +function Seq#Index(Seq T, int) : T; + +axiom (forall t: T :: + { Seq#Index(Seq#Singleton(t), 0) } + Seq#Index(Seq#Singleton(t), 0) == t); + +axiom (forall s0: Seq T, s1: Seq T, n: int :: + { Seq#Index(Seq#Append(s0, s1), n) } + (n < Seq#Length(s0) ==> Seq#Index(Seq#Append(s0, s1), n) == Seq#Index(s0, n)) + && (Seq#Length(s0) <= n + ==> Seq#Index(Seq#Append(s0, s1), n) == Seq#Index(s1, n - Seq#Length(s0)))); + +function Seq#Update(Seq T, int, T) : Seq T; + +axiom (forall s: Seq T, i: int, v: T :: + { Seq#Length(Seq#Update(s, i, v)) } + 0 <= i && i < Seq#Length(s) ==> Seq#Length(Seq#Update(s, i, v)) == Seq#Length(s)); + +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Index(Seq#Update(s, i, v), n) } + 0 <= n && n < Seq#Length(s) + ==> (i == n ==> Seq#Index(Seq#Update(s, i, v), n) == v) + && (i != n ==> Seq#Index(Seq#Update(s, i, v), n) == Seq#Index(s, n))); + +function Seq#Contains(Seq T, T) : bool; + +axiom (forall s: Seq T, x: T :: + { Seq#Contains(s, x) } + Seq#Contains(s, x) + <==> (exists i: int :: + { Seq#Index(s, i) } + 0 <= i && i < Seq#Length(s) && Seq#Index(s, i) == x)); + +axiom (forall x: T :: + { Seq#Contains(Seq#Empty(), x) } + !Seq#Contains(Seq#Empty(), x)); + +axiom (forall s0: Seq T, s1: Seq T, x: T :: + { Seq#Contains(Seq#Append(s0, s1), x) } + Seq#Contains(Seq#Append(s0, s1), x) + <==> Seq#Contains(s0, x) || Seq#Contains(s1, x)); + +axiom (forall s: Seq T, v: T, x: T :: + { Seq#Contains(Seq#Build(s, v), x) } + Seq#Contains(Seq#Build(s, v), x) <==> v == x || Seq#Contains(s, x)); + +axiom (forall s: Seq T, n: int, x: T :: + { Seq#Contains(Seq#Take(s, n), x) } + Seq#Contains(Seq#Take(s, n), x) + <==> (exists i: int :: + { Seq#Index(s, i) } + 0 <= i && i < n && i < Seq#Length(s) && Seq#Index(s, i) == x)); + +axiom (forall s: Seq T, n: int, x: T :: + { Seq#Contains(Seq#Drop(s, n), x) } + Seq#Contains(Seq#Drop(s, n), x) + <==> (exists i: int :: + { Seq#Index(s, i) } + 0 <= n && n <= i && i < Seq#Length(s) && Seq#Index(s, i) == x)); + +function Seq#Equal(Seq T, Seq T) : bool; + +axiom (forall s0: Seq T, s1: Seq T :: + { Seq#Equal(s0, s1) } + Seq#Equal(s0, s1) + <==> Seq#Length(s0) == Seq#Length(s1) + && (forall j: int :: + { Seq#Index(s0, j) } { Seq#Index(s1, j) } + 0 <= j && j < Seq#Length(s0) ==> Seq#Index(s0, j) == Seq#Index(s1, j))); + +axiom (forall a: Seq T, b: Seq T :: { Seq#Equal(a, b) } Seq#Equal(a, b) ==> a == b); + +function Seq#SameUntil(Seq T, Seq T, int) : bool; + +axiom (forall s0: Seq T, s1: Seq T, n: int :: + { Seq#SameUntil(s0, s1, n) } + Seq#SameUntil(s0, s1, n) + <==> (forall j: int :: + { Seq#Index(s0, j) } { Seq#Index(s1, j) } + 0 <= j && j < n ==> Seq#Index(s0, j) == Seq#Index(s1, j))); + +function Seq#Take(s: Seq T, howMany: int) : Seq T; + +axiom (forall s: Seq T, n: int :: + { Seq#Length(Seq#Take(s, n)) } + 0 <= n && n <= Seq#Length(s) ==> Seq#Length(Seq#Take(s, n)) == n); + +axiom (forall s: Seq T, n: int, j: int :: + {:weight 25} { Seq#Index(Seq#Take(s, n), j) } { Seq#Index(s, j), Seq#Take(s, n) } + 0 <= j && j < n && j < Seq#Length(s) + ==> Seq#Index(Seq#Take(s, n), j) == Seq#Index(s, j)); + +function Seq#Drop(s: Seq T, howMany: int) : Seq T; + +axiom (forall s: Seq T, n: int :: + { Seq#Length(Seq#Drop(s, n)) } + 0 <= n && n <= Seq#Length(s) ==> Seq#Length(Seq#Drop(s, n)) == Seq#Length(s) - n); + +axiom (forall s: Seq T, n: int, j: int :: + {:weight 25} { Seq#Index(Seq#Drop(s, n), j) } + 0 <= n && 0 <= j && j < Seq#Length(s) - n + ==> Seq#Index(Seq#Drop(s, n), j) == Seq#Index(s, j + n)); + +axiom (forall s: Seq T, n: int, k: int :: + {:weight 25} { Seq#Index(s, k), Seq#Drop(s, n) } + 0 <= n && n <= k && k < Seq#Length(s) + ==> Seq#Index(Seq#Drop(s, n), k - n) == Seq#Index(s, k)); + +axiom (forall s: Seq T, t: Seq T, n: int :: + { Seq#Take(Seq#Append(s, t), n) } { Seq#Drop(Seq#Append(s, t), n) } + n == Seq#Length(s) + ==> Seq#Take(Seq#Append(s, t), n) == s && Seq#Drop(Seq#Append(s, t), n) == t); + +function Seq#FromArray(h: Heap, a: ref) : Seq Box; + +axiom (forall h: Heap, a: ref :: + { Seq#Length(Seq#FromArray(h, a)) } + Seq#Length(Seq#FromArray(h, a)) == _System.array.Length(a)); + +axiom (forall h: Heap, a: ref :: + { Seq#FromArray(h, a) } + (forall i: int :: + { read(h, a, IndexField(i)) } { Seq#Index(Seq#FromArray(h, a): Seq Box, i) } + 0 <= i && i < Seq#Length(Seq#FromArray(h, a)) + ==> Seq#Index(Seq#FromArray(h, a), i) == read(h, a, IndexField(i)))); + +axiom (forall h0: Heap, h1: Heap, a: ref :: + { Seq#FromArray(h1, a), $HeapSucc(h0, h1) } + $IsGoodHeap(h0) && $IsGoodHeap(h1) && $HeapSucc(h0, h1) && h0[a] == h1[a] + ==> Seq#FromArray(h0, a) == Seq#FromArray(h1, a)); + +axiom (forall h: Heap, i: int, v: Box, a: ref :: + { Seq#FromArray(update(h, a, IndexField(i), v), a) } + 0 <= i && i < _System.array.Length(a) + ==> Seq#FromArray(update(h, a, IndexField(i), v), a) + == Seq#Update(Seq#FromArray(h, a), i, v)); + +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Take(Seq#Update(s, i, v), n) } + 0 <= i && i < n && n <= Seq#Length(s) + ==> Seq#Take(Seq#Update(s, i, v), n) == Seq#Update(Seq#Take(s, n), i, v)); + +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Take(Seq#Update(s, i, v), n) } + n <= i && i < Seq#Length(s) + ==> Seq#Take(Seq#Update(s, i, v), n) == Seq#Take(s, n)); + +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Drop(Seq#Update(s, i, v), n) } + 0 <= n && n <= i && i < Seq#Length(s) + ==> Seq#Drop(Seq#Update(s, i, v), n) == Seq#Update(Seq#Drop(s, n), i - n, v)); + +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Drop(Seq#Update(s, i, v), n) } + 0 <= i && i < n && n <= Seq#Length(s) + ==> Seq#Drop(Seq#Update(s, i, v), n) == Seq#Drop(s, n)); + +axiom (forall h: Heap, a: ref, n0: int, n1: int :: + { Seq#Take(Seq#FromArray(h, a), n0), Seq#Take(Seq#FromArray(h, a), n1) } + n0 + 1 == n1 && 0 <= n0 && n1 <= _System.array.Length(a) + ==> Seq#Take(Seq#FromArray(h, a), n1) + == Seq#Build(Seq#Take(Seq#FromArray(h, a), n0), read(h, a, IndexField(n0): Field Box))); + +axiom (forall s: Seq T, v: T, n: int :: + { Seq#Drop(Seq#Build(s, v), n) } + 0 <= n && n <= Seq#Length(s) + ==> Seq#Drop(Seq#Build(s, v), n) == Seq#Build(Seq#Drop(s, n), v)); + +function Seq#Rank(Seq T) : int; + +axiom (forall s: Seq Box, i: int :: + { DtRank($Unbox(Seq#Index(s, i)): DatatypeType) } + 0 <= i && i < Seq#Length(s) + ==> DtRank($Unbox(Seq#Index(s, i)): DatatypeType) < Seq#Rank(s)); + +axiom (forall s: Seq T, i: int :: + { Seq#Rank(Seq#Drop(s, i)) } + 0 < i && i <= Seq#Length(s) ==> Seq#Rank(Seq#Drop(s, i)) < Seq#Rank(s)); + +axiom (forall s: Seq T, i: int :: + { Seq#Rank(Seq#Take(s, i)) } + 0 <= i && i < Seq#Length(s) ==> Seq#Rank(Seq#Take(s, i)) < Seq#Rank(s)); + +axiom (forall s: Seq T, i: int, j: int :: + { Seq#Rank(Seq#Append(Seq#Take(s, i), Seq#Drop(s, j))) } + 0 <= i && i < j && j <= Seq#Length(s) + ==> Seq#Rank(Seq#Append(Seq#Take(s, i), Seq#Drop(s, j))) < Seq#Rank(s)); + +axiom (forall s: Seq T, n: int :: + { Seq#Drop(s, n) } + n == 0 ==> Seq#Drop(s, n) == s); + +axiom (forall s: Seq T, n: int :: + { Seq#Take(s, n) } + n == 0 ==> Seq#Take(s, n) == Seq#Empty()); + +axiom (forall s: Seq T, m: int, n: int :: + { Seq#Drop(Seq#Drop(s, m), n) } + 0 <= m && 0 <= n && m + n <= Seq#Length(s) + ==> Seq#Drop(Seq#Drop(s, m), n) == Seq#Drop(s, m + n)); + +function Map#Domain(Map U V) : Set U; + +function Map#Elements(Map U V) : [U]V; + +function Map#Card(Map U V) : int; + +axiom (forall m: Map U V :: { Map#Card(m) } 0 <= Map#Card(m)); + +axiom (forall m: Map U V :: + { Map#Card(m) } + Map#Card(m) == 0 <==> m == Map#Empty()); + +axiom (forall m: Map U V :: + { Map#Domain(m) } + m == Map#Empty() || (exists k: U :: Map#Domain(m)[k])); + +axiom (forall m: Map U V :: + { Map#Values(m) } + m == Map#Empty() || (exists v: V :: Map#Values(m)[v])); + +axiom (forall m: Map U V :: + { Map#Items(m) } + m == Map#Empty() + || (exists k: Box, v: Box :: Map#Items(m)[$Box(#_System._tuple#2._#Make2(k, v))])); + +axiom (forall m: Map U V :: + { Set#Card(Map#Domain(m)) } + Set#Card(Map#Domain(m)) == Map#Card(m)); + +axiom (forall m: Map U V :: + { Set#Card(Map#Values(m)) } + Set#Card(Map#Values(m)) <= Map#Card(m)); + +axiom (forall m: Map U V :: + { Set#Card(Map#Items(m)) } + Set#Card(Map#Items(m)) == Map#Card(m)); + +function Map#Values(Map U V) : Set V; + +axiom (forall m: Map U V, v: V :: + { Map#Values(m)[v] } + Map#Values(m)[v] + == (exists u: U :: + { Map#Domain(m)[u] } { Map#Elements(m)[u] } + Map#Domain(m)[u] && v == Map#Elements(m)[u])); + +function Map#Items(Map U V) : Set Box; + +function #_System._tuple#2._#Make2(Box, Box) : DatatypeType; + +function _System.Tuple2._0(DatatypeType) : Box; + +function _System.Tuple2._1(DatatypeType) : Box; + +axiom (forall m: Map Box Box, item: Box :: + { Map#Items(m)[item] } + Map#Items(m)[item] + <==> Map#Domain(m)[_System.Tuple2._0($Unbox(item))] + && Map#Elements(m)[_System.Tuple2._0($Unbox(item))] + == _System.Tuple2._1($Unbox(item))); + +function Map#Empty() : Map U V; + +axiom (forall u: U :: + { Map#Domain(Map#Empty(): Map U V)[u] } + !Map#Domain(Map#Empty(): Map U V)[u]); + +function Map#Glue([U]bool, [U]V, Ty) : Map U V; + +axiom (forall a: [U]bool, b: [U]V, t: Ty :: + { Map#Domain(Map#Glue(a, b, t)) } + Map#Domain(Map#Glue(a, b, t)) == a); + +axiom (forall a: [U]bool, b: [U]V, t: Ty :: + { Map#Elements(Map#Glue(a, b, t)) } + Map#Elements(Map#Glue(a, b, t)) == b); + +axiom (forall a: [Box]bool, b: [Box]Box, t0: Ty, t1: Ty :: + { Map#Glue(a, b, TMap(t0, t1)) } + (forall bx: Box :: a[bx] ==> $IsBox(bx, t0) && $IsBox(b[bx], t1)) + ==> $Is(Map#Glue(a, b, TMap(t0, t1)), TMap(t0, t1))); + +function Map#Build(Map U V, U, V) : Map U V; + +axiom (forall m: Map U V, u: U, u': U, v: V :: + { Map#Domain(Map#Build(m, u, v))[u'] } { Map#Elements(Map#Build(m, u, v))[u'] } + (u' == u + ==> Map#Domain(Map#Build(m, u, v))[u'] && Map#Elements(Map#Build(m, u, v))[u'] == v) + && (u' != u + ==> Map#Domain(Map#Build(m, u, v))[u'] == Map#Domain(m)[u'] + && Map#Elements(Map#Build(m, u, v))[u'] == Map#Elements(m)[u'])); + +axiom (forall m: Map U V, u: U, v: V :: + { Map#Card(Map#Build(m, u, v)) } + Map#Domain(m)[u] ==> Map#Card(Map#Build(m, u, v)) == Map#Card(m)); + +axiom (forall m: Map U V, u: U, v: V :: + { Map#Card(Map#Build(m, u, v)) } + !Map#Domain(m)[u] ==> Map#Card(Map#Build(m, u, v)) == Map#Card(m) + 1); + +function Map#Merge(Map U V, Map U V) : Map U V; + +axiom (forall m: Map U V, n: Map U V :: + { Map#Domain(Map#Merge(m, n)) } + Map#Domain(Map#Merge(m, n)) == Set#Union(Map#Domain(m), Map#Domain(n))); + +axiom (forall m: Map U V, n: Map U V, u: U :: + { Map#Elements(Map#Merge(m, n))[u] } + Map#Domain(Map#Merge(m, n))[u] + ==> (!Map#Domain(n)[u] ==> Map#Elements(Map#Merge(m, n))[u] == Map#Elements(m)[u]) + && (Map#Domain(n)[u] ==> Map#Elements(Map#Merge(m, n))[u] == Map#Elements(n)[u])); + +function Map#Subtract(Map U V, Set U) : Map U V; + +axiom (forall m: Map U V, s: Set U :: + { Map#Domain(Map#Subtract(m, s)) } + Map#Domain(Map#Subtract(m, s)) == Set#Difference(Map#Domain(m), s)); + +axiom (forall m: Map U V, s: Set U, u: U :: + { Map#Elements(Map#Subtract(m, s))[u] } + Map#Domain(Map#Subtract(m, s))[u] + ==> Map#Elements(Map#Subtract(m, s))[u] == Map#Elements(m)[u]); + +function Map#Equal(Map U V, Map U V) : bool; + +axiom (forall m: Map U V, m': Map U V :: + { Map#Equal(m, m') } + Map#Equal(m, m') + <==> (forall u: U :: Map#Domain(m)[u] == Map#Domain(m')[u]) + && (forall u: U :: Map#Domain(m)[u] ==> Map#Elements(m)[u] == Map#Elements(m')[u])); + +axiom (forall m: Map U V, m': Map U V :: + { Map#Equal(m, m') } + Map#Equal(m, m') ==> m == m'); + +function Map#Disjoint(Map U V, Map U V) : bool; + +axiom (forall m: Map U V, m': Map U V :: + { Map#Disjoint(m, m') } + Map#Disjoint(m, m') + <==> (forall o: U :: + { Map#Domain(m)[o] } { Map#Domain(m')[o] } + !Map#Domain(m)[o] || !Map#Domain(m')[o])); + +function IMap#Domain(IMap U V) : Set U; + +function IMap#Elements(IMap U V) : [U]V; + +axiom (forall m: IMap U V :: + { IMap#Domain(m) } + m == IMap#Empty() || (exists k: U :: IMap#Domain(m)[k])); + +axiom (forall m: IMap U V :: + { IMap#Values(m) } + m == IMap#Empty() || (exists v: V :: IMap#Values(m)[v])); + +axiom (forall m: IMap U V :: + { IMap#Items(m) } + m == IMap#Empty() + || (exists k: Box, v: Box :: IMap#Items(m)[$Box(#_System._tuple#2._#Make2(k, v))])); + +axiom (forall m: IMap U V :: + { IMap#Domain(m) } + m == IMap#Empty() <==> IMap#Domain(m) == ISet#Empty()); + +axiom (forall m: IMap U V :: + { IMap#Values(m) } + m == IMap#Empty() <==> IMap#Values(m) == ISet#Empty()); + +axiom (forall m: IMap U V :: + { IMap#Items(m) } + m == IMap#Empty() <==> IMap#Items(m) == ISet#Empty()); + +function IMap#Values(IMap U V) : Set V; + +axiom (forall m: IMap U V, v: V :: + { IMap#Values(m)[v] } + IMap#Values(m)[v] + == (exists u: U :: + { IMap#Domain(m)[u] } { IMap#Elements(m)[u] } + IMap#Domain(m)[u] && v == IMap#Elements(m)[u])); + +function IMap#Items(IMap U V) : Set Box; + +axiom (forall m: IMap Box Box, item: Box :: + { IMap#Items(m)[item] } + IMap#Items(m)[item] + <==> IMap#Domain(m)[_System.Tuple2._0($Unbox(item))] + && IMap#Elements(m)[_System.Tuple2._0($Unbox(item))] + == _System.Tuple2._1($Unbox(item))); + +function IMap#Empty() : IMap U V; + +axiom (forall u: U :: + { IMap#Domain(IMap#Empty(): IMap U V)[u] } + !IMap#Domain(IMap#Empty(): IMap U V)[u]); + +function IMap#Glue([U]bool, [U]V, Ty) : IMap U V; + +axiom (forall a: [U]bool, b: [U]V, t: Ty :: + { IMap#Domain(IMap#Glue(a, b, t)) } + IMap#Domain(IMap#Glue(a, b, t)) == a); + +axiom (forall a: [U]bool, b: [U]V, t: Ty :: + { IMap#Elements(IMap#Glue(a, b, t)) } + IMap#Elements(IMap#Glue(a, b, t)) == b); + +axiom (forall a: [Box]bool, b: [Box]Box, t0: Ty, t1: Ty :: + { IMap#Glue(a, b, TIMap(t0, t1)) } + (forall bx: Box :: a[bx] ==> $IsBox(bx, t0) && $IsBox(b[bx], t1)) + ==> $Is(Map#Glue(a, b, TIMap(t0, t1)), TIMap(t0, t1))); + +function IMap#Build(IMap U V, U, V) : IMap U V; + +axiom (forall m: IMap U V, u: U, u': U, v: V :: + { IMap#Domain(IMap#Build(m, u, v))[u'] } + { IMap#Elements(IMap#Build(m, u, v))[u'] } + (u' == u + ==> IMap#Domain(IMap#Build(m, u, v))[u'] + && IMap#Elements(IMap#Build(m, u, v))[u'] == v) + && (u' != u + ==> IMap#Domain(IMap#Build(m, u, v))[u'] == IMap#Domain(m)[u'] + && IMap#Elements(IMap#Build(m, u, v))[u'] == IMap#Elements(m)[u'])); + +function IMap#Equal(IMap U V, IMap U V) : bool; + +axiom (forall m: IMap U V, m': IMap U V :: + { IMap#Equal(m, m') } + IMap#Equal(m, m') + <==> (forall u: U :: IMap#Domain(m)[u] == IMap#Domain(m')[u]) + && (forall u: U :: + IMap#Domain(m)[u] ==> IMap#Elements(m)[u] == IMap#Elements(m')[u])); + +axiom (forall m: IMap U V, m': IMap U V :: + { IMap#Equal(m, m') } + IMap#Equal(m, m') ==> m == m'); + +function IMap#Merge(IMap U V, IMap U V) : IMap U V; + +axiom (forall m: IMap U V, n: IMap U V :: + { IMap#Domain(IMap#Merge(m, n)) } + IMap#Domain(IMap#Merge(m, n)) == Set#Union(IMap#Domain(m), IMap#Domain(n))); + +axiom (forall m: IMap U V, n: IMap U V, u: U :: + { IMap#Elements(IMap#Merge(m, n))[u] } + IMap#Domain(IMap#Merge(m, n))[u] + ==> (!IMap#Domain(n)[u] + ==> IMap#Elements(IMap#Merge(m, n))[u] == IMap#Elements(m)[u]) + && (IMap#Domain(n)[u] + ==> IMap#Elements(IMap#Merge(m, n))[u] == IMap#Elements(n)[u])); + +function IMap#Subtract(IMap U V, Set U) : IMap U V; + +axiom (forall m: IMap U V, s: Set U :: + { IMap#Domain(IMap#Subtract(m, s)) } + IMap#Domain(IMap#Subtract(m, s)) == Set#Difference(IMap#Domain(m), s)); + +axiom (forall m: IMap U V, s: Set U, u: U :: + { IMap#Elements(IMap#Subtract(m, s))[u] } + IMap#Domain(IMap#Subtract(m, s))[u] + ==> IMap#Elements(IMap#Subtract(m, s))[u] == IMap#Elements(m)[u]); + +function INTERNAL_add_boogie(x: int, y: int) : int; + +axiom (forall x: int, y: int :: + { INTERNAL_add_boogie(x, y): int } + INTERNAL_add_boogie(x, y): int == x + y); + +function INTERNAL_sub_boogie(x: int, y: int) : int; + +axiom (forall x: int, y: int :: + { INTERNAL_sub_boogie(x, y): int } + INTERNAL_sub_boogie(x, y): int == x - y); + +function INTERNAL_mul_boogie(x: int, y: int) : int; + +axiom (forall x: int, y: int :: + { INTERNAL_mul_boogie(x, y): int } + INTERNAL_mul_boogie(x, y): int == x * y); + +function INTERNAL_div_boogie(x: int, y: int) : int; + +axiom (forall x: int, y: int :: + { INTERNAL_div_boogie(x, y): int } + INTERNAL_div_boogie(x, y): int == x div y); + +function INTERNAL_mod_boogie(x: int, y: int) : int; + +axiom (forall x: int, y: int :: + { INTERNAL_mod_boogie(x, y): int } + INTERNAL_mod_boogie(x, y): int == x mod y); + +function {:never_pattern true} INTERNAL_lt_boogie(x: int, y: int) : bool; + +axiom (forall x: int, y: int :: + {:never_pattern true} { INTERNAL_lt_boogie(x, y): bool } + INTERNAL_lt_boogie(x, y): bool == (x < y)); + +function {:never_pattern true} INTERNAL_le_boogie(x: int, y: int) : bool; + +axiom (forall x: int, y: int :: + {:never_pattern true} { INTERNAL_le_boogie(x, y): bool } + INTERNAL_le_boogie(x, y): bool == (x <= y)); + +function {:never_pattern true} INTERNAL_gt_boogie(x: int, y: int) : bool; + +axiom (forall x: int, y: int :: + {:never_pattern true} { INTERNAL_gt_boogie(x, y): bool } + INTERNAL_gt_boogie(x, y): bool == (x > y)); + +function {:never_pattern true} INTERNAL_ge_boogie(x: int, y: int) : bool; + +axiom (forall x: int, y: int :: + {:never_pattern true} { INTERNAL_ge_boogie(x, y): bool } + INTERNAL_ge_boogie(x, y): bool == (x >= y)); + +function Mul(x: int, y: int) : int; + +axiom (forall x: int, y: int :: { Mul(x, y): int } Mul(x, y): int == x * y); + +function Div(x: int, y: int) : int; + +axiom (forall x: int, y: int :: { Div(x, y): int } Div(x, y): int == x div y); + +function Mod(x: int, y: int) : int; + +axiom (forall x: int, y: int :: { Mod(x, y): int } Mod(x, y): int == x mod y); + +function Add(x: int, y: int) : int; + +axiom (forall x: int, y: int :: { Add(x, y): int } Add(x, y): int == x + y); + +function Sub(x: int, y: int) : int; + +axiom (forall x: int, y: int :: { Sub(x, y): int } Sub(x, y): int == x - y); + +function Tclass._System.nat() : Ty; + +const unique Tagclass._System.nat: TyTag; + +// Tclass._System.nat Tag +axiom Tag(Tclass._System.nat()) == Tagclass._System.nat + && TagFamily(Tclass._System.nat()) == tytagFamily$nat; + +// Box/unbox axiom for Tclass._System.nat +axiom (forall bx: Box :: + { $IsBox(bx, Tclass._System.nat()) } + $IsBox(bx, Tclass._System.nat()) + ==> $Box($Unbox(bx): int) == bx && $Is($Unbox(bx): int, Tclass._System.nat())); + +// _System.nat: subset type $Is +axiom (forall x#0: int :: + { $Is(x#0, Tclass._System.nat()) } + $Is(x#0, Tclass._System.nat()) <==> LitInt(0) <= x#0); + +// _System.nat: subset type $IsAlloc +axiom (forall x#0: int, $h: Heap :: + { $IsAlloc(x#0, Tclass._System.nat(), $h) } + $IsAlloc(x#0, Tclass._System.nat(), $h)); + +const unique class._System.object?: ClassName; + +const unique Tagclass._System.object?: TyTag; + +// Tclass._System.object? Tag +axiom Tag(Tclass._System.object?()) == Tagclass._System.object? + && TagFamily(Tclass._System.object?()) == tytagFamily$object; + +// Box/unbox axiom for Tclass._System.object? +axiom (forall bx: Box :: + { $IsBox(bx, Tclass._System.object?()) } + $IsBox(bx, Tclass._System.object?()) + ==> $Box($Unbox(bx): ref) == bx && $Is($Unbox(bx): ref, Tclass._System.object?())); + +// object: Class $Is +axiom (forall $o: ref :: + { $Is($o, Tclass._System.object?()) } + $Is($o, Tclass._System.object?())); + +// object: Class $IsAlloc +axiom (forall $o: ref, $h: Heap :: + { $IsAlloc($o, Tclass._System.object?(), $h) } + $IsAlloc($o, Tclass._System.object?(), $h) + <==> $o == null || read($h, $o, alloc)); + +function implements$_System.object(ty: Ty) : bool; + +function Tclass._System.object() : Ty; + +const unique Tagclass._System.object: TyTag; + +// Tclass._System.object Tag +axiom Tag(Tclass._System.object()) == Tagclass._System.object + && TagFamily(Tclass._System.object()) == tytagFamily$object; + +// Box/unbox axiom for Tclass._System.object +axiom (forall bx: Box :: + { $IsBox(bx, Tclass._System.object()) } + $IsBox(bx, Tclass._System.object()) + ==> $Box($Unbox(bx): ref) == bx && $Is($Unbox(bx): ref, Tclass._System.object())); + +// _System.object: non-null type $Is +axiom (forall c#0: ref :: + { $Is(c#0, Tclass._System.object()) } + $Is(c#0, Tclass._System.object()) + <==> $Is(c#0, Tclass._System.object?()) && c#0 != null); + +// _System.object: non-null type $IsAlloc +axiom (forall c#0: ref, $h: Heap :: + { $IsAlloc(c#0, Tclass._System.object(), $h) } + $IsAlloc(c#0, Tclass._System.object(), $h) + <==> $IsAlloc(c#0, Tclass._System.object?(), $h)); + +const unique class._System.array?: ClassName; + +function Tclass._System.array?(Ty) : Ty; + +const unique Tagclass._System.array?: TyTag; + +// Tclass._System.array? Tag +axiom (forall _System.array$arg: Ty :: + { Tclass._System.array?(_System.array$arg) } + Tag(Tclass._System.array?(_System.array$arg)) == Tagclass._System.array? + && TagFamily(Tclass._System.array?(_System.array$arg)) == tytagFamily$array); + +function Tclass._System.array?_0(Ty) : Ty; + +// Tclass._System.array? injectivity 0 +axiom (forall _System.array$arg: Ty :: + { Tclass._System.array?(_System.array$arg) } + Tclass._System.array?_0(Tclass._System.array?(_System.array$arg)) + == _System.array$arg); + +// Box/unbox axiom for Tclass._System.array? +axiom (forall _System.array$arg: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.array?(_System.array$arg)) } + $IsBox(bx, Tclass._System.array?(_System.array$arg)) + ==> $Box($Unbox(bx): ref) == bx + && $Is($Unbox(bx): ref, Tclass._System.array?(_System.array$arg))); + +// array.: Type axiom +axiom (forall _System.array$arg: Ty, $h: Heap, $o: ref, $i0: int :: + { read($h, $o, IndexField($i0)), Tclass._System.array?(_System.array$arg) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._System.array?(_System.array$arg) + && + 0 <= $i0 + && $i0 < _System.array.Length($o) + ==> $IsBox(read($h, $o, IndexField($i0)), _System.array$arg)); + +// array.: Allocation axiom +axiom (forall _System.array$arg: Ty, $h: Heap, $o: ref, $i0: int :: + { read($h, $o, IndexField($i0)), Tclass._System.array?(_System.array$arg) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._System.array?(_System.array$arg) + && + 0 <= $i0 + && $i0 < _System.array.Length($o) + && read($h, $o, alloc) + ==> $IsAllocBox(read($h, $o, IndexField($i0)), _System.array$arg, $h)); + +// array: Class $Is +axiom (forall _System.array$arg: Ty, $o: ref :: + { $Is($o, Tclass._System.array?(_System.array$arg)) } + $Is($o, Tclass._System.array?(_System.array$arg)) + <==> $o == null || dtype($o) == Tclass._System.array?(_System.array$arg)); + +// array: Class $IsAlloc +axiom (forall _System.array$arg: Ty, $o: ref, $h: Heap :: + { $IsAlloc($o, Tclass._System.array?(_System.array$arg), $h) } + $IsAlloc($o, Tclass._System.array?(_System.array$arg), $h) + <==> $o == null || read($h, $o, alloc)); + +// array.Length: Type axiom +axiom (forall _System.array$arg: Ty, $o: ref :: + { _System.array.Length($o), Tclass._System.array?(_System.array$arg) } + $o != null && dtype($o) == Tclass._System.array?(_System.array$arg) + ==> $Is(_System.array.Length($o), TInt)); + +// array.Length: Allocation axiom +axiom (forall _System.array$arg: Ty, $h: Heap, $o: ref :: + { _System.array.Length($o), read($h, $o, alloc), Tclass._System.array?(_System.array$arg) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._System.array?(_System.array$arg) + && read($h, $o, alloc) + ==> $IsAlloc(_System.array.Length($o), TInt, $h)); + +function Tclass._System.array(Ty) : Ty; + +const unique Tagclass._System.array: TyTag; + +// Tclass._System.array Tag +axiom (forall _System.array$arg: Ty :: + { Tclass._System.array(_System.array$arg) } + Tag(Tclass._System.array(_System.array$arg)) == Tagclass._System.array + && TagFamily(Tclass._System.array(_System.array$arg)) == tytagFamily$array); + +function Tclass._System.array_0(Ty) : Ty; + +// Tclass._System.array injectivity 0 +axiom (forall _System.array$arg: Ty :: + { Tclass._System.array(_System.array$arg) } + Tclass._System.array_0(Tclass._System.array(_System.array$arg)) + == _System.array$arg); + +// Box/unbox axiom for Tclass._System.array +axiom (forall _System.array$arg: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.array(_System.array$arg)) } + $IsBox(bx, Tclass._System.array(_System.array$arg)) + ==> $Box($Unbox(bx): ref) == bx + && $Is($Unbox(bx): ref, Tclass._System.array(_System.array$arg))); + +// _System.array: non-null type $Is +axiom (forall _System.array$arg: Ty, c#0: ref :: + { $Is(c#0, Tclass._System.array(_System.array$arg)) } + $Is(c#0, Tclass._System.array(_System.array$arg)) + <==> $Is(c#0, Tclass._System.array?(_System.array$arg)) && c#0 != null); + +// _System.array: non-null type $IsAlloc +axiom (forall _System.array$arg: Ty, c#0: ref, $h: Heap :: + { $IsAlloc(c#0, Tclass._System.array(_System.array$arg), $h) } + $IsAlloc(c#0, Tclass._System.array(_System.array$arg), $h) + <==> $IsAlloc(c#0, Tclass._System.array?(_System.array$arg), $h)); + +function Tclass._System.___hFunc1(Ty, Ty) : Ty; + +const unique Tagclass._System.___hFunc1: TyTag; + +// Tclass._System.___hFunc1 Tag +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hFunc1(#$T0, #$R) } + Tag(Tclass._System.___hFunc1(#$T0, #$R)) == Tagclass._System.___hFunc1 + && TagFamily(Tclass._System.___hFunc1(#$T0, #$R)) == tytagFamily$_#Func1); + +function Tclass._System.___hFunc1_0(Ty) : Ty; + +// Tclass._System.___hFunc1 injectivity 0 +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hFunc1(#$T0, #$R) } + Tclass._System.___hFunc1_0(Tclass._System.___hFunc1(#$T0, #$R)) == #$T0); + +function Tclass._System.___hFunc1_1(Ty) : Ty; + +// Tclass._System.___hFunc1 injectivity 1 +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hFunc1(#$T0, #$R) } + Tclass._System.___hFunc1_1(Tclass._System.___hFunc1(#$T0, #$R)) == #$R); + +// Box/unbox axiom for Tclass._System.___hFunc1 +axiom (forall #$T0: Ty, #$R: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.___hFunc1(#$T0, #$R)) } + $IsBox(bx, Tclass._System.___hFunc1(#$T0, #$R)) + ==> $Box($Unbox(bx): HandleType) == bx + && $Is($Unbox(bx): HandleType, Tclass._System.___hFunc1(#$T0, #$R))); + +function Handle1([Heap,Box]Box, [Heap,Box]bool, [Heap,Box]Set Box) : HandleType; + +function Requires1(Ty, Ty, Heap, HandleType, Box) : bool; + +function Reads1(Ty, Ty, Heap, HandleType, Box) : Set Box; + +axiom (forall t0: Ty, + t1: Ty, + heap: Heap, + h: [Heap,Box]Box, + r: [Heap,Box]bool, + rd: [Heap,Box]Set Box, + bx0: Box :: + { Apply1(t0, t1, heap, Handle1(h, r, rd), bx0) } + Apply1(t0, t1, heap, Handle1(h, r, rd), bx0) == h[heap, bx0]); + +axiom (forall t0: Ty, + t1: Ty, + heap: Heap, + h: [Heap,Box]Box, + r: [Heap,Box]bool, + rd: [Heap,Box]Set Box, + bx0: Box :: + { Requires1(t0, t1, heap, Handle1(h, r, rd), bx0) } + r[heap, bx0] ==> Requires1(t0, t1, heap, Handle1(h, r, rd), bx0)); + +axiom (forall t0: Ty, + t1: Ty, + heap: Heap, + h: [Heap,Box]Box, + r: [Heap,Box]bool, + rd: [Heap,Box]Set Box, + bx0: Box, + bx: Box :: + { Reads1(t0, t1, heap, Handle1(h, r, rd), bx0)[bx] } + Reads1(t0, t1, heap, Handle1(h, r, rd), bx0)[bx] == rd[heap, bx0][bx]); + +function {:inline} Requires1#canCall(t0: Ty, t1: Ty, heap: Heap, f: HandleType, bx0: Box) : bool +{ + true +} + +function {:inline} Reads1#canCall(t0: Ty, t1: Ty, heap: Heap, f: HandleType, bx0: Box) : bool +{ + true +} + +// frame axiom for Reads1 +axiom (forall t0: Ty, t1: Ty, h0: Heap, h1: Heap, f: HandleType, bx0: Box :: + { $HeapSucc(h0, h1), Reads1(t0, t1, h1, f, bx0) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $Is(f, Tclass._System.___hFunc1(t0, t1)) + && (forall o: ref, fld: Field a :: + o != null && Reads1(t0, t1, h0, f, bx0)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Reads1(t0, t1, h0, f, bx0) == Reads1(t0, t1, h1, f, bx0)); + +// frame axiom for Reads1 +axiom (forall t0: Ty, t1: Ty, h0: Heap, h1: Heap, f: HandleType, bx0: Box :: + { $HeapSucc(h0, h1), Reads1(t0, t1, h1, f, bx0) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $Is(f, Tclass._System.___hFunc1(t0, t1)) + && (forall o: ref, fld: Field a :: + o != null && Reads1(t0, t1, h1, f, bx0)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Reads1(t0, t1, h0, f, bx0) == Reads1(t0, t1, h1, f, bx0)); + +// frame axiom for Requires1 +axiom (forall t0: Ty, t1: Ty, h0: Heap, h1: Heap, f: HandleType, bx0: Box :: + { $HeapSucc(h0, h1), Requires1(t0, t1, h1, f, bx0) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $Is(f, Tclass._System.___hFunc1(t0, t1)) + && (forall o: ref, fld: Field a :: + o != null && Reads1(t0, t1, h0, f, bx0)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Requires1(t0, t1, h0, f, bx0) == Requires1(t0, t1, h1, f, bx0)); + +// frame axiom for Requires1 +axiom (forall t0: Ty, t1: Ty, h0: Heap, h1: Heap, f: HandleType, bx0: Box :: + { $HeapSucc(h0, h1), Requires1(t0, t1, h1, f, bx0) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $Is(f, Tclass._System.___hFunc1(t0, t1)) + && (forall o: ref, fld: Field a :: + o != null && Reads1(t0, t1, h1, f, bx0)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Requires1(t0, t1, h0, f, bx0) == Requires1(t0, t1, h1, f, bx0)); + +// frame axiom for Apply1 +axiom (forall t0: Ty, t1: Ty, h0: Heap, h1: Heap, f: HandleType, bx0: Box :: + { $HeapSucc(h0, h1), Apply1(t0, t1, h1, f, bx0) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $Is(f, Tclass._System.___hFunc1(t0, t1)) + && (forall o: ref, fld: Field a :: + o != null && Reads1(t0, t1, h0, f, bx0)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Apply1(t0, t1, h0, f, bx0) == Apply1(t0, t1, h1, f, bx0)); + +// frame axiom for Apply1 +axiom (forall t0: Ty, t1: Ty, h0: Heap, h1: Heap, f: HandleType, bx0: Box :: + { $HeapSucc(h0, h1), Apply1(t0, t1, h1, f, bx0) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && + $IsBox(bx0, t0) + && $Is(f, Tclass._System.___hFunc1(t0, t1)) + && (forall o: ref, fld: Field a :: + o != null && Reads1(t0, t1, h1, f, bx0)[$Box(o)] + ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Apply1(t0, t1, h0, f, bx0) == Apply1(t0, t1, h1, f, bx0)); + +// empty-reads property for Reads1 +axiom (forall t0: Ty, t1: Ty, heap: Heap, f: HandleType, bx0: Box :: + { Reads1(t0, t1, $OneHeap, f, bx0), $IsGoodHeap(heap) } + { Reads1(t0, t1, heap, f, bx0) } + $IsGoodHeap(heap) && $IsBox(bx0, t0) && $Is(f, Tclass._System.___hFunc1(t0, t1)) + ==> (Set#Equal(Reads1(t0, t1, $OneHeap, f, bx0), Set#Empty(): Set Box) + <==> Set#Equal(Reads1(t0, t1, heap, f, bx0), Set#Empty(): Set Box))); + +// empty-reads property for Requires1 +axiom (forall t0: Ty, t1: Ty, heap: Heap, f: HandleType, bx0: Box :: + { Requires1(t0, t1, $OneHeap, f, bx0), $IsGoodHeap(heap) } + { Requires1(t0, t1, heap, f, bx0) } + $IsGoodHeap(heap) + && + $IsBox(bx0, t0) + && $Is(f, Tclass._System.___hFunc1(t0, t1)) + && Set#Equal(Reads1(t0, t1, $OneHeap, f, bx0), Set#Empty(): Set Box) + ==> Requires1(t0, t1, $OneHeap, f, bx0) == Requires1(t0, t1, heap, f, bx0)); + +axiom (forall f: HandleType, t0: Ty, t1: Ty :: + { $Is(f, Tclass._System.___hFunc1(t0, t1)) } + $Is(f, Tclass._System.___hFunc1(t0, t1)) + <==> (forall h: Heap, bx0: Box :: + { Apply1(t0, t1, h, f, bx0) } + $IsGoodHeap(h) && $IsBox(bx0, t0) && Requires1(t0, t1, h, f, bx0) + ==> $IsBox(Apply1(t0, t1, h, f, bx0), t1))); + +axiom (forall f: HandleType, t0: Ty, t1: Ty, u0: Ty, u1: Ty :: + { $Is(f, Tclass._System.___hFunc1(t0, t1)), $Is(f, Tclass._System.___hFunc1(u0, u1)) } + $Is(f, Tclass._System.___hFunc1(t0, t1)) + && (forall bx: Box :: + { $IsBox(bx, u0) } { $IsBox(bx, t0) } + $IsBox(bx, u0) ==> $IsBox(bx, t0)) + && (forall bx: Box :: + { $IsBox(bx, t1) } { $IsBox(bx, u1) } + $IsBox(bx, t1) ==> $IsBox(bx, u1)) + ==> $Is(f, Tclass._System.___hFunc1(u0, u1))); + +axiom (forall f: HandleType, t0: Ty, t1: Ty, h: Heap :: + { $IsAlloc(f, Tclass._System.___hFunc1(t0, t1), h) } + $IsGoodHeap(h) + ==> ($IsAlloc(f, Tclass._System.___hFunc1(t0, t1), h) + <==> (forall bx0: Box :: + { Apply1(t0, t1, h, f, bx0) } { Reads1(t0, t1, h, f, bx0) } + $IsBox(bx0, t0) && $IsAllocBox(bx0, t0, h) && Requires1(t0, t1, h, f, bx0) + ==> (forall r: ref :: + { Reads1(t0, t1, h, f, bx0)[$Box(r)] } + r != null && Reads1(t0, t1, h, f, bx0)[$Box(r)] ==> read(h, r, alloc))))); + +axiom (forall f: HandleType, t0: Ty, t1: Ty, h: Heap :: + { $IsAlloc(f, Tclass._System.___hFunc1(t0, t1), h) } + $IsGoodHeap(h) && $IsAlloc(f, Tclass._System.___hFunc1(t0, t1), h) + ==> (forall bx0: Box :: + { Apply1(t0, t1, h, f, bx0) } + $IsAllocBox(bx0, t0, h) && Requires1(t0, t1, h, f, bx0) + ==> $IsAllocBox(Apply1(t0, t1, h, f, bx0), t1, h))); + +function Tclass._System.___hPartialFunc1(Ty, Ty) : Ty; + +const unique Tagclass._System.___hPartialFunc1: TyTag; + +// Tclass._System.___hPartialFunc1 Tag +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hPartialFunc1(#$T0, #$R) } + Tag(Tclass._System.___hPartialFunc1(#$T0, #$R)) + == Tagclass._System.___hPartialFunc1 + && TagFamily(Tclass._System.___hPartialFunc1(#$T0, #$R)) + == tytagFamily$_#PartialFunc1); + +function Tclass._System.___hPartialFunc1_0(Ty) : Ty; + +// Tclass._System.___hPartialFunc1 injectivity 0 +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hPartialFunc1(#$T0, #$R) } + Tclass._System.___hPartialFunc1_0(Tclass._System.___hPartialFunc1(#$T0, #$R)) + == #$T0); + +function Tclass._System.___hPartialFunc1_1(Ty) : Ty; + +// Tclass._System.___hPartialFunc1 injectivity 1 +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hPartialFunc1(#$T0, #$R) } + Tclass._System.___hPartialFunc1_1(Tclass._System.___hPartialFunc1(#$T0, #$R)) + == #$R); + +// Box/unbox axiom for Tclass._System.___hPartialFunc1 +axiom (forall #$T0: Ty, #$R: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.___hPartialFunc1(#$T0, #$R)) } + $IsBox(bx, Tclass._System.___hPartialFunc1(#$T0, #$R)) + ==> $Box($Unbox(bx): HandleType) == bx + && $Is($Unbox(bx): HandleType, Tclass._System.___hPartialFunc1(#$T0, #$R))); + +// _System._#PartialFunc1: subset type $Is +axiom (forall #$T0: Ty, #$R: Ty, f#0: HandleType :: + { $Is(f#0, Tclass._System.___hPartialFunc1(#$T0, #$R)) } + $Is(f#0, Tclass._System.___hPartialFunc1(#$T0, #$R)) + <==> $Is(f#0, Tclass._System.___hFunc1(#$T0, #$R)) + && (forall x0#0: Box :: + $IsBox(x0#0, #$T0) + ==> Set#Equal(Reads1(#$T0, #$R, $OneHeap, f#0, x0#0), Set#Empty(): Set Box))); + +// _System._#PartialFunc1: subset type $IsAlloc +axiom (forall #$T0: Ty, #$R: Ty, f#0: HandleType, $h: Heap :: + { $IsAlloc(f#0, Tclass._System.___hPartialFunc1(#$T0, #$R), $h) } + $IsAlloc(f#0, Tclass._System.___hPartialFunc1(#$T0, #$R), $h) + <==> $IsAlloc(f#0, Tclass._System.___hFunc1(#$T0, #$R), $h)); + +function Tclass._System.___hTotalFunc1(Ty, Ty) : Ty; + +const unique Tagclass._System.___hTotalFunc1: TyTag; + +// Tclass._System.___hTotalFunc1 Tag +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hTotalFunc1(#$T0, #$R) } + Tag(Tclass._System.___hTotalFunc1(#$T0, #$R)) == Tagclass._System.___hTotalFunc1 + && TagFamily(Tclass._System.___hTotalFunc1(#$T0, #$R)) == tytagFamily$_#TotalFunc1); + +function Tclass._System.___hTotalFunc1_0(Ty) : Ty; + +// Tclass._System.___hTotalFunc1 injectivity 0 +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hTotalFunc1(#$T0, #$R) } + Tclass._System.___hTotalFunc1_0(Tclass._System.___hTotalFunc1(#$T0, #$R)) + == #$T0); + +function Tclass._System.___hTotalFunc1_1(Ty) : Ty; + +// Tclass._System.___hTotalFunc1 injectivity 1 +axiom (forall #$T0: Ty, #$R: Ty :: + { Tclass._System.___hTotalFunc1(#$T0, #$R) } + Tclass._System.___hTotalFunc1_1(Tclass._System.___hTotalFunc1(#$T0, #$R)) == #$R); + +// Box/unbox axiom for Tclass._System.___hTotalFunc1 +axiom (forall #$T0: Ty, #$R: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.___hTotalFunc1(#$T0, #$R)) } + $IsBox(bx, Tclass._System.___hTotalFunc1(#$T0, #$R)) + ==> $Box($Unbox(bx): HandleType) == bx + && $Is($Unbox(bx): HandleType, Tclass._System.___hTotalFunc1(#$T0, #$R))); + +// _System._#TotalFunc1: subset type $Is +axiom (forall #$T0: Ty, #$R: Ty, f#0: HandleType :: + { $Is(f#0, Tclass._System.___hTotalFunc1(#$T0, #$R)) } + $Is(f#0, Tclass._System.___hTotalFunc1(#$T0, #$R)) + <==> $Is(f#0, Tclass._System.___hPartialFunc1(#$T0, #$R)) + && (forall x0#0: Box :: + $IsBox(x0#0, #$T0) ==> Requires1(#$T0, #$R, $OneHeap, f#0, x0#0))); + +// _System._#TotalFunc1: subset type $IsAlloc +axiom (forall #$T0: Ty, #$R: Ty, f#0: HandleType, $h: Heap :: + { $IsAlloc(f#0, Tclass._System.___hTotalFunc1(#$T0, #$R), $h) } + $IsAlloc(f#0, Tclass._System.___hTotalFunc1(#$T0, #$R), $h) + <==> $IsAlloc(f#0, Tclass._System.___hPartialFunc1(#$T0, #$R), $h)); + +function Tclass._System.___hFunc0(Ty) : Ty; + +const unique Tagclass._System.___hFunc0: TyTag; + +// Tclass._System.___hFunc0 Tag +axiom (forall #$R: Ty :: + { Tclass._System.___hFunc0(#$R) } + Tag(Tclass._System.___hFunc0(#$R)) == Tagclass._System.___hFunc0 + && TagFamily(Tclass._System.___hFunc0(#$R)) == tytagFamily$_#Func0); + +function Tclass._System.___hFunc0_0(Ty) : Ty; + +// Tclass._System.___hFunc0 injectivity 0 +axiom (forall #$R: Ty :: + { Tclass._System.___hFunc0(#$R) } + Tclass._System.___hFunc0_0(Tclass._System.___hFunc0(#$R)) == #$R); + +// Box/unbox axiom for Tclass._System.___hFunc0 +axiom (forall #$R: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.___hFunc0(#$R)) } + $IsBox(bx, Tclass._System.___hFunc0(#$R)) + ==> $Box($Unbox(bx): HandleType) == bx + && $Is($Unbox(bx): HandleType, Tclass._System.___hFunc0(#$R))); + +function Handle0([Heap]Box, [Heap]bool, [Heap]Set Box) : HandleType; + +function Apply0(Ty, Heap, HandleType) : Box; + +function Requires0(Ty, Heap, HandleType) : bool; + +function Reads0(Ty, Heap, HandleType) : Set Box; + +axiom (forall t0: Ty, heap: Heap, h: [Heap]Box, r: [Heap]bool, rd: [Heap]Set Box :: + { Apply0(t0, heap, Handle0(h, r, rd)) } + Apply0(t0, heap, Handle0(h, r, rd)) == h[heap]); + +axiom (forall t0: Ty, heap: Heap, h: [Heap]Box, r: [Heap]bool, rd: [Heap]Set Box :: + { Requires0(t0, heap, Handle0(h, r, rd)) } + r[heap] ==> Requires0(t0, heap, Handle0(h, r, rd))); + +axiom (forall t0: Ty, heap: Heap, h: [Heap]Box, r: [Heap]bool, rd: [Heap]Set Box, bx: Box :: + { Reads0(t0, heap, Handle0(h, r, rd))[bx] } + Reads0(t0, heap, Handle0(h, r, rd))[bx] == rd[heap][bx]); + +function {:inline} Requires0#canCall(t0: Ty, heap: Heap, f: HandleType) : bool +{ + true +} + +function {:inline} Reads0#canCall(t0: Ty, heap: Heap, f: HandleType) : bool +{ + true +} + +// frame axiom for Reads0 +axiom (forall t0: Ty, h0: Heap, h1: Heap, f: HandleType :: + { $HeapSucc(h0, h1), Reads0(t0, h1, f) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && $Is(f, Tclass._System.___hFunc0(t0)) + && (forall o: ref, fld: Field a :: + o != null && Reads0(t0, h0, f)[$Box(o)] ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Reads0(t0, h0, f) == Reads0(t0, h1, f)); + +// frame axiom for Reads0 +axiom (forall t0: Ty, h0: Heap, h1: Heap, f: HandleType :: + { $HeapSucc(h0, h1), Reads0(t0, h1, f) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && $Is(f, Tclass._System.___hFunc0(t0)) + && (forall o: ref, fld: Field a :: + o != null && Reads0(t0, h1, f)[$Box(o)] ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Reads0(t0, h0, f) == Reads0(t0, h1, f)); + +// frame axiom for Requires0 +axiom (forall t0: Ty, h0: Heap, h1: Heap, f: HandleType :: + { $HeapSucc(h0, h1), Requires0(t0, h1, f) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && $Is(f, Tclass._System.___hFunc0(t0)) + && (forall o: ref, fld: Field a :: + o != null && Reads0(t0, h0, f)[$Box(o)] ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Requires0(t0, h0, f) == Requires0(t0, h1, f)); + +// frame axiom for Requires0 +axiom (forall t0: Ty, h0: Heap, h1: Heap, f: HandleType :: + { $HeapSucc(h0, h1), Requires0(t0, h1, f) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && $Is(f, Tclass._System.___hFunc0(t0)) + && (forall o: ref, fld: Field a :: + o != null && Reads0(t0, h1, f)[$Box(o)] ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Requires0(t0, h0, f) == Requires0(t0, h1, f)); + +// frame axiom for Apply0 +axiom (forall t0: Ty, h0: Heap, h1: Heap, f: HandleType :: + { $HeapSucc(h0, h1), Apply0(t0, h1, f) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && $Is(f, Tclass._System.___hFunc0(t0)) + && (forall o: ref, fld: Field a :: + o != null && Reads0(t0, h0, f)[$Box(o)] ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Apply0(t0, h0, f) == Apply0(t0, h1, f)); + +// frame axiom for Apply0 +axiom (forall t0: Ty, h0: Heap, h1: Heap, f: HandleType :: + { $HeapSucc(h0, h1), Apply0(t0, h1, f) } + $HeapSucc(h0, h1) + && + $IsGoodHeap(h0) + && $IsGoodHeap(h1) + && $Is(f, Tclass._System.___hFunc0(t0)) + && (forall o: ref, fld: Field a :: + o != null && Reads0(t0, h1, f)[$Box(o)] ==> read(h0, o, fld) == read(h1, o, fld)) + ==> Apply0(t0, h0, f) == Apply0(t0, h1, f)); + +// empty-reads property for Reads0 +axiom (forall t0: Ty, heap: Heap, f: HandleType :: + { Reads0(t0, $OneHeap, f), $IsGoodHeap(heap) } { Reads0(t0, heap, f) } + $IsGoodHeap(heap) && $Is(f, Tclass._System.___hFunc0(t0)) + ==> (Set#Equal(Reads0(t0, $OneHeap, f), Set#Empty(): Set Box) + <==> Set#Equal(Reads0(t0, heap, f), Set#Empty(): Set Box))); + +// empty-reads property for Requires0 +axiom (forall t0: Ty, heap: Heap, f: HandleType :: + { Requires0(t0, $OneHeap, f), $IsGoodHeap(heap) } { Requires0(t0, heap, f) } + $IsGoodHeap(heap) + && $Is(f, Tclass._System.___hFunc0(t0)) + && Set#Equal(Reads0(t0, $OneHeap, f), Set#Empty(): Set Box) + ==> Requires0(t0, $OneHeap, f) == Requires0(t0, heap, f)); + +axiom (forall f: HandleType, t0: Ty :: + { $Is(f, Tclass._System.___hFunc0(t0)) } + $Is(f, Tclass._System.___hFunc0(t0)) + <==> (forall h: Heap :: + { Apply0(t0, h, f) } + $IsGoodHeap(h) && Requires0(t0, h, f) ==> $IsBox(Apply0(t0, h, f), t0))); + +axiom (forall f: HandleType, t0: Ty, u0: Ty :: + { $Is(f, Tclass._System.___hFunc0(t0)), $Is(f, Tclass._System.___hFunc0(u0)) } + $Is(f, Tclass._System.___hFunc0(t0)) + && (forall bx: Box :: + { $IsBox(bx, t0) } { $IsBox(bx, u0) } + $IsBox(bx, t0) ==> $IsBox(bx, u0)) + ==> $Is(f, Tclass._System.___hFunc0(u0))); + +axiom (forall f: HandleType, t0: Ty, h: Heap :: + { $IsAlloc(f, Tclass._System.___hFunc0(t0), h) } + $IsGoodHeap(h) + ==> ($IsAlloc(f, Tclass._System.___hFunc0(t0), h) + <==> Requires0(t0, h, f) + ==> (forall r: ref :: + { Reads0(t0, h, f)[$Box(r)] } + r != null && Reads0(t0, h, f)[$Box(r)] ==> read(h, r, alloc)))); + +axiom (forall f: HandleType, t0: Ty, h: Heap :: + { $IsAlloc(f, Tclass._System.___hFunc0(t0), h) } + $IsGoodHeap(h) && $IsAlloc(f, Tclass._System.___hFunc0(t0), h) + ==> + Requires0(t0, h, f) + ==> $IsAllocBox(Apply0(t0, h, f), t0, h)); + +function Tclass._System.___hPartialFunc0(Ty) : Ty; + +const unique Tagclass._System.___hPartialFunc0: TyTag; + +// Tclass._System.___hPartialFunc0 Tag +axiom (forall #$R: Ty :: + { Tclass._System.___hPartialFunc0(#$R) } + Tag(Tclass._System.___hPartialFunc0(#$R)) == Tagclass._System.___hPartialFunc0 + && TagFamily(Tclass._System.___hPartialFunc0(#$R)) == tytagFamily$_#PartialFunc0); + +function Tclass._System.___hPartialFunc0_0(Ty) : Ty; + +// Tclass._System.___hPartialFunc0 injectivity 0 +axiom (forall #$R: Ty :: + { Tclass._System.___hPartialFunc0(#$R) } + Tclass._System.___hPartialFunc0_0(Tclass._System.___hPartialFunc0(#$R)) == #$R); + +// Box/unbox axiom for Tclass._System.___hPartialFunc0 +axiom (forall #$R: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.___hPartialFunc0(#$R)) } + $IsBox(bx, Tclass._System.___hPartialFunc0(#$R)) + ==> $Box($Unbox(bx): HandleType) == bx + && $Is($Unbox(bx): HandleType, Tclass._System.___hPartialFunc0(#$R))); + +// _System._#PartialFunc0: subset type $Is +axiom (forall #$R: Ty, f#0: HandleType :: + { $Is(f#0, Tclass._System.___hPartialFunc0(#$R)) } + $Is(f#0, Tclass._System.___hPartialFunc0(#$R)) + <==> $Is(f#0, Tclass._System.___hFunc0(#$R)) + && Set#Equal(Reads0(#$R, $OneHeap, f#0), Set#Empty(): Set Box)); + +// _System._#PartialFunc0: subset type $IsAlloc +axiom (forall #$R: Ty, f#0: HandleType, $h: Heap :: + { $IsAlloc(f#0, Tclass._System.___hPartialFunc0(#$R), $h) } + $IsAlloc(f#0, Tclass._System.___hPartialFunc0(#$R), $h) + <==> $IsAlloc(f#0, Tclass._System.___hFunc0(#$R), $h)); + +function Tclass._System.___hTotalFunc0(Ty) : Ty; + +const unique Tagclass._System.___hTotalFunc0: TyTag; + +// Tclass._System.___hTotalFunc0 Tag +axiom (forall #$R: Ty :: + { Tclass._System.___hTotalFunc0(#$R) } + Tag(Tclass._System.___hTotalFunc0(#$R)) == Tagclass._System.___hTotalFunc0 + && TagFamily(Tclass._System.___hTotalFunc0(#$R)) == tytagFamily$_#TotalFunc0); + +function Tclass._System.___hTotalFunc0_0(Ty) : Ty; + +// Tclass._System.___hTotalFunc0 injectivity 0 +axiom (forall #$R: Ty :: + { Tclass._System.___hTotalFunc0(#$R) } + Tclass._System.___hTotalFunc0_0(Tclass._System.___hTotalFunc0(#$R)) == #$R); + +// Box/unbox axiom for Tclass._System.___hTotalFunc0 +axiom (forall #$R: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.___hTotalFunc0(#$R)) } + $IsBox(bx, Tclass._System.___hTotalFunc0(#$R)) + ==> $Box($Unbox(bx): HandleType) == bx + && $Is($Unbox(bx): HandleType, Tclass._System.___hTotalFunc0(#$R))); + +// _System._#TotalFunc0: subset type $Is +axiom (forall #$R: Ty, f#0: HandleType :: + { $Is(f#0, Tclass._System.___hTotalFunc0(#$R)) } + $Is(f#0, Tclass._System.___hTotalFunc0(#$R)) + <==> $Is(f#0, Tclass._System.___hPartialFunc0(#$R)) && Requires0(#$R, $OneHeap, f#0)); + +// _System._#TotalFunc0: subset type $IsAlloc +axiom (forall #$R: Ty, f#0: HandleType, $h: Heap :: + { $IsAlloc(f#0, Tclass._System.___hTotalFunc0(#$R), $h) } + $IsAlloc(f#0, Tclass._System.___hTotalFunc0(#$R), $h) + <==> $IsAlloc(f#0, Tclass._System.___hPartialFunc0(#$R), $h)); + +// Constructor identifier +axiom (forall a#0#0#0: Box, a#0#1#0: Box :: + { #_System._tuple#2._#Make2(a#0#0#0, a#0#1#0) } + DatatypeCtorId(#_System._tuple#2._#Make2(a#0#0#0, a#0#1#0)) + == ##_System._tuple#2._#Make2); + +const unique ##_System._tuple#2._#Make2: DtCtorId; + +function _System.Tuple2.___hMake2_q(DatatypeType) : bool; + +// Questionmark and identifier +axiom (forall d: DatatypeType :: + { _System.Tuple2.___hMake2_q(d) } + _System.Tuple2.___hMake2_q(d) + <==> DatatypeCtorId(d) == ##_System._tuple#2._#Make2); + +// Constructor questionmark has arguments +axiom (forall d: DatatypeType :: + { _System.Tuple2.___hMake2_q(d) } + _System.Tuple2.___hMake2_q(d) + ==> (exists a#1#0#0: Box, a#1#1#0: Box :: + d == #_System._tuple#2._#Make2(a#1#0#0, a#1#1#0))); + +const unique Tagclass._System.Tuple2: TyTag; + +// Tclass._System.Tuple2 Tag +axiom (forall _System._tuple#2$T0: Ty, _System._tuple#2$T1: Ty :: + { Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1) } + Tag(Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) + == Tagclass._System.Tuple2 + && TagFamily(Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) + == tytagFamily$_tuple#2); + +function Tclass._System.Tuple2_0(Ty) : Ty; + +// Tclass._System.Tuple2 injectivity 0 +axiom (forall _System._tuple#2$T0: Ty, _System._tuple#2$T1: Ty :: + { Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1) } + Tclass._System.Tuple2_0(Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) + == _System._tuple#2$T0); + +function Tclass._System.Tuple2_1(Ty) : Ty; + +// Tclass._System.Tuple2 injectivity 1 +axiom (forall _System._tuple#2$T0: Ty, _System._tuple#2$T1: Ty :: + { Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1) } + Tclass._System.Tuple2_1(Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) + == _System._tuple#2$T1); + +// Box/unbox axiom for Tclass._System.Tuple2 +axiom (forall _System._tuple#2$T0: Ty, _System._tuple#2$T1: Ty, bx: Box :: + { $IsBox(bx, Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) } + $IsBox(bx, Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) + ==> $Box($Unbox(bx): DatatypeType) == bx + && $Is($Unbox(bx): DatatypeType, + Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1))); + +// Constructor $Is +axiom (forall _System._tuple#2$T0: Ty, _System._tuple#2$T1: Ty, a#2#0#0: Box, a#2#1#0: Box :: + { $Is(#_System._tuple#2._#Make2(a#2#0#0, a#2#1#0), + Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) } + $Is(#_System._tuple#2._#Make2(a#2#0#0, a#2#1#0), + Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) + <==> $IsBox(a#2#0#0, _System._tuple#2$T0) && $IsBox(a#2#1#0, _System._tuple#2$T1)); + +// Constructor $IsAlloc +axiom (forall _System._tuple#2$T0: Ty, + _System._tuple#2$T1: Ty, + a#2#0#0: Box, + a#2#1#0: Box, + $h: Heap :: + { $IsAlloc(#_System._tuple#2._#Make2(a#2#0#0, a#2#1#0), + Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1), + $h) } + $IsGoodHeap($h) + ==> ($IsAlloc(#_System._tuple#2._#Make2(a#2#0#0, a#2#1#0), + Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1), + $h) + <==> $IsAllocBox(a#2#0#0, _System._tuple#2$T0, $h) + && $IsAllocBox(a#2#1#0, _System._tuple#2$T1, $h))); + +// Destructor $IsAlloc +axiom (forall d: DatatypeType, _System._tuple#2$T0: Ty, $h: Heap :: + { $IsAllocBox(_System.Tuple2._0(d), _System._tuple#2$T0, $h) } + $IsGoodHeap($h) + && + _System.Tuple2.___hMake2_q(d) + && (exists _System._tuple#2$T1: Ty :: + { $IsAlloc(d, Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1), $h) } + $IsAlloc(d, Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1), $h)) + ==> $IsAllocBox(_System.Tuple2._0(d), _System._tuple#2$T0, $h)); + +// Destructor $IsAlloc +axiom (forall d: DatatypeType, _System._tuple#2$T1: Ty, $h: Heap :: + { $IsAllocBox(_System.Tuple2._1(d), _System._tuple#2$T1, $h) } + $IsGoodHeap($h) + && + _System.Tuple2.___hMake2_q(d) + && (exists _System._tuple#2$T0: Ty :: + { $IsAlloc(d, Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1), $h) } + $IsAlloc(d, Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1), $h)) + ==> $IsAllocBox(_System.Tuple2._1(d), _System._tuple#2$T1, $h)); + +// Constructor literal +axiom (forall a#3#0#0: Box, a#3#1#0: Box :: + { #_System._tuple#2._#Make2(Lit(a#3#0#0), Lit(a#3#1#0)) } + #_System._tuple#2._#Make2(Lit(a#3#0#0), Lit(a#3#1#0)) + == Lit(#_System._tuple#2._#Make2(a#3#0#0, a#3#1#0))); + +// Constructor injectivity +axiom (forall a#4#0#0: Box, a#4#1#0: Box :: + { #_System._tuple#2._#Make2(a#4#0#0, a#4#1#0) } + _System.Tuple2._0(#_System._tuple#2._#Make2(a#4#0#0, a#4#1#0)) == a#4#0#0); + +// Inductive rank +axiom (forall a#5#0#0: Box, a#5#1#0: Box :: + { #_System._tuple#2._#Make2(a#5#0#0, a#5#1#0) } + BoxRank(a#5#0#0) < DtRank(#_System._tuple#2._#Make2(a#5#0#0, a#5#1#0))); + +// Constructor injectivity +axiom (forall a#6#0#0: Box, a#6#1#0: Box :: + { #_System._tuple#2._#Make2(a#6#0#0, a#6#1#0) } + _System.Tuple2._1(#_System._tuple#2._#Make2(a#6#0#0, a#6#1#0)) == a#6#1#0); + +// Inductive rank +axiom (forall a#7#0#0: Box, a#7#1#0: Box :: + { #_System._tuple#2._#Make2(a#7#0#0, a#7#1#0) } + BoxRank(a#7#1#0) < DtRank(#_System._tuple#2._#Make2(a#7#0#0, a#7#1#0))); + +// Depth-one case-split function +function $IsA#_System.Tuple2(DatatypeType) : bool; + +// Depth-one case-split axiom +axiom (forall d: DatatypeType :: + { $IsA#_System.Tuple2(d) } + $IsA#_System.Tuple2(d) ==> _System.Tuple2.___hMake2_q(d)); + +// Questionmark data type disjunctivity +axiom (forall _System._tuple#2$T0: Ty, _System._tuple#2$T1: Ty, d: DatatypeType :: + { _System.Tuple2.___hMake2_q(d), $Is(d, Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) } + $Is(d, Tclass._System.Tuple2(_System._tuple#2$T0, _System._tuple#2$T1)) + ==> _System.Tuple2.___hMake2_q(d)); + +// Datatype extensional equality declaration +function _System.Tuple2#Equal(DatatypeType, DatatypeType) : bool; + +// Datatype extensional equality definition: #_System._tuple#2._#Make2 +axiom (forall a: DatatypeType, b: DatatypeType :: + { _System.Tuple2#Equal(a, b) } + true + ==> (_System.Tuple2#Equal(a, b) + <==> _System.Tuple2._0(a) == _System.Tuple2._0(b) + && _System.Tuple2._1(a) == _System.Tuple2._1(b))); + +// Datatype extensionality axiom: _System._tuple#2 +axiom (forall a: DatatypeType, b: DatatypeType :: + { _System.Tuple2#Equal(a, b) } + _System.Tuple2#Equal(a, b) <==> a == b); + +const unique class._System.Tuple2: ClassName; + +// Constructor function declaration +function #_System._tuple#0._#Make0() : DatatypeType; + +// Constructor identifier +axiom DatatypeCtorId(#_System._tuple#0._#Make0()) == ##_System._tuple#0._#Make0; + +const unique ##_System._tuple#0._#Make0: DtCtorId; + +function _System.Tuple0.___hMake0_q(DatatypeType) : bool; + +// Questionmark and identifier +axiom (forall d: DatatypeType :: + { _System.Tuple0.___hMake0_q(d) } + _System.Tuple0.___hMake0_q(d) + <==> DatatypeCtorId(d) == ##_System._tuple#0._#Make0); + +// Constructor questionmark has arguments +axiom (forall d: DatatypeType :: + { _System.Tuple0.___hMake0_q(d) } + _System.Tuple0.___hMake0_q(d) ==> d == #_System._tuple#0._#Make0()); + +function Tclass._System.Tuple0() : Ty; + +const unique Tagclass._System.Tuple0: TyTag; + +// Tclass._System.Tuple0 Tag +axiom Tag(Tclass._System.Tuple0()) == Tagclass._System.Tuple0 + && TagFamily(Tclass._System.Tuple0()) == tytagFamily$_tuple#0; + +// Box/unbox axiom for Tclass._System.Tuple0 +axiom (forall bx: Box :: + { $IsBox(bx, Tclass._System.Tuple0()) } + $IsBox(bx, Tclass._System.Tuple0()) + ==> $Box($Unbox(bx): DatatypeType) == bx + && $Is($Unbox(bx): DatatypeType, Tclass._System.Tuple0())); + +// Constructor $Is +axiom $Is(#_System._tuple#0._#Make0(), Tclass._System.Tuple0()); + +// Constructor $IsAlloc +axiom (forall $h: Heap :: + { $IsAlloc(#_System._tuple#0._#Make0(), Tclass._System.Tuple0(), $h) } + $IsGoodHeap($h) + ==> $IsAlloc(#_System._tuple#0._#Make0(), Tclass._System.Tuple0(), $h)); + +// Constructor literal +axiom #_System._tuple#0._#Make0() == Lit(#_System._tuple#0._#Make0()); + +// Depth-one case-split function +function $IsA#_System.Tuple0(DatatypeType) : bool; + +// Depth-one case-split axiom +axiom (forall d: DatatypeType :: + { $IsA#_System.Tuple0(d) } + $IsA#_System.Tuple0(d) ==> _System.Tuple0.___hMake0_q(d)); + +// Questionmark data type disjunctivity +axiom (forall d: DatatypeType :: + { _System.Tuple0.___hMake0_q(d), $Is(d, Tclass._System.Tuple0()) } + $Is(d, Tclass._System.Tuple0()) ==> _System.Tuple0.___hMake0_q(d)); + +// Datatype extensional equality declaration +function _System.Tuple0#Equal(DatatypeType, DatatypeType) : bool; + +// Datatype extensional equality definition: #_System._tuple#0._#Make0 +axiom (forall a: DatatypeType, b: DatatypeType :: + { _System.Tuple0#Equal(a, b) } + true ==> (_System.Tuple0#Equal(a, b) <==> true)); + +// Datatype extensionality axiom: _System._tuple#0 +axiom (forall a: DatatypeType, b: DatatypeType :: + { _System.Tuple0#Equal(a, b) } + _System.Tuple0#Equal(a, b) <==> a == b); + +const unique class._System.Tuple0: ClassName; + +const unique class._module.Node?: ClassName; + +function Tclass._module.Node?() : Ty; + +const unique Tagclass._module.Node?: TyTag; + +// Tclass._module.Node? Tag +axiom Tag(Tclass._module.Node?()) == Tagclass._module.Node? + && TagFamily(Tclass._module.Node?()) == tytagFamily$Node; + +// Box/unbox axiom for Tclass._module.Node? +axiom (forall bx: Box :: + { $IsBox(bx, Tclass._module.Node?()) } + $IsBox(bx, Tclass._module.Node?()) + ==> $Box($Unbox(bx): ref) == bx && $Is($Unbox(bx): ref, Tclass._module.Node?())); + +// Node: Class $Is +axiom (forall $o: ref :: + { $Is($o, Tclass._module.Node?()) } + $Is($o, Tclass._module.Node?()) + <==> $o == null || dtype($o) == Tclass._module.Node?()); + +// Node: Class $IsAlloc +axiom (forall $o: ref, $h: Heap :: + { $IsAlloc($o, Tclass._module.Node?(), $h) } + $IsAlloc($o, Tclass._module.Node?(), $h) <==> $o == null || read($h, $o, alloc)); + +axiom FDim(_module.Node.left) == 0 + && FieldOfDecl(class._module.Node?, field$left) == _module.Node.left + && !$IsGhostField(_module.Node.left); + +const _module.Node.left: Field ref; + +// Node.left: Type axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Node.left) } + $IsGoodHeap($h) && $o != null && dtype($o) == Tclass._module.Node?() + ==> $Is(read($h, $o, _module.Node.left), Tclass._module.Node?())); + +// Node.left: Allocation axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Node.left) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._module.Node?() + && read($h, $o, alloc) + ==> $IsAlloc(read($h, $o, _module.Node.left), Tclass._module.Node?(), $h)); + +axiom FDim(_module.Node.right) == 0 + && FieldOfDecl(class._module.Node?, field$right) == _module.Node.right + && !$IsGhostField(_module.Node.right); + +const _module.Node.right: Field ref; + +// Node.right: Type axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Node.right) } + $IsGoodHeap($h) && $o != null && dtype($o) == Tclass._module.Node?() + ==> $Is(read($h, $o, _module.Node.right), Tclass._module.Node?())); + +// Node.right: Allocation axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Node.right) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._module.Node?() + && read($h, $o, alloc) + ==> $IsAlloc(read($h, $o, _module.Node.right), Tclass._module.Node?(), $h)); + +axiom FDim(_module.Node.parent) == 0 + && FieldOfDecl(class._module.Node?, field$parent) == _module.Node.parent + && !$IsGhostField(_module.Node.parent); + +const _module.Node.parent: Field ref; + +// Node.parent: Type axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Node.parent) } + $IsGoodHeap($h) && $o != null && dtype($o) == Tclass._module.Node?() + ==> $Is(read($h, $o, _module.Node.parent), Tclass._module.Node?())); + +// Node.parent: Allocation axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Node.parent) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._module.Node?() + && read($h, $o, alloc) + ==> $IsAlloc(read($h, $o, _module.Node.parent), Tclass._module.Node?(), $h)); + +axiom FDim(_module.Node.anc) == 0 + && FieldOfDecl(class._module.Node?, field$anc) == _module.Node.anc + && !$IsGhostField(_module.Node.anc); + +const _module.Node.anc: Field (Set Box); + +function Tclass._module.Node() : Ty; + +const unique Tagclass._module.Node: TyTag; + +// Tclass._module.Node Tag +axiom Tag(Tclass._module.Node()) == Tagclass._module.Node + && TagFamily(Tclass._module.Node()) == tytagFamily$Node; + +// Box/unbox axiom for Tclass._module.Node +axiom (forall bx: Box :: + { $IsBox(bx, Tclass._module.Node()) } + $IsBox(bx, Tclass._module.Node()) + ==> $Box($Unbox(bx): ref) == bx && $Is($Unbox(bx): ref, Tclass._module.Node())); + +// Node.anc: Type axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Node.anc) } + $IsGoodHeap($h) && $o != null && dtype($o) == Tclass._module.Node?() + ==> $Is(read($h, $o, _module.Node.anc), TSet(Tclass._module.Node()))); + +// Node.anc: Allocation axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Node.anc) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._module.Node?() + && read($h, $o, alloc) + ==> $IsAlloc(read($h, $o, _module.Node.anc), TSet(Tclass._module.Node()), $h)); + +axiom FDim(_module.Node.desc) == 0 + && FieldOfDecl(class._module.Node?, field$desc) == _module.Node.desc + && !$IsGhostField(_module.Node.desc); + +const _module.Node.desc: Field (Set Box); + +// Node.desc: Type axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Node.desc) } + $IsGoodHeap($h) && $o != null && dtype($o) == Tclass._module.Node?() + ==> $Is(read($h, $o, _module.Node.desc), TSet(Tclass._module.Node()))); + +// Node.desc: Allocation axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Node.desc) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._module.Node?() + && read($h, $o, alloc) + ==> $IsAlloc(read($h, $o, _module.Node.desc), TSet(Tclass._module.Node()), $h)); + +axiom FDim(_module.Node.sense) == 0 + && FieldOfDecl(class._module.Node?, field$sense) == _module.Node.sense + && !$IsGhostField(_module.Node.sense); + +const _module.Node.sense: Field bool; + +// Node.sense: Type axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Node.sense) } + $IsGoodHeap($h) && $o != null && dtype($o) == Tclass._module.Node?() + ==> $Is(read($h, $o, _module.Node.sense), TBool)); + +// Node.sense: Allocation axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Node.sense) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._module.Node?() + && read($h, $o, alloc) + ==> $IsAlloc(read($h, $o, _module.Node.sense), TBool, $h)); + +axiom FDim(_module.Node.pc) == 0 + && FieldOfDecl(class._module.Node?, field$pc) == _module.Node.pc + && !$IsGhostField(_module.Node.pc); + +const _module.Node.pc: Field int; + +// Node.pc: Type axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Node.pc) } + $IsGoodHeap($h) && $o != null && dtype($o) == Tclass._module.Node?() + ==> $Is(read($h, $o, _module.Node.pc), TInt)); + +// Node.pc: Allocation axiom +axiom (forall $h: Heap, $o: ref :: + { read($h, $o, _module.Node.pc) } + $IsGoodHeap($h) + && + $o != null + && dtype($o) == Tclass._module.Node?() + && read($h, $o, alloc) + ==> $IsAlloc(read($h, $o, _module.Node.pc), TInt, $h)); + +// function declaration for _module.Node.validDown +function _module.Node.validDown($ly: LayerType, $heap: Heap, this: ref) : bool; + +function _module.Node.validDown#canCall($heap: Heap, this: ref) : bool; + +// layer synonym axiom +axiom (forall $ly: LayerType, $Heap: Heap, this: ref :: + { _module.Node.validDown($LS($ly), $Heap, this) } + _module.Node.validDown($LS($ly), $Heap, this) + == _module.Node.validDown($ly, $Heap, this)); + +// fuel synonym axiom +axiom (forall $ly: LayerType, $Heap: Heap, this: ref :: + { _module.Node.validDown(AsFuelBottom($ly), $Heap, this) } + _module.Node.validDown($ly, $Heap, this) + == _module.Node.validDown($LZ, $Heap, this)); + +// frame axiom for _module.Node.validDown +axiom (forall $ly: LayerType, $h0: Heap, $h1: Heap, this: ref :: + { $IsHeapAnchor($h0), $HeapSucc($h0, $h1), _module.Node.validDown($ly, $h1, this) } + $IsGoodHeap($h0) + && $IsGoodHeap($h1) + && + this != null + && $Is(this, Tclass._module.Node()) + && + $IsHeapAnchor($h0) + && $HeapSucc($h0, $h1) + ==> + (forall $o: ref, $f: Field alpha :: + $o != null && ($o == this || read($h0, this, _module.Node.desc)[$Box($o)]) + ==> read($h0, $o, $f) == read($h1, $o, $f)) + ==> _module.Node.validDown($ly, $h0, this) == _module.Node.validDown($ly, $h1, this)); + +// consequence axiom for _module.Node.validDown +axiom 1 <= $FunctionContextHeight + ==> (forall $ly: LayerType, $Heap: Heap, this: ref :: + { _module.Node.validDown($ly, $Heap, this) } + _module.Node.validDown#canCall($Heap, this) + || (1 != $FunctionContextHeight + && + $IsGoodHeap($Heap) + && + this != null + && + $Is(this, Tclass._module.Node()) + && $IsAlloc(this, Tclass._module.Node(), $Heap)) + ==> true); + +function _module.Node.validDown#requires(LayerType, Heap, ref) : bool; + +// #requires axiom for _module.Node.validDown +axiom (forall $ly: LayerType, $Heap: Heap, this: ref :: + { _module.Node.validDown#requires($ly, $Heap, this), $IsGoodHeap($Heap) } + $IsGoodHeap($Heap) + && + this != null + && + $Is(this, Tclass._module.Node()) + && $IsAlloc(this, Tclass._module.Node(), $Heap) + ==> _module.Node.validDown#requires($ly, $Heap, this) == true); + +// definition axiom for _module.Node.validDown (revealed) +axiom 1 <= $FunctionContextHeight + ==> (forall $ly: LayerType, $Heap: Heap, this: ref :: + { _module.Node.validDown($LS($ly), $Heap, this), $IsGoodHeap($Heap) } + _module.Node.validDown#canCall($Heap, this) + || (1 != $FunctionContextHeight + && + $IsGoodHeap($Heap) + && + this != null + && + $Is(this, Tclass._module.Node()) + && $IsAlloc(this, Tclass._module.Node(), $Heap)) + ==> (!read($Heap, this, _module.Node.desc)[$Box(this)] + ==> + read($Heap, this, _module.Node.left) != read($Heap, this, _module.Node.right) + ==> + (read($Heap, this, _module.Node.right) != null + ==> read($Heap, this, _module.Node.desc)[$Box(read($Heap, this, _module.Node.right))] + && !read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)[$Box(read($Heap, this, _module.Node.left))]) + ==> (read($Heap, this, _module.Node.left) != null + ==> + read($Heap, this, _module.Node.desc)[$Box(read($Heap, this, _module.Node.left))] + ==> + (read($Heap, this, _module.Node.right) != null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#Union(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.left))), + $Box(read($Heap, this, _module.Node.right))), + read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc)), + read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)))) + ==> + (read($Heap, this, _module.Node.right) == null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.left))), + read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc)))) + ==> _module.Node.validDown#canCall($Heap, read($Heap, this, _module.Node.left))) + && ( + (read($Heap, this, _module.Node.left) != null + ==> read($Heap, this, _module.Node.desc)[$Box(read($Heap, this, _module.Node.left))] + && (read($Heap, this, _module.Node.right) != null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#Union(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.left))), + $Box(read($Heap, this, _module.Node.right))), + read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc)), + read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)))) + && (read($Heap, this, _module.Node.right) == null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.left))), + read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc)))) + && _module.Node.validDown($ly, $Heap, read($Heap, this, _module.Node.left))) + ==> + (read($Heap, this, _module.Node.left) == null + ==> (read($Heap, this, _module.Node.right) != null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.right))), + read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)))) + && (read($Heap, this, _module.Node.right) == null + ==> Set#Equal(read($Heap, this, _module.Node.desc), Set#Empty(): Set Box))) + ==> (read($Heap, this, _module.Node.right) != null + ==> _module.Node.validDown#canCall($Heap, read($Heap, this, _module.Node.right))) + && ( + (read($Heap, this, _module.Node.right) != null + ==> _module.Node.validDown($ly, $Heap, read($Heap, this, _module.Node.right))) + ==> _module.Node.blocked#canCall($Heap, this) + && (_module.Node.blocked($Heap, this) + ==> (forall m#0: ref :: + { _module.Node.blocked($Heap, m#0) } + { read($Heap, this, _module.Node.desc)[$Box(m#0)] } + $Is(m#0, Tclass._module.Node()) + ==> + read($Heap, this, _module.Node.desc)[$Box(m#0)] + ==> _module.Node.blocked#canCall($Heap, m#0))) + && ( + (_module.Node.blocked($Heap, this) + ==> (forall m#0: ref :: + { _module.Node.blocked($Heap, m#0) } + { read($Heap, this, _module.Node.desc)[$Box(m#0)] } + $Is(m#0, Tclass._module.Node()) + ==> + read($Heap, this, _module.Node.desc)[$Box(m#0)] + ==> _module.Node.blocked($Heap, m#0))) + ==> _module.Node.after#canCall($Heap, this) + && (_module.Node.after($Heap, this) + ==> (forall m#1: ref :: + { _module.Node.after($Heap, m#1) } + { _module.Node.blocked($Heap, m#1) } + { read($Heap, this, _module.Node.desc)[$Box(m#1)] } + $Is(m#1, Tclass._module.Node()) + ==> + read($Heap, this, _module.Node.desc)[$Box(m#1)] + ==> _module.Node.blocked#canCall($Heap, m#1) + && (!_module.Node.blocked($Heap, m#1) ==> _module.Node.after#canCall($Heap, m#1)))))))) + && _module.Node.validDown($LS($ly), $Heap, this) + == ( + !read($Heap, this, _module.Node.desc)[$Box(this)] + && read($Heap, this, _module.Node.left) != read($Heap, this, _module.Node.right) + && (read($Heap, this, _module.Node.right) != null + ==> read($Heap, this, _module.Node.desc)[$Box(read($Heap, this, _module.Node.right))] + && !read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)[$Box(read($Heap, this, _module.Node.left))]) + && (read($Heap, this, _module.Node.left) != null + ==> read($Heap, this, _module.Node.desc)[$Box(read($Heap, this, _module.Node.left))] + && (read($Heap, this, _module.Node.right) != null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#Union(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.left))), + $Box(read($Heap, this, _module.Node.right))), + read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc)), + read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)))) + && (read($Heap, this, _module.Node.right) == null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.left))), + read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc)))) + && _module.Node.validDown($ly, $Heap, read($Heap, this, _module.Node.left))) + && (read($Heap, this, _module.Node.left) == null + ==> (read($Heap, this, _module.Node.right) != null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.right))), + read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)))) + && (read($Heap, this, _module.Node.right) == null + ==> Set#Equal(read($Heap, this, _module.Node.desc), Set#Empty(): Set Box))) + && (read($Heap, this, _module.Node.right) != null + ==> _module.Node.validDown($ly, $Heap, read($Heap, this, _module.Node.right))) + && (_module.Node.blocked($Heap, this) + ==> (forall m#0: ref :: + { _module.Node.blocked($Heap, m#0) } + { read($Heap, this, _module.Node.desc)[$Box(m#0)] } + $Is(m#0, Tclass._module.Node()) + ==> + read($Heap, this, _module.Node.desc)[$Box(m#0)] + ==> _module.Node.blocked($Heap, m#0))) + && (_module.Node.after($Heap, this) + ==> (forall m#1: ref :: + { _module.Node.after($Heap, m#1) } + { _module.Node.blocked($Heap, m#1) } + { read($Heap, this, _module.Node.desc)[$Box(m#1)] } + $Is(m#1, Tclass._module.Node()) + ==> + read($Heap, this, _module.Node.desc)[$Box(m#1)] + ==> _module.Node.blocked($Heap, m#1) || _module.Node.after($Heap, m#1))))); + +procedure {:verboseName "Node.validDown (well-formedness)"} CheckWellformed$$_module.Node.validDown(this: ref + where this != null + && + $Is(this, Tclass._module.Node()) + && $IsAlloc(this, Tclass._module.Node(), $Heap)); + free requires 1 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +implementation {:verboseName "Node.validDown (well-formedness)"} CheckWellformed$$_module.Node.validDown(this: ref) +{ + var $_Frame: [ref,Field beta]bool; + var b$reqreads#0: bool; + var newtype$check#0: ref; + var newtype$check#1: ref; + var newtype$check#2: ref; + var newtype$check#3: ref; + var newtype$check#4: ref; + var newtype$check#5: ref; + var newtype$check#6: ref; + var newtype$check#7: ref; + var m#2: ref; + var m#3: ref; + var b$reqreads#1: bool; + var b$reqreads#2: bool; + var b$reqreads#3: bool; + var b$reqreads#4: bool; + var b$reqreads#5: bool; + var b$reqreads#6: bool; + var b$reqreads#7: bool; + var b$reqreads#8: bool; + var b$reqreads#9: bool; + var b$reqreads#10: bool; + var b$reqreads#11: bool; + var b$reqreads#12: bool; + var b$reqreads#13: bool; + var b$reqreads#14: bool; + var b$reqreads#15: bool; + var b$reqreads#16: bool; + var b$reqreads#17: bool; + var b$reqreads#18: bool; + var b$reqreads#19: bool; + var b$reqreads#20: bool; + var b$reqreads#21: bool; + var b$reqreads#22: bool; + var b$reqreads#23: bool; + var b$reqreads#24: bool; + var b$reqreads#25: bool; + var b$reqreads#26: bool; + var b$reqreads#27: bool; + var b$reqreads#28: bool; + var b$reqreads#29: bool; + var b$reqreads#30: bool; + var b$reqreads#31: bool; + var b$reqreads#32: bool; + var b$reqreads#33: bool; + var b$reqreads#34: bool; + var b$reqreads#35: bool; + var b$reqreads#36: bool; + var b$reqreads#37: bool; + var b$reqreads#38: bool; + var b$reqreads#39: bool; + var b$reqreads#40: bool; + var b$reqreads#41: bool; + var b$reqreads#42: bool; + var b$reqreads#43: bool; + var b$reqreads#44: bool; + var b$reqreads#45: bool; + + b$reqreads#0 := true; + b$reqreads#1 := true; + b$reqreads#2 := true; + b$reqreads#3 := true; + b$reqreads#4 := true; + b$reqreads#5 := true; + b$reqreads#6 := true; + b$reqreads#7 := true; + b$reqreads#8 := true; + b$reqreads#9 := true; + b$reqreads#10 := true; + b$reqreads#11 := true; + b$reqreads#12 := true; + b$reqreads#13 := true; + b$reqreads#14 := true; + b$reqreads#15 := true; + b$reqreads#16 := true; + b$reqreads#17 := true; + b$reqreads#18 := true; + b$reqreads#19 := true; + b$reqreads#20 := true; + b$reqreads#21 := true; + b$reqreads#22 := true; + b$reqreads#23 := true; + b$reqreads#24 := true; + b$reqreads#25 := true; + b$reqreads#26 := true; + b$reqreads#27 := true; + b$reqreads#28 := true; + b$reqreads#29 := true; + b$reqreads#30 := true; + b$reqreads#31 := true; + b$reqreads#32 := true; + b$reqreads#33 := true; + b$reqreads#34 := true; + b$reqreads#35 := true; + b$reqreads#36 := true; + b$reqreads#37 := true; + b$reqreads#38 := true; + b$reqreads#39 := true; + b$reqreads#40 := true; + b$reqreads#41 := true; + b$reqreads#42 := true; + b$reqreads#43 := true; + b$reqreads#44 := true; + b$reqreads#45 := true; + + // AddWellformednessCheck for function validDown + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> $o == this || read($Heap, this, _module.Node.desc)[$Box($o)]); + b$reqreads#0 := $_Frame[this, _module.Node.desc]; + assert b$reqreads#0; + if (*) + { + assume false; + } + else + { + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> $o == this || read($Heap, this, _module.Node.desc)[$Box($o)]); + b$reqreads#1 := $_Frame[this, _module.Node.desc]; + if (!read($Heap, this, _module.Node.desc)[$Box(this)]) + { + b$reqreads#2 := $_Frame[this, _module.Node.left]; + b$reqreads#3 := $_Frame[this, _module.Node.right]; + } + + if (!read($Heap, this, _module.Node.desc)[$Box(this)] + && read($Heap, this, _module.Node.left) != read($Heap, this, _module.Node.right)) + { + b$reqreads#4 := $_Frame[this, _module.Node.right]; + newtype$check#0 := null; + if (read($Heap, this, _module.Node.right) != null) + { + b$reqreads#5 := $_Frame[this, _module.Node.right]; + b$reqreads#6 := $_Frame[this, _module.Node.desc]; + if (read($Heap, this, _module.Node.desc)[$Box(read($Heap, this, _module.Node.right))]) + { + b$reqreads#7 := $_Frame[this, _module.Node.left]; + b$reqreads#8 := $_Frame[this, _module.Node.right]; + assert read($Heap, this, _module.Node.right) != null; + b$reqreads#9 := $_Frame[read($Heap, this, _module.Node.right), _module.Node.desc]; + } + } + } + + if (!read($Heap, this, _module.Node.desc)[$Box(this)] + && read($Heap, this, _module.Node.left) != read($Heap, this, _module.Node.right) + && (read($Heap, this, _module.Node.right) != null + ==> read($Heap, this, _module.Node.desc)[$Box(read($Heap, this, _module.Node.right))] + && !read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)[$Box(read($Heap, this, _module.Node.left))])) + { + b$reqreads#10 := $_Frame[this, _module.Node.left]; + newtype$check#1 := null; + if (read($Heap, this, _module.Node.left) != null) + { + b$reqreads#11 := $_Frame[this, _module.Node.left]; + b$reqreads#12 := $_Frame[this, _module.Node.desc]; + if (read($Heap, this, _module.Node.desc)[$Box(read($Heap, this, _module.Node.left))]) + { + b$reqreads#13 := $_Frame[this, _module.Node.right]; + newtype$check#2 := null; + if (read($Heap, this, _module.Node.right) != null) + { + b$reqreads#14 := $_Frame[this, _module.Node.desc]; + b$reqreads#15 := $_Frame[this, _module.Node.left]; + b$reqreads#16 := $_Frame[this, _module.Node.right]; + b$reqreads#17 := $_Frame[this, _module.Node.left]; + assert read($Heap, this, _module.Node.left) != null; + b$reqreads#18 := $_Frame[read($Heap, this, _module.Node.left), _module.Node.desc]; + b$reqreads#19 := $_Frame[this, _module.Node.right]; + assert read($Heap, this, _module.Node.right) != null; + b$reqreads#20 := $_Frame[read($Heap, this, _module.Node.right), _module.Node.desc]; + } + } + + if (read($Heap, this, _module.Node.desc)[$Box(read($Heap, this, _module.Node.left))] + && (read($Heap, this, _module.Node.right) != null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#Union(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.left))), + $Box(read($Heap, this, _module.Node.right))), + read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc)), + read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc))))) + { + b$reqreads#21 := $_Frame[this, _module.Node.right]; + newtype$check#3 := null; + if (read($Heap, this, _module.Node.right) == null) + { + b$reqreads#22 := $_Frame[this, _module.Node.desc]; + b$reqreads#23 := $_Frame[this, _module.Node.left]; + b$reqreads#24 := $_Frame[this, _module.Node.left]; + assert read($Heap, this, _module.Node.left) != null; + b$reqreads#25 := $_Frame[read($Heap, this, _module.Node.left), _module.Node.desc]; + } + } + + if (read($Heap, this, _module.Node.desc)[$Box(read($Heap, this, _module.Node.left))] + && (read($Heap, this, _module.Node.right) != null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#Union(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.left))), + $Box(read($Heap, this, _module.Node.right))), + read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc)), + read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)))) + && (read($Heap, this, _module.Node.right) == null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.left))), + read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc))))) + { + b$reqreads#26 := $_Frame[this, _module.Node.left]; + assert read($Heap, this, _module.Node.left) != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(read($Heap, this, _module.Node.left), Tclass._module.Node?(), $Heap); + b$reqreads#27 := (forall $o: ref, $f: Field alpha :: + $o != null + && read($Heap, $o, alloc) + && ($o == read($Heap, this, _module.Node.left) + || read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc)[$Box($o)]) + ==> $_Frame[$o, $f]); + assert Set#Subset(Set#Union(read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc), + Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.left)))), + Set#Union(read($Heap, this, _module.Node.desc), + Set#UnionOne(Set#Empty(): Set Box, $Box(this)))) + && !Set#Subset(Set#Union(read($Heap, this, _module.Node.desc), + Set#UnionOne(Set#Empty(): Set Box, $Box(this))), + Set#Union(read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc), + Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.left))))); + assume _module.Node.validDown#canCall($Heap, read($Heap, this, _module.Node.left)); + } + } + } + + if (!read($Heap, this, _module.Node.desc)[$Box(this)] + && read($Heap, this, _module.Node.left) != read($Heap, this, _module.Node.right) + && (read($Heap, this, _module.Node.right) != null + ==> read($Heap, this, _module.Node.desc)[$Box(read($Heap, this, _module.Node.right))] + && !read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)[$Box(read($Heap, this, _module.Node.left))]) + && (read($Heap, this, _module.Node.left) != null + ==> read($Heap, this, _module.Node.desc)[$Box(read($Heap, this, _module.Node.left))] + && (read($Heap, this, _module.Node.right) != null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#Union(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.left))), + $Box(read($Heap, this, _module.Node.right))), + read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc)), + read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)))) + && (read($Heap, this, _module.Node.right) == null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.left))), + read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc)))) + && _module.Node.validDown($LS($LZ), $Heap, read($Heap, this, _module.Node.left)))) + { + b$reqreads#28 := $_Frame[this, _module.Node.left]; + newtype$check#4 := null; + if (read($Heap, this, _module.Node.left) == null) + { + b$reqreads#29 := $_Frame[this, _module.Node.right]; + newtype$check#5 := null; + if (read($Heap, this, _module.Node.right) != null) + { + b$reqreads#30 := $_Frame[this, _module.Node.desc]; + b$reqreads#31 := $_Frame[this, _module.Node.right]; + b$reqreads#32 := $_Frame[this, _module.Node.right]; + assert read($Heap, this, _module.Node.right) != null; + b$reqreads#33 := $_Frame[read($Heap, this, _module.Node.right), _module.Node.desc]; + } + + if (read($Heap, this, _module.Node.right) != null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.right))), + read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)))) + { + b$reqreads#34 := $_Frame[this, _module.Node.right]; + newtype$check#6 := null; + if (read($Heap, this, _module.Node.right) == null) + { + b$reqreads#35 := $_Frame[this, _module.Node.desc]; + } + } + } + } + + if (!read($Heap, this, _module.Node.desc)[$Box(this)] + && read($Heap, this, _module.Node.left) != read($Heap, this, _module.Node.right) + && (read($Heap, this, _module.Node.right) != null + ==> read($Heap, this, _module.Node.desc)[$Box(read($Heap, this, _module.Node.right))] + && !read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)[$Box(read($Heap, this, _module.Node.left))]) + && (read($Heap, this, _module.Node.left) != null + ==> read($Heap, this, _module.Node.desc)[$Box(read($Heap, this, _module.Node.left))] + && (read($Heap, this, _module.Node.right) != null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#Union(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.left))), + $Box(read($Heap, this, _module.Node.right))), + read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc)), + read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)))) + && (read($Heap, this, _module.Node.right) == null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.left))), + read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc)))) + && _module.Node.validDown($LS($LZ), $Heap, read($Heap, this, _module.Node.left))) + && (read($Heap, this, _module.Node.left) == null + ==> (read($Heap, this, _module.Node.right) != null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.right))), + read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)))) + && (read($Heap, this, _module.Node.right) == null + ==> Set#Equal(read($Heap, this, _module.Node.desc), Set#Empty(): Set Box)))) + { + b$reqreads#36 := $_Frame[this, _module.Node.right]; + newtype$check#7 := null; + if (read($Heap, this, _module.Node.right) != null) + { + b$reqreads#37 := $_Frame[this, _module.Node.right]; + assert read($Heap, this, _module.Node.right) != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(read($Heap, this, _module.Node.right), Tclass._module.Node?(), $Heap); + b$reqreads#38 := (forall $o: ref, $f: Field alpha :: + $o != null + && read($Heap, $o, alloc) + && ($o == read($Heap, this, _module.Node.right) + || read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)[$Box($o)]) + ==> $_Frame[$o, $f]); + assert Set#Subset(Set#Union(read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc), + Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.right)))), + Set#Union(read($Heap, this, _module.Node.desc), + Set#UnionOne(Set#Empty(): Set Box, $Box(this)))) + && !Set#Subset(Set#Union(read($Heap, this, _module.Node.desc), + Set#UnionOne(Set#Empty(): Set Box, $Box(this))), + Set#Union(read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc), + Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.right))))); + assume _module.Node.validDown#canCall($Heap, read($Heap, this, _module.Node.right)); + } + } + + if (!read($Heap, this, _module.Node.desc)[$Box(this)] + && read($Heap, this, _module.Node.left) != read($Heap, this, _module.Node.right) + && (read($Heap, this, _module.Node.right) != null + ==> read($Heap, this, _module.Node.desc)[$Box(read($Heap, this, _module.Node.right))] + && !read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)[$Box(read($Heap, this, _module.Node.left))]) + && (read($Heap, this, _module.Node.left) != null + ==> read($Heap, this, _module.Node.desc)[$Box(read($Heap, this, _module.Node.left))] + && (read($Heap, this, _module.Node.right) != null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#Union(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.left))), + $Box(read($Heap, this, _module.Node.right))), + read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc)), + read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)))) + && (read($Heap, this, _module.Node.right) == null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.left))), + read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc)))) + && _module.Node.validDown($LS($LZ), $Heap, read($Heap, this, _module.Node.left))) + && (read($Heap, this, _module.Node.left) == null + ==> (read($Heap, this, _module.Node.right) != null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.right))), + read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)))) + && (read($Heap, this, _module.Node.right) == null + ==> Set#Equal(read($Heap, this, _module.Node.desc), Set#Empty(): Set Box))) + && (read($Heap, this, _module.Node.right) != null + ==> _module.Node.validDown($LS($LZ), $Heap, read($Heap, this, _module.Node.right)))) + { + // assume allocatedness for receiver argument to function + assume $IsAlloc(this, Tclass._module.Node?(), $Heap); + b$reqreads#39 := (forall $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) && $o == this ==> $_Frame[$o, $f]); + assume _module.Node.blocked#canCall($Heap, this); + if (_module.Node.blocked($Heap, this)) + { + // Begin Comprehension WF check + havoc m#2; + if ($Is(m#2, Tclass._module.Node()) && $IsAlloc(m#2, Tclass._module.Node(), $Heap)) + { + b$reqreads#40 := $_Frame[this, _module.Node.desc]; + if (read($Heap, this, _module.Node.desc)[$Box(m#2)]) + { + assert m#2 != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(m#2, Tclass._module.Node?(), $Heap); + b$reqreads#41 := (forall $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) && $o == m#2 ==> $_Frame[$o, $f]); + assume _module.Node.blocked#canCall($Heap, m#2); + } + } + + // End Comprehension WF check + } + } + + if (!read($Heap, this, _module.Node.desc)[$Box(this)] + && read($Heap, this, _module.Node.left) != read($Heap, this, _module.Node.right) + && (read($Heap, this, _module.Node.right) != null + ==> read($Heap, this, _module.Node.desc)[$Box(read($Heap, this, _module.Node.right))] + && !read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)[$Box(read($Heap, this, _module.Node.left))]) + && (read($Heap, this, _module.Node.left) != null + ==> read($Heap, this, _module.Node.desc)[$Box(read($Heap, this, _module.Node.left))] + && (read($Heap, this, _module.Node.right) != null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#Union(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.left))), + $Box(read($Heap, this, _module.Node.right))), + read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc)), + read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)))) + && (read($Heap, this, _module.Node.right) == null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.left))), + read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc)))) + && _module.Node.validDown($LS($LZ), $Heap, read($Heap, this, _module.Node.left))) + && (read($Heap, this, _module.Node.left) == null + ==> (read($Heap, this, _module.Node.right) != null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.right))), + read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)))) + && (read($Heap, this, _module.Node.right) == null + ==> Set#Equal(read($Heap, this, _module.Node.desc), Set#Empty(): Set Box))) + && (read($Heap, this, _module.Node.right) != null + ==> _module.Node.validDown($LS($LZ), $Heap, read($Heap, this, _module.Node.right))) + && (_module.Node.blocked($Heap, this) + ==> (forall m#4: ref :: + { _module.Node.blocked($Heap, m#4) } + { read($Heap, this, _module.Node.desc)[$Box(m#4)] } + $Is(m#4, Tclass._module.Node()) + ==> + read($Heap, this, _module.Node.desc)[$Box(m#4)] + ==> _module.Node.blocked($Heap, m#4)))) + { + // assume allocatedness for receiver argument to function + assume $IsAlloc(this, Tclass._module.Node?(), $Heap); + b$reqreads#42 := (forall $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) && $o == this ==> $_Frame[$o, $f]); + assume _module.Node.after#canCall($Heap, this); + if (_module.Node.after($Heap, this)) + { + // Begin Comprehension WF check + havoc m#3; + if ($Is(m#3, Tclass._module.Node()) && $IsAlloc(m#3, Tclass._module.Node(), $Heap)) + { + b$reqreads#43 := $_Frame[this, _module.Node.desc]; + if (read($Heap, this, _module.Node.desc)[$Box(m#3)]) + { + assert m#3 != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(m#3, Tclass._module.Node?(), $Heap); + b$reqreads#44 := (forall $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) && $o == m#3 ==> $_Frame[$o, $f]); + assume _module.Node.blocked#canCall($Heap, m#3); + if (!_module.Node.blocked($Heap, m#3)) + { + assert m#3 != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(m#3, Tclass._module.Node?(), $Heap); + b$reqreads#45 := (forall $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) && $o == m#3 ==> $_Frame[$o, $f]); + assume _module.Node.after#canCall($Heap, m#3); + } + } + } + + // End Comprehension WF check + } + } + + assume _module.Node.validDown($LS($LZ), $Heap, this) + == ( + !read($Heap, this, _module.Node.desc)[$Box(this)] + && read($Heap, this, _module.Node.left) != read($Heap, this, _module.Node.right) + && (read($Heap, this, _module.Node.right) != null + ==> read($Heap, this, _module.Node.desc)[$Box(read($Heap, this, _module.Node.right))] + && !read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)[$Box(read($Heap, this, _module.Node.left))]) + && (read($Heap, this, _module.Node.left) != null + ==> read($Heap, this, _module.Node.desc)[$Box(read($Heap, this, _module.Node.left))] + && (read($Heap, this, _module.Node.right) != null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#Union(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.left))), + $Box(read($Heap, this, _module.Node.right))), + read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc)), + read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)))) + && (read($Heap, this, _module.Node.right) == null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.left))), + read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc)))) + && _module.Node.validDown($LS($LZ), $Heap, read($Heap, this, _module.Node.left))) + && (read($Heap, this, _module.Node.left) == null + ==> (read($Heap, this, _module.Node.right) != null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.right))), + read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)))) + && (read($Heap, this, _module.Node.right) == null + ==> Set#Equal(read($Heap, this, _module.Node.desc), Set#Empty(): Set Box))) + && (read($Heap, this, _module.Node.right) != null + ==> _module.Node.validDown($LS($LZ), $Heap, read($Heap, this, _module.Node.right))) + && (_module.Node.blocked($Heap, this) + ==> (forall m#4: ref :: + { _module.Node.blocked($Heap, m#4) } + { read($Heap, this, _module.Node.desc)[$Box(m#4)] } + $Is(m#4, Tclass._module.Node()) + ==> + read($Heap, this, _module.Node.desc)[$Box(m#4)] + ==> _module.Node.blocked($Heap, m#4))) + && (_module.Node.after($Heap, this) + ==> (forall m#5: ref :: + { _module.Node.after($Heap, m#5) } + { _module.Node.blocked($Heap, m#5) } + { read($Heap, this, _module.Node.desc)[$Box(m#5)] } + $Is(m#5, Tclass._module.Node()) + ==> + read($Heap, this, _module.Node.desc)[$Box(m#5)] + ==> _module.Node.blocked($Heap, m#5) || _module.Node.after($Heap, m#5)))); + assume !read($Heap, this, _module.Node.desc)[$Box(this)] + ==> + read($Heap, this, _module.Node.left) != read($Heap, this, _module.Node.right) + ==> + (read($Heap, this, _module.Node.right) != null + ==> read($Heap, this, _module.Node.desc)[$Box(read($Heap, this, _module.Node.right))] + && !read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)[$Box(read($Heap, this, _module.Node.left))]) + ==> (read($Heap, this, _module.Node.left) != null + ==> + read($Heap, this, _module.Node.desc)[$Box(read($Heap, this, _module.Node.left))] + ==> + (read($Heap, this, _module.Node.right) != null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#Union(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.left))), + $Box(read($Heap, this, _module.Node.right))), + read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc)), + read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)))) + ==> + (read($Heap, this, _module.Node.right) == null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.left))), + read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc)))) + ==> _module.Node.validDown#canCall($Heap, read($Heap, this, _module.Node.left))) + && ( + (read($Heap, this, _module.Node.left) != null + ==> read($Heap, this, _module.Node.desc)[$Box(read($Heap, this, _module.Node.left))] + && (read($Heap, this, _module.Node.right) != null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#Union(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.left))), + $Box(read($Heap, this, _module.Node.right))), + read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc)), + read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)))) + && (read($Heap, this, _module.Node.right) == null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.left))), + read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc)))) + && _module.Node.validDown($LS($LZ), $Heap, read($Heap, this, _module.Node.left))) + ==> + (read($Heap, this, _module.Node.left) == null + ==> (read($Heap, this, _module.Node.right) != null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.right))), + read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)))) + && (read($Heap, this, _module.Node.right) == null + ==> Set#Equal(read($Heap, this, _module.Node.desc), Set#Empty(): Set Box))) + ==> (read($Heap, this, _module.Node.right) != null + ==> _module.Node.validDown#canCall($Heap, read($Heap, this, _module.Node.right))) + && ( + (read($Heap, this, _module.Node.right) != null + ==> _module.Node.validDown($LS($LZ), $Heap, read($Heap, this, _module.Node.right))) + ==> _module.Node.blocked#canCall($Heap, this) + && (_module.Node.blocked($Heap, this) + ==> (forall m#4: ref :: + { _module.Node.blocked($Heap, m#4) } + { read($Heap, this, _module.Node.desc)[$Box(m#4)] } + $Is(m#4, Tclass._module.Node()) + ==> + read($Heap, this, _module.Node.desc)[$Box(m#4)] + ==> _module.Node.blocked#canCall($Heap, m#4))) + && ( + (_module.Node.blocked($Heap, this) + ==> (forall m#4: ref :: + { _module.Node.blocked($Heap, m#4) } + { read($Heap, this, _module.Node.desc)[$Box(m#4)] } + $Is(m#4, Tclass._module.Node()) + ==> + read($Heap, this, _module.Node.desc)[$Box(m#4)] + ==> _module.Node.blocked($Heap, m#4))) + ==> _module.Node.after#canCall($Heap, this) + && (_module.Node.after($Heap, this) + ==> (forall m#5: ref :: + { _module.Node.after($Heap, m#5) } + { _module.Node.blocked($Heap, m#5) } + { read($Heap, this, _module.Node.desc)[$Box(m#5)] } + $Is(m#5, Tclass._module.Node()) + ==> + read($Heap, this, _module.Node.desc)[$Box(m#5)] + ==> _module.Node.blocked#canCall($Heap, m#5) + && (!_module.Node.blocked($Heap, m#5) ==> _module.Node.after#canCall($Heap, m#5))))))); + // CheckWellformedWithResult: any expression + assume $Is(_module.Node.validDown($LS($LZ), $Heap, this), TBool); + assert b$reqreads#1; + assert b$reqreads#2; + assert b$reqreads#3; + assert b$reqreads#4; + assert b$reqreads#5; + assert b$reqreads#6; + assert b$reqreads#7; + assert b$reqreads#8; + assert b$reqreads#9; + assert b$reqreads#10; + assert b$reqreads#11; + assert b$reqreads#12; + assert b$reqreads#13; + assert b$reqreads#14; + assert b$reqreads#15; + assert b$reqreads#16; + assert b$reqreads#17; + assert b$reqreads#18; + assert b$reqreads#19; + assert b$reqreads#20; + assert b$reqreads#21; + assert b$reqreads#22; + assert b$reqreads#23; + assert b$reqreads#24; + assert b$reqreads#25; + assert b$reqreads#26; + assert b$reqreads#27; + assert b$reqreads#28; + assert b$reqreads#29; + assert b$reqreads#30; + assert b$reqreads#31; + assert b$reqreads#32; + assert b$reqreads#33; + assert b$reqreads#34; + assert b$reqreads#35; + assert b$reqreads#36; + assert b$reqreads#37; + assert b$reqreads#38; + assert b$reqreads#39; + assert b$reqreads#40; + assert b$reqreads#41; + assert b$reqreads#42; + assert b$reqreads#43; + assert b$reqreads#44; + assert b$reqreads#45; + } +} + + + +// function declaration for _module.Node.validUp +function _module.Node.validUp($ly: LayerType, $heap: Heap, this: ref) : bool; + +function _module.Node.validUp#canCall($heap: Heap, this: ref) : bool; + +// layer synonym axiom +axiom (forall $ly: LayerType, $Heap: Heap, this: ref :: + { _module.Node.validUp($LS($ly), $Heap, this) } + _module.Node.validUp($LS($ly), $Heap, this) + == _module.Node.validUp($ly, $Heap, this)); + +// fuel synonym axiom +axiom (forall $ly: LayerType, $Heap: Heap, this: ref :: + { _module.Node.validUp(AsFuelBottom($ly), $Heap, this) } + _module.Node.validUp($ly, $Heap, this) == _module.Node.validUp($LZ, $Heap, this)); + +// frame axiom for _module.Node.validUp +axiom (forall $ly: LayerType, $h0: Heap, $h1: Heap, this: ref :: + { $IsHeapAnchor($h0), $HeapSucc($h0, $h1), _module.Node.validUp($ly, $h1, this) } + $IsGoodHeap($h0) + && $IsGoodHeap($h1) + && + this != null + && $Is(this, Tclass._module.Node()) + && + $IsHeapAnchor($h0) + && $HeapSucc($h0, $h1) + ==> + (forall $o: ref, $f: Field alpha :: + $o != null && ($o == this || read($h0, this, _module.Node.anc)[$Box($o)]) + ==> read($h0, $o, $f) == read($h1, $o, $f)) + ==> _module.Node.validUp($ly, $h0, this) == _module.Node.validUp($ly, $h1, this)); + +// consequence axiom for _module.Node.validUp +axiom 1 <= $FunctionContextHeight + ==> (forall $ly: LayerType, $Heap: Heap, this: ref :: + { _module.Node.validUp($ly, $Heap, this) } + _module.Node.validUp#canCall($Heap, this) + || (1 != $FunctionContextHeight + && + $IsGoodHeap($Heap) + && + this != null + && + $Is(this, Tclass._module.Node()) + && $IsAlloc(this, Tclass._module.Node(), $Heap)) + ==> true); + +function _module.Node.validUp#requires(LayerType, Heap, ref) : bool; + +// #requires axiom for _module.Node.validUp +axiom (forall $ly: LayerType, $Heap: Heap, this: ref :: + { _module.Node.validUp#requires($ly, $Heap, this), $IsGoodHeap($Heap) } + $IsGoodHeap($Heap) + && + this != null + && + $Is(this, Tclass._module.Node()) + && $IsAlloc(this, Tclass._module.Node(), $Heap) + ==> _module.Node.validUp#requires($ly, $Heap, this) == true); + +// definition axiom for _module.Node.validUp (revealed) +axiom 1 <= $FunctionContextHeight + ==> (forall $ly: LayerType, $Heap: Heap, this: ref :: + { _module.Node.validUp($LS($ly), $Heap, this), $IsGoodHeap($Heap) } + _module.Node.validUp#canCall($Heap, this) + || (1 != $FunctionContextHeight + && + $IsGoodHeap($Heap) + && + this != null + && + $Is(this, Tclass._module.Node()) + && $IsAlloc(this, Tclass._module.Node(), $Heap)) + ==> (!read($Heap, this, _module.Node.anc)[$Box(this)] + ==> (read($Heap, this, _module.Node.parent) != null + ==> + read($Heap, this, _module.Node.anc)[$Box(read($Heap, this, _module.Node.parent))] + ==> + Set#Equal(read($Heap, this, _module.Node.anc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.parent))), + read($Heap, read($Heap, this, _module.Node.parent), _module.Node.anc))) + ==> _module.Node.validUp#canCall($Heap, read($Heap, this, _module.Node.parent))) + && ( + (read($Heap, this, _module.Node.parent) != null + ==> read($Heap, this, _module.Node.anc)[$Box(read($Heap, this, _module.Node.parent))] + && Set#Equal(read($Heap, this, _module.Node.anc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.parent))), + read($Heap, read($Heap, this, _module.Node.parent), _module.Node.anc))) + && _module.Node.validUp($ly, $Heap, read($Heap, this, _module.Node.parent))) + ==> + (read($Heap, this, _module.Node.parent) == null + ==> Set#Equal(read($Heap, this, _module.Node.anc), Set#Empty(): Set Box)) + ==> _module.Node.after#canCall($Heap, this) + && (_module.Node.after($Heap, this) + ==> (forall m#0: ref :: + { _module.Node.after($Heap, m#0) } + { read($Heap, this, _module.Node.anc)[$Box(m#0)] } + $Is(m#0, Tclass._module.Node()) + ==> + read($Heap, this, _module.Node.anc)[$Box(m#0)] + ==> _module.Node.after#canCall($Heap, m#0))))) + && _module.Node.validUp($LS($ly), $Heap, this) + == ( + !read($Heap, this, _module.Node.anc)[$Box(this)] + && (read($Heap, this, _module.Node.parent) != null + ==> read($Heap, this, _module.Node.anc)[$Box(read($Heap, this, _module.Node.parent))] + && Set#Equal(read($Heap, this, _module.Node.anc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.parent))), + read($Heap, read($Heap, this, _module.Node.parent), _module.Node.anc))) + && _module.Node.validUp($ly, $Heap, read($Heap, this, _module.Node.parent))) + && (read($Heap, this, _module.Node.parent) == null + ==> Set#Equal(read($Heap, this, _module.Node.anc), Set#Empty(): Set Box)) + && (_module.Node.after($Heap, this) + ==> (forall m#0: ref :: + { _module.Node.after($Heap, m#0) } + { read($Heap, this, _module.Node.anc)[$Box(m#0)] } + $Is(m#0, Tclass._module.Node()) + ==> + read($Heap, this, _module.Node.anc)[$Box(m#0)] + ==> _module.Node.after($Heap, m#0))))); + +procedure {:verboseName "Node.validUp (well-formedness)"} CheckWellformed$$_module.Node.validUp(this: ref + where this != null + && + $Is(this, Tclass._module.Node()) + && $IsAlloc(this, Tclass._module.Node(), $Heap)); + free requires 1 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +implementation {:verboseName "Node.validUp (well-formedness)"} CheckWellformed$$_module.Node.validUp(this: ref) +{ + var $_Frame: [ref,Field beta]bool; + var b$reqreads#0: bool; + var newtype$check#0: ref; + var newtype$check#1: ref; + var m#1: ref; + var b$reqreads#1: bool; + var b$reqreads#2: bool; + var b$reqreads#3: bool; + var b$reqreads#4: bool; + var b$reqreads#5: bool; + var b$reqreads#6: bool; + var b$reqreads#7: bool; + var b$reqreads#8: bool; + var b$reqreads#9: bool; + var b$reqreads#10: bool; + var b$reqreads#11: bool; + var b$reqreads#12: bool; + var b$reqreads#13: bool; + var b$reqreads#14: bool; + var b$reqreads#15: bool; + + b$reqreads#0 := true; + b$reqreads#1 := true; + b$reqreads#2 := true; + b$reqreads#3 := true; + b$reqreads#4 := true; + b$reqreads#5 := true; + b$reqreads#6 := true; + b$reqreads#7 := true; + b$reqreads#8 := true; + b$reqreads#9 := true; + b$reqreads#10 := true; + b$reqreads#11 := true; + b$reqreads#12 := true; + b$reqreads#13 := true; + b$reqreads#14 := true; + b$reqreads#15 := true; + + // AddWellformednessCheck for function validUp + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> $o == this || read($Heap, this, _module.Node.anc)[$Box($o)]); + b$reqreads#0 := $_Frame[this, _module.Node.anc]; + assert b$reqreads#0; + if (*) + { + assume false; + } + else + { + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> $o == this || read($Heap, this, _module.Node.anc)[$Box($o)]); + b$reqreads#1 := $_Frame[this, _module.Node.anc]; + if (!read($Heap, this, _module.Node.anc)[$Box(this)]) + { + b$reqreads#2 := $_Frame[this, _module.Node.parent]; + newtype$check#0 := null; + if (read($Heap, this, _module.Node.parent) != null) + { + b$reqreads#3 := $_Frame[this, _module.Node.parent]; + b$reqreads#4 := $_Frame[this, _module.Node.anc]; + if (read($Heap, this, _module.Node.anc)[$Box(read($Heap, this, _module.Node.parent))]) + { + b$reqreads#5 := $_Frame[this, _module.Node.anc]; + b$reqreads#6 := $_Frame[this, _module.Node.parent]; + b$reqreads#7 := $_Frame[this, _module.Node.parent]; + assert read($Heap, this, _module.Node.parent) != null; + b$reqreads#8 := $_Frame[read($Heap, this, _module.Node.parent), _module.Node.anc]; + } + + if (read($Heap, this, _module.Node.anc)[$Box(read($Heap, this, _module.Node.parent))] + && Set#Equal(read($Heap, this, _module.Node.anc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.parent))), + read($Heap, read($Heap, this, _module.Node.parent), _module.Node.anc)))) + { + b$reqreads#9 := $_Frame[this, _module.Node.parent]; + assert read($Heap, this, _module.Node.parent) != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(read($Heap, this, _module.Node.parent), Tclass._module.Node?(), $Heap); + b$reqreads#10 := (forall $o: ref, $f: Field alpha :: + $o != null + && read($Heap, $o, alloc) + && ($o == read($Heap, this, _module.Node.parent) + || read($Heap, read($Heap, this, _module.Node.parent), _module.Node.anc)[$Box($o)]) + ==> $_Frame[$o, $f]); + assert Set#Subset(Set#Union(read($Heap, read($Heap, this, _module.Node.parent), _module.Node.anc), + Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.parent)))), + Set#Union(read($Heap, this, _module.Node.anc), + Set#UnionOne(Set#Empty(): Set Box, $Box(this)))) + && !Set#Subset(Set#Union(read($Heap, this, _module.Node.anc), + Set#UnionOne(Set#Empty(): Set Box, $Box(this))), + Set#Union(read($Heap, read($Heap, this, _module.Node.parent), _module.Node.anc), + Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.parent))))); + assume _module.Node.validUp#canCall($Heap, read($Heap, this, _module.Node.parent)); + } + } + } + + if (!read($Heap, this, _module.Node.anc)[$Box(this)] + && (read($Heap, this, _module.Node.parent) != null + ==> read($Heap, this, _module.Node.anc)[$Box(read($Heap, this, _module.Node.parent))] + && Set#Equal(read($Heap, this, _module.Node.anc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.parent))), + read($Heap, read($Heap, this, _module.Node.parent), _module.Node.anc))) + && _module.Node.validUp($LS($LZ), $Heap, read($Heap, this, _module.Node.parent)))) + { + b$reqreads#11 := $_Frame[this, _module.Node.parent]; + newtype$check#1 := null; + if (read($Heap, this, _module.Node.parent) == null) + { + b$reqreads#12 := $_Frame[this, _module.Node.anc]; + } + } + + if (!read($Heap, this, _module.Node.anc)[$Box(this)] + && (read($Heap, this, _module.Node.parent) != null + ==> read($Heap, this, _module.Node.anc)[$Box(read($Heap, this, _module.Node.parent))] + && Set#Equal(read($Heap, this, _module.Node.anc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.parent))), + read($Heap, read($Heap, this, _module.Node.parent), _module.Node.anc))) + && _module.Node.validUp($LS($LZ), $Heap, read($Heap, this, _module.Node.parent))) + && (read($Heap, this, _module.Node.parent) == null + ==> Set#Equal(read($Heap, this, _module.Node.anc), Set#Empty(): Set Box))) + { + // assume allocatedness for receiver argument to function + assume $IsAlloc(this, Tclass._module.Node?(), $Heap); + b$reqreads#13 := (forall $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) && $o == this ==> $_Frame[$o, $f]); + assume _module.Node.after#canCall($Heap, this); + if (_module.Node.after($Heap, this)) + { + // Begin Comprehension WF check + havoc m#1; + if ($Is(m#1, Tclass._module.Node()) && $IsAlloc(m#1, Tclass._module.Node(), $Heap)) + { + b$reqreads#14 := $_Frame[this, _module.Node.anc]; + if (read($Heap, this, _module.Node.anc)[$Box(m#1)]) + { + assert m#1 != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(m#1, Tclass._module.Node?(), $Heap); + b$reqreads#15 := (forall $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) && $o == m#1 ==> $_Frame[$o, $f]); + assume _module.Node.after#canCall($Heap, m#1); + } + } + + // End Comprehension WF check + } + } + + assume _module.Node.validUp($LS($LZ), $Heap, this) + == ( + !read($Heap, this, _module.Node.anc)[$Box(this)] + && (read($Heap, this, _module.Node.parent) != null + ==> read($Heap, this, _module.Node.anc)[$Box(read($Heap, this, _module.Node.parent))] + && Set#Equal(read($Heap, this, _module.Node.anc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.parent))), + read($Heap, read($Heap, this, _module.Node.parent), _module.Node.anc))) + && _module.Node.validUp($LS($LZ), $Heap, read($Heap, this, _module.Node.parent))) + && (read($Heap, this, _module.Node.parent) == null + ==> Set#Equal(read($Heap, this, _module.Node.anc), Set#Empty(): Set Box)) + && (_module.Node.after($Heap, this) + ==> (forall m#2: ref :: + { _module.Node.after($Heap, m#2) } + { read($Heap, this, _module.Node.anc)[$Box(m#2)] } + $Is(m#2, Tclass._module.Node()) + ==> + read($Heap, this, _module.Node.anc)[$Box(m#2)] + ==> _module.Node.after($Heap, m#2)))); + assume !read($Heap, this, _module.Node.anc)[$Box(this)] + ==> (read($Heap, this, _module.Node.parent) != null + ==> + read($Heap, this, _module.Node.anc)[$Box(read($Heap, this, _module.Node.parent))] + ==> + Set#Equal(read($Heap, this, _module.Node.anc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.parent))), + read($Heap, read($Heap, this, _module.Node.parent), _module.Node.anc))) + ==> _module.Node.validUp#canCall($Heap, read($Heap, this, _module.Node.parent))) + && ( + (read($Heap, this, _module.Node.parent) != null + ==> read($Heap, this, _module.Node.anc)[$Box(read($Heap, this, _module.Node.parent))] + && Set#Equal(read($Heap, this, _module.Node.anc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.parent))), + read($Heap, read($Heap, this, _module.Node.parent), _module.Node.anc))) + && _module.Node.validUp($LS($LZ), $Heap, read($Heap, this, _module.Node.parent))) + ==> + (read($Heap, this, _module.Node.parent) == null + ==> Set#Equal(read($Heap, this, _module.Node.anc), Set#Empty(): Set Box)) + ==> _module.Node.after#canCall($Heap, this) + && (_module.Node.after($Heap, this) + ==> (forall m#2: ref :: + { _module.Node.after($Heap, m#2) } + { read($Heap, this, _module.Node.anc)[$Box(m#2)] } + $Is(m#2, Tclass._module.Node()) + ==> + read($Heap, this, _module.Node.anc)[$Box(m#2)] + ==> _module.Node.after#canCall($Heap, m#2)))); + // CheckWellformedWithResult: any expression + assume $Is(_module.Node.validUp($LS($LZ), $Heap, this), TBool); + assert b$reqreads#1; + assert b$reqreads#2; + assert b$reqreads#3; + assert b$reqreads#4; + assert b$reqreads#5; + assert b$reqreads#6; + assert b$reqreads#7; + assert b$reqreads#8; + assert b$reqreads#9; + assert b$reqreads#10; + assert b$reqreads#11; + assert b$reqreads#12; + assert b$reqreads#13; + assert b$reqreads#14; + assert b$reqreads#15; + } +} + + + +// function declaration for _module.Node.valid +function _module.Node.valid($heap: Heap, this: ref) : bool; + +function _module.Node.valid#canCall($heap: Heap, this: ref) : bool; + +// frame axiom for _module.Node.valid +axiom (forall $h0: Heap, $h1: Heap, this: ref :: + { $IsHeapAnchor($h0), $HeapSucc($h0, $h1), _module.Node.valid($h1, this) } + $IsGoodHeap($h0) + && $IsGoodHeap($h1) + && + this != null + && $Is(this, Tclass._module.Node()) + && + $IsHeapAnchor($h0) + && $HeapSucc($h0, $h1) + ==> + (forall $o: ref, $f: Field alpha :: + $o != null + && ( + $o == this + || read($h0, this, _module.Node.desc)[$Box($o)] + || read($h0, this, _module.Node.anc)[$Box($o)]) + ==> read($h0, $o, $f) == read($h1, $o, $f)) + ==> _module.Node.valid($h0, this) == _module.Node.valid($h1, this)); + +// consequence axiom for _module.Node.valid +axiom 2 <= $FunctionContextHeight + ==> (forall $Heap: Heap, this: ref :: + { _module.Node.valid($Heap, this) } + _module.Node.valid#canCall($Heap, this) + || (2 != $FunctionContextHeight + && + $IsGoodHeap($Heap) + && + this != null + && + $Is(this, Tclass._module.Node()) + && $IsAlloc(this, Tclass._module.Node(), $Heap)) + ==> true); + +function _module.Node.valid#requires(Heap, ref) : bool; + +// #requires axiom for _module.Node.valid +axiom (forall $Heap: Heap, this: ref :: + { _module.Node.valid#requires($Heap, this), $IsGoodHeap($Heap) } + $IsGoodHeap($Heap) + && + this != null + && + $Is(this, Tclass._module.Node()) + && $IsAlloc(this, Tclass._module.Node(), $Heap) + ==> _module.Node.valid#requires($Heap, this) == true); + +// definition axiom for _module.Node.valid (revealed) +axiom 2 <= $FunctionContextHeight + ==> (forall $Heap: Heap, this: ref :: + { _module.Node.valid($Heap, this), $IsGoodHeap($Heap) } + _module.Node.valid#canCall($Heap, this) + || (2 != $FunctionContextHeight + && + $IsGoodHeap($Heap) + && + this != null + && + $Is(this, Tclass._module.Node()) + && $IsAlloc(this, Tclass._module.Node(), $Heap)) + ==> _module.Node.validUp#canCall($Heap, this) + && (_module.Node.validUp($LS($LZ), $Heap, this) + ==> _module.Node.validDown#canCall($Heap, this)) + && _module.Node.valid($Heap, this) + == ( + _module.Node.validUp($LS($LZ), $Heap, this) + && _module.Node.validDown($LS($LZ), $Heap, this) + && Set#Disjoint(read($Heap, this, _module.Node.desc), read($Heap, this, _module.Node.anc)))); + +procedure {:verboseName "Node.valid (well-formedness)"} CheckWellformed$$_module.Node.valid(this: ref + where this != null + && + $Is(this, Tclass._module.Node()) + && $IsAlloc(this, Tclass._module.Node(), $Heap)); + free requires 2 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +implementation {:verboseName "Node.valid (well-formedness)"} CheckWellformed$$_module.Node.valid(this: ref) +{ + var $_Frame: [ref,Field beta]bool; + var b$reqreads#0: bool; + var b$reqreads#1: bool; + var b$reqreads#2: bool; + var b$reqreads#3: bool; + var b$reqreads#4: bool; + var b$reqreads#5: bool; + + b$reqreads#0 := true; + b$reqreads#1 := true; + b$reqreads#2 := true; + b$reqreads#3 := true; + b$reqreads#4 := true; + b$reqreads#5 := true; + + // AddWellformednessCheck for function valid + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> $o == this + || read($Heap, this, _module.Node.desc)[$Box($o)] + || read($Heap, this, _module.Node.anc)[$Box($o)]); + b$reqreads#0 := $_Frame[this, _module.Node.desc]; + b$reqreads#1 := $_Frame[this, _module.Node.anc]; + assert b$reqreads#0; + assert b$reqreads#1; + if (*) + { + assume false; + } + else + { + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> $o == this + || read($Heap, this, _module.Node.desc)[$Box($o)] + || read($Heap, this, _module.Node.anc)[$Box($o)]); + // assume allocatedness for receiver argument to function + assume $IsAlloc(this, Tclass._module.Node?(), $Heap); + b$reqreads#2 := (forall $o: ref, $f: Field alpha :: + $o != null + && read($Heap, $o, alloc) + && ($o == this || read($Heap, this, _module.Node.anc)[$Box($o)]) + ==> $_Frame[$o, $f]); + assume _module.Node.validUp#canCall($Heap, this); + if (_module.Node.validUp($LS($LZ), $Heap, this)) + { + // assume allocatedness for receiver argument to function + assume $IsAlloc(this, Tclass._module.Node?(), $Heap); + b$reqreads#3 := (forall $o: ref, $f: Field alpha :: + $o != null + && read($Heap, $o, alloc) + && ($o == this || read($Heap, this, _module.Node.desc)[$Box($o)]) + ==> $_Frame[$o, $f]); + assume _module.Node.validDown#canCall($Heap, this); + } + + if (_module.Node.validUp($LS($LZ), $Heap, this) + && _module.Node.validDown($LS($LZ), $Heap, this)) + { + b$reqreads#4 := $_Frame[this, _module.Node.desc]; + b$reqreads#5 := $_Frame[this, _module.Node.anc]; + } + + assume _module.Node.valid($Heap, this) + == ( + _module.Node.validUp($LS($LZ), $Heap, this) + && _module.Node.validDown($LS($LZ), $Heap, this) + && Set#Disjoint(read($Heap, this, _module.Node.desc), read($Heap, this, _module.Node.anc))); + assume _module.Node.validUp#canCall($Heap, this) + && (_module.Node.validUp($LS($LZ), $Heap, this) + ==> _module.Node.validDown#canCall($Heap, this)); + // CheckWellformedWithResult: any expression + assume $Is(_module.Node.valid($Heap, this), TBool); + assert b$reqreads#2; + assert b$reqreads#3; + assert b$reqreads#4; + assert b$reqreads#5; + } +} + + + +// function declaration for _module.Node.before +function _module.Node.before($heap: Heap, this: ref) : bool; + +function _module.Node.before#canCall($heap: Heap, this: ref) : bool; + +// frame axiom for _module.Node.before +axiom (forall $h0: Heap, $h1: Heap, this: ref :: + { $IsHeapAnchor($h0), $HeapSucc($h0, $h1), _module.Node.before($h1, this) } + $IsGoodHeap($h0) + && $IsGoodHeap($h1) + && + this != null + && $Is(this, Tclass._module.Node()) + && + $IsHeapAnchor($h0) + && $HeapSucc($h0, $h1) + ==> + (forall $o: ref, $f: Field alpha :: + $o != null && $o == this ==> read($h0, $o, $f) == read($h1, $o, $f)) + ==> _module.Node.before($h0, this) == _module.Node.before($h1, this)); + +// consequence axiom for _module.Node.before +axiom 0 <= $FunctionContextHeight + ==> (forall $Heap: Heap, this: ref :: + { _module.Node.before($Heap, this) } + _module.Node.before#canCall($Heap, this) + || (0 != $FunctionContextHeight + && + $IsGoodHeap($Heap) + && + this != null + && + $Is(this, Tclass._module.Node()) + && $IsAlloc(this, Tclass._module.Node(), $Heap)) + ==> true); + +function _module.Node.before#requires(Heap, ref) : bool; + +// #requires axiom for _module.Node.before +axiom (forall $Heap: Heap, this: ref :: + { _module.Node.before#requires($Heap, this), $IsGoodHeap($Heap) } + $IsGoodHeap($Heap) + && + this != null + && + $Is(this, Tclass._module.Node()) + && $IsAlloc(this, Tclass._module.Node(), $Heap) + ==> _module.Node.before#requires($Heap, this) == true); + +// definition axiom for _module.Node.before (revealed) +axiom 0 <= $FunctionContextHeight + ==> (forall $Heap: Heap, this: ref :: + { _module.Node.before($Heap, this), $IsGoodHeap($Heap) } + _module.Node.before#canCall($Heap, this) + || (0 != $FunctionContextHeight + && + $IsGoodHeap($Heap) + && + this != null + && + $Is(this, Tclass._module.Node()) + && $IsAlloc(this, Tclass._module.Node(), $Heap)) + ==> _module.Node.before($Heap, this) + == (!read($Heap, this, _module.Node.sense) + && read($Heap, this, _module.Node.pc) <= LitInt(2))); + +procedure {:verboseName "Node.before (well-formedness)"} CheckWellformed$$_module.Node.before(this: ref + where this != null + && + $Is(this, Tclass._module.Node()) + && $IsAlloc(this, Tclass._module.Node(), $Heap)); + free requires 0 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +implementation {:verboseName "Node.before (well-formedness)"} CheckWellformed$$_module.Node.before(this: ref) +{ + var $_Frame: [ref,Field beta]bool; + var b$reqreads#0: bool; + var b$reqreads#1: bool; + + b$reqreads#0 := true; + b$reqreads#1 := true; + + // AddWellformednessCheck for function before + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> $o == this); + if (*) + { + assume false; + } + else + { + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> $o == this); + b$reqreads#0 := $_Frame[this, _module.Node.sense]; + if (!read($Heap, this, _module.Node.sense)) + { + b$reqreads#1 := $_Frame[this, _module.Node.pc]; + } + + assume _module.Node.before($Heap, this) + == (!read($Heap, this, _module.Node.sense) + && read($Heap, this, _module.Node.pc) <= LitInt(2)); + assume true; + // CheckWellformedWithResult: any expression + assume $Is(_module.Node.before($Heap, this), TBool); + assert b$reqreads#0; + assert b$reqreads#1; + } +} + + + +// function declaration for _module.Node.blocked +function _module.Node.blocked($heap: Heap, this: ref) : bool; + +function _module.Node.blocked#canCall($heap: Heap, this: ref) : bool; + +// frame axiom for _module.Node.blocked +axiom (forall $h0: Heap, $h1: Heap, this: ref :: + { $IsHeapAnchor($h0), $HeapSucc($h0, $h1), _module.Node.blocked($h1, this) } + $IsGoodHeap($h0) + && $IsGoodHeap($h1) + && + this != null + && $Is(this, Tclass._module.Node()) + && + $IsHeapAnchor($h0) + && $HeapSucc($h0, $h1) + ==> + (forall $o: ref, $f: Field alpha :: + $o != null && $o == this ==> read($h0, $o, $f) == read($h1, $o, $f)) + ==> _module.Node.blocked($h0, this) == _module.Node.blocked($h1, this)); + +// consequence axiom for _module.Node.blocked +axiom 0 <= $FunctionContextHeight + ==> (forall $Heap: Heap, this: ref :: + { _module.Node.blocked($Heap, this) } + _module.Node.blocked#canCall($Heap, this) + || (0 != $FunctionContextHeight + && + $IsGoodHeap($Heap) + && + this != null + && + $Is(this, Tclass._module.Node()) + && $IsAlloc(this, Tclass._module.Node(), $Heap)) + ==> true); + +function _module.Node.blocked#requires(Heap, ref) : bool; + +// #requires axiom for _module.Node.blocked +axiom (forall $Heap: Heap, this: ref :: + { _module.Node.blocked#requires($Heap, this), $IsGoodHeap($Heap) } + $IsGoodHeap($Heap) + && + this != null + && + $Is(this, Tclass._module.Node()) + && $IsAlloc(this, Tclass._module.Node(), $Heap) + ==> _module.Node.blocked#requires($Heap, this) == true); + +// definition axiom for _module.Node.blocked (revealed) +axiom 0 <= $FunctionContextHeight + ==> (forall $Heap: Heap, this: ref :: + { _module.Node.blocked($Heap, this), $IsGoodHeap($Heap) } + _module.Node.blocked#canCall($Heap, this) + || (0 != $FunctionContextHeight + && + $IsGoodHeap($Heap) + && + this != null + && + $Is(this, Tclass._module.Node()) + && $IsAlloc(this, Tclass._module.Node(), $Heap)) + ==> _module.Node.blocked($Heap, this) == read($Heap, this, _module.Node.sense)); + +procedure {:verboseName "Node.blocked (well-formedness)"} CheckWellformed$$_module.Node.blocked(this: ref + where this != null + && + $Is(this, Tclass._module.Node()) + && $IsAlloc(this, Tclass._module.Node(), $Heap)); + free requires 0 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +implementation {:verboseName "Node.blocked (well-formedness)"} CheckWellformed$$_module.Node.blocked(this: ref) +{ + var $_Frame: [ref,Field beta]bool; + var b$reqreads#0: bool; + + b$reqreads#0 := true; + + // AddWellformednessCheck for function blocked + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> $o == this); + if (*) + { + assume false; + } + else + { + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> $o == this); + b$reqreads#0 := $_Frame[this, _module.Node.sense]; + assume _module.Node.blocked($Heap, this) == read($Heap, this, _module.Node.sense); + assume true; + // CheckWellformedWithResult: any expression + assume $Is(_module.Node.blocked($Heap, this), TBool); + assert b$reqreads#0; + } +} + + + +// function declaration for _module.Node.after +function _module.Node.after($heap: Heap, this: ref) : bool; + +function _module.Node.after#canCall($heap: Heap, this: ref) : bool; + +// frame axiom for _module.Node.after +axiom (forall $h0: Heap, $h1: Heap, this: ref :: + { $IsHeapAnchor($h0), $HeapSucc($h0, $h1), _module.Node.after($h1, this) } + $IsGoodHeap($h0) + && $IsGoodHeap($h1) + && + this != null + && $Is(this, Tclass._module.Node()) + && + $IsHeapAnchor($h0) + && $HeapSucc($h0, $h1) + ==> + (forall $o: ref, $f: Field alpha :: + $o != null && $o == this ==> read($h0, $o, $f) == read($h1, $o, $f)) + ==> _module.Node.after($h0, this) == _module.Node.after($h1, this)); + +// consequence axiom for _module.Node.after +axiom 0 <= $FunctionContextHeight + ==> (forall $Heap: Heap, this: ref :: + { _module.Node.after($Heap, this) } + _module.Node.after#canCall($Heap, this) + || (0 != $FunctionContextHeight + && + $IsGoodHeap($Heap) + && + this != null + && + $Is(this, Tclass._module.Node()) + && $IsAlloc(this, Tclass._module.Node(), $Heap)) + ==> true); + +function _module.Node.after#requires(Heap, ref) : bool; + +// #requires axiom for _module.Node.after +axiom (forall $Heap: Heap, this: ref :: + { _module.Node.after#requires($Heap, this), $IsGoodHeap($Heap) } + $IsGoodHeap($Heap) + && + this != null + && + $Is(this, Tclass._module.Node()) + && $IsAlloc(this, Tclass._module.Node(), $Heap) + ==> _module.Node.after#requires($Heap, this) == true); + +// definition axiom for _module.Node.after (revealed) +axiom 0 <= $FunctionContextHeight + ==> (forall $Heap: Heap, this: ref :: + { _module.Node.after($Heap, this), $IsGoodHeap($Heap) } + _module.Node.after#canCall($Heap, this) + || (0 != $FunctionContextHeight + && + $IsGoodHeap($Heap) + && + this != null + && + $Is(this, Tclass._module.Node()) + && $IsAlloc(this, Tclass._module.Node(), $Heap)) + ==> _module.Node.after($Heap, this) + == (!read($Heap, this, _module.Node.sense) + && LitInt(3) <= read($Heap, this, _module.Node.pc))); + +procedure {:verboseName "Node.after (well-formedness)"} CheckWellformed$$_module.Node.after(this: ref + where this != null + && + $Is(this, Tclass._module.Node()) + && $IsAlloc(this, Tclass._module.Node(), $Heap)); + free requires 0 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +implementation {:verboseName "Node.after (well-formedness)"} CheckWellformed$$_module.Node.after(this: ref) +{ + var $_Frame: [ref,Field beta]bool; + var b$reqreads#0: bool; + var b$reqreads#1: bool; + + b$reqreads#0 := true; + b$reqreads#1 := true; + + // AddWellformednessCheck for function after + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> $o == this); + if (*) + { + assume false; + } + else + { + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> $o == this); + b$reqreads#0 := $_Frame[this, _module.Node.sense]; + if (!read($Heap, this, _module.Node.sense)) + { + b$reqreads#1 := $_Frame[this, _module.Node.pc]; + } + + assume _module.Node.after($Heap, this) + == (!read($Heap, this, _module.Node.sense) + && LitInt(3) <= read($Heap, this, _module.Node.pc)); + assume true; + // CheckWellformedWithResult: any expression + assume $Is(_module.Node.after($Heap, this), TBool); + assert b$reqreads#0; + assert b$reqreads#1; + } +} + + + +procedure {:verboseName "Node.barrier (well-formedness)"} CheckWellFormed$$_module.Node.barrier(this: ref + where this != null + && + $Is(this, Tclass._module.Node()) + && $IsAlloc(this, Tclass._module.Node(), $Heap)); + free requires 3 == $FunctionContextHeight; + modifies $Heap, $Tick; + + + +procedure {:verboseName "Node.barrier (call)"} Call$$_module.Node.barrier(this: ref + where this != null + && + $Is(this, Tclass._module.Node()) + && $IsAlloc(this, Tclass._module.Node(), $Heap)); + // user-defined preconditions + requires _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validUp#canCall($Heap, this) + ==> _module.Node.validUp($LS($LZ), $Heap, this) + || !read($Heap, this, _module.Node.anc)[$Box(this)]); + requires _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validUp#canCall($Heap, this) + ==> _module.Node.validUp($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.parent) != null + ==> read($Heap, this, _module.Node.anc)[$Box(read($Heap, this, _module.Node.parent))])); + requires _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validUp#canCall($Heap, this) + ==> _module.Node.validUp($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.parent) != null + ==> Set#Equal(read($Heap, this, _module.Node.anc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.parent))), + read($Heap, read($Heap, this, _module.Node.parent), _module.Node.anc))))); + requires _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validUp#canCall($Heap, this) + ==> _module.Node.validUp($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.parent) != null + ==> _module.Node.validUp($LS($LS($LZ)), $Heap, read($Heap, this, _module.Node.parent)))); + requires _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validUp#canCall($Heap, this) + ==> _module.Node.validUp($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.parent) == null + ==> Set#Equal(read($Heap, this, _module.Node.anc), Set#Empty(): Set Box))); + requires _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validUp#canCall($Heap, this) + ==> _module.Node.validUp($LS($LZ), $Heap, this) + || (_module.Node.after($Heap, this) + ==> (forall m#0: ref :: + { _module.Node.after($Heap, m#0) } + { read($Heap, this, _module.Node.anc)[$Box(m#0)] } + $Is(m#0, Tclass._module.Node()) + ==> + read($Heap, this, _module.Node.anc)[$Box(m#0)] + ==> _module.Node.after($Heap, m#0)))); + requires _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || !read($Heap, this, _module.Node.desc)[$Box(this)]); + requires _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || read($Heap, this, _module.Node.left) != read($Heap, this, _module.Node.right)); + requires _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.right) != null + ==> read($Heap, this, _module.Node.desc)[$Box(read($Heap, this, _module.Node.right))])); + requires _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.right) != null + ==> !read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)[$Box(read($Heap, this, _module.Node.left))])); + requires _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.left) != null + ==> read($Heap, this, _module.Node.desc)[$Box(read($Heap, this, _module.Node.left))])); + requires _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.left) != null + ==> + read($Heap, this, _module.Node.right) != null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#Union(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.left))), + $Box(read($Heap, this, _module.Node.right))), + read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc)), + read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc))))); + requires _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.left) != null + ==> + read($Heap, this, _module.Node.right) == null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.left))), + read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc))))); + requires _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.left) != null + ==> _module.Node.validDown($LS($LS($LZ)), $Heap, read($Heap, this, _module.Node.left)))); + requires _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.left) == null + ==> + read($Heap, this, _module.Node.right) != null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.right))), + read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc))))); + requires _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.left) == null + ==> + read($Heap, this, _module.Node.right) == null + ==> Set#Equal(read($Heap, this, _module.Node.desc), Set#Empty(): Set Box))); + requires _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.right) != null + ==> _module.Node.validDown($LS($LS($LZ)), $Heap, read($Heap, this, _module.Node.right)))); + requires _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (_module.Node.blocked($Heap, this) + ==> (forall m#1: ref :: + { _module.Node.blocked($Heap, m#1) } + { read($Heap, this, _module.Node.desc)[$Box(m#1)] } + $Is(m#1, Tclass._module.Node()) + ==> + read($Heap, this, _module.Node.desc)[$Box(m#1)] + ==> _module.Node.blocked($Heap, m#1)))); + requires _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (_module.Node.after($Heap, this) + ==> (forall m#2: ref :: + { _module.Node.after($Heap, m#2) } + { _module.Node.blocked($Heap, m#2) } + { read($Heap, this, _module.Node.desc)[$Box(m#2)] } + $Is(m#2, Tclass._module.Node()) + ==> + read($Heap, this, _module.Node.desc)[$Box(m#2)] + ==> _module.Node.blocked($Heap, m#2) || _module.Node.after($Heap, m#2)))); + requires _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || Set#Disjoint(read($Heap, this, _module.Node.desc), read($Heap, this, _module.Node.anc)); + requires _module.Node.before#canCall($Heap, this) + ==> _module.Node.before($Heap, this) || !read($Heap, this, _module.Node.sense); + requires _module.Node.before#canCall($Heap, this) + ==> _module.Node.before($Heap, this) + || read($Heap, this, _module.Node.pc) <= LitInt(2); + modifies $Heap, $Tick; + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] + || + $o == this + || $o == read(old($Heap), this, _module.Node.left) + || $o == read(old($Heap), this, _module.Node.right)); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +procedure {:verboseName "Node.barrier (correctness)"} Impl$$_module.Node.barrier(this: ref + where this != null + && + $Is(this, Tclass._module.Node()) + && $IsAlloc(this, Tclass._module.Node(), $Heap)) + returns ($_reverifyPost: bool); + free requires 3 == $FunctionContextHeight; + // user-defined preconditions + free requires _module.Node.valid#canCall($Heap, this) + && + _module.Node.valid($Heap, this) + && + _module.Node.validUp($LS($LZ), $Heap, this) + && _module.Node.validDown($LS($LZ), $Heap, this) + && Set#Disjoint(read($Heap, this, _module.Node.desc), read($Heap, this, _module.Node.anc)); + free requires _module.Node.before#canCall($Heap, this) + && + _module.Node.before($Heap, this) + && + !read($Heap, this, _module.Node.sense) + && read($Heap, this, _module.Node.pc) <= LitInt(2); + modifies $Heap, $Tick; + // frame condition: object granularity + free ensures (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == old($Heap)[$o] + || + $o == this + || $o == read(old($Heap), this, _module.Node.left) + || $o == read(old($Heap), this, _module.Node.right)); + // boilerplate + free ensures $HeapSucc(old($Heap), $Heap); + + + +implementation {:verboseName "Node.barrier (correctness)"} Impl$$_module.Node.barrier(this: ref) returns ($_reverifyPost: bool) +{ + var $_Frame: [ref,Field beta]bool; + var $rhs#0: int; + var newtype$check#0: ref; + var $PreLoopHeap$loop#0_0: Heap; + var $Frame$loop#0_0: [ref,Field beta]bool; + var $w$loop#0_0: bool; + var $rhs#0_0_0: bool; + var m#0_0_0: ref; + var newtype$check#1: ref; + var $PreLoopHeap$loop#1_0: Heap; + var $Frame$loop#1_0: [ref,Field beta]bool; + var $w$loop#1_0: bool; + var $rhs#1_0_0: bool; + var m#1_0_0: ref; + var $rhs#1: int; + var newtype$check#2: ref; + var $rhs#2_0: bool; + var $rhs#2: int; + var $PreLoopHeap$loop#0: Heap; + var $Frame$loop#0: [ref,Field beta]bool; + var $w$loop#0: bool; + var newtype$check#3: ref; + var $rhs#3_0: bool; + var $rhs#3: int; + var newtype$check#4: ref; + var $rhs#4_0: bool; + var $rhs#4: int; + var newtype$check#5: ref; + var $rhs#5_0: bool; + var $rhs#5: int; + + // AddMethodImpl: barrier, Impl$$_module.Node.barrier + $_Frame := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> $o == this + || $o == read($Heap, this, _module.Node.left) + || $o == read($Heap, this, _module.Node.right)); + $_reverifyPost := false; + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\TreeBarrier.dfy(74,8) + assume true; + assert $_Frame[this, _module.Node.pc]; + assume true; + $rhs#0 := LitInt(1); + $Heap := update($Heap, this, _module.Node.pc, $rhs#0); + assume $IsGoodHeap($Heap); + // ----- if statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\TreeBarrier.dfy(75,5) + newtype$check#0 := null; + assume true; + if (read($Heap, this, _module.Node.left) != null) + { + // ----- while statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\TreeBarrier.dfy(76,7) + // Assume Fuel Constant + assert (forall $o: ref, $f: Field alpha :: + $o != null + && read($Heap, $o, alloc) + && $o == read($Heap, this, _module.Node.left) + ==> $_Frame[$o, $f]); + $Frame$loop#0_0 := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> $o == read($Heap, this, _module.Node.left)); + $PreLoopHeap$loop#0_0 := $Heap; + havoc $w$loop#0_0; + while (true) + free invariant $w$loop#0_0 ==> _module.Node.validDown#canCall($Heap, this); + invariant $w$loop#0_0 + ==> + _module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || !read($Heap, this, _module.Node.desc)[$Box(this)]; + invariant $w$loop#0_0 + ==> + _module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || read($Heap, this, _module.Node.left) != read($Heap, this, _module.Node.right); + invariant $w$loop#0_0 + ==> + _module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.right) != null + ==> read($Heap, this, _module.Node.desc)[$Box(read($Heap, this, _module.Node.right))]); + invariant $w$loop#0_0 + ==> + _module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.right) != null + ==> !read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)[$Box(read($Heap, this, _module.Node.left))]); + invariant $w$loop#0_0 + ==> + _module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.left) != null + ==> read($Heap, this, _module.Node.desc)[$Box(read($Heap, this, _module.Node.left))]); + invariant $w$loop#0_0 + ==> + _module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.left) != null + ==> + read($Heap, this, _module.Node.right) != null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#Union(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.left))), + $Box(read($Heap, this, _module.Node.right))), + read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc)), + read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)))); + invariant $w$loop#0_0 + ==> + _module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.left) != null + ==> + read($Heap, this, _module.Node.right) == null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.left))), + read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc)))); + invariant $w$loop#0_0 + ==> + _module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.left) != null + ==> _module.Node.validDown($LS($LS($LZ)), $Heap, read($Heap, this, _module.Node.left))); + invariant $w$loop#0_0 + ==> + _module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.left) == null + ==> + read($Heap, this, _module.Node.right) != null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.right))), + read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)))); + invariant $w$loop#0_0 + ==> + _module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.left) == null + ==> + read($Heap, this, _module.Node.right) == null + ==> Set#Equal(read($Heap, this, _module.Node.desc), Set#Empty(): Set Box)); + invariant $w$loop#0_0 + ==> + _module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.right) != null + ==> _module.Node.validDown($LS($LS($LZ)), $Heap, read($Heap, this, _module.Node.right))); + invariant $w$loop#0_0 + ==> + _module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (_module.Node.blocked($Heap, this) + ==> (forall m#0_0: ref :: + { _module.Node.blocked($Heap, m#0_0) } + { read($Heap, this, _module.Node.desc)[$Box(m#0_0)] } + $Is(m#0_0, Tclass._module.Node()) + ==> + read($Heap, this, _module.Node.desc)[$Box(m#0_0)] + ==> _module.Node.blocked($Heap, m#0_0))); + invariant $w$loop#0_0 + ==> + _module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (_module.Node.after($Heap, this) + ==> (forall m#0_1: ref :: + { _module.Node.after($Heap, m#0_1) } + { _module.Node.blocked($Heap, m#0_1) } + { read($Heap, this, _module.Node.desc)[$Box(m#0_1)] } + $Is(m#0_1, Tclass._module.Node()) + ==> + read($Heap, this, _module.Node.desc)[$Box(m#0_1)] + ==> _module.Node.blocked($Heap, m#0_1) || _module.Node.after($Heap, m#0_1))); + free invariant $w$loop#0_0 + ==> _module.Node.validDown#canCall($Heap, this) + && + _module.Node.validDown($LS($LZ), $Heap, this) + && + !read($Heap, this, _module.Node.desc)[$Box(this)] + && read($Heap, this, _module.Node.left) != read($Heap, this, _module.Node.right) + && (read($Heap, this, _module.Node.right) != null + ==> read($Heap, this, _module.Node.desc)[$Box(read($Heap, this, _module.Node.right))] + && !read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)[$Box(read($Heap, this, _module.Node.left))]) + && (read($Heap, this, _module.Node.left) != null + ==> read($Heap, this, _module.Node.desc)[$Box(read($Heap, this, _module.Node.left))] + && (read($Heap, this, _module.Node.right) != null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#Union(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.left))), + $Box(read($Heap, this, _module.Node.right))), + read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc)), + read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)))) + && (read($Heap, this, _module.Node.right) == null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.left))), + read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc)))) + && _module.Node.validDown($LS($LZ), $Heap, read($Heap, this, _module.Node.left))) + && (read($Heap, this, _module.Node.left) == null + ==> (read($Heap, this, _module.Node.right) != null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.right))), + read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)))) + && (read($Heap, this, _module.Node.right) == null + ==> Set#Equal(read($Heap, this, _module.Node.desc), Set#Empty(): Set Box))) + && (read($Heap, this, _module.Node.right) != null + ==> _module.Node.validDown($LS($LZ), $Heap, read($Heap, this, _module.Node.right))) + && (_module.Node.blocked($Heap, this) + ==> (forall m#0_0: ref :: + { _module.Node.blocked($Heap, m#0_0) } + { read($Heap, this, _module.Node.desc)[$Box(m#0_0)] } + $Is(m#0_0, Tclass._module.Node()) + ==> + read($Heap, this, _module.Node.desc)[$Box(m#0_0)] + ==> _module.Node.blocked($Heap, m#0_0))) + && (_module.Node.after($Heap, this) + ==> (forall m#0_1: ref :: + { _module.Node.after($Heap, m#0_1) } + { _module.Node.blocked($Heap, m#0_1) } + { read($Heap, this, _module.Node.desc)[$Box(m#0_1)] } + $Is(m#0_1, Tclass._module.Node()) + ==> + read($Heap, this, _module.Node.desc)[$Box(m#0_1)] + ==> _module.Node.blocked($Heap, m#0_1) || _module.Node.after($Heap, m#0_1))); + free invariant $w$loop#0_0 ==> _module.Node.valid#canCall($Heap, this); + invariant $w$loop#0_0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validUp#canCall($Heap, this) + ==> _module.Node.validUp($LS($LZ), $Heap, this) + || !read($Heap, this, _module.Node.anc)[$Box(this)]); + invariant $w$loop#0_0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validUp#canCall($Heap, this) + ==> _module.Node.validUp($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.parent) != null + ==> read($Heap, this, _module.Node.anc)[$Box(read($Heap, this, _module.Node.parent))])); + invariant $w$loop#0_0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validUp#canCall($Heap, this) + ==> _module.Node.validUp($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.parent) != null + ==> Set#Equal(read($Heap, this, _module.Node.anc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.parent))), + read($Heap, read($Heap, this, _module.Node.parent), _module.Node.anc))))); + invariant $w$loop#0_0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validUp#canCall($Heap, this) + ==> _module.Node.validUp($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.parent) != null + ==> _module.Node.validUp($LS($LS($LZ)), $Heap, read($Heap, this, _module.Node.parent)))); + invariant $w$loop#0_0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validUp#canCall($Heap, this) + ==> _module.Node.validUp($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.parent) == null + ==> Set#Equal(read($Heap, this, _module.Node.anc), Set#Empty(): Set Box))); + invariant $w$loop#0_0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validUp#canCall($Heap, this) + ==> _module.Node.validUp($LS($LZ), $Heap, this) + || (_module.Node.after($Heap, this) + ==> (forall m#0_2: ref :: + { _module.Node.after($Heap, m#0_2) } + { read($Heap, this, _module.Node.anc)[$Box(m#0_2)] } + $Is(m#0_2, Tclass._module.Node()) + ==> + read($Heap, this, _module.Node.anc)[$Box(m#0_2)] + ==> _module.Node.after($Heap, m#0_2)))); + invariant $w$loop#0_0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || !read($Heap, this, _module.Node.desc)[$Box(this)]); + invariant $w$loop#0_0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || read($Heap, this, _module.Node.left) != read($Heap, this, _module.Node.right)); + invariant $w$loop#0_0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.right) != null + ==> read($Heap, this, _module.Node.desc)[$Box(read($Heap, this, _module.Node.right))])); + invariant $w$loop#0_0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.right) != null + ==> !read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)[$Box(read($Heap, this, _module.Node.left))])); + invariant $w$loop#0_0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.left) != null + ==> read($Heap, this, _module.Node.desc)[$Box(read($Heap, this, _module.Node.left))])); + invariant $w$loop#0_0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.left) != null + ==> + read($Heap, this, _module.Node.right) != null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#Union(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.left))), + $Box(read($Heap, this, _module.Node.right))), + read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc)), + read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc))))); + invariant $w$loop#0_0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.left) != null + ==> + read($Heap, this, _module.Node.right) == null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.left))), + read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc))))); + invariant $w$loop#0_0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.left) != null + ==> _module.Node.validDown($LS($LS($LZ)), $Heap, read($Heap, this, _module.Node.left)))); + invariant $w$loop#0_0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.left) == null + ==> + read($Heap, this, _module.Node.right) != null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.right))), + read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc))))); + invariant $w$loop#0_0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.left) == null + ==> + read($Heap, this, _module.Node.right) == null + ==> Set#Equal(read($Heap, this, _module.Node.desc), Set#Empty(): Set Box))); + invariant $w$loop#0_0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.right) != null + ==> _module.Node.validDown($LS($LS($LZ)), $Heap, read($Heap, this, _module.Node.right)))); + invariant $w$loop#0_0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (_module.Node.blocked($Heap, this) + ==> (forall m#0_3: ref :: + { _module.Node.blocked($Heap, m#0_3) } + { read($Heap, this, _module.Node.desc)[$Box(m#0_3)] } + $Is(m#0_3, Tclass._module.Node()) + ==> + read($Heap, this, _module.Node.desc)[$Box(m#0_3)] + ==> _module.Node.blocked($Heap, m#0_3)))); + invariant $w$loop#0_0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (_module.Node.after($Heap, this) + ==> (forall m#0_4: ref :: + { _module.Node.after($Heap, m#0_4) } + { _module.Node.blocked($Heap, m#0_4) } + { read($Heap, this, _module.Node.desc)[$Box(m#0_4)] } + $Is(m#0_4, Tclass._module.Node()) + ==> + read($Heap, this, _module.Node.desc)[$Box(m#0_4)] + ==> _module.Node.blocked($Heap, m#0_4) || _module.Node.after($Heap, m#0_4)))); + invariant $w$loop#0_0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || Set#Disjoint(read($Heap, this, _module.Node.desc), read($Heap, this, _module.Node.anc)); + free invariant $w$loop#0_0 + ==> _module.Node.valid#canCall($Heap, this) + && + _module.Node.valid($Heap, this) + && + _module.Node.validUp($LS($LZ), $Heap, this) + && _module.Node.validDown($LS($LZ), $Heap, this) + && Set#Disjoint(read($Heap, this, _module.Node.desc), read($Heap, this, _module.Node.anc)); + free invariant (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == $PreLoopHeap$loop#0_0[$o] + || + $o == this + || $o == read(old($Heap), this, _module.Node.left) + || $o == read(old($Heap), this, _module.Node.right)); + free invariant $HeapSucc($PreLoopHeap$loop#0_0, $Heap); + free invariant (forall $o: ref, $f: Field alpha :: + { read($Heap, $o, $f) } + $o != null && read($PreLoopHeap$loop#0_0, $o, alloc) + ==> read($Heap, $o, $f) == read($PreLoopHeap$loop#0_0, $o, $f) + || $Frame$loop#0_0[$o, $f]); + { + if (!$w$loop#0_0) + { + // assume allocatedness for receiver argument to function + assume $IsAlloc(this, Tclass._module.Node?(), $Heap); + assume _module.Node.validDown#canCall($Heap, this); + assume _module.Node.validDown#canCall($Heap, this); + assume _module.Node.validDown($LS($LZ), $Heap, this); + // assume allocatedness for receiver argument to function + assume $IsAlloc(this, Tclass._module.Node?(), $Heap); + assume _module.Node.valid#canCall($Heap, this); + assume _module.Node.valid#canCall($Heap, this); + assume _module.Node.valid($Heap, this); + assume true; + assume false; + } + + assert read($Heap, this, _module.Node.left) != null; + assume true; + if (read($Heap, read($Heap, this, _module.Node.left), _module.Node.sense)) + { + break; + } + + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\TreeBarrier.dfy(90,20) + assert read($Heap, this, _module.Node.left) != null; + assume true; + assert $Frame$loop#0_0[read($Heap, this, _module.Node.left), _module.Node.sense]; + havoc $rhs#0_0_0; + $Heap := update($Heap, read($Heap, this, _module.Node.left), _module.Node.sense, $rhs#0_0_0); + assume $IsGoodHeap($Heap); + // ----- assume statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\TreeBarrier.dfy(91,9) + assert {:subsumption 0} read($Heap, this, _module.Node.left) != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(read($Heap, this, _module.Node.left), Tclass._module.Node?(), $Heap); + assume _module.Node.blocked#canCall($Heap, read($Heap, this, _module.Node.left)); + if (_module.Node.blocked($Heap, read($Heap, this, _module.Node.left))) + { + // Begin Comprehension WF check + havoc m#0_0_0; + if ($Is(m#0_0_0, Tclass._module.Node()) + && $IsAlloc(m#0_0_0, Tclass._module.Node(), $Heap)) + { + assert {:subsumption 0} read($Heap, this, _module.Node.left) != null; + if (read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc)[$Box(m#0_0_0)]) + { + assert {:subsumption 0} m#0_0_0 != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(m#0_0_0, Tclass._module.Node?(), $Heap); + assume _module.Node.blocked#canCall($Heap, m#0_0_0); + } + } + + // End Comprehension WF check + } + + assume _module.Node.blocked#canCall($Heap, read($Heap, this, _module.Node.left)) + && (_module.Node.blocked($Heap, read($Heap, this, _module.Node.left)) + ==> (forall m#0_0_1: ref :: + { _module.Node.blocked($Heap, m#0_0_1) } + { read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc)[$Box(m#0_0_1)] } + $Is(m#0_0_1, Tclass._module.Node()) + ==> + read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc)[$Box(m#0_0_1)] + ==> _module.Node.blocked#canCall($Heap, m#0_0_1))); + assume _module.Node.blocked($Heap, read($Heap, this, _module.Node.left)) + ==> (forall m#0_0_1: ref :: + { _module.Node.blocked($Heap, m#0_0_1) } + { read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc)[$Box(m#0_0_1)] } + $Is(m#0_0_1, Tclass._module.Node()) + ==> + read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc)[$Box(m#0_0_1)] + ==> _module.Node.blocked($Heap, m#0_0_1)); + assume _module.Node.validDown#canCall($Heap, this) + && (_module.Node.validDown($LS($LZ), $Heap, this) + ==> _module.Node.valid#canCall($Heap, this)); + } + } + else + { + } + + // ----- if statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\TreeBarrier.dfy(94,5) + newtype$check#1 := null; + assume true; + if (read($Heap, this, _module.Node.right) != null) + { + // ----- while statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\TreeBarrier.dfy(95,7) + // Assume Fuel Constant + assert (forall $o: ref, $f: Field alpha :: + $o != null + && read($Heap, $o, alloc) + && $o == read($Heap, this, _module.Node.right) + ==> $_Frame[$o, $f]); + $Frame$loop#1_0 := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) + ==> $o == read($Heap, this, _module.Node.right)); + $PreLoopHeap$loop#1_0 := $Heap; + havoc $w$loop#1_0; + while (true) + free invariant $w$loop#1_0 ==> _module.Node.validDown#canCall($Heap, this); + invariant $w$loop#1_0 + ==> + _module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || !read($Heap, this, _module.Node.desc)[$Box(this)]; + invariant $w$loop#1_0 + ==> + _module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || read($Heap, this, _module.Node.left) != read($Heap, this, _module.Node.right); + invariant $w$loop#1_0 + ==> + _module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.right) != null + ==> read($Heap, this, _module.Node.desc)[$Box(read($Heap, this, _module.Node.right))]); + invariant $w$loop#1_0 + ==> + _module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.right) != null + ==> !read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)[$Box(read($Heap, this, _module.Node.left))]); + invariant $w$loop#1_0 + ==> + _module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.left) != null + ==> read($Heap, this, _module.Node.desc)[$Box(read($Heap, this, _module.Node.left))]); + invariant $w$loop#1_0 + ==> + _module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.left) != null + ==> + read($Heap, this, _module.Node.right) != null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#Union(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.left))), + $Box(read($Heap, this, _module.Node.right))), + read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc)), + read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)))); + invariant $w$loop#1_0 + ==> + _module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.left) != null + ==> + read($Heap, this, _module.Node.right) == null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.left))), + read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc)))); + invariant $w$loop#1_0 + ==> + _module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.left) != null + ==> _module.Node.validDown($LS($LS($LZ)), $Heap, read($Heap, this, _module.Node.left))); + invariant $w$loop#1_0 + ==> + _module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.left) == null + ==> + read($Heap, this, _module.Node.right) != null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.right))), + read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)))); + invariant $w$loop#1_0 + ==> + _module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.left) == null + ==> + read($Heap, this, _module.Node.right) == null + ==> Set#Equal(read($Heap, this, _module.Node.desc), Set#Empty(): Set Box)); + invariant $w$loop#1_0 + ==> + _module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.right) != null + ==> _module.Node.validDown($LS($LS($LZ)), $Heap, read($Heap, this, _module.Node.right))); + invariant $w$loop#1_0 + ==> + _module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (_module.Node.blocked($Heap, this) + ==> (forall m#1_0: ref :: + { _module.Node.blocked($Heap, m#1_0) } + { read($Heap, this, _module.Node.desc)[$Box(m#1_0)] } + $Is(m#1_0, Tclass._module.Node()) + ==> + read($Heap, this, _module.Node.desc)[$Box(m#1_0)] + ==> _module.Node.blocked($Heap, m#1_0))); + invariant $w$loop#1_0 + ==> + _module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (_module.Node.after($Heap, this) + ==> (forall m#1_1: ref :: + { _module.Node.after($Heap, m#1_1) } + { _module.Node.blocked($Heap, m#1_1) } + { read($Heap, this, _module.Node.desc)[$Box(m#1_1)] } + $Is(m#1_1, Tclass._module.Node()) + ==> + read($Heap, this, _module.Node.desc)[$Box(m#1_1)] + ==> _module.Node.blocked($Heap, m#1_1) || _module.Node.after($Heap, m#1_1))); + free invariant $w$loop#1_0 + ==> _module.Node.validDown#canCall($Heap, this) + && + _module.Node.validDown($LS($LZ), $Heap, this) + && + !read($Heap, this, _module.Node.desc)[$Box(this)] + && read($Heap, this, _module.Node.left) != read($Heap, this, _module.Node.right) + && (read($Heap, this, _module.Node.right) != null + ==> read($Heap, this, _module.Node.desc)[$Box(read($Heap, this, _module.Node.right))] + && !read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)[$Box(read($Heap, this, _module.Node.left))]) + && (read($Heap, this, _module.Node.left) != null + ==> read($Heap, this, _module.Node.desc)[$Box(read($Heap, this, _module.Node.left))] + && (read($Heap, this, _module.Node.right) != null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#Union(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.left))), + $Box(read($Heap, this, _module.Node.right))), + read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc)), + read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)))) + && (read($Heap, this, _module.Node.right) == null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.left))), + read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc)))) + && _module.Node.validDown($LS($LZ), $Heap, read($Heap, this, _module.Node.left))) + && (read($Heap, this, _module.Node.left) == null + ==> (read($Heap, this, _module.Node.right) != null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.right))), + read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)))) + && (read($Heap, this, _module.Node.right) == null + ==> Set#Equal(read($Heap, this, _module.Node.desc), Set#Empty(): Set Box))) + && (read($Heap, this, _module.Node.right) != null + ==> _module.Node.validDown($LS($LZ), $Heap, read($Heap, this, _module.Node.right))) + && (_module.Node.blocked($Heap, this) + ==> (forall m#1_0: ref :: + { _module.Node.blocked($Heap, m#1_0) } + { read($Heap, this, _module.Node.desc)[$Box(m#1_0)] } + $Is(m#1_0, Tclass._module.Node()) + ==> + read($Heap, this, _module.Node.desc)[$Box(m#1_0)] + ==> _module.Node.blocked($Heap, m#1_0))) + && (_module.Node.after($Heap, this) + ==> (forall m#1_1: ref :: + { _module.Node.after($Heap, m#1_1) } + { _module.Node.blocked($Heap, m#1_1) } + { read($Heap, this, _module.Node.desc)[$Box(m#1_1)] } + $Is(m#1_1, Tclass._module.Node()) + ==> + read($Heap, this, _module.Node.desc)[$Box(m#1_1)] + ==> _module.Node.blocked($Heap, m#1_1) || _module.Node.after($Heap, m#1_1))); + free invariant $w$loop#1_0 ==> _module.Node.valid#canCall($Heap, this); + invariant $w$loop#1_0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validUp#canCall($Heap, this) + ==> _module.Node.validUp($LS($LZ), $Heap, this) + || !read($Heap, this, _module.Node.anc)[$Box(this)]); + invariant $w$loop#1_0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validUp#canCall($Heap, this) + ==> _module.Node.validUp($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.parent) != null + ==> read($Heap, this, _module.Node.anc)[$Box(read($Heap, this, _module.Node.parent))])); + invariant $w$loop#1_0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validUp#canCall($Heap, this) + ==> _module.Node.validUp($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.parent) != null + ==> Set#Equal(read($Heap, this, _module.Node.anc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.parent))), + read($Heap, read($Heap, this, _module.Node.parent), _module.Node.anc))))); + invariant $w$loop#1_0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validUp#canCall($Heap, this) + ==> _module.Node.validUp($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.parent) != null + ==> _module.Node.validUp($LS($LS($LZ)), $Heap, read($Heap, this, _module.Node.parent)))); + invariant $w$loop#1_0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validUp#canCall($Heap, this) + ==> _module.Node.validUp($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.parent) == null + ==> Set#Equal(read($Heap, this, _module.Node.anc), Set#Empty(): Set Box))); + invariant $w$loop#1_0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validUp#canCall($Heap, this) + ==> _module.Node.validUp($LS($LZ), $Heap, this) + || (_module.Node.after($Heap, this) + ==> (forall m#1_2: ref :: + { _module.Node.after($Heap, m#1_2) } + { read($Heap, this, _module.Node.anc)[$Box(m#1_2)] } + $Is(m#1_2, Tclass._module.Node()) + ==> + read($Heap, this, _module.Node.anc)[$Box(m#1_2)] + ==> _module.Node.after($Heap, m#1_2)))); + invariant $w$loop#1_0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || !read($Heap, this, _module.Node.desc)[$Box(this)]); + invariant $w$loop#1_0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || read($Heap, this, _module.Node.left) != read($Heap, this, _module.Node.right)); + invariant $w$loop#1_0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.right) != null + ==> read($Heap, this, _module.Node.desc)[$Box(read($Heap, this, _module.Node.right))])); + invariant $w$loop#1_0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.right) != null + ==> !read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)[$Box(read($Heap, this, _module.Node.left))])); + invariant $w$loop#1_0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.left) != null + ==> read($Heap, this, _module.Node.desc)[$Box(read($Heap, this, _module.Node.left))])); + invariant $w$loop#1_0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.left) != null + ==> + read($Heap, this, _module.Node.right) != null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#Union(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.left))), + $Box(read($Heap, this, _module.Node.right))), + read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc)), + read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc))))); + invariant $w$loop#1_0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.left) != null + ==> + read($Heap, this, _module.Node.right) == null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.left))), + read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc))))); + invariant $w$loop#1_0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.left) != null + ==> _module.Node.validDown($LS($LS($LZ)), $Heap, read($Heap, this, _module.Node.left)))); + invariant $w$loop#1_0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.left) == null + ==> + read($Heap, this, _module.Node.right) != null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.right))), + read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc))))); + invariant $w$loop#1_0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.left) == null + ==> + read($Heap, this, _module.Node.right) == null + ==> Set#Equal(read($Heap, this, _module.Node.desc), Set#Empty(): Set Box))); + invariant $w$loop#1_0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.right) != null + ==> _module.Node.validDown($LS($LS($LZ)), $Heap, read($Heap, this, _module.Node.right)))); + invariant $w$loop#1_0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (_module.Node.blocked($Heap, this) + ==> (forall m#1_3: ref :: + { _module.Node.blocked($Heap, m#1_3) } + { read($Heap, this, _module.Node.desc)[$Box(m#1_3)] } + $Is(m#1_3, Tclass._module.Node()) + ==> + read($Heap, this, _module.Node.desc)[$Box(m#1_3)] + ==> _module.Node.blocked($Heap, m#1_3)))); + invariant $w$loop#1_0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (_module.Node.after($Heap, this) + ==> (forall m#1_4: ref :: + { _module.Node.after($Heap, m#1_4) } + { _module.Node.blocked($Heap, m#1_4) } + { read($Heap, this, _module.Node.desc)[$Box(m#1_4)] } + $Is(m#1_4, Tclass._module.Node()) + ==> + read($Heap, this, _module.Node.desc)[$Box(m#1_4)] + ==> _module.Node.blocked($Heap, m#1_4) || _module.Node.after($Heap, m#1_4)))); + invariant $w$loop#1_0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || Set#Disjoint(read($Heap, this, _module.Node.desc), read($Heap, this, _module.Node.anc)); + free invariant $w$loop#1_0 + ==> _module.Node.valid#canCall($Heap, this) + && + _module.Node.valid($Heap, this) + && + _module.Node.validUp($LS($LZ), $Heap, this) + && _module.Node.validDown($LS($LZ), $Heap, this) + && Set#Disjoint(read($Heap, this, _module.Node.desc), read($Heap, this, _module.Node.anc)); + free invariant (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == $PreLoopHeap$loop#1_0[$o] + || + $o == this + || $o == read(old($Heap), this, _module.Node.left) + || $o == read(old($Heap), this, _module.Node.right)); + free invariant $HeapSucc($PreLoopHeap$loop#1_0, $Heap); + free invariant (forall $o: ref, $f: Field alpha :: + { read($Heap, $o, $f) } + $o != null && read($PreLoopHeap$loop#1_0, $o, alloc) + ==> read($Heap, $o, $f) == read($PreLoopHeap$loop#1_0, $o, $f) + || $Frame$loop#1_0[$o, $f]); + { + if (!$w$loop#1_0) + { + // assume allocatedness for receiver argument to function + assume $IsAlloc(this, Tclass._module.Node?(), $Heap); + assume _module.Node.validDown#canCall($Heap, this); + assume _module.Node.validDown#canCall($Heap, this); + assume _module.Node.validDown($LS($LZ), $Heap, this); + // assume allocatedness for receiver argument to function + assume $IsAlloc(this, Tclass._module.Node?(), $Heap); + assume _module.Node.valid#canCall($Heap, this); + assume _module.Node.valid#canCall($Heap, this); + assume _module.Node.valid($Heap, this); + assume true; + assume false; + } + + assert read($Heap, this, _module.Node.right) != null; + assume true; + if (read($Heap, read($Heap, this, _module.Node.right), _module.Node.sense)) + { + break; + } + + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\TreeBarrier.dfy(102,21) + assert read($Heap, this, _module.Node.right) != null; + assume true; + assert $Frame$loop#1_0[read($Heap, this, _module.Node.right), _module.Node.sense]; + havoc $rhs#1_0_0; + $Heap := update($Heap, read($Heap, this, _module.Node.right), _module.Node.sense, $rhs#1_0_0); + assume $IsGoodHeap($Heap); + // ----- assume statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\TreeBarrier.dfy(103,9) + assert {:subsumption 0} read($Heap, this, _module.Node.right) != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(read($Heap, this, _module.Node.right), Tclass._module.Node?(), $Heap); + assume _module.Node.blocked#canCall($Heap, read($Heap, this, _module.Node.right)); + if (_module.Node.blocked($Heap, read($Heap, this, _module.Node.right))) + { + // Begin Comprehension WF check + havoc m#1_0_0; + if ($Is(m#1_0_0, Tclass._module.Node()) + && $IsAlloc(m#1_0_0, Tclass._module.Node(), $Heap)) + { + assert {:subsumption 0} read($Heap, this, _module.Node.right) != null; + if (read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)[$Box(m#1_0_0)]) + { + assert {:subsumption 0} m#1_0_0 != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(m#1_0_0, Tclass._module.Node?(), $Heap); + assume _module.Node.blocked#canCall($Heap, m#1_0_0); + } + } + + // End Comprehension WF check + } + + assume _module.Node.blocked#canCall($Heap, read($Heap, this, _module.Node.right)) + && (_module.Node.blocked($Heap, read($Heap, this, _module.Node.right)) + ==> (forall m#1_0_1: ref :: + { _module.Node.blocked($Heap, m#1_0_1) } + { read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)[$Box(m#1_0_1)] } + $Is(m#1_0_1, Tclass._module.Node()) + ==> + read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)[$Box(m#1_0_1)] + ==> _module.Node.blocked#canCall($Heap, m#1_0_1))); + assume _module.Node.blocked($Heap, read($Heap, this, _module.Node.right)) + ==> (forall m#1_0_1: ref :: + { _module.Node.blocked($Heap, m#1_0_1) } + { read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)[$Box(m#1_0_1)] } + $Is(m#1_0_1, Tclass._module.Node()) + ==> + read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)[$Box(m#1_0_1)] + ==> _module.Node.blocked($Heap, m#1_0_1)); + assume _module.Node.validDown#canCall($Heap, this) + && (_module.Node.validDown($LS($LZ), $Heap, this) + ==> _module.Node.valid#canCall($Heap, this)); + } + } + else + { + } + + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\TreeBarrier.dfy(108,8) + assume true; + assert $_Frame[this, _module.Node.pc]; + assume true; + $rhs#1 := LitInt(2); + $Heap := update($Heap, this, _module.Node.pc, $rhs#1); + assume $IsGoodHeap($Heap); + // ----- if statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\TreeBarrier.dfy(109,5) + newtype$check#2 := null; + assume true; + if (read($Heap, this, _module.Node.parent) != null) + { + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\TreeBarrier.dfy(110,13) + assume true; + assert $_Frame[this, _module.Node.sense]; + assume true; + $rhs#2_0 := Lit(true); + $Heap := update($Heap, this, _module.Node.sense, $rhs#2_0); + assume $IsGoodHeap($Heap); + } + else + { + } + + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\TreeBarrier.dfy(113,8) + assume true; + assert $_Frame[this, _module.Node.pc]; + assume true; + $rhs#2 := LitInt(3); + $Heap := update($Heap, this, _module.Node.pc, $rhs#2); + assume $IsGoodHeap($Heap); + // ----- while statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\TreeBarrier.dfy(114,5) + // Assume Fuel Constant + assert (forall $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) && $o == this ==> $_Frame[$o, $f]); + $Frame$loop#0 := (lambda $o: ref, $f: Field alpha :: + $o != null && read($Heap, $o, alloc) ==> $o == this); + $PreLoopHeap$loop#0 := $Heap; + havoc $w$loop#0; + while (true) + free invariant $w$loop#0 ==> _module.Node.validUp#canCall($Heap, this); + invariant $w$loop#0 + ==> + _module.Node.validUp#canCall($Heap, this) + ==> _module.Node.validUp($LS($LZ), $Heap, this) + || !read($Heap, this, _module.Node.anc)[$Box(this)]; + invariant $w$loop#0 + ==> + _module.Node.validUp#canCall($Heap, this) + ==> _module.Node.validUp($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.parent) != null + ==> read($Heap, this, _module.Node.anc)[$Box(read($Heap, this, _module.Node.parent))]); + invariant $w$loop#0 + ==> + _module.Node.validUp#canCall($Heap, this) + ==> _module.Node.validUp($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.parent) != null + ==> Set#Equal(read($Heap, this, _module.Node.anc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.parent))), + read($Heap, read($Heap, this, _module.Node.parent), _module.Node.anc)))); + invariant $w$loop#0 + ==> + _module.Node.validUp#canCall($Heap, this) + ==> _module.Node.validUp($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.parent) != null + ==> _module.Node.validUp($LS($LS($LZ)), $Heap, read($Heap, this, _module.Node.parent))); + invariant $w$loop#0 + ==> + _module.Node.validUp#canCall($Heap, this) + ==> _module.Node.validUp($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.parent) == null + ==> Set#Equal(read($Heap, this, _module.Node.anc), Set#Empty(): Set Box)); + invariant $w$loop#0 + ==> + _module.Node.validUp#canCall($Heap, this) + ==> _module.Node.validUp($LS($LZ), $Heap, this) + || (_module.Node.after($Heap, this) + ==> (forall m#6: ref :: + { _module.Node.after($Heap, m#6) } + { read($Heap, this, _module.Node.anc)[$Box(m#6)] } + $Is(m#6, Tclass._module.Node()) + ==> + read($Heap, this, _module.Node.anc)[$Box(m#6)] + ==> _module.Node.after($Heap, m#6))); + free invariant $w$loop#0 + ==> _module.Node.validUp#canCall($Heap, this) + && + _module.Node.validUp($LS($LZ), $Heap, this) + && + !read($Heap, this, _module.Node.anc)[$Box(this)] + && (read($Heap, this, _module.Node.parent) != null + ==> read($Heap, this, _module.Node.anc)[$Box(read($Heap, this, _module.Node.parent))] + && Set#Equal(read($Heap, this, _module.Node.anc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.parent))), + read($Heap, read($Heap, this, _module.Node.parent), _module.Node.anc))) + && _module.Node.validUp($LS($LZ), $Heap, read($Heap, this, _module.Node.parent))) + && (read($Heap, this, _module.Node.parent) == null + ==> Set#Equal(read($Heap, this, _module.Node.anc), Set#Empty(): Set Box)) + && (_module.Node.after($Heap, this) + ==> (forall m#6: ref :: + { _module.Node.after($Heap, m#6) } + { read($Heap, this, _module.Node.anc)[$Box(m#6)] } + $Is(m#6, Tclass._module.Node()) + ==> + read($Heap, this, _module.Node.anc)[$Box(m#6)] + ==> _module.Node.after($Heap, m#6))); + free invariant $w$loop#0 ==> _module.Node.valid#canCall($Heap, this); + invariant $w$loop#0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validUp#canCall($Heap, this) + ==> _module.Node.validUp($LS($LZ), $Heap, this) + || !read($Heap, this, _module.Node.anc)[$Box(this)]); + invariant $w$loop#0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validUp#canCall($Heap, this) + ==> _module.Node.validUp($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.parent) != null + ==> read($Heap, this, _module.Node.anc)[$Box(read($Heap, this, _module.Node.parent))])); + invariant $w$loop#0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validUp#canCall($Heap, this) + ==> _module.Node.validUp($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.parent) != null + ==> Set#Equal(read($Heap, this, _module.Node.anc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.parent))), + read($Heap, read($Heap, this, _module.Node.parent), _module.Node.anc))))); + invariant $w$loop#0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validUp#canCall($Heap, this) + ==> _module.Node.validUp($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.parent) != null + ==> _module.Node.validUp($LS($LS($LZ)), $Heap, read($Heap, this, _module.Node.parent)))); + invariant $w$loop#0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validUp#canCall($Heap, this) + ==> _module.Node.validUp($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.parent) == null + ==> Set#Equal(read($Heap, this, _module.Node.anc), Set#Empty(): Set Box))); + invariant $w$loop#0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validUp#canCall($Heap, this) + ==> _module.Node.validUp($LS($LZ), $Heap, this) + || (_module.Node.after($Heap, this) + ==> (forall m#7: ref :: + { _module.Node.after($Heap, m#7) } + { read($Heap, this, _module.Node.anc)[$Box(m#7)] } + $Is(m#7, Tclass._module.Node()) + ==> + read($Heap, this, _module.Node.anc)[$Box(m#7)] + ==> _module.Node.after($Heap, m#7)))); + invariant $w$loop#0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || !read($Heap, this, _module.Node.desc)[$Box(this)]); + invariant $w$loop#0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || read($Heap, this, _module.Node.left) != read($Heap, this, _module.Node.right)); + invariant $w$loop#0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.right) != null + ==> read($Heap, this, _module.Node.desc)[$Box(read($Heap, this, _module.Node.right))])); + invariant $w$loop#0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.right) != null + ==> !read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc)[$Box(read($Heap, this, _module.Node.left))])); + invariant $w$loop#0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.left) != null + ==> read($Heap, this, _module.Node.desc)[$Box(read($Heap, this, _module.Node.left))])); + invariant $w$loop#0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.left) != null + ==> + read($Heap, this, _module.Node.right) != null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#Union(Set#UnionOne(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.left))), + $Box(read($Heap, this, _module.Node.right))), + read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc)), + read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc))))); + invariant $w$loop#0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.left) != null + ==> + read($Heap, this, _module.Node.right) == null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.left))), + read($Heap, read($Heap, this, _module.Node.left), _module.Node.desc))))); + invariant $w$loop#0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.left) != null + ==> _module.Node.validDown($LS($LS($LZ)), $Heap, read($Heap, this, _module.Node.left)))); + invariant $w$loop#0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.left) == null + ==> + read($Heap, this, _module.Node.right) != null + ==> Set#Equal(read($Heap, this, _module.Node.desc), + Set#Union(Set#UnionOne(Set#Empty(): Set Box, $Box(read($Heap, this, _module.Node.right))), + read($Heap, read($Heap, this, _module.Node.right), _module.Node.desc))))); + invariant $w$loop#0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.left) == null + ==> + read($Heap, this, _module.Node.right) == null + ==> Set#Equal(read($Heap, this, _module.Node.desc), Set#Empty(): Set Box))); + invariant $w$loop#0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (read($Heap, this, _module.Node.right) != null + ==> _module.Node.validDown($LS($LS($LZ)), $Heap, read($Heap, this, _module.Node.right)))); + invariant $w$loop#0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (_module.Node.blocked($Heap, this) + ==> (forall m#8: ref :: + { _module.Node.blocked($Heap, m#8) } + { read($Heap, this, _module.Node.desc)[$Box(m#8)] } + $Is(m#8, Tclass._module.Node()) + ==> + read($Heap, this, _module.Node.desc)[$Box(m#8)] + ==> _module.Node.blocked($Heap, m#8)))); + invariant $w$loop#0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || (_module.Node.validDown#canCall($Heap, this) + ==> _module.Node.validDown($LS($LZ), $Heap, this) + || (_module.Node.after($Heap, this) + ==> (forall m#9: ref :: + { _module.Node.after($Heap, m#9) } + { _module.Node.blocked($Heap, m#9) } + { read($Heap, this, _module.Node.desc)[$Box(m#9)] } + $Is(m#9, Tclass._module.Node()) + ==> + read($Heap, this, _module.Node.desc)[$Box(m#9)] + ==> _module.Node.blocked($Heap, m#9) || _module.Node.after($Heap, m#9)))); + invariant $w$loop#0 + ==> + _module.Node.valid#canCall($Heap, this) + ==> _module.Node.valid($Heap, this) + || Set#Disjoint(read($Heap, this, _module.Node.desc), read($Heap, this, _module.Node.anc)); + free invariant $w$loop#0 + ==> _module.Node.valid#canCall($Heap, this) + && + _module.Node.valid($Heap, this) + && + _module.Node.validUp($LS($LZ), $Heap, this) + && _module.Node.validDown($LS($LZ), $Heap, this) + && Set#Disjoint(read($Heap, this, _module.Node.desc), read($Heap, this, _module.Node.anc)); + free invariant $w$loop#0 ==> true; + invariant $w$loop#0 + ==> read($Heap, this, _module.Node.left) + == read(old($Heap), this, _module.Node.left); + free invariant $w$loop#0 ==> true; + invariant $w$loop#0 + ==> read($Heap, this, _module.Node.right) + == read(old($Heap), this, _module.Node.right); + free invariant $w$loop#0 ==> true; + invariant $w$loop#0 + ==> + read($Heap, this, _module.Node.sense) + ==> read($Heap, this, _module.Node.parent) != null; + free invariant (forall $o: ref :: + { $Heap[$o] } + $o != null && read(old($Heap), $o, alloc) + ==> $Heap[$o] == $PreLoopHeap$loop#0[$o] + || + $o == this + || $o == read(old($Heap), this, _module.Node.left) + || $o == read(old($Heap), this, _module.Node.right)); + free invariant $HeapSucc($PreLoopHeap$loop#0, $Heap); + free invariant (forall $o: ref, $f: Field alpha :: + { read($Heap, $o, $f) } + $o != null && read($PreLoopHeap$loop#0, $o, alloc) + ==> read($Heap, $o, $f) == read($PreLoopHeap$loop#0, $o, $f) + || $Frame$loop#0[$o, $f]); + { + if (!$w$loop#0) + { + // assume allocatedness for receiver argument to function + assume $IsAlloc(this, Tclass._module.Node?(), $Heap); + assume _module.Node.validUp#canCall($Heap, this); + assume _module.Node.validUp#canCall($Heap, this); + assume _module.Node.validUp($LS($LZ), $Heap, this); + // assume allocatedness for receiver argument to function + assume $IsAlloc(this, Tclass._module.Node?(), $Heap); + assume _module.Node.valid#canCall($Heap, this); + assume _module.Node.valid#canCall($Heap, this); + assume _module.Node.valid($Heap, this); + assert $IsAlloc(this, Tclass._module.Node(), old($Heap)); + assume true; + assume read($Heap, this, _module.Node.left) + == read(old($Heap), this, _module.Node.left); + assert $IsAlloc(this, Tclass._module.Node(), old($Heap)); + assume true; + assume read($Heap, this, _module.Node.right) + == read(old($Heap), this, _module.Node.right); + if (read($Heap, this, _module.Node.sense)) + { + newtype$check#3 := null; + } + + assume true; + assume read($Heap, this, _module.Node.sense) + ==> read($Heap, this, _module.Node.parent) != null; + assume true; + assume false; + } + + assume true; + if (!read($Heap, this, _module.Node.sense)) + { + break; + } + + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\TreeBarrier.dfy(128,13) + assume true; + assert $Frame$loop#0[this, _module.Node.sense]; + havoc $rhs#3_0; + $Heap := update($Heap, this, _module.Node.sense, $rhs#3_0); + assume $IsGoodHeap($Heap); + // ----- assume statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\TreeBarrier.dfy(129,7) + if (!read($Heap, this, _module.Node.sense)) + { + assert {:subsumption 0} read($Heap, this, _module.Node.parent) != null; + // assume allocatedness for receiver argument to function + assume $IsAlloc(read($Heap, this, _module.Node.parent), Tclass._module.Node?(), $Heap); + assume _module.Node.after#canCall($Heap, read($Heap, this, _module.Node.parent)); + } + + assume !read($Heap, this, _module.Node.sense) + ==> _module.Node.after#canCall($Heap, read($Heap, this, _module.Node.parent)); + assume !read($Heap, this, _module.Node.sense) + ==> _module.Node.after($Heap, read($Heap, this, _module.Node.parent)); + assume _module.Node.validUp#canCall($Heap, this) + && (_module.Node.validUp($LS($LZ), $Heap, this) + ==> _module.Node.valid#canCall($Heap, this)); + } + + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\TreeBarrier.dfy(132,8) + assume true; + assert $_Frame[this, _module.Node.pc]; + assume true; + $rhs#3 := LitInt(4); + $Heap := update($Heap, this, _module.Node.pc, $rhs#3); + assume $IsGoodHeap($Heap); + // ----- if statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\TreeBarrier.dfy(133,5) + newtype$check#4 := null; + assume true; + if (read($Heap, this, _module.Node.left) != null) + { + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\TreeBarrier.dfy(134,18) + assert read($Heap, this, _module.Node.left) != null; + assume true; + assert $_Frame[read($Heap, this, _module.Node.left), _module.Node.sense]; + assume true; + $rhs#4_0 := Lit(false); + $Heap := update($Heap, read($Heap, this, _module.Node.left), _module.Node.sense, $rhs#4_0); + assume $IsGoodHeap($Heap); + } + else + { + } + + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\TreeBarrier.dfy(137,8) + assume true; + assert $_Frame[this, _module.Node.pc]; + assume true; + $rhs#4 := LitInt(5); + $Heap := update($Heap, this, _module.Node.pc, $rhs#4); + assume $IsGoodHeap($Heap); + // ----- if statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\TreeBarrier.dfy(138,5) + newtype$check#5 := null; + assume true; + if (read($Heap, this, _module.Node.right) != null) + { + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\TreeBarrier.dfy(139,19) + assert read($Heap, this, _module.Node.right) != null; + assume true; + assert $_Frame[read($Heap, this, _module.Node.right), _module.Node.sense]; + assume true; + $rhs#5_0 := Lit(false); + $Heap := update($Heap, read($Heap, this, _module.Node.right), _module.Node.sense, $rhs#5_0); + assume $IsGoodHeap($Heap); + } + else + { + } + + // ----- assignment statement ----- C:\Users\Gaurav\Doktorat\viper_lab\monomorphization\shaz_files\dafny_test_suite_selection\TreeBarrier.dfy(142,8) + assume true; + assert $_Frame[this, _module.Node.pc]; + assume true; + $rhs#5 := LitInt(6); + $Heap := update($Heap, this, _module.Node.pc, $rhs#5); + assume $IsGoodHeap($Heap); +} + + + +// _module.Node: non-null type $Is +axiom (forall c#0: ref :: + { $Is(c#0, Tclass._module.Node()) } + $Is(c#0, Tclass._module.Node()) + <==> $Is(c#0, Tclass._module.Node?()) && c#0 != null); + +// _module.Node: non-null type $IsAlloc +axiom (forall c#0: ref, $h: Heap :: + { $IsAlloc(c#0, Tclass._module.Node(), $h) } + $IsAlloc(c#0, Tclass._module.Node(), $h) + <==> $IsAlloc(c#0, Tclass._module.Node?(), $h)); + +const unique class._module.__default: ClassName; + +function Tclass._module.__default() : Ty; + +const unique Tagclass._module.__default: TyTag; + +// Tclass._module.__default Tag +axiom Tag(Tclass._module.__default()) == Tagclass._module.__default + && TagFamily(Tclass._module.__default()) == tytagFamily$_default; + +// Box/unbox axiom for Tclass._module.__default +axiom (forall bx: Box :: + { $IsBox(bx, Tclass._module.__default()) } + $IsBox(bx, Tclass._module.__default()) + ==> $Box($Unbox(bx): ref) == bx && $Is($Unbox(bx): ref, Tclass._module.__default())); + +// _default: Class $Is +axiom (forall $o: ref :: + { $Is($o, Tclass._module.__default()) } + $Is($o, Tclass._module.__default()) + <==> $o == null || dtype($o) == Tclass._module.__default()); + +// _default: Class $IsAlloc +axiom (forall $o: ref, $h: Heap :: + { $IsAlloc($o, Tclass._module.__default(), $h) } + $IsAlloc($o, Tclass._module.__default(), $h) + <==> $o == null || read($h, $o, alloc)); + +const unique tytagFamily$nat: TyTagFamily; + +const unique tytagFamily$object: TyTagFamily; + +const unique tytagFamily$array: TyTagFamily; + +const unique tytagFamily$_#Func1: TyTagFamily; + +const unique tytagFamily$_#PartialFunc1: TyTagFamily; + +const unique tytagFamily$_#TotalFunc1: TyTagFamily; + +const unique tytagFamily$_#Func0: TyTagFamily; + +const unique tytagFamily$_#PartialFunc0: TyTagFamily; + +const unique tytagFamily$_#TotalFunc0: TyTagFamily; + +const unique tytagFamily$_tuple#2: TyTagFamily; + +const unique tytagFamily$_tuple#0: TyTagFamily; + +const unique tytagFamily$Node: TyTagFamily; + +const unique tytagFamily$_default: TyTagFamily; + +const unique field$left: NameFamily; + +const unique field$right: NameFamily; + +const unique field$parent: NameFamily; + +const unique field$anc: NameFamily; + +const unique field$desc: NameFamily; + +const unique field$sense: NameFamily; + +const unique field$pc: NameFamily; diff --git a/Test/monomorphize/monomorphize1.bpl b/Test/monomorphize/monomorphize1.bpl index 91dd7e9af..62f736e5e 100644 --- a/Test/monomorphize/monomorphize1.bpl +++ b/Test/monomorphize/monomorphize1.bpl @@ -1,4 +1,4 @@ -// RUN: %parallel-boogie -lib:base -monomorphize -useArrayTheory "%s" > "%t" +// RUN: %parallel-boogie -lib:base "%s" > "%t" // RUN: %diff "%s.expect" "%t" procedure add(set: [int]bool, elem: int) returns (set': [int]bool) diff --git a/Test/datatypes/polymap0.bpl b/Test/monomorphize/polymap0.bpl similarity index 99% rename from Test/datatypes/polymap0.bpl rename to Test/monomorphize/polymap0.bpl index 33d1eceb8..feea186bf 100644 --- a/Test/datatypes/polymap0.bpl +++ b/Test/monomorphize/polymap0.bpl @@ -1,6 +1,5 @@ // RUN: %parallel-boogie /monomorphize /useArrayTheory "%s" > "%t" // RUN: %diff "%s.expect" "%t" -// XFAIL: * type Ref; var Heap: HeapType; diff --git a/Test/datatypes/polymap0.bpl.expect b/Test/monomorphize/polymap0.bpl.expect similarity index 100% rename from Test/datatypes/polymap0.bpl.expect rename to Test/monomorphize/polymap0.bpl.expect diff --git a/Test/monomorphize/polymap1.bpl b/Test/monomorphize/polymap1.bpl new file mode 100644 index 000000000..022cf8b9c --- /dev/null +++ b/Test/monomorphize/polymap1.bpl @@ -0,0 +1,16 @@ +// RUN: %parallel-boogie /monomorphize "%s" > "%t" +// RUN: %diff "%s.expect" "%t" + +function f(x: T) : int; + +type Field _; +const f1: Field int; +const f2: Field bool; + +procedure p() { + var y: [Field A]bool; + var z: [Field A]int; + + assume (forall x: [Field A]T1, y: [Field A]T2 :: x != y ==> f(x) != f(y)); + assert f(y) != f(z); +} diff --git a/Test/monomorphize/polymap1.bpl.expect b/Test/monomorphize/polymap1.bpl.expect new file mode 100644 index 000000000..df6d5691d --- /dev/null +++ b/Test/monomorphize/polymap1.bpl.expect @@ -0,0 +1,5 @@ +polymap1.bpl(15,2): Error: This assertion might not hold. +Execution trace: + polymap1.bpl(14,2): anon0 + +Boogie program verifier finished with 0 verified, 1 error diff --git a/Test/monomorphize/polymap2.bpl b/Test/monomorphize/polymap2.bpl new file mode 100644 index 000000000..babc4d83a --- /dev/null +++ b/Test/monomorphize/polymap2.bpl @@ -0,0 +1,15 @@ +// RUN: %parallel-boogie /monomorphize "%s" > "%t" +// RUN: %diff "%s.expect" "%t" + +type A _; + +function f(x: T) : bool; +function g(x: T) : int; + +axiom (forall x : A T :: g(x) > 0 ==> f(x)); + +procedure p() { + var x: A int; + assume g(x) > 0; + assert f(x); +} diff --git a/Test/monomorphize/polymap2.bpl.expect b/Test/monomorphize/polymap2.bpl.expect new file mode 100644 index 000000000..37fad75c9 --- /dev/null +++ b/Test/monomorphize/polymap2.bpl.expect @@ -0,0 +1,2 @@ + +Boogie program verifier finished with 1 verified, 0 errors diff --git a/Test/monomorphize/polymap3.bpl b/Test/monomorphize/polymap3.bpl new file mode 100644 index 000000000..ee47f4591 --- /dev/null +++ b/Test/monomorphize/polymap3.bpl @@ -0,0 +1,9 @@ +// RUN: %parallel-boogie /monomorphize "%s" > "%t" +// RUN: %diff "%s.expect" "%t" + +procedure p(x: int) { + var m: [A]bool; + m[true] := false; + m[x] := false; + assert m[x] == false; +} diff --git a/Test/monomorphize/polymap3.bpl.expect b/Test/monomorphize/polymap3.bpl.expect new file mode 100644 index 000000000..37fad75c9 --- /dev/null +++ b/Test/monomorphize/polymap3.bpl.expect @@ -0,0 +1,2 @@ + +Boogie program verifier finished with 1 verified, 0 errors diff --git a/Test/monomorphize/polymap4.bpl b/Test/monomorphize/polymap4.bpl new file mode 100644 index 000000000..37db86faa --- /dev/null +++ b/Test/monomorphize/polymap4.bpl @@ -0,0 +1,19 @@ +// RUN: %parallel-boogie /monomorphize "%s" > "%t" +// RUN: %diff "%s.expect" "%t" + +type A _; + +function f(x: A T) : bool; +function g(x: A T) : int; + +axiom (forall a : A T :: (forall b: A T :: g(a) > g(b) ==> f(a) ==> f(b))); + +procedure p() { + var x: A int; + var y: A bool; + assume g(x) > 0; + assume g(y) < 0; + assert g(x) > g(y); + assume f(x); + assert f(y); +} diff --git a/Test/monomorphize/polymap4.bpl.expect b/Test/monomorphize/polymap4.bpl.expect new file mode 100644 index 000000000..b68b8a8b1 --- /dev/null +++ b/Test/monomorphize/polymap4.bpl.expect @@ -0,0 +1,5 @@ +polymap4.bpl(18,5): Error: This assertion might not hold. +Execution trace: + polymap4.bpl(14,5): anon0 + +Boogie program verifier finished with 0 verified, 1 error diff --git a/Test/monomorphize/polymap5.bpl b/Test/monomorphize/polymap5.bpl new file mode 100644 index 000000000..5c9c32dfb --- /dev/null +++ b/Test/monomorphize/polymap5.bpl @@ -0,0 +1,19 @@ +// RUN: %parallel-boogie /monomorphize /useArrayTheory "%s" > "%t" +// RUN: %diff "%s.expect" "%t" + +type A _; + +function f(x: A T) : bool; +function g(x: A T) : int; + +axiom (forall a : A T :: (forall b: A R :: g(a) > g(b) ==> f(a) ==> f(b))); + +procedure p() { + var x: A int; + var y: A bool; + assume g(x) > 0; + assume g(y) < 0; + assert g(x) > g(y); + assume f(x); + assert f(y); +} diff --git a/Test/monomorphize/polymap5.bpl.expect b/Test/monomorphize/polymap5.bpl.expect new file mode 100644 index 000000000..37fad75c9 --- /dev/null +++ b/Test/monomorphize/polymap5.bpl.expect @@ -0,0 +1,2 @@ + +Boogie program verifier finished with 1 verified, 0 errors diff --git a/Test/monomorphize/viper/binary-search-array.bpl b/Test/monomorphize/viper/binary-search-array.bpl new file mode 100644 index 000000000..9039d4e27 --- /dev/null +++ b/Test/monomorphize/viper/binary-search-array.bpl @@ -0,0 +1,953 @@ +// RUN: %parallel-boogie /monomorphize /noVerify "%s" > "%t" + +// ================================================== +// Preamble of State module. +// ================================================== + +function state(Heap: HeapType, Mask: MaskType): bool; + +// ================================================== +// Preamble of Heap module. +// ================================================== + +type Ref; +var Heap: HeapType; +const null: Ref; +type Field A B; +type NormalField; +type HeapType = [Ref, Field A B]B; +const unique $allocated: Field NormalField bool; +axiom (forall o: Ref, f: (Field NormalField Ref), Heap: HeapType :: + { Heap[o, f] } + Heap[o, $allocated] ==> Heap[Heap[o, f], $allocated] +); +function succHeap(Heap0: HeapType, Heap1: HeapType): bool; +function succHeapTrans(Heap0: HeapType, Heap1: HeapType): bool; +function IdenticalOnKnownLocations(Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType): bool; +function IsPredicateField(f_1: (Field A B)): bool; +function IsWandField(f_1: (Field A B)): bool; +function getPredicateId(f_1: (Field A B)): int; +// Frame all locations with direct permissions +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, o_1: Ref, f_2: (Field A B) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), ExhaleHeap[o_1, f_2] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, o_1, f_2) ==> Heap[o_1, f_2] == ExhaleHeap[o_1, f_2] +); +// Frame all predicate mask locations of predicates with direct permission +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsPredicateField(pm_f), ExhaleHeap[null, PredicateMaskField(pm_f)] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsPredicateField(pm_f) ==> Heap[null, PredicateMaskField(pm_f)] == ExhaleHeap[null, PredicateMaskField(pm_f)] +); +// Frame all locations with known folded permissions +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsPredicateField(pm_f) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsPredicateField(pm_f) ==> (forall o2: Ref, f_2: (Field A B) :: + { ExhaleHeap[o2, f_2] } + Heap[null, PredicateMaskField(pm_f)][o2, f_2] ==> Heap[o2, f_2] == ExhaleHeap[o2, f_2] + ) +); +// Frame all wand mask locations of wands with direct permission +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsWandField(pm_f), ExhaleHeap[null, WandMaskField(pm_f)] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsWandField(pm_f) ==> Heap[null, WandMaskField(pm_f)] == ExhaleHeap[null, WandMaskField(pm_f)] +); +// Frame all locations in the footprint of magic wands +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsWandField(pm_f) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsWandField(pm_f) ==> (forall o2: Ref, f_2: (Field A B) :: + { ExhaleHeap[o2, f_2] } + Heap[null, WandMaskField(pm_f)][o2, f_2] ==> Heap[o2, f_2] == ExhaleHeap[o2, f_2] + ) +); +// All previously-allocated references are still allocated +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, o_1: Ref :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), ExhaleHeap[o_1, $allocated] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> Heap[o_1, $allocated] ==> ExhaleHeap[o_1, $allocated] +); +// Updated Heaps are Successor Heaps +axiom (forall Heap: HeapType, o: Ref, f_3: (Field A B), v: B :: + { Heap[o, f_3:=v] } + succHeap(Heap, Heap[o, f_3:=v]) +); +// IdenticalOnKnownLocations Heaps are Successor Heaps +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> succHeap(Heap, ExhaleHeap) +); +// Successor Heaps are Transitive Successor Heaps +axiom (forall Heap0: HeapType, Heap1: HeapType :: + { succHeap(Heap0, Heap1) } + succHeap(Heap0, Heap1) ==> succHeapTrans(Heap0, Heap1) +); +// Transitivity of Transitive Successor Heaps +axiom (forall Heap0: HeapType, Heap1: HeapType, Heap2: HeapType :: + { succHeapTrans(Heap0, Heap1), succHeap(Heap1, Heap2) } + succHeapTrans(Heap0, Heap1) && succHeap(Heap1, Heap2) ==> succHeapTrans(Heap0, Heap2) +); + +// ================================================== +// Preamble of Permission module. +// ================================================== + +type Perm = real; +type MaskType = [Ref, Field A B]Perm; +var Mask: MaskType; +const ZeroMask: MaskType; +axiom (forall o_2: Ref, f_4: (Field A B) :: + { ZeroMask[o_2, f_4] } + ZeroMask[o_2, f_4] == NoPerm +); +type PMaskType = [Ref, Field A B]bool; +const ZeroPMask: PMaskType; +axiom (forall o_2: Ref, f_4: (Field A B) :: + { ZeroPMask[o_2, f_4] } + !ZeroPMask[o_2, f_4] +); +function PredicateMaskField(f_5: (Field A FrameType)): Field A PMaskType; +function WandMaskField(f_5: (Field A FrameType)): Field A PMaskType; +const NoPerm: Perm; +axiom NoPerm == 0.000000000; +const FullPerm: Perm; +axiom FullPerm == 1.000000000; +function Perm(a: real, b: real): Perm; +function GoodMask(Mask: MaskType): bool; +axiom (forall Heap: HeapType, Mask: MaskType :: + { state(Heap, Mask) } + state(Heap, Mask) ==> GoodMask(Mask) +); +axiom (forall Mask: MaskType, o_2: Ref, f_4: (Field A B) :: + { GoodMask(Mask), Mask[o_2, f_4] } + GoodMask(Mask) ==> Mask[o_2, f_4] >= NoPerm && ((GoodMask(Mask) && !IsPredicateField(f_4)) && !IsWandField(f_4) ==> Mask[o_2, f_4] <= FullPerm) +); +function HasDirectPerm(Mask: MaskType, o_2: Ref, f_4: (Field A B)): bool; +axiom (forall Mask: MaskType, o_2: Ref, f_4: (Field A B) :: + { HasDirectPerm(Mask, o_2, f_4) } + HasDirectPerm(Mask, o_2, f_4) <==> Mask[o_2, f_4] > NoPerm +); +function sumMask(ResultMask: MaskType, SummandMask1: MaskType, SummandMask2: MaskType): bool; +axiom (forall ResultMask: MaskType, SummandMask1: MaskType, SummandMask2: MaskType, o_2: Ref, f_4: (Field A B) :: + { sumMask(ResultMask, SummandMask1, SummandMask2), ResultMask[o_2, f_4] } { sumMask(ResultMask, SummandMask1, SummandMask2), SummandMask1[o_2, f_4] } { sumMask(ResultMask, SummandMask1, SummandMask2), SummandMask2[o_2, f_4] } + sumMask(ResultMask, SummandMask1, SummandMask2) ==> ResultMask[o_2, f_4] == SummandMask1[o_2, f_4] + SummandMask2[o_2, f_4] +); +// ================================================== +// Function for trigger used in checks which are never triggered +// ================================================== + +function neverTriggered1(j$0_1: int): bool; +function neverTriggered2(j$1_1: int): bool; +function neverTriggered3(j$1_2: int): bool; +function neverTriggered4(j$3: int): bool; +function neverTriggered5(j$3_2: int): bool; +function neverTriggered6(j$3_3: int): bool; +function neverTriggered7(j$3_4: int): bool; +function neverTriggered8(j$3_5: int): bool; +// ================================================== +// Functions used as inverse of receiver expressions in quantified permissions during inhale and exhale +// ================================================== + +function invRecv1(recv: Ref): int; +function invRecv2(recv: Ref): int; +function invRecv3(recv: Ref): int; +function invRecv4(recv: Ref): int; +function invRecv5(recv: Ref): int; +function invRecv6(recv: Ref): int; +function invRecv7(recv: Ref): int; +function invRecv8(recv: Ref): int; +// ================================================== +// Functions used to represent the range of the projection of each QP instance onto its receiver expressions for quantified permissions during inhale and exhale +// ================================================== + +function qpRange1(recv: Ref): bool; +function qpRange2(recv: Ref): bool; +function qpRange3(recv: Ref): bool; +function qpRange4(recv: Ref): bool; +function qpRange5(recv: Ref): bool; +function qpRange6(recv: Ref): bool; +function qpRange7(recv: Ref): bool; +function qpRange8(recv: Ref): bool; + +// ================================================== +// Preamble of Function and predicate module. +// ================================================== + +// Declarations for function framing +type FrameType; +const EmptyFrame: FrameType; +function FrameFragment(t: T): FrameType; +function ConditionalFrame(p: Perm, f_6: FrameType): FrameType; +function dummyFunction(t: T): bool; +function CombineFrames(a_1: FrameType, b_1: FrameType): FrameType; +// ================================================== +// Definition of conditional frame fragments +// ================================================== + +axiom (forall p: Perm, f_6: FrameType :: + { ConditionalFrame(p, f_6) } + ConditionalFrame(p, f_6) == (if p > 0.000000000 then f_6 else EmptyFrame) +); +// Function for recording enclosure of one predicate instance in another +function InsidePredicate(p: (Field A FrameType), v_1: FrameType, q: (Field B FrameType), w: FrameType): bool; +// Transitivity of InsidePredicate +axiom (forall p: (Field A FrameType), v_1: FrameType, q: (Field B FrameType), w: FrameType, r: (Field C FrameType), u: FrameType :: + { InsidePredicate(p, v_1, q, w), InsidePredicate(q, w, r, u) } + InsidePredicate(p, v_1, q, w) && InsidePredicate(q, w, r, u) ==> InsidePredicate(p, v_1, r, u) +); +// Knowledge that two identical instances of the same predicate cannot be inside each other +axiom (forall p: (Field A FrameType), v_1: FrameType, w: FrameType :: + { InsidePredicate(p, v_1, p, w) } + !InsidePredicate(p, v_1, p, w) +); + +// ================================================== +// Translation of domain IArray +// ================================================== + +// The type for domain IArray +type IArrayDomainType; + +// Translation of domain function loc +function loc(a_2: IArrayDomainType, i: int): Ref; + +// Translation of domain function len +function len(a_2: IArrayDomainType): int; + +// Translation of domain function first +function first(r_1: Ref): IArrayDomainType; + +// Translation of domain function second +function second(r_1: Ref): int; + +// Translation of domain axiom all_diff +axiom (forall a_3: IArrayDomainType, i_1: int :: + { (loc(a_3, i_1): Ref) } + (first((loc(a_3, i_1): Ref)): IArrayDomainType) == a_3 && (second((loc(a_3, i_1): Ref)): int) == i_1 +); + +// Translation of domain axiom length_nonneg +axiom (forall a_3: IArrayDomainType :: + { (len(a_3): int) } + (len(a_3): int) >= 0 +); + +// ================================================== +// Translation of all fields +// ================================================== + +const unique val: Field NormalField int; +axiom !IsPredicateField(val); +axiom !IsWandField(val); + +// ================================================== +// Translation of method binary_search +// ================================================== + +procedure binary_search(a_3: IArrayDomainType, key: int) returns (index: int) + modifies Heap, Mask; +{ + var QPMask: MaskType; + var i_2: int; + var j: int; + var PostHeap: HeapType; + var PostMask: MaskType; + var j$2: int; + var i_3: int; + var low: int; + var high: int; + var j$4: int; + var i_6: int; + var ExhaleHeap: HeapType; + var j$4_1: int; + var i_4: int; + var loopHeap: HeapType; + var loopMask: MaskType; + var mid: int; + var j$4_5: int; + var i_11: int; + var j$2_2: int; + var i_4_1: int; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + + // -- Checked inhaling of precondition + + // -- Check definedness of (forall j$0: Int :: { loc(a, j$0) } 0 <= j$0 && j$0 < len(a) ==> acc(loc(a, j$0).val, write)) + if (*) { + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource loc(a, j$0).val might not be injective. (binary-search-array.vpr@10.12--10.21) [149]"} + (forall j$0_1: int, j$0_1_1: int :: + + (((j$0_1 != j$0_1_1 && (0 <= j$0_1 && j$0_1 < (len(a_3): int))) && (0 <= j$0_1_1 && j$0_1_1 < (len(a_3): int))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, j$0_1): Ref) != (loc(a_3, j$0_1_1): Ref) + ); + + // -- Define Inverse Function + assume (forall j$0_1: int :: + { (loc(a_3, j$0_1): Ref) } { (loc(a_3, j$0_1): Ref) } + (0 <= j$0_1 && j$0_1 < (len(a_3): int)) && NoPerm < FullPerm ==> qpRange1((loc(a_3, j$0_1): Ref)) && invRecv1((loc(a_3, j$0_1): Ref)) == j$0_1 + ); + assume (forall o_3: Ref :: + { invRecv1(o_3) } + ((0 <= invRecv1(o_3) && invRecv1(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange1(o_3) ==> (loc(a_3, invRecv1(o_3)): Ref) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall j$0_1: int :: + { (loc(a_3, j$0_1): Ref) } { (loc(a_3, j$0_1): Ref) } + 0 <= j$0_1 && j$0_1 < (len(a_3): int) ==> (loc(a_3, j$0_1): Ref) != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + (((0 <= invRecv1(o_3) && invRecv1(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange1(o_3) ==> (NoPerm < FullPerm ==> (loc(a_3, invRecv1(o_3)): Ref) == o_3) && QPMask[o_3, val] == Mask[o_3, val] + FullPerm) && (!(((0 <= invRecv1(o_3) && invRecv1(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange1(o_3)) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of (forall i: Int, j: Int :: { loc(a, i), loc(a, j) } 0 <= i && (j < len(a) && i < j) ==> loc(a, i).val < loc(a, j).val) + if (*) { + if (0 <= i_2 && (j < (len(a_3): int) && i_2 < j)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access loc(a, i).val (binary-search-array.vpr@11.12--11.123) [150]"} + HasDirectPerm(Mask, (loc(a_3, i_2): Ref), val); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access loc(a, j).val (binary-search-array.vpr@11.12--11.123) [151]"} + HasDirectPerm(Mask, (loc(a_3, j): Ref), val); + } + assume false; + } + assume (forall i_1_1: int, j_1: int :: + { (loc(a_3, i_1_1): Ref), (loc(a_3, j_1): Ref) } + 0 <= i_1_1 && (j_1 < (len(a_3): int) && i_1_1 < j_1) ==> Heap[(loc(a_3, i_1_1): Ref), val] < Heap[(loc(a_3, j_1): Ref), val] + ); + assume state(Heap, Mask); + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + PostHeap := Heap; + PostMask := Mask; + havoc PostHeap; + PostMask := ZeroMask; + assume state(PostHeap, PostMask); + if (*) { + // Checked inhaling of postcondition to check definedness + + // -- Check definedness of (forall j$1: Int :: { loc(a, j$1) } 0 <= j$1 && j$1 < len(a) ==> acc(loc(a, j$1).val, write)) + if (*) { + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource loc(a, j$1).val might not be injective. (binary-search-array.vpr@12.12--12.37) [152]"} + (forall j$1_1: int, j$1_1_1: int :: + + (((j$1_1 != j$1_1_1 && (0 <= j$1_1 && j$1_1 < (len(a_3): int))) && (0 <= j$1_1_1 && j$1_1_1 < (len(a_3): int))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, j$1_1): Ref) != (loc(a_3, j$1_1_1): Ref) + ); + + // -- Define Inverse Function + assume (forall j$1_1: int :: + { (loc(a_3, j$1_1): Ref) } { (loc(a_3, j$1_1): Ref) } + (0 <= j$1_1 && j$1_1 < (len(a_3): int)) && NoPerm < FullPerm ==> qpRange2((loc(a_3, j$1_1): Ref)) && invRecv2((loc(a_3, j$1_1): Ref)) == j$1_1 + ); + assume (forall o_3: Ref :: + { invRecv2(o_3) } + ((0 <= invRecv2(o_3) && invRecv2(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange2(o_3) ==> (loc(a_3, invRecv2(o_3)): Ref) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall j$1_1: int :: + { (loc(a_3, j$1_1): Ref) } { (loc(a_3, j$1_1): Ref) } + 0 <= j$1_1 && j$1_1 < (len(a_3): int) ==> (loc(a_3, j$1_1): Ref) != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + (((0 <= invRecv2(o_3) && invRecv2(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange2(o_3) ==> (NoPerm < FullPerm ==> (loc(a_3, invRecv2(o_3)): Ref) == o_3) && QPMask[o_3, val] == PostMask[o_3, val] + FullPerm) && (!(((0 <= invRecv2(o_3) && invRecv2(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange2(o_3)) ==> QPMask[o_3, val] == PostMask[o_3, val]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { PostMask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != val ==> PostMask[o_3, f_5] == QPMask[o_3, f_5] + ); + PostMask := QPMask; + assume state(PostHeap, PostMask); + + // -- Check definedness of (forall j$2: Int :: { loc(a, j$2) } 0 <= j$2 && j$2 < len(a) ==> loc(a, j$2).val == old(loc(a, j$2).val)) + if (*) { + if (0 <= j$2 && j$2 < (len(a_3): int)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access loc(a, j$2).val (binary-search-array.vpr@12.12--12.37) [153]"} + HasDirectPerm(PostMask, (loc(a_3, j$2): Ref), val); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access loc(a, j$2).val (binary-search-array.vpr@12.12--12.37) [154]"} + HasDirectPerm(old(Mask), (loc(a_3, j$2): Ref), val); + } + assume false; + } + assume (forall j$2_1: int :: + { (loc(a_3, j$2_1): Ref) } + 0 <= j$2_1 && j$2_1 < (len(a_3): int) ==> PostHeap[(loc(a_3, j$2_1): Ref), val] == old(Heap)[(loc(a_3, j$2_1): Ref), val] + ); + assume state(PostHeap, PostMask); + assume -1 <= index; + assume index < (len(a_3): int); + assume state(PostHeap, PostMask); + if (0 <= index) { + + // -- Check definedness of loc(a, index).val == key + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access loc(a, index).val (binary-search-array.vpr@14.12--14.51) [155]"} + HasDirectPerm(PostMask, (loc(a_3, index): Ref), val); + assume PostHeap[(loc(a_3, index): Ref), val] == key; + } + assume state(PostHeap, PostMask); + if (-1 == index) { + + // -- Check definedness of (forall i: Int :: { loc(a, i) } 0 <= i && i < len(a) ==> loc(a, i).val != key) + if (*) { + if (0 <= i_3 && i_3 < (len(a_3): int)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access loc(a, i).val (binary-search-array.vpr@15.12--15.91) [156]"} + HasDirectPerm(PostMask, (loc(a_3, i_3): Ref), val); + } + assume false; + } + assume (forall i_3_1: int :: + { (loc(a_3, i_3_1): Ref) } + 0 <= i_3_1 && i_3_1 < (len(a_3): int) ==> PostHeap[(loc(a_3, i_3_1): Ref), val] != key + ); + } + assume state(PostHeap, PostMask); + // Stop execution + assume false; + } + + // -- Translating statement: low := 0 -- binary-search-array.vpr@17.3--17.20 + low := 0; + assume state(Heap, Mask); + + // -- Translating statement: high := len(a) -- binary-search-array.vpr@18.3--18.26 + high := (len(a_3): int); + assume state(Heap, Mask); + + // -- Translating statement: index := -1 -- binary-search-array.vpr@19.3--19.14 + index := -1; + assume state(Heap, Mask); + + // -- Translating statement: while (low < high) -- binary-search-array.vpr@21.3--40.4 + + // -- Before loop head + + // -- Exhale loop invariant before loop + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver loc(a, j$3) is injective + assert {:msg " Loop invariant (forall j$3: Int :: { loc(a, j$3) } 0 <= j$3 && j$3 < len(a) ==> acc(loc(a, j$3).val, write)) && (forall j$4: Int :: { loc(a, j$4) } 0 <= j$4 && j$4 < len(a) ==> loc(a, j$4).val == old(loc(a, j$4).val)) might not hold on entry. Quantified resource loc(a, j$3).val might not be injective. (binary-search-array.vpr@22.15--22.40) [157]"} + (forall j$3: int, j$3_1: int :: + { neverTriggered4(j$3), neverTriggered4(j$3_1) } + (((j$3 != j$3_1 && (0 <= j$3 && j$3 < (len(a_3): int))) && (0 <= j$3_1 && j$3_1 < (len(a_3): int))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, j$3): Ref) != (loc(a_3, j$3_1): Ref) + ); + + // -- check if sufficient permission is held + assert {:msg " Loop invariant (forall j$3: Int :: { loc(a, j$3) } 0 <= j$3 && j$3 < len(a) ==> acc(loc(a, j$3).val, write)) && (forall j$4: Int :: { loc(a, j$4) } 0 <= j$4 && j$4 < len(a) ==> loc(a, j$4).val == old(loc(a, j$4).val)) might not hold on entry. There might be insufficient permission to access loc(a, j$3).val (binary-search-array.vpr@22.15--22.40) [158]"} + (forall j$3: int :: + { (loc(a_3, j$3): Ref) } { (loc(a_3, j$3): Ref) } + 0 <= j$3 && j$3 < (len(a_3): int) ==> Mask[(loc(a_3, j$3): Ref), val] >= FullPerm + ); + + // -- assumptions for inverse of receiver loc(a, j$3) + assume (forall j$3: int :: + { (loc(a_3, j$3): Ref) } { (loc(a_3, j$3): Ref) } + (0 <= j$3 && j$3 < (len(a_3): int)) && NoPerm < FullPerm ==> qpRange4((loc(a_3, j$3): Ref)) && invRecv4((loc(a_3, j$3): Ref)) == j$3 + ); + assume (forall o_3: Ref :: + { invRecv4(o_3) } + (0 <= invRecv4(o_3) && invRecv4(o_3) < (len(a_3): int)) && (NoPerm < FullPerm && qpRange4(o_3)) ==> (loc(a_3, invRecv4(o_3)): Ref) == o_3 + ); + + // -- assume permission updates for field val + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + ((0 <= invRecv4(o_3) && invRecv4(o_3) < (len(a_3): int)) && (NoPerm < FullPerm && qpRange4(o_3)) ==> (loc(a_3, invRecv4(o_3)): Ref) == o_3 && QPMask[o_3, val] == Mask[o_3, val] - FullPerm) && (!((0 <= invRecv4(o_3) && invRecv4(o_3) < (len(a_3): int)) && (NoPerm < FullPerm && qpRange4(o_3))) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + if (*) { + if (0 <= j$4 && j$4 < (len(a_3): int)) { + assert {:msg " Loop invariant (forall j$3: Int :: { loc(a, j$3) } 0 <= j$3 && j$3 < len(a) ==> acc(loc(a, j$3).val, write)) && (forall j$4: Int :: { loc(a, j$4) } 0 <= j$4 && j$4 < len(a) ==> loc(a, j$4).val == old(loc(a, j$4).val)) might not hold on entry. Assertion loc(a, j$4).val == old(loc(a, j$4).val) might not hold. (binary-search-array.vpr@22.15--22.40) [159]"} + Heap[(loc(a_3, j$4): Ref), val] == old(Heap)[(loc(a_3, j$4): Ref), val]; + } + assume false; + } + assume (forall j$4_1_1: int :: + { (loc(a_3, j$4_1_1): Ref) } + 0 <= j$4_1_1 && j$4_1_1 < (len(a_3): int) ==> Heap[(loc(a_3, j$4_1_1): Ref), val] == old(Heap)[(loc(a_3, j$4_1_1): Ref), val] + ); + assert {:msg " Loop invariant 0 <= low && (low <= high && high <= len(a)) might not hold on entry. Assertion 0 <= low might not hold. (binary-search-array.vpr@23.15--23.56) [160]"} + 0 <= low; + assert {:msg " Loop invariant 0 <= low && (low <= high && high <= len(a)) might not hold on entry. Assertion low <= high might not hold. (binary-search-array.vpr@23.15--23.56) [161]"} + low <= high; + assert {:msg " Loop invariant 0 <= low && (low <= high && high <= len(a)) might not hold on entry. Assertion high <= len(a) might not hold. (binary-search-array.vpr@23.15--23.56) [162]"} + high <= (len(a_3): int); + if (index == -1) { + if (*) { + if (0 <= i_6 && (i_6 < (len(a_3): int) && !(low <= i_6 && i_6 < high))) { + assert {:msg " Loop invariant index == -1 ==> (forall i: Int :: { loc(a, i) } 0 <= i && (i < len(a) && !(low <= i && i < high)) ==> loc(a, i).val != key) might not hold on entry. Assertion loc(a, i).val != key might not hold. (binary-search-array.vpr@24.15--24.133) [163]"} + Heap[(loc(a_3, i_6): Ref), val] != key; + } + assume false; + } + assume (forall i_7_1: int :: + { (loc(a_3, i_7_1): Ref) } + 0 <= i_7_1 && (i_7_1 < (len(a_3): int) && !(low <= i_7_1 && i_7_1 < high)) ==> Heap[(loc(a_3, i_7_1): Ref), val] != key + ); + } + assert {:msg " Loop invariant -1 <= index && index < len(a) might not hold on entry. Assertion -1 <= index might not hold. (binary-search-array.vpr@25.15--25.44) [164]"} + -1 <= index; + assert {:msg " Loop invariant -1 <= index && index < len(a) might not hold on entry. Assertion index < len(a) might not hold. (binary-search-array.vpr@25.15--25.44) [165]"} + index < (len(a_3): int); + if (0 <= index) { + assert {:msg " Loop invariant 0 <= index ==> loc(a, index).val == key might not hold on entry. Assertion loc(a, index).val == key might not hold. (binary-search-array.vpr@26.15--26.54) [166]"} + Heap[(loc(a_3, index): Ref), val] == key; + } + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + + // -- Havoc loop written variables (except locals) + havoc high, index, low; + + // -- Check definedness of invariant + if (*) { + + // -- Check definedness of (forall j$3: Int :: { loc(a, j$3) } 0 <= j$3 && j$3 < len(a) ==> acc(loc(a, j$3).val, write)) + if (*) { + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource loc(a, j$3).val might not be injective. (binary-search-array.vpr@22.15--22.40) [167]"} + (forall j$3_2: int, j$3_2_1: int :: + + (((j$3_2 != j$3_2_1 && (0 <= j$3_2 && j$3_2 < (len(a_3): int))) && (0 <= j$3_2_1 && j$3_2_1 < (len(a_3): int))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, j$3_2): Ref) != (loc(a_3, j$3_2_1): Ref) + ); + + // -- Define Inverse Function + assume (forall j$3_2: int :: + { (loc(a_3, j$3_2): Ref) } { (loc(a_3, j$3_2): Ref) } + (0 <= j$3_2 && j$3_2 < (len(a_3): int)) && NoPerm < FullPerm ==> qpRange5((loc(a_3, j$3_2): Ref)) && invRecv5((loc(a_3, j$3_2): Ref)) == j$3_2 + ); + assume (forall o_3: Ref :: + { invRecv5(o_3) } + ((0 <= invRecv5(o_3) && invRecv5(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange5(o_3) ==> (loc(a_3, invRecv5(o_3)): Ref) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall j$3_2: int :: + { (loc(a_3, j$3_2): Ref) } { (loc(a_3, j$3_2): Ref) } + 0 <= j$3_2 && j$3_2 < (len(a_3): int) ==> (loc(a_3, j$3_2): Ref) != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + (((0 <= invRecv5(o_3) && invRecv5(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange5(o_3) ==> (NoPerm < FullPerm ==> (loc(a_3, invRecv5(o_3)): Ref) == o_3) && QPMask[o_3, val] == Mask[o_3, val] + FullPerm) && (!(((0 <= invRecv5(o_3) && invRecv5(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange5(o_3)) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + + // -- Check definedness of (forall j$4: Int :: { loc(a, j$4) } 0 <= j$4 && j$4 < len(a) ==> loc(a, j$4).val == old(loc(a, j$4).val)) + if (*) { + if (0 <= j$4_1 && j$4_1 < (len(a_3): int)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access loc(a, j$4).val (binary-search-array.vpr@22.15--22.40) [168]"} + HasDirectPerm(Mask, (loc(a_3, j$4_1): Ref), val); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access loc(a, j$4).val (binary-search-array.vpr@22.15--22.40) [169]"} + HasDirectPerm(old(Mask), (loc(a_3, j$4_1): Ref), val); + } + assume false; + } + assume (forall j$4_3: int :: + { (loc(a_3, j$4_3): Ref) } + 0 <= j$4_3 && j$4_3 < (len(a_3): int) ==> Heap[(loc(a_3, j$4_3): Ref), val] == old(Heap)[(loc(a_3, j$4_3): Ref), val] + ); + assume state(Heap, Mask); + assume 0 <= low; + assume low <= high; + assume high <= (len(a_3): int); + assume state(Heap, Mask); + if (index == -1) { + + // -- Check definedness of (forall i: Int :: { loc(a, i) } 0 <= i && (i < len(a) && !(low <= i && i < high)) ==> loc(a, i).val != key) + if (*) { + if (0 <= i_4 && (i_4 < (len(a_3): int) && !(low <= i_4 && i_4 < high))) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access loc(a, i).val (binary-search-array.vpr@24.15--24.133) [170]"} + HasDirectPerm(Mask, (loc(a_3, i_4): Ref), val); + } + assume false; + } + assume (forall i_9: int :: + { (loc(a_3, i_9): Ref) } + 0 <= i_9 && (i_9 < (len(a_3): int) && !(low <= i_9 && i_9 < high)) ==> Heap[(loc(a_3, i_9): Ref), val] != key + ); + } + assume state(Heap, Mask); + assume -1 <= index; + assume index < (len(a_3): int); + assume state(Heap, Mask); + if (0 <= index) { + + // -- Check definedness of loc(a, index).val == key + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access loc(a, index).val (binary-search-array.vpr@26.15--26.54) [171]"} + HasDirectPerm(Mask, (loc(a_3, index): Ref), val); + assume Heap[(loc(a_3, index): Ref), val] == key; + } + assume state(Heap, Mask); + assume false; + } + + // -- Check the loop body + if (*) { + // Reset state + loopHeap := Heap; + loopMask := Mask; + Mask := ZeroMask; + assume state(Heap, Mask); + // Inhale invariant + havoc QPMask; + assert {:msg " While statement might fail. Quantified resource loc(a, j$3).val might not be injective. (binary-search-array.vpr@22.15--22.40) [172]"} + (forall j$3_3: int, j$3_3_1: int :: + + (((j$3_3 != j$3_3_1 && (0 <= j$3_3 && j$3_3 < (len(a_3): int))) && (0 <= j$3_3_1 && j$3_3_1 < (len(a_3): int))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, j$3_3): Ref) != (loc(a_3, j$3_3_1): Ref) + ); + + // -- Define Inverse Function + assume (forall j$3_3: int :: + { (loc(a_3, j$3_3): Ref) } { (loc(a_3, j$3_3): Ref) } + (0 <= j$3_3 && j$3_3 < (len(a_3): int)) && NoPerm < FullPerm ==> qpRange6((loc(a_3, j$3_3): Ref)) && invRecv6((loc(a_3, j$3_3): Ref)) == j$3_3 + ); + assume (forall o_3: Ref :: + { invRecv6(o_3) } + ((0 <= invRecv6(o_3) && invRecv6(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange6(o_3) ==> (loc(a_3, invRecv6(o_3)): Ref) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall j$3_3: int :: + { (loc(a_3, j$3_3): Ref) } { (loc(a_3, j$3_3): Ref) } + 0 <= j$3_3 && j$3_3 < (len(a_3): int) ==> (loc(a_3, j$3_3): Ref) != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + (((0 <= invRecv6(o_3) && invRecv6(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange6(o_3) ==> (NoPerm < FullPerm ==> (loc(a_3, invRecv6(o_3)): Ref) == o_3) && QPMask[o_3, val] == Mask[o_3, val] + FullPerm) && (!(((0 <= invRecv6(o_3) && invRecv6(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange6(o_3)) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume (forall j$4_4: int :: + { (loc(a_3, j$4_4): Ref) } + 0 <= j$4_4 && j$4_4 < (len(a_3): int) ==> Heap[(loc(a_3, j$4_4): Ref), val] == old(Heap)[(loc(a_3, j$4_4): Ref), val] + ); + assume 0 <= low; + assume low <= high; + assume high <= (len(a_3): int); + if (index == -1) { + assume (forall i_10: int :: + { (loc(a_3, i_10): Ref) } + 0 <= i_10 && (i_10 < (len(a_3): int) && !(low <= i_10 && i_10 < high)) ==> Heap[(loc(a_3, i_10): Ref), val] != key + ); + } + assume -1 <= index; + assume index < (len(a_3): int); + if (0 <= index) { + assume Heap[(loc(a_3, index): Ref), val] == key; + } + assume state(Heap, Mask); + // Check and assume guard + assume low < high; + assume state(Heap, Mask); + + // -- Translate loop body + + // -- Translating statement: mid := (low + high) / 2 -- binary-search-array.vpr@28.5--28.37 + mid := (low + high) div 2; + assume state(Heap, Mask); + + // -- Translating statement: if (loc(a, mid).val < key) -- binary-search-array.vpr@30.5--39.6 + + // -- Check definedness of loc(a, mid).val < key + assert {:msg " Conditional statement might fail. There might be insufficient permission to access loc(a, mid).val (binary-search-array.vpr@30.9--30.30) [173]"} + HasDirectPerm(Mask, (loc(a_3, mid): Ref), val); + if (Heap[(loc(a_3, mid): Ref), val] < key) { + + // -- Translating statement: low := mid + 1 -- binary-search-array.vpr@31.7--31.21 + low := mid + 1; + assume state(Heap, Mask); + } else { + + // -- Translating statement: if (key < loc(a, mid).val) -- binary-search-array.vpr@33.7--38.8 + + // -- Check definedness of key < loc(a, mid).val + assert {:msg " Conditional statement might fail. There might be insufficient permission to access loc(a, mid).val (binary-search-array.vpr@33.11--33.32) [174]"} + HasDirectPerm(Mask, (loc(a_3, mid): Ref), val); + if (key < Heap[(loc(a_3, mid): Ref), val]) { + + // -- Translating statement: high := mid -- binary-search-array.vpr@34.9--34.20 + high := mid; + assume state(Heap, Mask); + } else { + + // -- Translating statement: index := mid -- binary-search-array.vpr@36.9--36.21 + index := mid; + assume state(Heap, Mask); + + // -- Translating statement: high := mid -- binary-search-array.vpr@37.9--37.20 + high := mid; + assume state(Heap, Mask); + } + assume state(Heap, Mask); + } + assume state(Heap, Mask); + // Exhale invariant + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver loc(a, j$3) is injective + assert {:msg " Loop invariant (forall j$3: Int :: { loc(a, j$3) } 0 <= j$3 && j$3 < len(a) ==> acc(loc(a, j$3).val, write)) && (forall j$4: Int :: { loc(a, j$4) } 0 <= j$4 && j$4 < len(a) ==> loc(a, j$4).val == old(loc(a, j$4).val)) might not be preserved. Quantified resource loc(a, j$3).val might not be injective. (binary-search-array.vpr@22.15--22.40) [175]"} + (forall j$3_4: int, j$3_4_1: int :: + { neverTriggered7(j$3_4), neverTriggered7(j$3_4_1) } + (((j$3_4 != j$3_4_1 && (0 <= j$3_4 && j$3_4 < (len(a_3): int))) && (0 <= j$3_4_1 && j$3_4_1 < (len(a_3): int))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, j$3_4): Ref) != (loc(a_3, j$3_4_1): Ref) + ); + + // -- check if sufficient permission is held + assert {:msg " Loop invariant (forall j$3: Int :: { loc(a, j$3) } 0 <= j$3 && j$3 < len(a) ==> acc(loc(a, j$3).val, write)) && (forall j$4: Int :: { loc(a, j$4) } 0 <= j$4 && j$4 < len(a) ==> loc(a, j$4).val == old(loc(a, j$4).val)) might not be preserved. There might be insufficient permission to access loc(a, j$3).val (binary-search-array.vpr@22.15--22.40) [176]"} + (forall j$3_4: int :: + { (loc(a_3, j$3_4): Ref) } { (loc(a_3, j$3_4): Ref) } + 0 <= j$3_4 && j$3_4 < (len(a_3): int) ==> Mask[(loc(a_3, j$3_4): Ref), val] >= FullPerm + ); + + // -- assumptions for inverse of receiver loc(a, j$3) + assume (forall j$3_4: int :: + { (loc(a_3, j$3_4): Ref) } { (loc(a_3, j$3_4): Ref) } + (0 <= j$3_4 && j$3_4 < (len(a_3): int)) && NoPerm < FullPerm ==> qpRange7((loc(a_3, j$3_4): Ref)) && invRecv7((loc(a_3, j$3_4): Ref)) == j$3_4 + ); + assume (forall o_3: Ref :: + { invRecv7(o_3) } + (0 <= invRecv7(o_3) && invRecv7(o_3) < (len(a_3): int)) && (NoPerm < FullPerm && qpRange7(o_3)) ==> (loc(a_3, invRecv7(o_3)): Ref) == o_3 + ); + + // -- assume permission updates for field val + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + ((0 <= invRecv7(o_3) && invRecv7(o_3) < (len(a_3): int)) && (NoPerm < FullPerm && qpRange7(o_3)) ==> (loc(a_3, invRecv7(o_3)): Ref) == o_3 && QPMask[o_3, val] == Mask[o_3, val] - FullPerm) && (!((0 <= invRecv7(o_3) && invRecv7(o_3) < (len(a_3): int)) && (NoPerm < FullPerm && qpRange7(o_3))) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + if (*) { + if (0 <= j$4_5 && j$4_5 < (len(a_3): int)) { + assert {:msg " Loop invariant (forall j$3: Int :: { loc(a, j$3) } 0 <= j$3 && j$3 < len(a) ==> acc(loc(a, j$3).val, write)) && (forall j$4: Int :: { loc(a, j$4) } 0 <= j$4 && j$4 < len(a) ==> loc(a, j$4).val == old(loc(a, j$4).val)) might not be preserved. Assertion loc(a, j$4).val == old(loc(a, j$4).val) might not hold. (binary-search-array.vpr@22.15--22.40) [177]"} + Heap[(loc(a_3, j$4_5): Ref), val] == old(Heap)[(loc(a_3, j$4_5): Ref), val]; + } + assume false; + } + assume (forall j$4_6_1: int :: + { (loc(a_3, j$4_6_1): Ref) } + 0 <= j$4_6_1 && j$4_6_1 < (len(a_3): int) ==> Heap[(loc(a_3, j$4_6_1): Ref), val] == old(Heap)[(loc(a_3, j$4_6_1): Ref), val] + ); + assert {:msg " Loop invariant 0 <= low && (low <= high && high <= len(a)) might not be preserved. Assertion 0 <= low might not hold. (binary-search-array.vpr@23.15--23.56) [178]"} + 0 <= low; + assert {:msg " Loop invariant 0 <= low && (low <= high && high <= len(a)) might not be preserved. Assertion low <= high might not hold. (binary-search-array.vpr@23.15--23.56) [179]"} + low <= high; + assert {:msg " Loop invariant 0 <= low && (low <= high && high <= len(a)) might not be preserved. Assertion high <= len(a) might not hold. (binary-search-array.vpr@23.15--23.56) [180]"} + high <= (len(a_3): int); + if (index == -1) { + if (*) { + if (0 <= i_11 && (i_11 < (len(a_3): int) && !(low <= i_11 && i_11 < high))) { + assert {:msg " Loop invariant index == -1 ==> (forall i: Int :: { loc(a, i) } 0 <= i && (i < len(a) && !(low <= i && i < high)) ==> loc(a, i).val != key) might not be preserved. Assertion loc(a, i).val != key might not hold. (binary-search-array.vpr@24.15--24.133) [181]"} + Heap[(loc(a_3, i_11): Ref), val] != key; + } + assume false; + } + assume (forall i_12_1: int :: + { (loc(a_3, i_12_1): Ref) } + 0 <= i_12_1 && (i_12_1 < (len(a_3): int) && !(low <= i_12_1 && i_12_1 < high)) ==> Heap[(loc(a_3, i_12_1): Ref), val] != key + ); + } + assert {:msg " Loop invariant -1 <= index && index < len(a) might not be preserved. Assertion -1 <= index might not hold. (binary-search-array.vpr@25.15--25.44) [182]"} + -1 <= index; + assert {:msg " Loop invariant -1 <= index && index < len(a) might not be preserved. Assertion index < len(a) might not hold. (binary-search-array.vpr@25.15--25.44) [183]"} + index < (len(a_3): int); + if (0 <= index) { + assert {:msg " Loop invariant 0 <= index ==> loc(a, index).val == key might not be preserved. Assertion loc(a, index).val == key might not hold. (binary-search-array.vpr@26.15--26.54) [184]"} + Heap[(loc(a_3, index): Ref), val] == key; + } + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Terminate execution + assume false; + } + + // -- Inhale loop invariant after loop, and assume guard + assume !(low < high); + assume state(Heap, Mask); + havoc QPMask; + assert {:msg " While statement might fail. Quantified resource loc(a, j$3).val might not be injective. (binary-search-array.vpr@22.15--22.40) [185]"} + (forall j$3_5: int, j$3_5_1: int :: + + (((j$3_5 != j$3_5_1 && (0 <= j$3_5 && j$3_5 < (len(a_3): int))) && (0 <= j$3_5_1 && j$3_5_1 < (len(a_3): int))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, j$3_5): Ref) != (loc(a_3, j$3_5_1): Ref) + ); + + // -- Define Inverse Function + assume (forall j$3_5: int :: + { (loc(a_3, j$3_5): Ref) } { (loc(a_3, j$3_5): Ref) } + (0 <= j$3_5 && j$3_5 < (len(a_3): int)) && NoPerm < FullPerm ==> qpRange8((loc(a_3, j$3_5): Ref)) && invRecv8((loc(a_3, j$3_5): Ref)) == j$3_5 + ); + assume (forall o_3: Ref :: + { invRecv8(o_3) } + ((0 <= invRecv8(o_3) && invRecv8(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange8(o_3) ==> (loc(a_3, invRecv8(o_3)): Ref) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall j$3_5: int :: + { (loc(a_3, j$3_5): Ref) } { (loc(a_3, j$3_5): Ref) } + 0 <= j$3_5 && j$3_5 < (len(a_3): int) ==> (loc(a_3, j$3_5): Ref) != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + (((0 <= invRecv8(o_3) && invRecv8(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange8(o_3) ==> (NoPerm < FullPerm ==> (loc(a_3, invRecv8(o_3)): Ref) == o_3) && QPMask[o_3, val] == Mask[o_3, val] + FullPerm) && (!(((0 <= invRecv8(o_3) && invRecv8(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange8(o_3)) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume (forall j$4_7: int :: + { (loc(a_3, j$4_7): Ref) } + 0 <= j$4_7 && j$4_7 < (len(a_3): int) ==> Heap[(loc(a_3, j$4_7): Ref), val] == old(Heap)[(loc(a_3, j$4_7): Ref), val] + ); + assume 0 <= low; + assume low <= high; + assume high <= (len(a_3): int); + if (index == -1) { + assume (forall i_13: int :: + { (loc(a_3, i_13): Ref) } + 0 <= i_13 && (i_13 < (len(a_3): int) && !(low <= i_13 && i_13 < high)) ==> Heap[(loc(a_3, i_13): Ref), val] != key + ); + } + assume -1 <= index; + assume index < (len(a_3): int); + if (0 <= index) { + assume Heap[(loc(a_3, index): Ref), val] == key; + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Exhaling postcondition + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver loc(a, j$1) is injective + assert {:msg " Contract might not be well-formed. Quantified resource loc(a, j$1).val might not be injective. (binary-search-array.vpr@12.12--12.21) [186]"} + (forall j$1_2: int, j$1_2_1: int :: + { neverTriggered3(j$1_2), neverTriggered3(j$1_2_1) } + (((j$1_2 != j$1_2_1 && (0 <= j$1_2 && j$1_2 < (len(a_3): int))) && (0 <= j$1_2_1 && j$1_2_1 < (len(a_3): int))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, j$1_2): Ref) != (loc(a_3, j$1_2_1): Ref) + ); + + // -- check if sufficient permission is held + assert {:msg " Postcondition of binary_search might not hold. There might be insufficient permission to access loc(a, j$1).val (binary-search-array.vpr@12.12--12.37) [187]"} + (forall j$1_2: int :: + { (loc(a_3, j$1_2): Ref) } { (loc(a_3, j$1_2): Ref) } + 0 <= j$1_2 && j$1_2 < (len(a_3): int) ==> Mask[(loc(a_3, j$1_2): Ref), val] >= FullPerm + ); + + // -- assumptions for inverse of receiver loc(a, j$1) + assume (forall j$1_2: int :: + { (loc(a_3, j$1_2): Ref) } { (loc(a_3, j$1_2): Ref) } + (0 <= j$1_2 && j$1_2 < (len(a_3): int)) && NoPerm < FullPerm ==> qpRange3((loc(a_3, j$1_2): Ref)) && invRecv3((loc(a_3, j$1_2): Ref)) == j$1_2 + ); + assume (forall o_3: Ref :: + { invRecv3(o_3) } + (0 <= invRecv3(o_3) && invRecv3(o_3) < (len(a_3): int)) && (NoPerm < FullPerm && qpRange3(o_3)) ==> (loc(a_3, invRecv3(o_3)): Ref) == o_3 + ); + + // -- assume permission updates for field val + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + ((0 <= invRecv3(o_3) && invRecv3(o_3) < (len(a_3): int)) && (NoPerm < FullPerm && qpRange3(o_3)) ==> (loc(a_3, invRecv3(o_3)): Ref) == o_3 && QPMask[o_3, val] == Mask[o_3, val] - FullPerm) && (!((0 <= invRecv3(o_3) && invRecv3(o_3) < (len(a_3): int)) && (NoPerm < FullPerm && qpRange3(o_3))) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + if (*) { + if (0 <= j$2_2 && j$2_2 < (len(a_3): int)) { + assert {:msg " Postcondition of binary_search might not hold. Assertion loc(a, j$2).val == old(loc(a, j$2).val) might not hold. (binary-search-array.vpr@12.12--12.37) [188]"} + Heap[(loc(a_3, j$2_2): Ref), val] == old(Heap)[(loc(a_3, j$2_2): Ref), val]; + } + assume false; + } + assume (forall j$2_3_1: int :: + { (loc(a_3, j$2_3_1): Ref) } + 0 <= j$2_3_1 && j$2_3_1 < (len(a_3): int) ==> Heap[(loc(a_3, j$2_3_1): Ref), val] == old(Heap)[(loc(a_3, j$2_3_1): Ref), val] + ); + assert {:msg " Postcondition of binary_search might not hold. Assertion -1 <= index might not hold. (binary-search-array.vpr@13.12--13.41) [189]"} + -1 <= index; + assert {:msg " Postcondition of binary_search might not hold. Assertion index < len(a) might not hold. (binary-search-array.vpr@13.12--13.41) [190]"} + index < (len(a_3): int); + if (0 <= index) { + assert {:msg " Postcondition of binary_search might not hold. Assertion loc(a, index).val == key might not hold. (binary-search-array.vpr@14.12--14.51) [191]"} + Heap[(loc(a_3, index): Ref), val] == key; + } + if (-1 == index) { + if (*) { + if (0 <= i_4_1 && i_4_1 < (len(a_3): int)) { + assert {:msg " Postcondition of binary_search might not hold. Assertion loc(a, i).val != key might not hold. (binary-search-array.vpr@15.12--15.91) [192]"} + Heap[(loc(a_3, i_4_1): Ref), val] != key; + } + assume false; + } + assume (forall i_5_1: int :: + { (loc(a_3, i_5_1): Ref) } + 0 <= i_5_1 && i_5_1 < (len(a_3): int) ==> Heap[(loc(a_3, i_5_1): Ref), val] != key + ); + } + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; +} diff --git a/Test/monomorphize/viper/binary-search-seq.bpl b/Test/monomorphize/viper/binary-search-seq.bpl new file mode 100644 index 000000000..abae23b23 --- /dev/null +++ b/Test/monomorphize/viper/binary-search-seq.bpl @@ -0,0 +1,855 @@ +// RUN: %parallel-boogie /monomorphize /noVerify "%s" > "%t" + +// ================================================== +// Preamble of State module. +// ================================================== + +function state(Heap: HeapType, Mask: MaskType): bool; + +// ================================================== +// Preamble of Heap module. +// ================================================== + +type Ref; +var Heap: HeapType; +const null: Ref; +type Field A B; +type NormalField; +type HeapType = [Ref, Field A B]B; +const unique $allocated: Field NormalField bool; +axiom (forall o: Ref, f: (Field NormalField Ref), Heap: HeapType :: + { Heap[o, f] } + Heap[o, $allocated] ==> Heap[Heap[o, f], $allocated] +); +function succHeap(Heap0: HeapType, Heap1: HeapType): bool; +function succHeapTrans(Heap0: HeapType, Heap1: HeapType): bool; +function IdenticalOnKnownLocations(Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType): bool; +function IsPredicateField(f_1: (Field A B)): bool; +function IsWandField(f_1: (Field A B)): bool; +function getPredicateId(f_1: (Field A B)): int; +// Frame all locations with direct permissions +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, o_1: Ref, f_2: (Field A B) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), ExhaleHeap[o_1, f_2] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, o_1, f_2) ==> Heap[o_1, f_2] == ExhaleHeap[o_1, f_2] +); +// Frame all predicate mask locations of predicates with direct permission +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsPredicateField(pm_f), ExhaleHeap[null, PredicateMaskField(pm_f)] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsPredicateField(pm_f) ==> Heap[null, PredicateMaskField(pm_f)] == ExhaleHeap[null, PredicateMaskField(pm_f)] +); +// Frame all locations with known folded permissions +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsPredicateField(pm_f) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsPredicateField(pm_f) ==> (forall o2: Ref, f_2: (Field A B) :: + { ExhaleHeap[o2, f_2] } + Heap[null, PredicateMaskField(pm_f)][o2, f_2] ==> Heap[o2, f_2] == ExhaleHeap[o2, f_2] + ) +); +// Frame all wand mask locations of wands with direct permission +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsWandField(pm_f), ExhaleHeap[null, WandMaskField(pm_f)] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsWandField(pm_f) ==> Heap[null, WandMaskField(pm_f)] == ExhaleHeap[null, WandMaskField(pm_f)] +); +// Frame all locations in the footprint of magic wands +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsWandField(pm_f) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsWandField(pm_f) ==> (forall o2: Ref, f_2: (Field A B) :: + { ExhaleHeap[o2, f_2] } + Heap[null, WandMaskField(pm_f)][o2, f_2] ==> Heap[o2, f_2] == ExhaleHeap[o2, f_2] + ) +); +// All previously-allocated references are still allocated +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, o_1: Ref :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), ExhaleHeap[o_1, $allocated] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> Heap[o_1, $allocated] ==> ExhaleHeap[o_1, $allocated] +); +// Updated Heaps are Successor Heaps +axiom (forall Heap: HeapType, o: Ref, f_3: (Field A B), v: B :: + { Heap[o, f_3:=v] } + succHeap(Heap, Heap[o, f_3:=v]) +); +// IdenticalOnKnownLocations Heaps are Successor Heaps +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> succHeap(Heap, ExhaleHeap) +); +// Successor Heaps are Transitive Successor Heaps +axiom (forall Heap0: HeapType, Heap1: HeapType :: + { succHeap(Heap0, Heap1) } + succHeap(Heap0, Heap1) ==> succHeapTrans(Heap0, Heap1) +); +// Transitivity of Transitive Successor Heaps +axiom (forall Heap0: HeapType, Heap1: HeapType, Heap2: HeapType :: + { succHeapTrans(Heap0, Heap1), succHeap(Heap1, Heap2) } + succHeapTrans(Heap0, Heap1) && succHeap(Heap1, Heap2) ==> succHeapTrans(Heap0, Heap2) +); + +// ================================================== +// Preamble of Permission module. +// ================================================== + +type Perm = real; +type MaskType = [Ref, Field A B]Perm; +var Mask: MaskType; +const ZeroMask: MaskType; +axiom (forall o_2: Ref, f_4: (Field A B) :: + { ZeroMask[o_2, f_4] } + ZeroMask[o_2, f_4] == NoPerm +); +type PMaskType = [Ref, Field A B]bool; +const ZeroPMask: PMaskType; +axiom (forall o_2: Ref, f_4: (Field A B) :: + { ZeroPMask[o_2, f_4] } + !ZeroPMask[o_2, f_4] +); +function PredicateMaskField(f_5: (Field A FrameType)): Field A PMaskType; +function WandMaskField(f_5: (Field A FrameType)): Field A PMaskType; +const NoPerm: Perm; +axiom NoPerm == 0.000000000; +const FullPerm: Perm; +axiom FullPerm == 1.000000000; +function Perm(a: real, b: real): Perm; +function GoodMask(Mask: MaskType): bool; +axiom (forall Heap: HeapType, Mask: MaskType :: + { state(Heap, Mask) } + state(Heap, Mask) ==> GoodMask(Mask) +); +axiom (forall Mask: MaskType, o_2: Ref, f_4: (Field A B) :: + { GoodMask(Mask), Mask[o_2, f_4] } + GoodMask(Mask) ==> Mask[o_2, f_4] >= NoPerm && ((GoodMask(Mask) && !IsPredicateField(f_4)) && !IsWandField(f_4) ==> Mask[o_2, f_4] <= FullPerm) +); +function HasDirectPerm(Mask: MaskType, o_2: Ref, f_4: (Field A B)): bool; +axiom (forall Mask: MaskType, o_2: Ref, f_4: (Field A B) :: + { HasDirectPerm(Mask, o_2, f_4) } + HasDirectPerm(Mask, o_2, f_4) <==> Mask[o_2, f_4] > NoPerm +); +function sumMask(ResultMask: MaskType, SummandMask1: MaskType, SummandMask2: MaskType): bool; +axiom (forall ResultMask: MaskType, SummandMask1: MaskType, SummandMask2: MaskType, o_2: Ref, f_4: (Field A B) :: + { sumMask(ResultMask, SummandMask1, SummandMask2), ResultMask[o_2, f_4] } { sumMask(ResultMask, SummandMask1, SummandMask2), SummandMask1[o_2, f_4] } { sumMask(ResultMask, SummandMask1, SummandMask2), SummandMask2[o_2, f_4] } + sumMask(ResultMask, SummandMask1, SummandMask2) ==> ResultMask[o_2, f_4] == SummandMask1[o_2, f_4] + SummandMask2[o_2, f_4] +); + +// ================================================== +// Preamble of Function and predicate module. +// ================================================== + +// Declarations for function framing +type FrameType; +const EmptyFrame: FrameType; +function FrameFragment(t: T): FrameType; +function ConditionalFrame(p: Perm, f_6: FrameType): FrameType; +function dummyFunction(t: T): bool; +function CombineFrames(a_1: FrameType, b_1: FrameType): FrameType; +// ================================================== +// Definition of conditional frame fragments +// ================================================== + +axiom (forall p: Perm, f_6: FrameType :: + { ConditionalFrame(p, f_6) } + ConditionalFrame(p, f_6) == (if p > 0.000000000 then f_6 else EmptyFrame) +); +// Function for recording enclosure of one predicate instance in another +function InsidePredicate(p: (Field A FrameType), v_1: FrameType, q: (Field B FrameType), w: FrameType): bool; +// Transitivity of InsidePredicate +axiom (forall p: (Field A FrameType), v_1: FrameType, q: (Field B FrameType), w: FrameType, r: (Field C FrameType), u: FrameType :: + { InsidePredicate(p, v_1, q, w), InsidePredicate(q, w, r, u) } + InsidePredicate(p, v_1, q, w) && InsidePredicate(q, w, r, u) ==> InsidePredicate(p, v_1, r, u) +); +// Knowledge that two identical instances of the same predicate cannot be inside each other +axiom (forall p: (Field A FrameType), v_1: FrameType, w: FrameType :: + { InsidePredicate(p, v_1, p, w) } + !InsidePredicate(p, v_1, p, w) +); + +// ================================================== +// Preamble of Sequence module. +// ================================================== + + // diff 0 implemented (no difference) + // diff 1 implemented (fixes test5 in sequences.sil) + // diff 2 implemented (fixes m01 and m03 in quantifiedpermissions/issues/issue_0064) + // diff 3 implemented (no difference) + // diff 4 implemented (no difference) + // diff 5 implemented (fixes colourings0 in sequence-incompletenesses test case) + // diff 6 implemented (no difference) + // diff 7 implemented + // diff 8 implemented (allows for contains triggering, without destroying performance of e.g. functions/linkedlists test case) + // diff 11 implemented + // diff 13 implemented, for now (may reduce completeness, but there's a known matching loop when the first drop amount is 0); another option would be to add !=0 as an explicit condition + // diff 14 implemented: eliminate index over take/drop for trivial cases (to avoid matching loops when e.g. s[i..] == s is known) + // diff 16 implemented: remove general cases of equality-learning between take/drop/append subsequences; only allow when take/drop are at top level (this affects linkedlists test case) +// START BASICS +type Seq T; + +function Seq#Length(Seq T): int; +axiom (forall s: Seq T :: { Seq#Length(s) } 0 <= Seq#Length(s)); + +function Seq#Empty(): Seq T; +axiom (forall :: Seq#Length(Seq#Empty(): Seq T) == 0); +axiom (forall s: Seq T :: { Seq#Length(s) } Seq#Length(s) == 0 ==> s == Seq#Empty()); + +function Seq#Singleton(T): Seq T; +//axiom (forall t: T :: { Seq#Length(Seq#Singleton(t)) } Seq#Length(Seq#Singleton(t)) == 1);// (diff 2 (old)) +axiom (forall t: T :: { Seq#Singleton(t) } Seq#Length(Seq#Singleton(t)) == 1);// (diff 2: changed trigger) + +function Seq#Append(Seq T, Seq T): Seq T; +axiom (forall s0: Seq T, s1: Seq T :: { Seq#Length(Seq#Append(s0,s1)) } +s0 != Seq#Empty() && s1 != Seq#Empty() ==> //diff 11: consider removing constraints + Seq#Length(Seq#Append(s0,s1)) == Seq#Length(s0) + Seq#Length(s1)); + +//axiom (forall s: Seq T :: { Seq#Append(Seq#Empty(),s) } Seq#Append(Seq#Empty(),s) == s); // (diff 11: switched to double-quantified version) +//axiom (forall s: Seq T :: { Seq#Append(s,Seq#Empty()) } Seq#Append(s,Seq#Empty()) == s); // (diff 11: switched to double-quantified version) +axiom (forall s0: Seq T, s1: Seq T :: { Seq#Append(s0,s1) } (s0 == Seq#Empty() ==> Seq#Append(s0,s1) == s1) && (s1 == Seq#Empty() ==> Seq#Append(s0,s1) == s0)); // diff 11: switched to double-quantified version + +function Seq#Index(Seq T, int): T; +//axiom (forall t: T :: { Seq#Index(Seq#Singleton(t), 0) } Seq#Index(Seq#Singleton(t), 0) == t); // (diff 2 (old)) +axiom (forall t: T :: { Seq#Singleton(t) } Seq#Index(Seq#Singleton(t), 0) == t); // (diff 2: changed trigger) + +// END BASICS + +// START INDEX-APPEND-UPDATE + +// extra addition function used to force equalities into the e-graph +function Seq#Add(int, int) : int; +axiom (forall i: int, j: int :: {Seq#Add(i,j)} Seq#Add(i,j) == i + j); +function Seq#Sub(int, int) : int; +axiom (forall i: int, j: int :: {Seq#Sub(i,j)} Seq#Sub(i,j) == i - j); + +// (diff 3 (old)) +//axiom (forall s0: Seq T, s1: Seq T, n: int :: { Seq#Index(Seq#Append(s0,s1), n) } // {:weight 25} // AS: dropped weight +// s0 != Seq#Empty() && s1 != Seq#Empty() ==> +// ((n < Seq#Length(s0) ==> Seq#Index(Seq#Append(s0,s1), n) == Seq#Index(s0, n)) && +// (Seq#Length(s0) <= n ==> Seq#Index(Seq#Append(s0,s1), n) == Seq#Index(s1, n - Seq#Length(s0))))); + +// (diff 3: split axiom, added constraints, replace arithmetic) // diff 11: consider removing constraints +axiom (forall s0: Seq T, s1: Seq T, n: int :: { Seq#Index(Seq#Append(s0,s1), n) } { Seq#Index(s0, n), Seq#Append(s0,s1) } // AS: added alternative trigger + (s0 != Seq#Empty() && s1 != Seq#Empty() && 0 <= n && n < Seq#Length(s0) ==> Seq#Index(Seq#Append(s0,s1), n) == Seq#Index(s0, n))); +axiom (forall s0: Seq T, s1: Seq T, n: int :: { Seq#Index(Seq#Append(s0,s1), n) } // term below breaks loops + s0 != Seq#Empty() && s1 != Seq#Empty() && Seq#Length(s0) <= n && n < Seq#Length(Seq#Append(s0,s1)) ==> Seq#Add(Seq#Sub(n,Seq#Length(s0)),Seq#Length(s0)) == n && Seq#Index(Seq#Append(s0,s1), n) == Seq#Index(s1, Seq#Sub(n,Seq#Length(s0)))); +// AS: added "reverse triggering" versions of the axioms +axiom (forall s0: Seq T, s1: Seq T, m: int :: { Seq#Index(s1, m), Seq#Append(s0,s1)} // m == n-|s0|, n == m + |s0| + s0 != Seq#Empty() && s1 != Seq#Empty() && 0 <= m && m < Seq#Length(s1) ==> Seq#Sub(Seq#Add(m,Seq#Length(s0)),Seq#Length(s0)) == m && Seq#Index(Seq#Append(s0,s1), Seq#Add(m,Seq#Length(s0))) == Seq#Index(s1, m)); + +function Seq#Update(Seq T, int, T): Seq T; +axiom (forall s: Seq T, i: int, v: T :: { Seq#Length(Seq#Update(s,i,v)) } {Seq#Length(s),Seq#Update(s,i,v)} // (diff 4: added trigger) + 0 <= i && i < Seq#Length(s) ==> Seq#Length(Seq#Update(s,i,v)) == Seq#Length(s)); +axiom (forall s: Seq T, i: int, v: T, n: int :: { Seq#Index(Seq#Update(s,i,v),n) } { Seq#Index(s,n), Seq#Update(s,i,v) } // (diff 4: added trigger) + 0 <= n && n < Seq#Length(s) ==> + (i == n ==> Seq#Index(Seq#Update(s,i,v),n) == v) && + (i != n ==> Seq#Index(Seq#Update(s,i,v),n) == Seq#Index(s,n))); + +// END INDEX-APPEND-UPDATE + +// START TAKE/DROP + +function Seq#Take(s: Seq T, howMany: int): Seq T; +// AS: added triggers +axiom (forall s: Seq T, n: int :: { Seq#Length(Seq#Take(s,n)) } { Seq#Take(s,n), Seq#Length(s)} // (diff 7: add trigger) + (0 <= n ==> + (n <= Seq#Length(s) ==> Seq#Length(Seq#Take(s,n)) == n) && + (Seq#Length(s) < n ==> Seq#Length(Seq#Take(s,n)) == Seq#Length(s))) + && + (n < 0 ==> Seq#Length(Seq#Take(s,n)) == 0)); // (diff 7: added case for n < 0) + +// ** AS: 2nd of 3 axioms which get instantiated very often in certain problems involving take/drop/append +axiom (forall s: Seq T, n: int, j: int :: { Seq#Index(Seq#Take(s,n), j) } {Seq#Index(s,j), Seq#Take(s,n)} // (diff 0: (was already done)) : add trigger // {:weight 25} // AS: dropped weight + 0 <= j && j < n && j < Seq#Length(s) ==> + Seq#Index(Seq#Take(s,n), j) == Seq#Index(s, j)); + +function Seq#Drop(s: Seq T, howMany: int): Seq T; +axiom (forall s: Seq T, n: int :: { Seq#Length(Seq#Drop(s,n)) } {Seq#Length(s), Seq#Drop(s,n)} // (diff 5: added trigger, exchange arithmetic) + (0 <= n ==> + (n <= Seq#Length(s) ==> Seq#Length(Seq#Drop(s,n)) == Seq#Length(s) - n) && + (Seq#Length(s) < n ==> Seq#Length(Seq#Drop(s,n)) == 0)) + && + (n < 0 ==> Seq#Length(Seq#Drop(s,n)) == Seq#Length(s)) // (diff 7: added cases for n < 0) + ); + +// ** AS: 3rd of 3 axioms which get instantiated very often in certain problems involving take/drop/append +// diff 5 (old) +//axiom (forall s: Seq T, n: int, j: int :: { Seq#Index(Seq#Drop(s,n), j) } // {:weight 25} // AS: dropped weight +// 0 <= n && 0 <= j && j < Seq#Length(s)-n ==> +// Seq#Index(Seq#Drop(s,n), j) == Seq#Index(s, j+n)); +// +// diff already added // diff -1: try removing this axiom and checking effect +//axiom (forall s: Seq T, n: int, k: int :: { Seq#Drop(s,n), Seq#Index(s,k) } // AS: alternative triggering for above axiom +// 0 <= n && n <= k && k < Seq#Length(s) ==> +// Seq#Index(Seq#Drop(s,n), k-n) == Seq#Index(s, k)); + +// diff 5: split axiom, added triggering case, exhanged arithmetic + +axiom (forall s: Seq T, n: int, j: int :: { Seq#Index(Seq#Drop(s,n), j) } // {:weight 25} // AS: dropped weight + 0 < n && 0 <= j && j < Seq#Length(s)-n ==> // diff 14: change 0 <= n to 0 < n + Seq#Sub(Seq#Add(j,n),n) == j && Seq#Index(Seq#Drop(s,n), j) == Seq#Index(s, Seq#Add(j,n))); + +axiom (forall s: Seq T, n: int, i: int :: { Seq#Drop(s,n), Seq#Index(s,i) } + 0 < n && n <= i && i < Seq#Length(s) ==> // diff 14: change 0 <= n to 0 < n + Seq#Add(Seq#Sub(i,n),n) == i && Seq#Index(Seq#Drop(s,n), Seq#Sub(i,n)) == Seq#Index(s, i)); // i = j + n, j = i - n + +// (diff 6a: add axioms for the 0 > n case) +//axiom (forall s: Seq T, n: int, j: int :: { Seq#Index(Seq#Drop(s,n), j) } // {:weight 25} // AS: dropped weight +// n <= 0 && 0 <= j && j < Seq#Length(s) ==> // diff 14: change n < 0 to n <= 0 +// Seq#Index(Seq#Drop(s,n), j) == Seq#Index(s, j)); + +// (diff 6a: add axioms for the 0 > n case) +//axiom (forall s: Seq T, n: int, i: int :: { Seq#Drop(s,n), Seq#Index(s,i) } +// n <= 0 && 0 <= i && i < Seq#Length(s) ==> // diff 14: change n < 0 to n <= 0 +// Seq#Index(Seq#Drop(s,n), i) == Seq#Index(s, i)); // i = j + n, j = i - n + +// ** AS: We dropped the weak trigger on this axiom. One option is to strengthen the triggers: +//axiom (forall s, t: Seq T :: +// // { Seq#Append(s, t) } +// {Seq#Take(Seq#Append(s, t), Seq#Length(s))}{Seq#Drop(Seq#Append(s, t), Seq#Length(s))} +// Seq#Take(Seq#Append(s, t), Seq#Length(s)) == s && +// Seq#Drop(Seq#Append(s, t), Seq#Length(s)) == t); + +// ** AS: another option is to split the axiom (for some reason, this seems in some cases to perform slightly less well (but this could be random): +//axiom (forall s, t: Seq T :: +// { Seq#Take(Seq#Append(s, t), Seq#Length(s)) } +// Seq#Take(Seq#Append(s, t), Seq#Length(s)) == s); + +//axiom (forall s, t: Seq T :: +// { Seq#Drop(Seq#Append(s, t), Seq#Length(s)) } +// Seq#Drop(Seq#Append(s, t), Seq#Length(s)) == t); + +// (diff 6b: remove these?) +/* Removed: at present, Carbon doesn't generate Seq#Update (but desugars via take/drop/append) +// Commutability of Take and Drop with Update. +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Take(Seq#Update(s, i, v), n) } +// 0 <= i && i < n && n < Seq#Length(s) ==> Seq#Take(Seq#Update(s, i, v), n) == Seq#Update(Seq#Take(s, n), i, v) ); + 0 <= i && i < n && i < Seq#Length(s) ==> Seq#Take(Seq#Update(s, i, v), n) == Seq#Update(Seq#Take(s, n), i, v) ); +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Take(Seq#Update(s, i, v), n) } + n <= i && i < Seq#Length(s) ==> Seq#Take(Seq#Update(s, i, v), n) == Seq#Take(s, n)); +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Drop(Seq#Update(s, i, v), n) } +// 0 <= n && n <= i && i < Seq#Length(s) ==> Seq#Drop(Seq#Update(s, i, v), n) == Seq#Update(Seq#Drop(s, n), i-n, v) ); + 0 <= i && n <=i && i < Seq#Length(s) ==> Seq#Drop(Seq#Update(s, i, v), n) == Seq#Update(Seq#Drop(s, n), i-n, v) ); +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Drop(Seq#Update(s, i, v), n) } +// 0 <= i && i < n && n < Seq#Length(s) ==> Seq#Drop(Seq#Update(s, i, v), n) == Seq#Drop(s, n)); + 0 <= i && i < n && i < Seq#Length(s) ==> Seq#Drop(Seq#Update(s, i, v), n) == Seq#Drop(s, n)); +*/ + +axiom (forall s: Seq T, t: Seq T, n:int :: + { Seq#Take(Seq#Append(s,t),n) } //{Seq#Append(s,t), Seq#Take(s,n)} // diff 16: temporarily dropped general case of these + 0 < n && n <= Seq#Length(s) ==> Seq#Take(Seq#Append(s,t),n) == Seq#Take(s,n)); + +axiom (forall s: Seq T, t: Seq T, n:int :: + { Seq#Take(Seq#Append(s,t),n) } + n > 0 && n > Seq#Length(s) ==> Seq#Add(Seq#Sub(n,Seq#Length(s)),Seq#Length(s)) == n && Seq#Take(Seq#Append(s,t),n) == Seq#Append(s,Seq#Take(t,Seq#Sub(n,Seq#Length(s))))); + +// diff 16: temporarily dropped general case of these +//axiom (forall s: Seq T, t: Seq T, m:int :: +// { Seq#Append(s,Seq#Take(t,m)) } //{Seq#Append(s,t), Seq#Take(t,m)} // diff 16: temporarily dropped general case of these // reverse triggering version of above: m = n - |s|, n = m + |s| +// m > 0 ==> Seq#Sub(Seq#Add(m,Seq#Length(s)),Seq#Length(s)) == m && Seq#Take(Seq#Append(s,t),Seq#Add(m,Seq#Length(s))) == Seq#Append(s,Seq#Take(t,m))); + +axiom (forall s: Seq T, t: Seq T, n:int :: + { Seq#Drop(Seq#Append(s,t),n) } //{Seq#Append(s,t), Seq#Drop(s,n)} // diff 16: temporarily dropped general case of these + 0 Seq#Drop(Seq#Append(s,t),n) == Seq#Append(Seq#Drop(s,n),t)); + +axiom (forall s: Seq T, t: Seq T, n:int :: + { Seq#Drop(Seq#Append(s,t),n) } + n > 0 && n > Seq#Length(s) ==> Seq#Add(Seq#Sub(n,Seq#Length(s)),Seq#Length(s)) == n && Seq#Drop(Seq#Append(s,t),n) == Seq#Drop(t,Seq#Sub(n,Seq#Length(s)))); + +// diff 16: temporarily dropped general case of these +//axiom (forall s: Seq T, t: Seq T, m:int :: +// { Seq#Append(s,t),Seq#Drop(t,m) } // reverse triggering version of above: m = n - |s|, n = m + |s| +// m > 0 ==> Seq#Sub(Seq#Add(m,Seq#Length(s)),Seq#Length(s)) == m && Seq#Drop(Seq#Append(s,t),Seq#Add(m,Seq#Length(s))) == Seq#Drop(t,m)); + +// Additional axioms about common things +axiom (forall s: Seq T, n: int :: { Seq#Drop(s, n) } // ** NEW + n <= 0 ==> Seq#Drop(s, n) == s); // (diff 1: try changing n==0 to n<=0 (should be ok)) +axiom (forall s: Seq T, n: int :: { Seq#Take(s, n) } // ** NEW + n <= 0 ==> Seq#Take(s, n) == Seq#Empty()); // (diff 1: try changing n==0 to n<=0 (should be ok)) +// diff 13: remove this? +//axiom (forall s: Seq T, m, n: int :: { Seq#Drop(Seq#Drop(s, m), n) } // ** NEW - AS: could have bad triggering behaviour? +// 0 <= m && 0 <= n && m+n <= Seq#Length(s) ==> +// Seq#Sub(Seq#Add(m,n),n) == m && Seq#Drop(Seq#Drop(s, m), n) == Seq#Drop(s, Seq#Add(m,n))); + +// END TAKE/DROP + +// START CONTAINS +// diff 8: skolemisation (old) +function Seq#Contains(Seq T, T): bool; +function Seq#ContainsTrigger(Seq T, T): bool; // usages of Contains inside quantifier triggers are replaced with this +function Seq#Skolem(Seq T, T) : int; // skolem function for Seq#Contains // (diff 8: added) +axiom (forall s: Seq T, x: T :: { Seq#Contains(s,x) } + Seq#Contains(s,x) ==> + (0 <= Seq#Skolem(s,x) && Seq#Skolem(s,x) < Seq#Length(s) && Seq#Index(s,Seq#Skolem(s,x)) == x)); // (diff 8: skolem function) +axiom (forall s: Seq T, x: T, i:int :: { Seq#Contains(s,x), Seq#Index(s,i) } // only trigger if interested in the Contains term + (0 <= i && i < Seq#Length(s) && Seq#Index(s,i) == x ==> Seq#Contains(s,x))); +axiom (forall s: Seq T, i:int :: { Seq#Index(s,i) } + (0 <= i && i < Seq#Length(s) ==> Seq#ContainsTrigger(s,Seq#Index(s,i)))); +// ** AS: made one change here - changed type of x from ref to T +/*axiom (forall x: T :: + { Seq#Contains(Seq#Empty(), x) } + !Seq#Contains(Seq#Empty(), x)); +axiom (forall s0: Seq T, s1: Seq T, x: T :: + { Seq#Contains(Seq#Append(s0, s1), x) } + Seq#Contains(Seq#Append(s0, s1), x) <==> + Seq#Contains(s0, x) || Seq#Contains(s1, x)); + +axiom (forall s: Seq T, n: int, x: T :: + { Seq#Contains(Seq#Take(s, n), x) } + Seq#Contains(Seq#Take(s, n), x) <==> + (exists i: int :: { Seq#Index(s, i) } + 0 <= i && i < n && i < Seq#Length(s) && Seq#Index(s, i) == x)); +axiom (forall s: Seq T, n: int, x: T :: + { Seq#Contains(Seq#Drop(s, n), x) } + Seq#Contains(Seq#Drop(s, n), x) <==> + (exists i: int :: { Seq#Index(s, i) } + 0 <= n && n <= i && i < Seq#Length(s) && Seq#Index(s, i) == x)); +*/ +// diff 8: skolemisation (new) +/* +function Seq#Skolem(Seq T, T) : int; // skolem function for Seq#Contains +function Seq#SkolemContainsDrop(Seq T, int, T) : int; // skolem function for Seq#Contains over drop +function Seq#SkolemContainsTake(Seq T, int, T) : int; // skolem function for Seq#Contains over take + +function Seq#Contains(Seq T, T): bool; +axiom (forall s: Seq T, x: T :: { Seq#Contains(s,x) } + Seq#Contains(s,x) ==> s != Seq#Empty() && Seq#Length(s) > 0 && 0 <= Seq#Skolem(s,x) && + Seq#Skolem(s,x) < Seq#Length(s) && Seq#Index(s,Seq#Skolem(s,x)) == x); + +// AS: note: this is an unusual axiom, but is basically the original +// Consider writing a version without the (precise) first trigger? Also see later versions +axiom (forall s: Seq T, x: T, i:int :: { Seq#Contains(s,x), Seq#Index(s,i) } + 0 <= i && i < Seq#Length(s) && Seq#Index(s,i) == x ==> Seq#Contains(s,x)); + +// ** AS: made one change here - changed type of x from ref to T +axiom (forall x: T :: + { Seq#Contains(Seq#Empty(), x) } + !Seq#Contains(Seq#Empty(), x)); + +// AS: Consider dropping this axiom? +axiom (forall s0: Seq T, s1: Seq T, x: T :: + { Seq#Contains(Seq#Append(s0, s1), x) } { Seq#Contains(s0,x), Seq#Append(s0,s1)} { Seq#Contains(s1,x), Seq#Append(s0,s1)} // AS: added triggers + Seq#Contains(Seq#Append(s0, s1), x) <==> + Seq#Contains(s0, x) || Seq#Contains(s1, x)); + +// AS: split axioms +axiom (forall s: Seq T, n: int, x: T :: + { Seq#Contains(Seq#Take(s, n), x) } + Seq#Contains(Seq#Take(s, n), x) ==> + (Seq#Take(s, n) != Seq#Empty() && Seq#Length(Seq#Take(s, n)) > 0 && + 0 <= Seq#SkolemContainsTake(s, n, x) && Seq#SkolemContainsTake(s, n, x) < n && + Seq#SkolemContainsTake(s, n, x) < Seq#Length(s) && + Seq#Index(s, Seq#SkolemContainsTake(s, n, x)) == x)); + +axiom (forall s: Seq T, n: int, x: T, i:int :: + { Seq#Contains(Seq#Take(s, n), x), Seq#Index(s, i) } + 0 <= i && i < n && i < Seq#Length(s) && Seq#Index(s, i) == x ==> + Seq#Contains(Seq#Take(s, n), x)); + +// AS: split axioms +axiom (forall s: Seq T, n: int, x: T :: + { Seq#Contains(Seq#Drop(s, n), x) } + Seq#Contains(Seq#Drop(s, n), x) ==> + ( 0 <= Seq#SkolemContainsDrop(s, n, x) && n <= Seq#SkolemContainsDrop(s, n, x) && + Seq#SkolemContainsDrop(s, n, x) < Seq#Length(s) && + Seq#Index(s, Seq#SkolemContainsDrop(s, n, x)) == x)); + +axiom (forall s: Seq T, n: int, x: T, i:int :: + { Seq#Contains(Seq#Drop(s, n), x), Seq#Index(s, i) } + 0 <= n && n <= i && i < Seq#Length(s) && Seq#Index(s, i) == x ==> + Seq#Contains(Seq#Drop(s, n), x)); +*/ + +// END CONTAINS + +// START EQUALS + +// diff 9 : skolemise equals (old) +function Seq#Equal(Seq T, Seq T): bool; +/*axiom (forall s0: Seq T, s1: Seq T :: { Seq#Equal(s0,s1) } + Seq#Equal(s0,s1) <==> + Seq#Length(s0) == Seq#Length(s1) && + (forall j: int :: { Seq#Index(s0,j) } { Seq#Index(s1,j) } + 0 <= j && j < Seq#Length(s0) ==> Seq#Index(s0,j) == Seq#Index(s1,j))); + +axiom (forall a: Seq T, b: Seq T :: { Seq#Equal(a,b) } // extensionality axiom for sequences + Seq#Equal(a,b) ==> a == b); +*/ +// diff 9: skolemise equals (new) +// AS: split axiom +axiom (forall s0: Seq T, s1: Seq T :: { Seq#Equal(s0,s1) } + Seq#Equal(s0,s1) ==> + Seq#Length(s0) == Seq#Length(s1) && + (forall j: int :: { Seq#Index(s0,j) } { Seq#Index(s1,j) } + 0 <= j && j < Seq#Length(s0) ==> Seq#Index(s0,j) == Seq#Index(s1,j))); + +function Seq#SkolemDiff(Seq T, Seq T) : int; // skolem function for Seq#Equals + +axiom (forall s0: Seq T, s1: Seq T :: { Seq#Equal(s0,s1) } + (s0==s1 && Seq#Equal(s0,s1)) || (s0!=s1 && !Seq#Equal(s0,s1) && Seq#Length(s0) != Seq#Length(s1)) || + (s0 != s1 && !Seq#Equal(s0,s1) && Seq#Length(s0) == Seq#Length(s1) && Seq#SkolemDiff(s0,s1) == Seq#SkolemDiff(s1,s0) && 0 <= Seq#SkolemDiff(s0,s1) && Seq#SkolemDiff(s0,s1) < Seq#Length(s0) && + Seq#Index(s0,Seq#SkolemDiff(s0,s1)) != Seq#Index(s1,Seq#SkolemDiff(s0,s1)))); + +axiom (forall a: Seq T, b: Seq T :: { Seq#Equal(a,b) } // extensionality axiom for sequences + Seq#Equal(a,b) ==> a == b); + + +// END EQUALS + + +// START EXTRAS + +// extra stuff not in current Dafny Prelude + +// diff 10: variant of trigger (maybe drop these?) +// old: +axiom (forall x, y: T :: + { Seq#Contains(Seq#Singleton(x),y) } + Seq#Contains(Seq#Singleton(x),y) <==> x==y); +// new: +/*axiom (forall x, y: T :: + { Seq#Contains(Seq#Singleton(x),y) } + Seq#Contains(Seq#Singleton(x),y) ==> x==y); + +axiom (forall x: T :: + { Seq#Singleton(x) } + Seq#Contains(Seq#Singleton(x),x)); +*/ + +function Seq#Range(min: int, max: int) returns (Seq int); +axiom (forall min: int, max: int :: { Seq#Length(Seq#Range(min, max)) } (min < max ==> Seq#Length(Seq#Range(min, max)) == max-min) && (max <= min ==> Seq#Length(Seq#Range(min, max)) == 0)); +axiom (forall min: int, max: int, j: int :: { Seq#Index(Seq#Range(min, max), j) } 0<=j && j Seq#Index(Seq#Range(min, max), j) == min + j); + +axiom (forall min: int, max: int, v: int :: {Seq#Contains(Seq#Range(min, max),v)} + (Seq#Contains(Seq#Range(min, max),v) <==> min <= v && v < max)); + +// END EXTRAS + + +// ================================================== +// Translation of method binary_search +// ================================================== + +procedure binary_search(xs: (Seq int), key: int) returns (index: int) + modifies Heap, Mask; +{ + var i: int; + var j: int; + var PostHeap: HeapType; + var PostMask: MaskType; + var i_2: int; + var low: int; + var high: int; + var i_6: int; + var i_4: int; + var loopHeap: HeapType; + var loopMask: MaskType; + var mid: int; + var i_11: int; + var i_4_1: int; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + + // -- Checked inhaling of precondition + + // -- Check definedness of (forall i: Int, j: Int :: { xs[i], xs[j] } 0 <= i && (j < |xs| && i < j) ==> xs[i] < xs[j]) + if (*) { + if (0 <= i && (j < Seq#Length(xs) && i < j)) { + assert {:msg " Contract might not be well-formed. Index xs[i] into xs might be negative. (binary-search-seq.vpr@7.13--7.83) [112]"} + i >= 0; + assert {:msg " Contract might not be well-formed. Index xs[i] into xs might exceed sequence length. (binary-search-seq.vpr@7.13--7.83) [113]"} + i < Seq#Length(xs); + assert {:msg " Contract might not be well-formed. Index xs[j] into xs might be negative. (binary-search-seq.vpr@7.13--7.83) [114]"} + j >= 0; + assert {:msg " Contract might not be well-formed. Index xs[j] into xs might exceed sequence length. (binary-search-seq.vpr@7.13--7.83) [115]"} + j < Seq#Length(xs); + } + assume false; + } + assume (forall i_1: int, j_1: int :: + { Seq#Index(xs, i_1), Seq#Index(xs, j_1) } + 0 <= i_1 && (j_1 < Seq#Length(xs) && i_1 < j_1) ==> Seq#Index(xs, i_1) < Seq#Index(xs, j_1) + ); + assume state(Heap, Mask); + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + PostHeap := Heap; + PostMask := Mask; + havoc PostHeap; + PostMask := ZeroMask; + assume state(PostHeap, PostMask); + if (*) { + // Checked inhaling of postcondition to check definedness + assume -1 <= index; + assume index < Seq#Length(xs); + assume state(PostHeap, PostMask); + if (0 <= index) { + + // -- Check definedness of xs[index] == key + assert {:msg " Contract might not be well-formed. Index xs[index] into xs might be negative. (binary-search-seq.vpr@9.12--9.43) [116]"} + index >= 0; + assert {:msg " Contract might not be well-formed. Index xs[index] into xs might exceed sequence length. (binary-search-seq.vpr@9.12--9.43) [117]"} + index < Seq#Length(xs); + assume Seq#Index(xs, index) == key; + } + assume state(PostHeap, PostMask); + if (-1 == index) { + + // -- Check definedness of (forall i: Int :: { xs[i] } 0 <= i && i < |xs| ==> xs[i] != key) + if (*) { + if (0 <= i_2 && i_2 < Seq#Length(xs)) { + assert {:msg " Contract might not be well-formed. Index xs[i] into xs might be negative. (binary-search-seq.vpr@10.12--10.82) [118]"} + i_2 >= 0; + assert {:msg " Contract might not be well-formed. Index xs[i] into xs might exceed sequence length. (binary-search-seq.vpr@10.12--10.82) [119]"} + i_2 < Seq#Length(xs); + } + assume false; + } + assume (forall i_3: int :: + { Seq#Index(xs, i_3) } + 0 <= i_3 && i_3 < Seq#Length(xs) ==> Seq#Index(xs, i_3) != key + ); + } + assume state(PostHeap, PostMask); + // Stop execution + assume false; + } + + // -- Translating statement: low := 0 -- binary-search-seq.vpr@12.3--12.20 + low := 0; + assume state(Heap, Mask); + + // -- Translating statement: high := |xs| -- binary-search-seq.vpr@13.3--13.24 + high := Seq#Length(xs); + assume state(Heap, Mask); + + // -- Translating statement: index := -1 -- binary-search-seq.vpr@14.3--14.14 + index := -1; + assume state(Heap, Mask); + + // -- Translating statement: while (low < high && index == -1) -- binary-search-seq.vpr@16.3--33.4 + + // -- Before loop head + + // -- Exhale loop invariant before loop + assert {:msg " Loop invariant 0 <= low && (low <= high && high <= |xs|) might not hold on entry. Assertion 0 <= low might not hold. (binary-search-seq.vpr@17.17--17.56) [120]"} + 0 <= low; + assert {:msg " Loop invariant 0 <= low && (low <= high && high <= |xs|) might not hold on entry. Assertion low <= high might not hold. (binary-search-seq.vpr@17.17--17.56) [121]"} + low <= high; + assert {:msg " Loop invariant 0 <= low && (low <= high && high <= |xs|) might not hold on entry. Assertion high <= |xs| might not hold. (binary-search-seq.vpr@17.17--17.56) [122]"} + high <= Seq#Length(xs); + if (index == -1) { + if (*) { + if (0 <= i_6 && (i_6 < Seq#Length(xs) && !(low <= i_6 && i_6 < high))) { + assert {:msg " Loop invariant index == -1 ==> (forall i: Int :: { xs[i] } 0 <= i && (i < |xs| && !(low <= i && i < high)) ==> xs[i] != key) might not hold on entry. Assertion xs[i] != key might not hold. (binary-search-seq.vpr@18.17--18.114) [123]"} + Seq#Index(xs, i_6) != key; + } + assume false; + } + assume (forall i_7_1: int :: + { Seq#Index(xs, i_7_1) } + 0 <= i_7_1 && (i_7_1 < Seq#Length(xs) && !(low <= i_7_1 && i_7_1 < high)) ==> Seq#Index(xs, i_7_1) != key + ); + } + assert {:msg " Loop invariant -1 <= index && index < |xs| might not hold on entry. Assertion -1 <= index might not hold. (binary-search-seq.vpr@19.17--19.44) [124]"} + -1 <= index; + assert {:msg " Loop invariant -1 <= index && index < |xs| might not hold on entry. Assertion index < |xs| might not hold. (binary-search-seq.vpr@19.17--19.44) [125]"} + index < Seq#Length(xs); + if (0 <= index) { + assert {:msg " Loop invariant 0 <= index ==> xs[index] == key might not hold on entry. Assertion xs[index] == key might not hold. (binary-search-seq.vpr@20.17--20.48) [126]"} + Seq#Index(xs, index) == key; + } + + // -- Havoc loop written variables (except locals) + havoc high, index, low; + + // -- Check definedness of invariant + if (*) { + assume 0 <= low; + assume low <= high; + assume high <= Seq#Length(xs); + assume state(Heap, Mask); + if (index == -1) { + + // -- Check definedness of (forall i: Int :: { xs[i] } 0 <= i && (i < |xs| && !(low <= i && i < high)) ==> xs[i] != key) + if (*) { + if (0 <= i_4 && (i_4 < Seq#Length(xs) && !(low <= i_4 && i_4 < high))) { + assert {:msg " Contract might not be well-formed. Index xs[i] into xs might be negative. (binary-search-seq.vpr@18.17--18.114) [127]"} + i_4 >= 0; + assert {:msg " Contract might not be well-formed. Index xs[i] into xs might exceed sequence length. (binary-search-seq.vpr@18.17--18.114) [128]"} + i_4 < Seq#Length(xs); + } + assume false; + } + assume (forall i_9: int :: + { Seq#Index(xs, i_9) } + 0 <= i_9 && (i_9 < Seq#Length(xs) && !(low <= i_9 && i_9 < high)) ==> Seq#Index(xs, i_9) != key + ); + } + assume state(Heap, Mask); + assume -1 <= index; + assume index < Seq#Length(xs); + assume state(Heap, Mask); + if (0 <= index) { + + // -- Check definedness of xs[index] == key + assert {:msg " Contract might not be well-formed. Index xs[index] into xs might be negative. (binary-search-seq.vpr@20.17--20.48) [129]"} + index >= 0; + assert {:msg " Contract might not be well-formed. Index xs[index] into xs might exceed sequence length. (binary-search-seq.vpr@20.17--20.48) [130]"} + index < Seq#Length(xs); + assume Seq#Index(xs, index) == key; + } + assume state(Heap, Mask); + assume false; + } + + // -- Check the loop body + if (*) { + // Reset state + loopHeap := Heap; + loopMask := Mask; + Mask := ZeroMask; + assume state(Heap, Mask); + // Inhale invariant + assume 0 <= low; + assume low <= high; + assume high <= Seq#Length(xs); + if (index == -1) { + assume (forall i_10: int :: + { Seq#Index(xs, i_10) } + 0 <= i_10 && (i_10 < Seq#Length(xs) && !(low <= i_10 && i_10 < high)) ==> Seq#Index(xs, i_10) != key + ); + } + assume -1 <= index; + assume index < Seq#Length(xs); + if (0 <= index) { + assume Seq#Index(xs, index) == key; + } + assume state(Heap, Mask); + // Check and assume guard + assume low < high && index == -1; + assume state(Heap, Mask); + + // -- Translate loop body + + // -- Translating statement: mid := (low + high) / 2 -- binary-search-seq.vpr@22.5--22.37 + mid := (low + high) div 2; + assume state(Heap, Mask); + + // -- Translating statement: if (xs[mid] < key) -- binary-search-seq.vpr@23.5--32.6 + + // -- Check definedness of xs[mid] < key + assert {:msg " Conditional statement might fail. Index xs[mid] into xs might be negative. (binary-search-seq.vpr@23.9--23.22) [131]"} + mid >= 0; + assert {:msg " Conditional statement might fail. Index xs[mid] into xs might exceed sequence length. (binary-search-seq.vpr@23.9--23.22) [132]"} + mid < Seq#Length(xs); + if (Seq#Index(xs, mid) < key) { + + // -- Translating statement: low := mid + 1 -- binary-search-seq.vpr@24.7--24.21 + low := mid + 1; + assume state(Heap, Mask); + } else { + + // -- Translating statement: if (key < xs[mid]) -- binary-search-seq.vpr@26.7--31.8 + + // -- Check definedness of key < xs[mid] + assert {:msg " Conditional statement might fail. Index xs[mid] into xs might be negative. (binary-search-seq.vpr@26.11--26.24) [133]"} + mid >= 0; + assert {:msg " Conditional statement might fail. Index xs[mid] into xs might exceed sequence length. (binary-search-seq.vpr@26.11--26.24) [134]"} + mid < Seq#Length(xs); + if (key < Seq#Index(xs, mid)) { + + // -- Translating statement: high := mid -- binary-search-seq.vpr@27.10--27.21 + high := mid; + assume state(Heap, Mask); + } else { + + // -- Translating statement: index := mid -- binary-search-seq.vpr@29.9--29.21 + index := mid; + assume state(Heap, Mask); + + // -- Translating statement: high := mid -- binary-search-seq.vpr@30.9--30.20 + high := mid; + assume state(Heap, Mask); + } + assume state(Heap, Mask); + } + assume state(Heap, Mask); + // Exhale invariant + assert {:msg " Loop invariant 0 <= low && (low <= high && high <= |xs|) might not be preserved. Assertion 0 <= low might not hold. (binary-search-seq.vpr@17.17--17.56) [135]"} + 0 <= low; + assert {:msg " Loop invariant 0 <= low && (low <= high && high <= |xs|) might not be preserved. Assertion low <= high might not hold. (binary-search-seq.vpr@17.17--17.56) [136]"} + low <= high; + assert {:msg " Loop invariant 0 <= low && (low <= high && high <= |xs|) might not be preserved. Assertion high <= |xs| might not hold. (binary-search-seq.vpr@17.17--17.56) [137]"} + high <= Seq#Length(xs); + if (index == -1) { + if (*) { + if (0 <= i_11 && (i_11 < Seq#Length(xs) && !(low <= i_11 && i_11 < high))) { + assert {:msg " Loop invariant index == -1 ==> (forall i: Int :: { xs[i] } 0 <= i && (i < |xs| && !(low <= i && i < high)) ==> xs[i] != key) might not be preserved. Assertion xs[i] != key might not hold. (binary-search-seq.vpr@18.17--18.114) [138]"} + Seq#Index(xs, i_11) != key; + } + assume false; + } + assume (forall i_12_1: int :: + { Seq#Index(xs, i_12_1) } + 0 <= i_12_1 && (i_12_1 < Seq#Length(xs) && !(low <= i_12_1 && i_12_1 < high)) ==> Seq#Index(xs, i_12_1) != key + ); + } + assert {:msg " Loop invariant -1 <= index && index < |xs| might not be preserved. Assertion -1 <= index might not hold. (binary-search-seq.vpr@19.17--19.44) [139]"} + -1 <= index; + assert {:msg " Loop invariant -1 <= index && index < |xs| might not be preserved. Assertion index < |xs| might not hold. (binary-search-seq.vpr@19.17--19.44) [140]"} + index < Seq#Length(xs); + if (0 <= index) { + assert {:msg " Loop invariant 0 <= index ==> xs[index] == key might not be preserved. Assertion xs[index] == key might not hold. (binary-search-seq.vpr@20.17--20.48) [141]"} + Seq#Index(xs, index) == key; + } + // Terminate execution + assume false; + } + + // -- Inhale loop invariant after loop, and assume guard + assume !(low < high && index == -1); + assume state(Heap, Mask); + assume 0 <= low; + assume low <= high; + assume high <= Seq#Length(xs); + if (index == -1) { + assume (forall i_13: int :: + { Seq#Index(xs, i_13) } + 0 <= i_13 && (i_13 < Seq#Length(xs) && !(low <= i_13 && i_13 < high)) ==> Seq#Index(xs, i_13) != key + ); + } + assume -1 <= index; + assume index < Seq#Length(xs); + if (0 <= index) { + assume Seq#Index(xs, index) == key; + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Exhaling postcondition + assert {:msg " Postcondition of binary_search might not hold. Assertion -1 <= index might not hold. (binary-search-seq.vpr@8.12--8.39) [142]"} + -1 <= index; + assert {:msg " Postcondition of binary_search might not hold. Assertion index < |xs| might not hold. (binary-search-seq.vpr@8.12--8.39) [143]"} + index < Seq#Length(xs); + if (0 <= index) { + assert {:msg " Postcondition of binary_search might not hold. Assertion xs[index] == key might not hold. (binary-search-seq.vpr@9.12--9.43) [144]"} + Seq#Index(xs, index) == key; + } + if (-1 == index) { + if (*) { + if (0 <= i_4_1 && i_4_1 < Seq#Length(xs)) { + assert {:msg " Postcondition of binary_search might not hold. Assertion xs[i] != key might not hold. (binary-search-seq.vpr@10.12--10.82) [145]"} + Seq#Index(xs, i_4_1) != key; + } + assume false; + } + assume (forall i_5_1: int :: + { Seq#Index(xs, i_5_1) } + 0 <= i_5_1 && i_5_1 < Seq#Length(xs) ==> Seq#Index(xs, i_5_1) != key + ); + } +} diff --git a/Test/monomorphize/viper/domains.bpl b/Test/monomorphize/viper/domains.bpl new file mode 100644 index 000000000..cec4f210a --- /dev/null +++ b/Test/monomorphize/viper/domains.bpl @@ -0,0 +1,729 @@ +// RUN: %parallel-boogie /monomorphize /noVerify "%s" > "%t" + +// ================================================== +// Preamble of State module. +// ================================================== + +function state(Heap: HeapType, Mask: MaskType): bool; + +// ================================================== +// Preamble of Heap module. +// ================================================== + +type Ref; +var Heap: HeapType; +const null: Ref; +type Field A B; +type NormalField; +type HeapType = [Ref, Field A B]B; +const unique $allocated: Field NormalField bool; +axiom (forall o: Ref, f: (Field NormalField Ref), Heap: HeapType :: + { Heap[o, f] } + Heap[o, $allocated] ==> Heap[Heap[o, f], $allocated] +); +function succHeap(Heap0: HeapType, Heap1: HeapType): bool; +function succHeapTrans(Heap0: HeapType, Heap1: HeapType): bool; +function IdenticalOnKnownLocations(Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType): bool; +function IsPredicateField(f_1: (Field A B)): bool; +function IsWandField(f_1: (Field A B)): bool; +function getPredicateId(f_1: (Field A B)): int; +// Frame all locations with direct permissions +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, o_1: Ref, f_2: (Field A B) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), ExhaleHeap[o_1, f_2] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, o_1, f_2) ==> Heap[o_1, f_2] == ExhaleHeap[o_1, f_2] +); +// Frame all predicate mask locations of predicates with direct permission +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsPredicateField(pm_f), ExhaleHeap[null, PredicateMaskField(pm_f)] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsPredicateField(pm_f) ==> Heap[null, PredicateMaskField(pm_f)] == ExhaleHeap[null, PredicateMaskField(pm_f)] +); +// Frame all locations with known folded permissions +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsPredicateField(pm_f) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsPredicateField(pm_f) ==> (forall o2: Ref, f_2: (Field A B) :: + { ExhaleHeap[o2, f_2] } + Heap[null, PredicateMaskField(pm_f)][o2, f_2] ==> Heap[o2, f_2] == ExhaleHeap[o2, f_2] + ) +); +// Frame all wand mask locations of wands with direct permission +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsWandField(pm_f), ExhaleHeap[null, WandMaskField(pm_f)] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsWandField(pm_f) ==> Heap[null, WandMaskField(pm_f)] == ExhaleHeap[null, WandMaskField(pm_f)] +); +// Frame all locations in the footprint of magic wands +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsWandField(pm_f) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsWandField(pm_f) ==> (forall o2: Ref, f_2: (Field A B) :: + { ExhaleHeap[o2, f_2] } + Heap[null, WandMaskField(pm_f)][o2, f_2] ==> Heap[o2, f_2] == ExhaleHeap[o2, f_2] + ) +); +// All previously-allocated references are still allocated +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, o_1: Ref :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), ExhaleHeap[o_1, $allocated] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> Heap[o_1, $allocated] ==> ExhaleHeap[o_1, $allocated] +); +// Updated Heaps are Successor Heaps +axiom (forall Heap: HeapType, o: Ref, f_3: (Field A B), v: B :: + { Heap[o, f_3:=v] } + succHeap(Heap, Heap[o, f_3:=v]) +); +// IdenticalOnKnownLocations Heaps are Successor Heaps +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> succHeap(Heap, ExhaleHeap) +); +// Successor Heaps are Transitive Successor Heaps +axiom (forall Heap0: HeapType, Heap1: HeapType :: + { succHeap(Heap0, Heap1) } + succHeap(Heap0, Heap1) ==> succHeapTrans(Heap0, Heap1) +); +// Transitivity of Transitive Successor Heaps +axiom (forall Heap0: HeapType, Heap1: HeapType, Heap2: HeapType :: + { succHeapTrans(Heap0, Heap1), succHeap(Heap1, Heap2) } + succHeapTrans(Heap0, Heap1) && succHeap(Heap1, Heap2) ==> succHeapTrans(Heap0, Heap2) +); + +// ================================================== +// Preamble of Permission module. +// ================================================== + +type Perm = real; +type MaskType = [Ref, Field A B]Perm; +var Mask: MaskType; +const ZeroMask: MaskType; +axiom (forall o_2: Ref, f_4: (Field A B) :: + { ZeroMask[o_2, f_4] } + ZeroMask[o_2, f_4] == NoPerm +); +type PMaskType = [Ref, Field A B]bool; +const ZeroPMask: PMaskType; +axiom (forall o_2: Ref, f_4: (Field A B) :: + { ZeroPMask[o_2, f_4] } + !ZeroPMask[o_2, f_4] +); +function PredicateMaskField(f_5: (Field A FrameType)): Field A PMaskType; +function WandMaskField(f_5: (Field A FrameType)): Field A PMaskType; +const NoPerm: Perm; +axiom NoPerm == 0.000000000; +const FullPerm: Perm; +axiom FullPerm == 1.000000000; +function Perm(a: real, b: real): Perm; +function GoodMask(Mask: MaskType): bool; +axiom (forall Heap: HeapType, Mask: MaskType :: + { state(Heap, Mask) } + state(Heap, Mask) ==> GoodMask(Mask) +); +axiom (forall Mask: MaskType, o_2: Ref, f_4: (Field A B) :: + { GoodMask(Mask), Mask[o_2, f_4] } + GoodMask(Mask) ==> Mask[o_2, f_4] >= NoPerm && ((GoodMask(Mask) && !IsPredicateField(f_4)) && !IsWandField(f_4) ==> Mask[o_2, f_4] <= FullPerm) +); +function HasDirectPerm(Mask: MaskType, o_2: Ref, f_4: (Field A B)): bool; +axiom (forall Mask: MaskType, o_2: Ref, f_4: (Field A B) :: + { HasDirectPerm(Mask, o_2, f_4) } + HasDirectPerm(Mask, o_2, f_4) <==> Mask[o_2, f_4] > NoPerm +); +function sumMask(ResultMask: MaskType, SummandMask1: MaskType, SummandMask2: MaskType): bool; +axiom (forall ResultMask: MaskType, SummandMask1: MaskType, SummandMask2: MaskType, o_2: Ref, f_4: (Field A B) :: + { sumMask(ResultMask, SummandMask1, SummandMask2), ResultMask[o_2, f_4] } { sumMask(ResultMask, SummandMask1, SummandMask2), SummandMask1[o_2, f_4] } { sumMask(ResultMask, SummandMask1, SummandMask2), SummandMask2[o_2, f_4] } + sumMask(ResultMask, SummandMask1, SummandMask2) ==> ResultMask[o_2, f_4] == SummandMask1[o_2, f_4] + SummandMask2[o_2, f_4] +); + +// ================================================== +// Preamble of Function and predicate module. +// ================================================== + +// Declarations for function framing +type FrameType; +const EmptyFrame: FrameType; +function FrameFragment(t: T): FrameType; +function ConditionalFrame(p: Perm, f_6: FrameType): FrameType; +function dummyFunction(t: T): bool; +function CombineFrames(a_1: FrameType, b_1: FrameType): FrameType; +// ================================================== +// Definition of conditional frame fragments +// ================================================== + +axiom (forall p: Perm, f_6: FrameType :: + { ConditionalFrame(p, f_6) } + ConditionalFrame(p, f_6) == (if p > 0.000000000 then f_6 else EmptyFrame) +); +// Function for recording enclosure of one predicate instance in another +function InsidePredicate(p: (Field A FrameType), v_1: FrameType, q: (Field B FrameType), w: FrameType): bool; +// Transitivity of InsidePredicate +axiom (forall p: (Field A FrameType), v_1: FrameType, q: (Field B FrameType), w: FrameType, r: (Field C FrameType), u: FrameType :: + { InsidePredicate(p, v_1, q, w), InsidePredicate(q, w, r, u) } + InsidePredicate(p, v_1, q, w) && InsidePredicate(q, w, r, u) ==> InsidePredicate(p, v_1, r, u) +); +// Knowledge that two identical instances of the same predicate cannot be inside each other +axiom (forall p: (Field A FrameType), v_1: FrameType, w: FrameType :: + { InsidePredicate(p, v_1, p, w) } + !InsidePredicate(p, v_1, p, w) +); + +// ================================================== +// Translation of domain List +// ================================================== + +// The type for domain List +type ListDomainType T; + +// Translation of domain function nil +function nil(): ListDomainType T; + +// Translation of domain function cons +function cons(x: T, xs: (ListDomainType T)): ListDomainType T; + +// Translation of domain function length +function length(xs: (ListDomainType T)): int; + +// Translation of domain axiom nil_length +axiom (forall :: + + (length((nil(): ListDomainType T)): int) == 0 +); + +// Translation of domain axiom cons_length +axiom (forall x_1: T :: + + (forall xs_1: (ListDomainType T) :: + { (length((cons(x_1, xs_1): ListDomainType T)): int) } { (length(xs_1): int) } + (length((cons(x_1, xs_1): ListDomainType T)): int) == (length(xs_1): int) + 1 + ) +); + +// Translation of domain axiom nil_cons +axiom (forall z: T :: + + (forall zs: (ListDomainType T) :: + { (cons(z, zs): ListDomainType T) } + (cons(z, zs): ListDomainType T) != (nil(): ListDomainType T) + ) +); + +// ================================================== +// Translation of domain Pair +// ================================================== + +// The type for domain Pair +type PairDomainType A B; + +// Translation of domain function Pair_pair +function Pair_pair(a_2: A, b_2: B): PairDomainType A B; + +// Translation of domain function Pair_first +function Pair_first(p_1: (PairDomainType A B)): A; + +// Translation of domain function Pair_second +function Pair_second(p_1: (PairDomainType A B)): B; + +// Translation of domain axiom Pair_access_first +axiom (forall a_3: A, b_3: B :: + { (Pair_first((Pair_pair(a_3, b_3): PairDomainType A B)): A) } + (Pair_first((Pair_pair(a_3, b_3): PairDomainType A B)): A) == a_3 +); + +// Translation of domain axiom Pair_access_second +axiom (forall a_3: A, b_3: B :: + { (Pair_second((Pair_pair(a_3, b_3): PairDomainType A B)): B) } + (Pair_second((Pair_pair(a_3, b_3): PairDomainType A B)): B) == b_3 +); + +// ================================================== +// Translation of domain Triple +// ================================================== + +// The type for domain Triple +type TripleDomainType A B C; + +// Translation of domain function Triple_triple +function Triple_triple(a_2: A, b_2: B, c: C): TripleDomainType A B C; + +// Translation of domain function Triple_first +function Triple_first(t_1: (TripleDomainType A B C)): A; + +// Translation of domain function Triple_second +function Triple_second(t_1: (TripleDomainType A B C)): B; + +// Translation of domain function Triple_third +function Triple_third(t_1: (TripleDomainType A B C)): C; + +// Translation of domain function Triple_isPrefix +function Triple_isPrefix(p_1: (PairDomainType A B), t_1: (TripleDomainType A B C)): bool; + +// Translation of domain axiom Triple_access_first +axiom (forall a_3: A, b_3: B, c_1: C :: + { (Triple_first((Triple_triple(a_3, b_3, c_1): TripleDomainType A B C)): A) } + (Triple_first((Triple_triple(a_3, b_3, c_1): TripleDomainType A B C)): A) == a_3 +); + +// Translation of domain axiom Triple_access_second +axiom (forall a_3: A, b_3: B, c_1: C :: + { (Triple_second((Triple_triple(a_3, b_3, c_1): TripleDomainType A B C)): B) } + (Triple_second((Triple_triple(a_3, b_3, c_1): TripleDomainType A B C)): B) == b_3 +); + +// Translation of domain axiom Triple_access_third +axiom (forall a_3: A, b_3: B, c_1: C :: + { (Triple_third((Triple_triple(a_3, b_3, c_1): TripleDomainType A B C)): C) } + (Triple_third((Triple_triple(a_3, b_3, c_1): TripleDomainType A B C)): C) == c_1 +); + +// Translation of domain axiom Triple_is_prefix +axiom (forall p_2: (PairDomainType A B), t_2: (TripleDomainType A B C) :: + { (Triple_isPrefix(p_2, t_2): bool) } { (Pair_first(p_2): A), (Triple_first(t_2): A) } { (Pair_first(p_2): A), (Triple_second(t_2): B) } { (Triple_first(t_2): A), (Pair_second(p_2): B) } { (Pair_second(p_2): B), (Triple_second(t_2): B) } + (Triple_isPrefix(p_2, t_2): bool) == ((Pair_first(p_2): A) == (Triple_first(t_2): A) && (Pair_second(p_2): B) == (Triple_second(t_2): B)) +); + +// ================================================== +// Translation of domain L +// ================================================== + +// The type for domain L +type LDomainType; + +// Translation of domain function f1 +function f1(x: int): int; + +// Translation of domain function f2 +function f2(x: int): int; + +// ================================================== +// Translation of domain Foo +// ================================================== + +// The type for domain Foo +type FooDomainType A; + +// Translation of domain function foo +function foo(a_2: A): int; + +// Translation of domain function fooid +function fooid(a_2: A): A; + +// Translation of domain axiom foo_ax1 +axiom (forall a_3: A :: + { (foo(a_3): int) } + (foo(a_3): int) > 0 +); + +// Translation of domain axiom foo_ax2 +axiom (forall a_3: A :: + { (fooid(a_3): A) } + (fooid(a_3): A) == a_3 +); + +// ================================================== +// Translation of domain Bar +// ================================================== + +// The type for domain Bar +type BarDomainType A B; + +// Translation of domain function barfoo1 +function barfoo1(a_2: A): bool; + +// Translation of domain function barfoo2 +function barfoo2(a_2: A): int; + +// Translation of domain axiom bar_ax1 +axiom (forall a_3: A :: + { (barfoo1(a_3): bool) } + (barfoo1(a_3): bool) +); + +// Translation of domain axiom bar_ax2 +axiom (forall b_3: B :: + + (barfoo1(null): bool) +); + +// Translation of domain axiom bar_ax3 +axiom (forall a_3: A :: + { (barfoo2(a_3): int) } { (hide(a_3): int) } + (barfoo2(a_3): int) != (hide(a_3): int) +); + +// ================================================== +// Translation of domain Hidden +// ================================================== + +// The type for domain Hidden +type HiddenDomainType A; + +// Translation of domain function hide +function hide(a_2: A): int; + +// Translation of domain axiom hidden_ax1 +axiom (forall a_3: A :: + { (hide(a_3): int) } + (hide(a_3): int) == 0 +); + +// ================================================== +// Translation of domain D10A +// ================================================== + +// The type for domain D10A +type D10ADomainType A; + +// Translation of domain function hide2 +function hide2(a_2: A): int; + +// ================================================== +// Translation of domain D10B +// ================================================== + +// The type for domain D10B +type D10BDomainType; + +// Translation of domain axiom d10b_ax1 +axiom (forall x_1: int :: + { (hide2(x_1): int) } + (hide2(x_1): int) > 0 +); + +// ================================================== +// Translation of domain D10C +// ================================================== + +// The type for domain D10C +type D10CDomainType A; + +// Translation of domain axiom d10c_ax1 +axiom (forall r_1: Ref :: + { (hide2(r_1): int) } + (hide2(r_1): int) < 0 +); + +// ================================================== +// Translation of domain Cell +// ================================================== + +// The type for domain Cell +type CellDomainType A; + +// Translation of domain function Cell_cell +function Cell_cell(a_2: A): CellDomainType A; + +// Translation of domain function Cell_get +function Cell_get(c: (CellDomainType A)): A; + +// Translation of domain axiom cell_ax1 +axiom (forall a_3: A :: + { (Cell_get((Cell_cell(a_3): CellDomainType A)): A) } + (Cell_get((Cell_cell(a_3): CellDomainType A)): A) == a_3 +); + +// ================================================== +// Translation of method test +// ================================================== + +procedure test(x_1: int, xs_1: (ListDomainType int)) returns () + modifies Heap, Mask; +{ + var n: (ListDomainType int); + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Translating statement: n := (nil(): List[Int]) -- domains.vpr@20.5--20.30 + n := (nil(): ListDomainType int); + assume state(Heap, Mask); + + // -- Translating statement: assert (length(n): Int) == 0 -- domains.vpr@21.5--21.26 + assert {:msg " Assert might fail. Assertion (length(n): Int) == 0 might not hold. (domains.vpr@21.12--21.26) [19]"} + (length(n): int) == 0; + assume state(Heap, Mask); + + // -- Translating statement: assert n != (cons(x, xs): List[Int]) -- domains.vpr@22.5--22.28 + assert {:msg " Assert might fail. Assertion n != (cons(x, xs): List[Int]) might not hold. (domains.vpr@22.12--22.28) [20]"} + n != (cons(x_1, xs_1): ListDomainType int); + assume state(Heap, Mask); + + // -- Translating statement: assert (length((cons(1, n): List[Int])): Int) == 1 -- domains.vpr@23.5--23.35 + assert {:msg " Assert might fail. Assertion (length((cons(1, n): List[Int])): Int) == 1 might not hold. (domains.vpr@23.12--23.35) [21]"} + (length((cons(1, n): ListDomainType int)): int) == 1; + assume state(Heap, Mask); +} + +// ================================================== +// Translation of method test2 +// ================================================== + +procedure test2(a_3: int, b_3: bool) returns () + modifies Heap, Mask; +{ + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Translating statement: assert (Pair_first((Pair_pair(a, b): Pair[Int, Bool])): Int) == a -- domains.vpr@68.3--68.42 + assert {:msg " Assert might fail. Assertion (Pair_first((Pair_pair(a, b): Pair[Int, Bool])): Int) == a might not hold. (domains.vpr@68.10--68.42) [22]"} + (Pair_first((Pair_pair(a_3, b_3): PairDomainType int bool)): int) == a_3; + assume state(Heap, Mask); + + // -- Translating statement: assert (Pair_second((Pair_pair(a, b): Pair[Int, Bool])): Bool) == b -- domains.vpr@69.3--69.43 + assert {:msg " Assert might fail. Assertion (Pair_second((Pair_pair(a, b): Pair[Int, Bool])): Bool) == b might not hold. (domains.vpr@69.10--69.43) [23]"} + (Pair_second((Pair_pair(a_3, b_3): PairDomainType int bool)): bool) == b_3; + assume state(Heap, Mask); +} + +// ================================================== +// Translation of method test3 +// ================================================== + +procedure test3(a_3: int, b_3: bool, c_1: Ref) returns () + modifies Heap, Mask; +{ + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + + // -- Assumptions about method arguments + assume Heap[c_1, $allocated]; + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Translating statement: assert (Triple_first((Triple_triple(a, b, c): Triple[Int, Bool, Ref])): Int) == + // a -- domains.vpr@73.3--73.51 + assert {:msg " Assert might fail. Assertion (Triple_first((Triple_triple(a, b, c): Triple[Int, Bool, Ref])): Int) == a might not hold. (domains.vpr@73.10--73.51) [24]"} + (Triple_first((Triple_triple(a_3, b_3, c_1): TripleDomainType int bool Ref)): int) == a_3; + assume state(Heap, Mask); + + // -- Translating statement: assert (Triple_second((Triple_triple(a, b, c): Triple[Int, Bool, Ref])): Bool) == + // b -- domains.vpr@74.3--74.52 + assert {:msg " Assert might fail. Assertion (Triple_second((Triple_triple(a, b, c): Triple[Int, Bool, Ref])): Bool) == b might not hold. (domains.vpr@74.10--74.52) [25]"} + (Triple_second((Triple_triple(a_3, b_3, c_1): TripleDomainType int bool Ref)): bool) == b_3; + assume state(Heap, Mask); + + // -- Translating statement: assert (Triple_third((Triple_triple(a, b, c): Triple[Int, Bool, Ref])): Ref) == + // c -- domains.vpr@75.3--75.51 + assert {:msg " Assert might fail. Assertion (Triple_third((Triple_triple(a, b, c): Triple[Int, Bool, Ref])): Ref) == c might not hold. (domains.vpr@75.10--75.51) [26]"} + (Triple_third((Triple_triple(a_3, b_3, c_1): TripleDomainType int bool Ref)): Ref) == c_1; + assume state(Heap, Mask); +} + +// ================================================== +// Translation of method test4 +// ================================================== + +procedure test4(a_3: int, b_3: bool, c_1: Ref) returns () + modifies Heap, Mask; +{ + var p_2: (PairDomainType int bool); + var t_2: (TripleDomainType int bool Ref); + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + + // -- Assumptions about method arguments + assume Heap[c_1, $allocated]; + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Translating statement: p := (Pair_pair(a, b): Pair[Int, Bool]) -- domains.vpr@79.3--79.44 + p_2 := (Pair_pair(a_3, b_3): PairDomainType int bool); + assume state(Heap, Mask); + + // -- Translating statement: t := (Triple_triple(a, b, c): Triple[Int, Bool, Ref]) -- domains.vpr@80.3--80.58 + t_2 := (Triple_triple(a_3, b_3, c_1): TripleDomainType int bool Ref); + assume state(Heap, Mask); + + // -- Translating statement: assert (Triple_isPrefix(p, t): Bool) -- domains.vpr@81.3--81.31 + assert {:msg " Assert might fail. Assertion (Triple_isPrefix(p, t): Bool) might not hold. (domains.vpr@81.10--81.31) [27]"} + (Triple_isPrefix(p_2, t_2): bool); + assume state(Heap, Mask); +} + +// ================================================== +// Translation of method t5 +// ================================================== + +procedure t5() returns () + modifies Heap, Mask; +{ + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Translating statement: inhale (forall i: Int :: { f1(i), f2(i) } f1(i) > 0) -- domains.vpr@91.10--91.50 + + // -- Check definedness of (forall i: Int :: { f1(i), f2(i) } f1(i) > 0) + if (*) { + assume false; + } + assume (forall i_1: int :: + { (f1(i_1): int), (f2(i_1): int) } + (f1(i_1): int) > 0 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); +} + +// ================================================== +// Translation of method t6 +// ================================================== + +procedure t6() returns () + modifies Heap, Mask; +{ + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Translating statement: assert (foo(1): Int) > 0 -- domains.vpr@107.3--107.20 + assert {:msg " Assert might fail. Assertion (foo(1): Int) > 0 might not hold. (domains.vpr@107.10--107.20) [28]"} + (foo(1): int) > 0; + assume state(Heap, Mask); + + // -- Translating statement: assert (foo(null): Int) > 0 -- domains.vpr@108.3--108.23 + assert {:msg " Assert might fail. Assertion (foo(null): Int) > 0 might not hold. (domains.vpr@108.10--108.23) [29]"} + (foo(null): int) > 0; + assume state(Heap, Mask); + + // -- Translating statement: assert (foo(none): Int) > 0 -- domains.vpr@109.3--109.23 + assert {:msg " Assert might fail. Assertion (foo(none): Int) > 0 might not hold. (domains.vpr@109.10--109.23) [30]"} + (foo(NoPerm): int) > 0; + assume state(Heap, Mask); +} + +// ================================================== +// Translation of method test7 +// ================================================== + +procedure test7() returns () + modifies Heap, Mask; +{ + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Translating statement: assert (barfoo2(101): Int) != 0 -- domains.vpr@128.3--128.27 + assert {:msg " Assert might fail. Assertion (barfoo2(101): Int) != 0 might not hold. (domains.vpr@128.10--128.27) [31]"} + (barfoo2(101): int) != 0; + assume state(Heap, Mask); +} + +// ================================================== +// Translation of method test8 +// ================================================== + +procedure test8() returns () + modifies Heap, Mask; +{ + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Translating statement: assert (hide2(101): Int) > 0 -- domains.vpr@144.3--144.24 + assert {:msg " Assert might fail. Assertion (hide2(101): Int) > 0 might not hold. (domains.vpr@144.10--144.24) [32]"} + (hide2(101): int) > 0; + assume state(Heap, Mask); + + // -- Translating statement: assert (hide2(null): Int) < 0 -- domains.vpr@145.3--145.25 + assert {:msg " Assert might fail. Assertion (hide2(null): Int) < 0 might not hold. (domains.vpr@145.10--145.25) [33]"} + (hide2(null): int) < 0; + assume state(Heap, Mask); +} + +// ================================================== +// Translation of method test9 +// ================================================== + +procedure test9() returns () + modifies Heap, Mask; +{ + var c1: (CellDomainType int); + var c2: (CellDomainType Ref); + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Translating statement: c1 := (Cell_cell(0): Cell[Int]) -- domains.vpr@156.2--156.35 + c1 := (Cell_cell(0): CellDomainType int); + assume state(Heap, Mask); + + // -- Translating statement: assert c1 == (Cell_cell(0): Cell[Int]) -- domains.vpr@158.3--158.28 + assert {:msg " Assert might fail. Assertion c1 == (Cell_cell(0): Cell[Int]) might not hold. (domains.vpr@158.10--158.28) [34]"} + c1 == (Cell_cell(0): CellDomainType int); + assume state(Heap, Mask); + + // -- Translating statement: assert (Cell_get(c1): Int) == 0 -- domains.vpr@159.2--159.26 + assert {:msg " Assert might fail. Assertion (Cell_get(c1): Int) == 0 might not hold. (domains.vpr@159.9--159.26) [35]"} + (Cell_get(c1): int) == 0; + assume state(Heap, Mask); + + // -- Translating statement: assert (Cell_get(c1): Int) == (Cell_get((Cell_cell(0): Cell[Int])): Int) -- domains.vpr@160.2--160.47 + assert {:msg " Assert might fail. Assertion (Cell_get(c1): Int) == (Cell_get((Cell_cell(0): Cell[Int])): Int) might not hold. (domains.vpr@160.9--160.47) [36]"} + (Cell_get(c1): int) == (Cell_get((Cell_cell(0): CellDomainType int)): int); + assume state(Heap, Mask); + + // -- Translating statement: c2 := (Cell_cell(null): Cell[Ref]) -- domains.vpr@162.2--162.38 + c2 := (Cell_cell(null): CellDomainType Ref); + assume state(Heap, Mask); + + // -- Translating statement: assert (Cell_get(c2): Ref) == null -- domains.vpr@164.2--164.29 + assert {:msg " Assert might fail. Assertion (Cell_get(c2): Ref) == null might not hold. (domains.vpr@164.9--164.29) [37]"} + (Cell_get(c2): Ref) == null; + assume state(Heap, Mask); +} diff --git a/Test/monomorphize/viper/graph-copy.bpl b/Test/monomorphize/viper/graph-copy.bpl new file mode 100644 index 000000000..19988f054 --- /dev/null +++ b/Test/monomorphize/viper/graph-copy.bpl @@ -0,0 +1,3386 @@ +// RUN: %parallel-boogie /monomorphize /noVerify "%s" > "%t" + +// ================================================== +// Preamble of State module. +// ================================================== + +function state(Heap: HeapType, Mask: MaskType): bool; + +// ================================================== +// Preamble of Heap module. +// ================================================== + +type Ref; +var Heap: HeapType; +const null: Ref; +type Field A B; +type NormalField; +type HeapType = [Ref, Field A B]B; +const unique $allocated: Field NormalField bool; +axiom (forall o: Ref, f: (Field NormalField Ref), Heap: HeapType :: + { Heap[o, f] } + Heap[o, $allocated] ==> Heap[Heap[o, f], $allocated] +); +function succHeap(Heap0: HeapType, Heap1: HeapType): bool; +function succHeapTrans(Heap0: HeapType, Heap1: HeapType): bool; +function IdenticalOnKnownLocations(Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType): bool; +function IsPredicateField(f_1: (Field A B)): bool; +function IsWandField(f_1: (Field A B)): bool; +function getPredicateId(f_1: (Field A B)): int; +// Frame all locations with direct permissions +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, o_1: Ref, f_2: (Field A B) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), ExhaleHeap[o_1, f_2] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, o_1, f_2) ==> Heap[o_1, f_2] == ExhaleHeap[o_1, f_2] +); +// Frame all predicate mask locations of predicates with direct permission +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsPredicateField(pm_f), ExhaleHeap[null, PredicateMaskField(pm_f)] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsPredicateField(pm_f) ==> Heap[null, PredicateMaskField(pm_f)] == ExhaleHeap[null, PredicateMaskField(pm_f)] +); +// Frame all locations with known folded permissions +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsPredicateField(pm_f) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsPredicateField(pm_f) ==> (forall o2: Ref, f_2: (Field A B) :: + { ExhaleHeap[o2, f_2] } + Heap[null, PredicateMaskField(pm_f)][o2, f_2] ==> Heap[o2, f_2] == ExhaleHeap[o2, f_2] + ) +); +// Frame all wand mask locations of wands with direct permission +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsWandField(pm_f), ExhaleHeap[null, WandMaskField(pm_f)] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsWandField(pm_f) ==> Heap[null, WandMaskField(pm_f)] == ExhaleHeap[null, WandMaskField(pm_f)] +); +// Frame all locations in the footprint of magic wands +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsWandField(pm_f) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsWandField(pm_f) ==> (forall o2: Ref, f_2: (Field A B) :: + { ExhaleHeap[o2, f_2] } + Heap[null, WandMaskField(pm_f)][o2, f_2] ==> Heap[o2, f_2] == ExhaleHeap[o2, f_2] + ) +); +// All previously-allocated references are still allocated +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, o_1: Ref :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), ExhaleHeap[o_1, $allocated] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> Heap[o_1, $allocated] ==> ExhaleHeap[o_1, $allocated] +); +// Updated Heaps are Successor Heaps +axiom (forall Heap: HeapType, o: Ref, f_3: (Field A B), v: B :: + { Heap[o, f_3:=v] } + succHeap(Heap, Heap[o, f_3:=v]) +); +// IdenticalOnKnownLocations Heaps are Successor Heaps +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> succHeap(Heap, ExhaleHeap) +); +// Successor Heaps are Transitive Successor Heaps +axiom (forall Heap0: HeapType, Heap1: HeapType :: + { succHeap(Heap0, Heap1) } + succHeap(Heap0, Heap1) ==> succHeapTrans(Heap0, Heap1) +); +// Transitivity of Transitive Successor Heaps +axiom (forall Heap0: HeapType, Heap1: HeapType, Heap2: HeapType :: + { succHeapTrans(Heap0, Heap1), succHeap(Heap1, Heap2) } + succHeapTrans(Heap0, Heap1) && succHeap(Heap1, Heap2) ==> succHeapTrans(Heap0, Heap2) +); + +// ================================================== +// Preamble of Permission module. +// ================================================== + +type Perm = real; +type MaskType = [Ref, Field A B]Perm; +var Mask: MaskType; +const ZeroMask: MaskType; +axiom (forall o_2: Ref, f_4: (Field A B) :: + { ZeroMask[o_2, f_4] } + ZeroMask[o_2, f_4] == NoPerm +); +type PMaskType = [Ref, Field A B]bool; +const ZeroPMask: PMaskType; +axiom (forall o_2: Ref, f_4: (Field A B) :: + { ZeroPMask[o_2, f_4] } + !ZeroPMask[o_2, f_4] +); +function PredicateMaskField(f_5: (Field A FrameType)): Field A PMaskType; +function WandMaskField(f_5: (Field A FrameType)): Field A PMaskType; +const NoPerm: Perm; +axiom NoPerm == 0.000000000; +const FullPerm: Perm; +axiom FullPerm == 1.000000000; +function Perm(a: real, b: real): Perm; +function GoodMask(Mask: MaskType): bool; +axiom (forall Heap: HeapType, Mask: MaskType :: + { state(Heap, Mask) } + state(Heap, Mask) ==> GoodMask(Mask) +); +axiom (forall Mask: MaskType, o_2: Ref, f_4: (Field A B) :: + { GoodMask(Mask), Mask[o_2, f_4] } + GoodMask(Mask) ==> Mask[o_2, f_4] >= NoPerm && ((GoodMask(Mask) && !IsPredicateField(f_4)) && !IsWandField(f_4) ==> Mask[o_2, f_4] <= FullPerm) +); +function HasDirectPerm(Mask: MaskType, o_2: Ref, f_4: (Field A B)): bool; +axiom (forall Mask: MaskType, o_2: Ref, f_4: (Field A B) :: + { HasDirectPerm(Mask, o_2, f_4) } + HasDirectPerm(Mask, o_2, f_4) <==> Mask[o_2, f_4] > NoPerm +); +function sumMask(ResultMask: MaskType, SummandMask1: MaskType, SummandMask2: MaskType): bool; +axiom (forall ResultMask: MaskType, SummandMask1: MaskType, SummandMask2: MaskType, o_2: Ref, f_4: (Field A B) :: + { sumMask(ResultMask, SummandMask1, SummandMask2), ResultMask[o_2, f_4] } { sumMask(ResultMask, SummandMask1, SummandMask2), SummandMask1[o_2, f_4] } { sumMask(ResultMask, SummandMask1, SummandMask2), SummandMask2[o_2, f_4] } + sumMask(ResultMask, SummandMask1, SummandMask2) ==> ResultMask[o_2, f_4] == SummandMask1[o_2, f_4] + SummandMask2[o_2, f_4] +); +// ================================================== +// Function for trigger used in checks which are never triggered +// ================================================== + +function neverTriggered1(x_1: Ref): bool; +function neverTriggered2(x_3: Ref): bool; +function neverTriggered3(x_9: Ref): bool; +function neverTriggered4(x_11: Ref): bool; +function neverTriggered5(x_13: Ref): bool; +function neverTriggered6(x_17: Ref): bool; +function neverTriggered7(x_25: Ref): bool; +function neverTriggered8(x_27: Ref): bool; +function neverTriggered9(x_28: Ref): bool; +function neverTriggered10(x_31: Ref): bool; +function neverTriggered11(x_38: Ref): bool; +function neverTriggered12(x_39: Ref): bool; +function neverTriggered13(x_40: Ref): bool; +function neverTriggered14(x_43: Ref): bool; +function neverTriggered15(r_4: Ref): bool; +function neverTriggered16(r_5: Ref): bool; +function neverTriggered17(x_47: Ref): bool; +function neverTriggered18(x_51: Ref): bool; +function neverTriggered19(r_11: Ref): bool; +function neverTriggered20(r_13: Ref): bool; +function neverTriggered21(x_54: Ref): bool; +function neverTriggered22(x_56: Ref): bool; +function neverTriggered23(r_16: Ref): bool; +function neverTriggered24(r_17: Ref): bool; +function neverTriggered25(x_58: Ref): bool; +function neverTriggered26(x_59: Ref): bool; +function neverTriggered27(x_64: Ref): bool; +function neverTriggered28(x_65: Ref): bool; +function neverTriggered29(x_66: Ref): bool; +function neverTriggered30(x_68: Ref): bool; +function neverTriggered31(x_72: Ref): bool; +function neverTriggered32(x_73: Ref): bool; +function neverTriggered33(x_74: Ref): bool; +function neverTriggered34(x_77: Ref): bool; +function neverTriggered35(r_22: Ref): bool; +function neverTriggered36(r_23: Ref): bool; +function neverTriggered37(x_80: Ref): bool; +function neverTriggered38(x_82: Ref): bool; +function neverTriggered39(r_26: Ref): bool; +function neverTriggered40(r_27: Ref): bool; +// ================================================== +// Functions used as inverse of receiver expressions in quantified permissions during inhale and exhale +// ================================================== + +function invRecv1(recv: Ref): Ref; +function invRecv2(recv: Ref): Ref; +function invRecv3(recv: Ref): Ref; +function invRecv4(recv: Ref): Ref; +function invRecv5(recv: Ref): Ref; +function invRecv6(recv: Ref): Ref; +function invRecv7(recv: Ref): Ref; +function invRecv8(recv: Ref): Ref; +function invRecv9(recv: Ref): Ref; +function invRecv10(recv: Ref): Ref; +function invRecv11(recv: Ref): Ref; +function invRecv12(recv: Ref): Ref; +function invRecv13(recv: Ref): Ref; +function invRecv14(recv: Ref): Ref; +function invRecv15(recv: Ref): Ref; +function invRecv16(recv: Ref): Ref; +function invRecv17(recv: Ref): Ref; +function invRecv18(recv: Ref): Ref; +function invRecv19(recv: Ref): Ref; +function invRecv20(recv: Ref): Ref; +function invRecv21(recv: Ref): Ref; +function invRecv22(recv: Ref): Ref; +function invRecv23(recv: Ref): Ref; +function invRecv24(recv: Ref): Ref; +function invRecv25(recv: Ref): Ref; +function invRecv26(recv: Ref): Ref; +function invRecv27(recv: Ref): Ref; +function invRecv28(recv: Ref): Ref; +function invRecv29(recv: Ref): Ref; +function invRecv30(recv: Ref): Ref; +function invRecv31(recv: Ref): Ref; +function invRecv32(recv: Ref): Ref; +function invRecv33(recv: Ref): Ref; +function invRecv34(recv: Ref): Ref; +function invRecv35(recv: Ref): Ref; +function invRecv36(recv: Ref): Ref; +function invRecv37(recv: Ref): Ref; +function invRecv38(recv: Ref): Ref; +function invRecv39(recv: Ref): Ref; +function invRecv40(recv: Ref): Ref; +// ================================================== +// Functions used to represent the range of the projection of each QP instance onto its receiver expressions for quantified permissions during inhale and exhale +// ================================================== + +function qpRange1(recv: Ref): bool; +function qpRange2(recv: Ref): bool; +function qpRange3(recv: Ref): bool; +function qpRange4(recv: Ref): bool; +function qpRange5(recv: Ref): bool; +function qpRange6(recv: Ref): bool; +function qpRange7(recv: Ref): bool; +function qpRange8(recv: Ref): bool; +function qpRange9(recv: Ref): bool; +function qpRange10(recv: Ref): bool; +function qpRange11(recv: Ref): bool; +function qpRange12(recv: Ref): bool; +function qpRange13(recv: Ref): bool; +function qpRange14(recv: Ref): bool; +function qpRange15(recv: Ref): bool; +function qpRange16(recv: Ref): bool; +function qpRange17(recv: Ref): bool; +function qpRange18(recv: Ref): bool; +function qpRange19(recv: Ref): bool; +function qpRange20(recv: Ref): bool; +function qpRange21(recv: Ref): bool; +function qpRange22(recv: Ref): bool; +function qpRange23(recv: Ref): bool; +function qpRange24(recv: Ref): bool; +function qpRange25(recv: Ref): bool; +function qpRange26(recv: Ref): bool; +function qpRange27(recv: Ref): bool; +function qpRange28(recv: Ref): bool; +function qpRange29(recv: Ref): bool; +function qpRange30(recv: Ref): bool; +function qpRange31(recv: Ref): bool; +function qpRange32(recv: Ref): bool; +function qpRange33(recv: Ref): bool; +function qpRange34(recv: Ref): bool; +function qpRange35(recv: Ref): bool; +function qpRange36(recv: Ref): bool; +function qpRange37(recv: Ref): bool; +function qpRange38(recv: Ref): bool; +function qpRange39(recv: Ref): bool; +function qpRange40(recv: Ref): bool; + +// ================================================== +// Preamble of Function and predicate module. +// ================================================== + +// Declarations for function framing +type FrameType; +const EmptyFrame: FrameType; +function FrameFragment(t: T): FrameType; +function ConditionalFrame(p: Perm, f_6: FrameType): FrameType; +function dummyFunction(t: T): bool; +function CombineFrames(a_1: FrameType, b_1: FrameType): FrameType; +// ================================================== +// Definition of conditional frame fragments +// ================================================== + +axiom (forall p: Perm, f_6: FrameType :: + { ConditionalFrame(p, f_6) } + ConditionalFrame(p, f_6) == (if p > 0.000000000 then f_6 else EmptyFrame) +); +// Function for recording enclosure of one predicate instance in another +function InsidePredicate(p: (Field A FrameType), v_1: FrameType, q: (Field B FrameType), w: FrameType): bool; +// Transitivity of InsidePredicate +axiom (forall p: (Field A FrameType), v_1: FrameType, q: (Field B FrameType), w: FrameType, r: (Field C FrameType), u: FrameType :: + { InsidePredicate(p, v_1, q, w), InsidePredicate(q, w, r, u) } + InsidePredicate(p, v_1, q, w) && InsidePredicate(q, w, r, u) ==> InsidePredicate(p, v_1, r, u) +); +// Knowledge that two identical instances of the same predicate cannot be inside each other +axiom (forall p: (Field A FrameType), v_1: FrameType, w: FrameType :: + { InsidePredicate(p, v_1, p, w) } + !InsidePredicate(p, v_1, p, w) +); + +// ================================================== +// Preamble of Sequence module. +// ================================================== + + // diff 0 implemented (no difference) + // diff 1 implemented (fixes test5 in sequences.sil) + // diff 2 implemented (fixes m01 and m03 in quantifiedpermissions/issues/issue_0064) + // diff 3 implemented (no difference) + // diff 4 implemented (no difference) + // diff 5 implemented (fixes colourings0 in sequence-incompletenesses test case) + // diff 6 implemented (no difference) + // diff 7 implemented + // diff 8 implemented (allows for contains triggering, without destroying performance of e.g. functions/linkedlists test case) + // diff 11 implemented + // diff 13 implemented, for now (may reduce completeness, but there's a known matching loop when the first drop amount is 0); another option would be to add !=0 as an explicit condition + // diff 14 implemented: eliminate index over take/drop for trivial cases (to avoid matching loops when e.g. s[i..] == s is known) + // diff 16 implemented: remove general cases of equality-learning between take/drop/append subsequences; only allow when take/drop are at top level (this affects linkedlists test case) +// START BASICS +type Seq T; + +function Seq#Length(Seq T): int; +axiom (forall s: Seq T :: { Seq#Length(s) } 0 <= Seq#Length(s)); + +function Seq#Empty(): Seq T; +axiom (forall :: Seq#Length(Seq#Empty(): Seq T) == 0); +axiom (forall s: Seq T :: { Seq#Length(s) } Seq#Length(s) == 0 ==> s == Seq#Empty()); + +function Seq#Singleton(T): Seq T; +//axiom (forall t: T :: { Seq#Length(Seq#Singleton(t)) } Seq#Length(Seq#Singleton(t)) == 1);// (diff 2 (old)) +axiom (forall t: T :: { Seq#Singleton(t) } Seq#Length(Seq#Singleton(t)) == 1);// (diff 2: changed trigger) + +function Seq#Append(Seq T, Seq T): Seq T; +axiom (forall s0: Seq T, s1: Seq T :: { Seq#Length(Seq#Append(s0,s1)) } +s0 != Seq#Empty() && s1 != Seq#Empty() ==> //diff 11: consider removing constraints + Seq#Length(Seq#Append(s0,s1)) == Seq#Length(s0) + Seq#Length(s1)); + +//axiom (forall s: Seq T :: { Seq#Append(Seq#Empty(),s) } Seq#Append(Seq#Empty(),s) == s); // (diff 11: switched to double-quantified version) +//axiom (forall s: Seq T :: { Seq#Append(s,Seq#Empty()) } Seq#Append(s,Seq#Empty()) == s); // (diff 11: switched to double-quantified version) +axiom (forall s0: Seq T, s1: Seq T :: { Seq#Append(s0,s1) } (s0 == Seq#Empty() ==> Seq#Append(s0,s1) == s1) && (s1 == Seq#Empty() ==> Seq#Append(s0,s1) == s0)); // diff 11: switched to double-quantified version + +function Seq#Index(Seq T, int): T; +//axiom (forall t: T :: { Seq#Index(Seq#Singleton(t), 0) } Seq#Index(Seq#Singleton(t), 0) == t); // (diff 2 (old)) +axiom (forall t: T :: { Seq#Singleton(t) } Seq#Index(Seq#Singleton(t), 0) == t); // (diff 2: changed trigger) + +// END BASICS + +// START INDEX-APPEND-UPDATE + +// extra addition function used to force equalities into the e-graph +function Seq#Add(int, int) : int; +axiom (forall i: int, j: int :: {Seq#Add(i,j)} Seq#Add(i,j) == i + j); +function Seq#Sub(int, int) : int; +axiom (forall i: int, j: int :: {Seq#Sub(i,j)} Seq#Sub(i,j) == i - j); + +// (diff 3 (old)) +//axiom (forall s0: Seq T, s1: Seq T, n: int :: { Seq#Index(Seq#Append(s0,s1), n) } // {:weight 25} // AS: dropped weight +// s0 != Seq#Empty() && s1 != Seq#Empty() ==> +// ((n < Seq#Length(s0) ==> Seq#Index(Seq#Append(s0,s1), n) == Seq#Index(s0, n)) && +// (Seq#Length(s0) <= n ==> Seq#Index(Seq#Append(s0,s1), n) == Seq#Index(s1, n - Seq#Length(s0))))); + +// (diff 3: split axiom, added constraints, replace arithmetic) // diff 11: consider removing constraints +axiom (forall s0: Seq T, s1: Seq T, n: int :: { Seq#Index(Seq#Append(s0,s1), n) } { Seq#Index(s0, n), Seq#Append(s0,s1) } // AS: added alternative trigger + (s0 != Seq#Empty() && s1 != Seq#Empty() && 0 <= n && n < Seq#Length(s0) ==> Seq#Index(Seq#Append(s0,s1), n) == Seq#Index(s0, n))); +axiom (forall s0: Seq T, s1: Seq T, n: int :: { Seq#Index(Seq#Append(s0,s1), n) } // term below breaks loops + s0 != Seq#Empty() && s1 != Seq#Empty() && Seq#Length(s0) <= n && n < Seq#Length(Seq#Append(s0,s1)) ==> Seq#Add(Seq#Sub(n,Seq#Length(s0)),Seq#Length(s0)) == n && Seq#Index(Seq#Append(s0,s1), n) == Seq#Index(s1, Seq#Sub(n,Seq#Length(s0)))); +// AS: added "reverse triggering" versions of the axioms +axiom (forall s0: Seq T, s1: Seq T, m: int :: { Seq#Index(s1, m), Seq#Append(s0,s1)} // m == n-|s0|, n == m + |s0| + s0 != Seq#Empty() && s1 != Seq#Empty() && 0 <= m && m < Seq#Length(s1) ==> Seq#Sub(Seq#Add(m,Seq#Length(s0)),Seq#Length(s0)) == m && Seq#Index(Seq#Append(s0,s1), Seq#Add(m,Seq#Length(s0))) == Seq#Index(s1, m)); + +function Seq#Update(Seq T, int, T): Seq T; +axiom (forall s: Seq T, i: int, v: T :: { Seq#Length(Seq#Update(s,i,v)) } {Seq#Length(s),Seq#Update(s,i,v)} // (diff 4: added trigger) + 0 <= i && i < Seq#Length(s) ==> Seq#Length(Seq#Update(s,i,v)) == Seq#Length(s)); +axiom (forall s: Seq T, i: int, v: T, n: int :: { Seq#Index(Seq#Update(s,i,v),n) } { Seq#Index(s,n), Seq#Update(s,i,v) } // (diff 4: added trigger) + 0 <= n && n < Seq#Length(s) ==> + (i == n ==> Seq#Index(Seq#Update(s,i,v),n) == v) && + (i != n ==> Seq#Index(Seq#Update(s,i,v),n) == Seq#Index(s,n))); + +// END INDEX-APPEND-UPDATE + +// START TAKE/DROP + +function Seq#Take(s: Seq T, howMany: int): Seq T; +// AS: added triggers +axiom (forall s: Seq T, n: int :: { Seq#Length(Seq#Take(s,n)) } { Seq#Take(s,n), Seq#Length(s)} // (diff 7: add trigger) + (0 <= n ==> + (n <= Seq#Length(s) ==> Seq#Length(Seq#Take(s,n)) == n) && + (Seq#Length(s) < n ==> Seq#Length(Seq#Take(s,n)) == Seq#Length(s))) + && + (n < 0 ==> Seq#Length(Seq#Take(s,n)) == 0)); // (diff 7: added case for n < 0) + +// ** AS: 2nd of 3 axioms which get instantiated very often in certain problems involving take/drop/append +axiom (forall s: Seq T, n: int, j: int :: { Seq#Index(Seq#Take(s,n), j) } {Seq#Index(s,j), Seq#Take(s,n)} // (diff 0: (was already done)) : add trigger // {:weight 25} // AS: dropped weight + 0 <= j && j < n && j < Seq#Length(s) ==> + Seq#Index(Seq#Take(s,n), j) == Seq#Index(s, j)); + +function Seq#Drop(s: Seq T, howMany: int): Seq T; +axiom (forall s: Seq T, n: int :: { Seq#Length(Seq#Drop(s,n)) } {Seq#Length(s), Seq#Drop(s,n)} // (diff 5: added trigger, exchange arithmetic) + (0 <= n ==> + (n <= Seq#Length(s) ==> Seq#Length(Seq#Drop(s,n)) == Seq#Length(s) - n) && + (Seq#Length(s) < n ==> Seq#Length(Seq#Drop(s,n)) == 0)) + && + (n < 0 ==> Seq#Length(Seq#Drop(s,n)) == Seq#Length(s)) // (diff 7: added cases for n < 0) + ); + +// ** AS: 3rd of 3 axioms which get instantiated very often in certain problems involving take/drop/append +// diff 5 (old) +//axiom (forall s: Seq T, n: int, j: int :: { Seq#Index(Seq#Drop(s,n), j) } // {:weight 25} // AS: dropped weight +// 0 <= n && 0 <= j && j < Seq#Length(s)-n ==> +// Seq#Index(Seq#Drop(s,n), j) == Seq#Index(s, j+n)); +// +// diff already added // diff -1: try removing this axiom and checking effect +//axiom (forall s: Seq T, n: int, k: int :: { Seq#Drop(s,n), Seq#Index(s,k) } // AS: alternative triggering for above axiom +// 0 <= n && n <= k && k < Seq#Length(s) ==> +// Seq#Index(Seq#Drop(s,n), k-n) == Seq#Index(s, k)); + +// diff 5: split axiom, added triggering case, exhanged arithmetic + +axiom (forall s: Seq T, n: int, j: int :: { Seq#Index(Seq#Drop(s,n), j) } // {:weight 25} // AS: dropped weight + 0 < n && 0 <= j && j < Seq#Length(s)-n ==> // diff 14: change 0 <= n to 0 < n + Seq#Sub(Seq#Add(j,n),n) == j && Seq#Index(Seq#Drop(s,n), j) == Seq#Index(s, Seq#Add(j,n))); + +axiom (forall s: Seq T, n: int, i: int :: { Seq#Drop(s,n), Seq#Index(s,i) } + 0 < n && n <= i && i < Seq#Length(s) ==> // diff 14: change 0 <= n to 0 < n + Seq#Add(Seq#Sub(i,n),n) == i && Seq#Index(Seq#Drop(s,n), Seq#Sub(i,n)) == Seq#Index(s, i)); // i = j + n, j = i - n + +// (diff 6a: add axioms for the 0 > n case) +//axiom (forall s: Seq T, n: int, j: int :: { Seq#Index(Seq#Drop(s,n), j) } // {:weight 25} // AS: dropped weight +// n <= 0 && 0 <= j && j < Seq#Length(s) ==> // diff 14: change n < 0 to n <= 0 +// Seq#Index(Seq#Drop(s,n), j) == Seq#Index(s, j)); + +// (diff 6a: add axioms for the 0 > n case) +//axiom (forall s: Seq T, n: int, i: int :: { Seq#Drop(s,n), Seq#Index(s,i) } +// n <= 0 && 0 <= i && i < Seq#Length(s) ==> // diff 14: change n < 0 to n <= 0 +// Seq#Index(Seq#Drop(s,n), i) == Seq#Index(s, i)); // i = j + n, j = i - n + +// ** AS: We dropped the weak trigger on this axiom. One option is to strengthen the triggers: +//axiom (forall s, t: Seq T :: +// // { Seq#Append(s, t) } +// {Seq#Take(Seq#Append(s, t), Seq#Length(s))}{Seq#Drop(Seq#Append(s, t), Seq#Length(s))} +// Seq#Take(Seq#Append(s, t), Seq#Length(s)) == s && +// Seq#Drop(Seq#Append(s, t), Seq#Length(s)) == t); + +// ** AS: another option is to split the axiom (for some reason, this seems in some cases to perform slightly less well (but this could be random): +//axiom (forall s, t: Seq T :: +// { Seq#Take(Seq#Append(s, t), Seq#Length(s)) } +// Seq#Take(Seq#Append(s, t), Seq#Length(s)) == s); + +//axiom (forall s, t: Seq T :: +// { Seq#Drop(Seq#Append(s, t), Seq#Length(s)) } +// Seq#Drop(Seq#Append(s, t), Seq#Length(s)) == t); + +// (diff 6b: remove these?) +/* Removed: at present, Carbon doesn't generate Seq#Update (but desugars via take/drop/append) +// Commutability of Take and Drop with Update. +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Take(Seq#Update(s, i, v), n) } +// 0 <= i && i < n && n < Seq#Length(s) ==> Seq#Take(Seq#Update(s, i, v), n) == Seq#Update(Seq#Take(s, n), i, v) ); + 0 <= i && i < n && i < Seq#Length(s) ==> Seq#Take(Seq#Update(s, i, v), n) == Seq#Update(Seq#Take(s, n), i, v) ); +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Take(Seq#Update(s, i, v), n) } + n <= i && i < Seq#Length(s) ==> Seq#Take(Seq#Update(s, i, v), n) == Seq#Take(s, n)); +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Drop(Seq#Update(s, i, v), n) } +// 0 <= n && n <= i && i < Seq#Length(s) ==> Seq#Drop(Seq#Update(s, i, v), n) == Seq#Update(Seq#Drop(s, n), i-n, v) ); + 0 <= i && n <=i && i < Seq#Length(s) ==> Seq#Drop(Seq#Update(s, i, v), n) == Seq#Update(Seq#Drop(s, n), i-n, v) ); +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Drop(Seq#Update(s, i, v), n) } +// 0 <= i && i < n && n < Seq#Length(s) ==> Seq#Drop(Seq#Update(s, i, v), n) == Seq#Drop(s, n)); + 0 <= i && i < n && i < Seq#Length(s) ==> Seq#Drop(Seq#Update(s, i, v), n) == Seq#Drop(s, n)); +*/ + +axiom (forall s: Seq T, t: Seq T, n:int :: + { Seq#Take(Seq#Append(s,t),n) } //{Seq#Append(s,t), Seq#Take(s,n)} // diff 16: temporarily dropped general case of these + 0 < n && n <= Seq#Length(s) ==> Seq#Take(Seq#Append(s,t),n) == Seq#Take(s,n)); + +axiom (forall s: Seq T, t: Seq T, n:int :: + { Seq#Take(Seq#Append(s,t),n) } + n > 0 && n > Seq#Length(s) ==> Seq#Add(Seq#Sub(n,Seq#Length(s)),Seq#Length(s)) == n && Seq#Take(Seq#Append(s,t),n) == Seq#Append(s,Seq#Take(t,Seq#Sub(n,Seq#Length(s))))); + +// diff 16: temporarily dropped general case of these +//axiom (forall s: Seq T, t: Seq T, m:int :: +// { Seq#Append(s,Seq#Take(t,m)) } //{Seq#Append(s,t), Seq#Take(t,m)} // diff 16: temporarily dropped general case of these // reverse triggering version of above: m = n - |s|, n = m + |s| +// m > 0 ==> Seq#Sub(Seq#Add(m,Seq#Length(s)),Seq#Length(s)) == m && Seq#Take(Seq#Append(s,t),Seq#Add(m,Seq#Length(s))) == Seq#Append(s,Seq#Take(t,m))); + +axiom (forall s: Seq T, t: Seq T, n:int :: + { Seq#Drop(Seq#Append(s,t),n) } //{Seq#Append(s,t), Seq#Drop(s,n)} // diff 16: temporarily dropped general case of these + 0 Seq#Drop(Seq#Append(s,t),n) == Seq#Append(Seq#Drop(s,n),t)); + +axiom (forall s: Seq T, t: Seq T, n:int :: + { Seq#Drop(Seq#Append(s,t),n) } + n > 0 && n > Seq#Length(s) ==> Seq#Add(Seq#Sub(n,Seq#Length(s)),Seq#Length(s)) == n && Seq#Drop(Seq#Append(s,t),n) == Seq#Drop(t,Seq#Sub(n,Seq#Length(s)))); + +// diff 16: temporarily dropped general case of these +//axiom (forall s: Seq T, t: Seq T, m:int :: +// { Seq#Append(s,t),Seq#Drop(t,m) } // reverse triggering version of above: m = n - |s|, n = m + |s| +// m > 0 ==> Seq#Sub(Seq#Add(m,Seq#Length(s)),Seq#Length(s)) == m && Seq#Drop(Seq#Append(s,t),Seq#Add(m,Seq#Length(s))) == Seq#Drop(t,m)); + +// Additional axioms about common things +axiom (forall s: Seq T, n: int :: { Seq#Drop(s, n) } // ** NEW + n <= 0 ==> Seq#Drop(s, n) == s); // (diff 1: try changing n==0 to n<=0 (should be ok)) +axiom (forall s: Seq T, n: int :: { Seq#Take(s, n) } // ** NEW + n <= 0 ==> Seq#Take(s, n) == Seq#Empty()); // (diff 1: try changing n==0 to n<=0 (should be ok)) +// diff 13: remove this? +//axiom (forall s: Seq T, m, n: int :: { Seq#Drop(Seq#Drop(s, m), n) } // ** NEW - AS: could have bad triggering behaviour? +// 0 <= m && 0 <= n && m+n <= Seq#Length(s) ==> +// Seq#Sub(Seq#Add(m,n),n) == m && Seq#Drop(Seq#Drop(s, m), n) == Seq#Drop(s, Seq#Add(m,n))); + +// END TAKE/DROP + +// START CONTAINS +// diff 8: skolemisation (old) +function Seq#Contains(Seq T, T): bool; +function Seq#ContainsTrigger(Seq T, T): bool; // usages of Contains inside quantifier triggers are replaced with this +function Seq#Skolem(Seq T, T) : int; // skolem function for Seq#Contains // (diff 8: added) +axiom (forall s: Seq T, x: T :: { Seq#Contains(s,x) } + Seq#Contains(s,x) ==> + (0 <= Seq#Skolem(s,x) && Seq#Skolem(s,x) < Seq#Length(s) && Seq#Index(s,Seq#Skolem(s,x)) == x)); // (diff 8: skolem function) +axiom (forall s: Seq T, x: T, i:int :: { Seq#Contains(s,x), Seq#Index(s,i) } // only trigger if interested in the Contains term + (0 <= i && i < Seq#Length(s) && Seq#Index(s,i) == x ==> Seq#Contains(s,x))); +axiom (forall s: Seq T, i:int :: { Seq#Index(s,i) } + (0 <= i && i < Seq#Length(s) ==> Seq#ContainsTrigger(s,Seq#Index(s,i)))); +// ** AS: made one change here - changed type of x from ref to T +/*axiom (forall x: T :: + { Seq#Contains(Seq#Empty(), x) } + !Seq#Contains(Seq#Empty(), x)); +axiom (forall s0: Seq T, s1: Seq T, x: T :: + { Seq#Contains(Seq#Append(s0, s1), x) } + Seq#Contains(Seq#Append(s0, s1), x) <==> + Seq#Contains(s0, x) || Seq#Contains(s1, x)); + +axiom (forall s: Seq T, n: int, x: T :: + { Seq#Contains(Seq#Take(s, n), x) } + Seq#Contains(Seq#Take(s, n), x) <==> + (exists i: int :: { Seq#Index(s, i) } + 0 <= i && i < n && i < Seq#Length(s) && Seq#Index(s, i) == x)); +axiom (forall s: Seq T, n: int, x: T :: + { Seq#Contains(Seq#Drop(s, n), x) } + Seq#Contains(Seq#Drop(s, n), x) <==> + (exists i: int :: { Seq#Index(s, i) } + 0 <= n && n <= i && i < Seq#Length(s) && Seq#Index(s, i) == x)); +*/ +// diff 8: skolemisation (new) +/* +function Seq#Skolem(Seq T, T) : int; // skolem function for Seq#Contains +function Seq#SkolemContainsDrop(Seq T, int, T) : int; // skolem function for Seq#Contains over drop +function Seq#SkolemContainsTake(Seq T, int, T) : int; // skolem function for Seq#Contains over take + +function Seq#Contains(Seq T, T): bool; +axiom (forall s: Seq T, x: T :: { Seq#Contains(s,x) } + Seq#Contains(s,x) ==> s != Seq#Empty() && Seq#Length(s) > 0 && 0 <= Seq#Skolem(s,x) && + Seq#Skolem(s,x) < Seq#Length(s) && Seq#Index(s,Seq#Skolem(s,x)) == x); + +// AS: note: this is an unusual axiom, but is basically the original +// Consider writing a version without the (precise) first trigger? Also see later versions +axiom (forall s: Seq T, x: T, i:int :: { Seq#Contains(s,x), Seq#Index(s,i) } + 0 <= i && i < Seq#Length(s) && Seq#Index(s,i) == x ==> Seq#Contains(s,x)); + +// ** AS: made one change here - changed type of x from ref to T +axiom (forall x: T :: + { Seq#Contains(Seq#Empty(), x) } + !Seq#Contains(Seq#Empty(), x)); + +// AS: Consider dropping this axiom? +axiom (forall s0: Seq T, s1: Seq T, x: T :: + { Seq#Contains(Seq#Append(s0, s1), x) } { Seq#Contains(s0,x), Seq#Append(s0,s1)} { Seq#Contains(s1,x), Seq#Append(s0,s1)} // AS: added triggers + Seq#Contains(Seq#Append(s0, s1), x) <==> + Seq#Contains(s0, x) || Seq#Contains(s1, x)); + +// AS: split axioms +axiom (forall s: Seq T, n: int, x: T :: + { Seq#Contains(Seq#Take(s, n), x) } + Seq#Contains(Seq#Take(s, n), x) ==> + (Seq#Take(s, n) != Seq#Empty() && Seq#Length(Seq#Take(s, n)) > 0 && + 0 <= Seq#SkolemContainsTake(s, n, x) && Seq#SkolemContainsTake(s, n, x) < n && + Seq#SkolemContainsTake(s, n, x) < Seq#Length(s) && + Seq#Index(s, Seq#SkolemContainsTake(s, n, x)) == x)); + +axiom (forall s: Seq T, n: int, x: T, i:int :: + { Seq#Contains(Seq#Take(s, n), x), Seq#Index(s, i) } + 0 <= i && i < n && i < Seq#Length(s) && Seq#Index(s, i) == x ==> + Seq#Contains(Seq#Take(s, n), x)); + +// AS: split axioms +axiom (forall s: Seq T, n: int, x: T :: + { Seq#Contains(Seq#Drop(s, n), x) } + Seq#Contains(Seq#Drop(s, n), x) ==> + ( 0 <= Seq#SkolemContainsDrop(s, n, x) && n <= Seq#SkolemContainsDrop(s, n, x) && + Seq#SkolemContainsDrop(s, n, x) < Seq#Length(s) && + Seq#Index(s, Seq#SkolemContainsDrop(s, n, x)) == x)); + +axiom (forall s: Seq T, n: int, x: T, i:int :: + { Seq#Contains(Seq#Drop(s, n), x), Seq#Index(s, i) } + 0 <= n && n <= i && i < Seq#Length(s) && Seq#Index(s, i) == x ==> + Seq#Contains(Seq#Drop(s, n), x)); +*/ + +// END CONTAINS + +// START EQUALS + +// diff 9 : skolemise equals (old) +function Seq#Equal(Seq T, Seq T): bool; +/*axiom (forall s0: Seq T, s1: Seq T :: { Seq#Equal(s0,s1) } + Seq#Equal(s0,s1) <==> + Seq#Length(s0) == Seq#Length(s1) && + (forall j: int :: { Seq#Index(s0,j) } { Seq#Index(s1,j) } + 0 <= j && j < Seq#Length(s0) ==> Seq#Index(s0,j) == Seq#Index(s1,j))); + +axiom (forall a: Seq T, b: Seq T :: { Seq#Equal(a,b) } // extensionality axiom for sequences + Seq#Equal(a,b) ==> a == b); +*/ +// diff 9: skolemise equals (new) +// AS: split axiom +axiom (forall s0: Seq T, s1: Seq T :: { Seq#Equal(s0,s1) } + Seq#Equal(s0,s1) ==> + Seq#Length(s0) == Seq#Length(s1) && + (forall j: int :: { Seq#Index(s0,j) } { Seq#Index(s1,j) } + 0 <= j && j < Seq#Length(s0) ==> Seq#Index(s0,j) == Seq#Index(s1,j))); + +function Seq#SkolemDiff(Seq T, Seq T) : int; // skolem function for Seq#Equals + +axiom (forall s0: Seq T, s1: Seq T :: { Seq#Equal(s0,s1) } + (s0==s1 && Seq#Equal(s0,s1)) || (s0!=s1 && !Seq#Equal(s0,s1) && Seq#Length(s0) != Seq#Length(s1)) || + (s0 != s1 && !Seq#Equal(s0,s1) && Seq#Length(s0) == Seq#Length(s1) && Seq#SkolemDiff(s0,s1) == Seq#SkolemDiff(s1,s0) && 0 <= Seq#SkolemDiff(s0,s1) && Seq#SkolemDiff(s0,s1) < Seq#Length(s0) && + Seq#Index(s0,Seq#SkolemDiff(s0,s1)) != Seq#Index(s1,Seq#SkolemDiff(s0,s1)))); + +axiom (forall a: Seq T, b: Seq T :: { Seq#Equal(a,b) } // extensionality axiom for sequences + Seq#Equal(a,b) ==> a == b); + + +// END EQUALS + + +// START EXTRAS + +// extra stuff not in current Dafny Prelude + +// diff 10: variant of trigger (maybe drop these?) +// old: +axiom (forall x, y: T :: + { Seq#Contains(Seq#Singleton(x),y) } + Seq#Contains(Seq#Singleton(x),y) <==> x==y); +// new: +/*axiom (forall x, y: T :: + { Seq#Contains(Seq#Singleton(x),y) } + Seq#Contains(Seq#Singleton(x),y) ==> x==y); + +axiom (forall x: T :: + { Seq#Singleton(x) } + Seq#Contains(Seq#Singleton(x),x)); +*/ + +function Seq#Range(min: int, max: int) returns (Seq int); +axiom (forall min: int, max: int :: { Seq#Length(Seq#Range(min, max)) } (min < max ==> Seq#Length(Seq#Range(min, max)) == max-min) && (max <= min ==> Seq#Length(Seq#Range(min, max)) == 0)); +axiom (forall min: int, max: int, j: int :: { Seq#Index(Seq#Range(min, max), j) } 0<=j && j Seq#Index(Seq#Range(min, max), j) == min + j); + +axiom (forall min: int, max: int, v: int :: {Seq#Contains(Seq#Range(min, max),v)} + (Seq#Contains(Seq#Range(min, max),v) <==> min <= v && v < max)); + +// END EXTRAS + + +// ================================================== +// Preamble of Set module. +// ================================================== + + +type Set T = [T]bool; + +function Set#Card(Set T): int; +axiom (forall s: Set T :: { Set#Card(s) } 0 <= Set#Card(s)); + +function Set#Empty(): Set T; +axiom (forall o: T :: { Set#Empty()[o] } !Set#Empty()[o]); +axiom (forall s: Set T :: { Set#Card(s) } + (Set#Card(s) == 0 <==> s == Set#Empty()) && + (Set#Card(s) != 0 ==> (exists x: T :: s[x]))); + +function Set#Singleton(T): Set T; +axiom (forall r: T :: { Set#Singleton(r) } Set#Singleton(r)[r]); +axiom (forall r: T, o: T :: { Set#Singleton(r)[o] } Set#Singleton(r)[o] <==> r == o); +axiom (forall r: T :: { Set#Card(Set#Singleton(r)) } Set#Card(Set#Singleton(r)) == 1); + +function Set#UnionOne(Set T, T): Set T; +axiom (forall a: Set T, x: T, o: T :: { Set#UnionOne(a,x)[o] } + Set#UnionOne(a,x)[o] <==> o == x || a[o]); +axiom (forall a: Set T, x: T :: { Set#UnionOne(a, x) } + Set#UnionOne(a, x)[x]); +axiom (forall a: Set T, x: T, y: T :: { Set#UnionOne(a, x), a[y] } + a[y] ==> Set#UnionOne(a, x)[y]); +axiom (forall a: Set T, x: T :: { Set#Card(Set#UnionOne(a, x)) } + a[x] ==> Set#Card(Set#UnionOne(a, x)) == Set#Card(a)); +axiom (forall a: Set T, x: T :: { Set#Card(Set#UnionOne(a, x)) } + !a[x] ==> Set#Card(Set#UnionOne(a, x)) == Set#Card(a) + 1); + +function Set#Union(Set T, Set T): Set T; +axiom (forall a: Set T, b: Set T, o: T :: { Set#Union(a,b)[o] } + Set#Union(a,b)[o] <==> a[o] || b[o]); +axiom (forall a, b: Set T, y: T :: { Set#Union(a, b), a[y] } + a[y] ==> Set#Union(a, b)[y]); +axiom (forall a, b: Set T, y: T :: { Set#Union(a, b), b[y] } + b[y] ==> Set#Union(a, b)[y]); +//axiom (forall a, b: Set T :: { Set#Union(a, b) } +// Set#Disjoint(a, b) ==> +// Set#Difference(Set#Union(a, b), a) == b && +// Set#Difference(Set#Union(a, b), b) == a); + +function Set#Intersection(Set T, Set T): Set T; +axiom (forall a: Set T, b: Set T, o: T :: { Set#Intersection(a,b)[o] } {Set#Intersection(a,b), a[o]} {Set#Intersection(a,b), b[o]} // AS: added alternative triggers 20/06/19 + Set#Intersection(a,b)[o] <==> a[o] && b[o]); + +axiom (forall a, b: Set T :: { Set#Union(Set#Union(a, b), b) } + Set#Union(Set#Union(a, b), b) == Set#Union(a, b)); +axiom (forall a, b: Set T :: { Set#Union(a, Set#Union(a, b)) } + Set#Union(a, Set#Union(a, b)) == Set#Union(a, b)); +axiom (forall a, b: Set T :: { Set#Intersection(Set#Intersection(a, b), b) } + Set#Intersection(Set#Intersection(a, b), b) == Set#Intersection(a, b)); +axiom (forall a, b: Set T :: { Set#Intersection(a, Set#Intersection(a, b)) } + Set#Intersection(a, Set#Intersection(a, b)) == Set#Intersection(a, b)); +axiom (forall a, b: Set T :: { Set#Card(Set#Union(a, b)) }{ Set#Card(Set#Intersection(a, b)) } + Set#Card(Set#Union(a, b)) + Set#Card(Set#Intersection(a, b)) == Set#Card(a) + Set#Card(b)); + +function Set#Difference(Set T, Set T): Set T; +axiom (forall a: Set T, b: Set T, o: T :: { Set#Difference(a,b)[o] } { Set#Difference(a,b), a[o] } + Set#Difference(a,b)[o] <==> a[o] && !b[o]); +axiom (forall a, b: Set T, y: T :: { Set#Difference(a, b), b[y] } + b[y] ==> !Set#Difference(a, b)[y] ); +axiom (forall a, b: Set T :: + { Set#Card(Set#Difference(a, b)) } + Set#Card(Set#Difference(a, b)) + Set#Card(Set#Difference(b, a)) + + Set#Card(Set#Intersection(a, b)) + == Set#Card(Set#Union(a, b)) && + Set#Card(Set#Difference(a, b)) == Set#Card(a) - Set#Card(Set#Intersection(a, b))); + +function Set#Subset(Set T, Set T): bool; +axiom(forall a: Set T, b: Set T :: { Set#Subset(a,b) } + Set#Subset(a,b) <==> (forall o: T :: {a[o]} {b[o]} a[o] ==> b[o])); +// axiom(forall a: Set T, b: Set T :: +// { Set#Subset(a,b), Set#Card(a), Set#Card(b) } // very restrictive trigger +// Set#Subset(a,b) ==> Set#Card(a) <= Set#Card(b)); + + +function Set#Equal(Set T, Set T): bool; +axiom(forall a: Set T, b: Set T :: { Set#Equal(a,b) } + Set#Equal(a,b) <==> (forall o: T :: {a[o]} {b[o]} a[o] <==> b[o])); +axiom(forall a: Set T, b: Set T :: { Set#Equal(a,b) } // extensionality axiom for sets + Set#Equal(a,b) ==> a == b); + +//function Set#Disjoint(Set T, Set T): bool; +//axiom (forall a: Set T, b: Set T :: { Set#Disjoint(a,b) } +// Set#Disjoint(a,b) <==> (forall o: T :: {a[o]} {b[o]} !a[o] || !b[o])); + +// --------------------------------------------------------------- +// -- Axiomatization of multisets -------------------------------- +// --------------------------------------------------------------- + +function Math#min(a: int, b: int): int; +axiom (forall a: int, b: int :: { Math#min(a, b) } a <= b <==> Math#min(a, b) == a); +axiom (forall a: int, b: int :: { Math#min(a, b) } b <= a <==> Math#min(a, b) == b); +axiom (forall a: int, b: int :: { Math#min(a, b) } Math#min(a, b) == a || Math#min(a, b) == b); + +function Math#clip(a: int): int; +axiom (forall a: int :: { Math#clip(a) } 0 <= a ==> Math#clip(a) == a); +axiom (forall a: int :: { Math#clip(a) } a < 0 ==> Math#clip(a) == 0); + +type MultiSet T; // = [T]int; + +function MultiSet#Select(ms: MultiSet T, x:T): int; + +//function $IsGoodMultiSet(ms: MultiSet T): bool; +// ints are non-negative, used after havocing, and for conversion from sequences to multisets. +//axiom (forall ms: MultiSet T :: { $IsGoodMultiSet(ms) } +// $IsGoodMultiSet(ms) <==> +// (forall bx: T :: { ms[bx] } 0 <= ms[bx] && ms[bx] <= MultiSet#Card(ms))); + +axiom (forall ms: MultiSet T, x: T :: {MultiSet#Select(ms,x)} MultiSet#Select(ms,x) >= 0); // NEW + +function MultiSet#Card(MultiSet T): int; +axiom (forall s: MultiSet T :: { MultiSet#Card(s) } 0 <= MultiSet#Card(s)); +//axiom (forall s: MultiSet T, x: T, n: int :: { MultiSet#Card(s[x := n]) } +// 0 <= n ==> MultiSet#Card(s[x := n]) == MultiSet#Card(s) - s[x] + n); +// +function MultiSet#Empty(): MultiSet T; +axiom (forall o: T :: { MultiSet#Select(MultiSet#Empty(),o) } MultiSet#Select(MultiSet#Empty(),o) == 0); +axiom (forall s: MultiSet T :: { MultiSet#Card(s) } + (MultiSet#Card(s) == 0 <==> s == MultiSet#Empty()) && + (MultiSet#Card(s) != 0 ==> (exists x: T :: 0 < MultiSet#Select(s,x)))); + +function MultiSet#Singleton(T): MultiSet T; +axiom (forall r: T, o: T :: { MultiSet#Select(MultiSet#Singleton(r),o) } (MultiSet#Select(MultiSet#Singleton(r),o) == 1 <==> r == o) && + (MultiSet#Select(MultiSet#Singleton(r),o) == 0 <==> r != o)); +axiom (forall r: T :: { MultiSet#Singleton(r) } MultiSet#Card(MultiSet#Singleton(r)) == 1 && MultiSet#Select(MultiSet#Singleton(r),r) == 1); // AS: added +axiom (forall r: T :: { MultiSet#Singleton(r) } MultiSet#Singleton(r) == MultiSet#UnionOne(MultiSet#Empty(), r)); // AS: remove this? + +function MultiSet#UnionOne(MultiSet T, T): MultiSet T; +// union-ing increases count by one for x, not for others +axiom (forall a: MultiSet T, x: T, o: T :: { MultiSet#Select(MultiSet#UnionOne(a,x),o) } { MultiSet#UnionOne(a, x), MultiSet#Select(a,o) } // AS: added back this trigger (used on a similar axiom before) + MultiSet#Select(MultiSet#UnionOne(a, x),o) == (if x==o then MultiSet#Select(a,o) + 1 else MultiSet#Select(a,o))); +// non-decreasing +axiom (forall a: MultiSet T, x: T :: { MultiSet#Card(MultiSet#UnionOne(a, x)) } {MultiSet#UnionOne(a, x), MultiSet#Card(a)} // AS: added alternative trigger + MultiSet#Card(MultiSet#UnionOne(a, x)) == MultiSet#Card(a) + 1); +// AS: added - concrete knowledge of element added +axiom (forall a: MultiSet T, x: T :: { MultiSet#UnionOne(a,x)} + MultiSet#Select(MultiSet#UnionOne(a, x),x) > 0 && MultiSet#Card(MultiSet#UnionOne(a, x)) > 0); + +function MultiSet#Union(MultiSet T, MultiSet T): MultiSet T; +// union-ing is the sum of the contents +axiom (forall a: MultiSet T, b: MultiSet T, o: T :: { MultiSet#Select(MultiSet#Union(a,b),o) } {MultiSet#Union(a,b), MultiSet#Select(a,o), MultiSet#Select(b,o)}// AS: added triggers + MultiSet#Select(MultiSet#Union(a,b),o) == MultiSet#Select(a,o) + MultiSet#Select(b,o)); +axiom (forall a: MultiSet T, b: MultiSet T :: { MultiSet#Card(MultiSet#Union(a,b)) } {MultiSet#Card(a), MultiSet#Union(a,b)} {MultiSet#Card(b), MultiSet#Union(a,b)} + MultiSet#Card(MultiSet#Union(a,b)) == MultiSet#Card(a) + MultiSet#Card(b)); + +function MultiSet#Intersection(MultiSet T, MultiSet T): MultiSet T; +axiom (forall a: MultiSet T, b: MultiSet T, o: T :: { MultiSet#Select(MultiSet#Intersection(a,b),o) } + MultiSet#Select(MultiSet#Intersection(a,b),o) == Math#min(MultiSet#Select(a,o), MultiSet#Select(b,o))); + +// left and right pseudo-idempotence +axiom (forall a, b: MultiSet T :: { MultiSet#Intersection(MultiSet#Intersection(a, b), b) } + MultiSet#Intersection(MultiSet#Intersection(a, b), b) == MultiSet#Intersection(a, b)); +axiom (forall a, b: MultiSet T :: { MultiSet#Intersection(a, MultiSet#Intersection(a, b)) } + MultiSet#Intersection(a, MultiSet#Intersection(a, b)) == MultiSet#Intersection(a, b)); + +// multiset difference, a - b. clip() makes it positive. +function MultiSet#Difference(MultiSet T, MultiSet T): MultiSet T; +axiom (forall a: MultiSet T, b: MultiSet T, o: T :: { MultiSet#Select(MultiSet#Difference(a,b),o) } + MultiSet#Select(MultiSet#Difference(a,b),o) == Math#clip(MultiSet#Select(a,o) - MultiSet#Select(b,o))); +axiom (forall a, b: MultiSet T, y: T :: { MultiSet#Difference(a, b), MultiSet#Select(b,y), MultiSet#Select(a,y) } + MultiSet#Select(a,y) <= MultiSet#Select(b,y) ==> MultiSet#Select(MultiSet#Difference(a, b),y) == 0 ); +axiom (forall a, b: MultiSet T :: + { MultiSet#Card(MultiSet#Difference(a, b)) } + MultiSet#Card(MultiSet#Difference(a, b)) + MultiSet#Card(MultiSet#Difference(b, a)) + + 2 * MultiSet#Card(MultiSet#Intersection(a, b)) + == MultiSet#Card(MultiSet#Union(a, b)) && + MultiSet#Card(MultiSet#Difference(a, b)) == MultiSet#Card(a) - MultiSet#Card(MultiSet#Intersection(a, b))); + +// multiset subset means a must have at most as many of each element as b +function MultiSet#Subset(MultiSet T, MultiSet T): bool; +axiom(forall a: MultiSet T, b: MultiSet T :: { MultiSet#Subset(a,b) } + MultiSet#Subset(a,b) <==> (forall o: T :: {MultiSet#Select(a,o)} {MultiSet#Select(b,o)} MultiSet#Select(a,o) <= MultiSet#Select(b,o))); + +function MultiSet#Equal(MultiSet T, MultiSet T): bool; +axiom(forall a: MultiSet T, b: MultiSet T :: { MultiSet#Equal(a,b) } + MultiSet#Equal(a,b) <==> (forall o: T :: {MultiSet#Select(a,o)} {MultiSet#Select(b,o)} MultiSet#Select(a,o) == MultiSet#Select(b,o))); +// extensionality axiom for multisets +axiom(forall a: MultiSet T, b: MultiSet T :: { MultiSet#Equal(a,b) } + MultiSet#Equal(a,b) ==> a == b); + +function MultiSet#Disjoint(MultiSet T, MultiSet T): bool; +axiom (forall a: MultiSet T, b: MultiSet T :: { MultiSet#Disjoint(a,b) } + MultiSet#Disjoint(a,b) <==> (forall o: T :: {MultiSet#Select(a,o)} {MultiSet#Select(b,o)} MultiSet#Select(a,o) == 0 || MultiSet#Select(b,o) == 0)); + + + +// ================================================== +// Translation of domain IEdges +// ================================================== + +// The type for domain IEdges +type IEdgesDomainType; + +// Translation of domain function edge_lookup +function edge_lookup(e: IEdgesDomainType, i: int): Ref; + +// Translation of domain function has_edge +function has_edge(e: IEdgesDomainType, i: int): bool; + +// Translation of domain function insert_edge +function insert_edge(e: IEdgesDomainType, i: int, node: Ref): IEdgesDomainType; + +// Translation of domain function edges_domain +function edges_domain(e: IEdgesDomainType): Set int; + +// Translation of domain function empty_edges +function empty_edges(): IEdgesDomainType; + +// Translation of domain axiom inserted_edge_present +axiom (forall e_1: IEdgesDomainType, i_1: int, node_1: Ref :: + { (edge_lookup((insert_edge(e_1, i_1, node_1): IEdgesDomainType), i_1): Ref) } + (edge_lookup((insert_edge(e_1, i_1, node_1): IEdgesDomainType), i_1): Ref) == node_1 +); + +// Translation of domain axiom other_edges_preserved_after_insertion +axiom (forall e_1: IEdgesDomainType, i_1: int, node_1: Ref, j: int :: + { (edge_lookup(e_1, j): Ref), (insert_edge(e_1, i_1, node_1): IEdgesDomainType) } { (edge_lookup(e_1, j): Ref), (edge_lookup((insert_edge(e_1, i_1, node_1): IEdgesDomainType), j): Ref) } { (edge_lookup((insert_edge(e_1, i_1, node_1): IEdgesDomainType), j): Ref) } + i_1 != j ==> (edge_lookup(e_1, j): Ref) == (edge_lookup((insert_edge(e_1, i_1, node_1): IEdgesDomainType), j): Ref) +); + +// Translation of domain axiom inserted_edge_defined +axiom (forall e_1: IEdgesDomainType, i_1: int, node_1: Ref :: + { (has_edge((insert_edge(e_1, i_1, node_1): IEdgesDomainType), i_1): bool) } + (has_edge((insert_edge(e_1, i_1, node_1): IEdgesDomainType), i_1): bool) +); + +// Translation of domain axiom has_edge_complete +axiom (forall e_1: IEdgesDomainType, i_1: int :: + { (has_edge(e_1, i_1): bool) } { (edge_lookup(e_1, i_1): Ref) } + (has_edge(e_1, i_1): bool) == ((edge_lookup(e_1, i_1): Ref) != null) +); + +// Translation of domain axiom edges_domain_defined +axiom (forall e_1: IEdgesDomainType, i_1: int :: + { (edges_domain(e_1): Set int), (has_edge(e_1, i_1): bool) } { (edges_domain(e_1): Set int)[i_1] } { (has_edge(e_1, i_1): bool) } + (edges_domain(e_1): Set int)[i_1] == (has_edge(e_1, i_1): bool) +); + +// Translation of domain axiom empty_edges_has_no_nodes +axiom (forall i_1: int :: + { (has_edge((empty_edges(): IEdgesDomainType), i_1): bool) } + !(has_edge((empty_edges(): IEdgesDomainType), i_1): bool) +); + +// ================================================== +// Translation of domain INodeMap +// ================================================== + +// The type for domain INodeMap +type INodeMapDomainType; + +// Translation of domain function lookup +function lookup(node_map: INodeMapDomainType, node: Ref): Ref; + +// Translation of domain function has_node +function has_node(node_map: INodeMapDomainType, node: Ref): bool; + +// Translation of domain function insert +function insert(node_map: INodeMapDomainType, key_node: Ref, val_node: Ref): INodeMapDomainType; + +// Translation of domain function map_domain +function map_domain(node_map: INodeMapDomainType): Seq Ref; + +// Translation of domain function empty_map +function empty_map(): INodeMapDomainType; + +// Translation of domain axiom inserted_node_present +axiom (forall node_map_1: INodeMapDomainType, key_node_1: Ref, val_node_1: Ref :: + { (lookup((insert(node_map_1, key_node_1, val_node_1): INodeMapDomainType), key_node_1): Ref) } + (lookup((insert(node_map_1, key_node_1, val_node_1): INodeMapDomainType), key_node_1): Ref) == val_node_1 +); + +// Translation of domain axiom other_nodes_preserved_after_insertion +axiom (forall node_map_1: INodeMapDomainType, key_node_1: Ref, val_node_1: Ref, node_1: Ref :: + { (lookup(node_map_1, node_1): Ref), (insert(node_map_1, key_node_1, val_node_1): INodeMapDomainType) } { (lookup(node_map_1, node_1): Ref), (lookup((insert(node_map_1, key_node_1, val_node_1): INodeMapDomainType), node_1): Ref) } { (lookup((insert(node_map_1, key_node_1, val_node_1): INodeMapDomainType), node_1): Ref) } + node_1 != key_node_1 ==> (lookup(node_map_1, node_1): Ref) == (lookup((insert(node_map_1, key_node_1, val_node_1): INodeMapDomainType), node_1): Ref) +); + +// Translation of domain axiom inserted_node_defined +axiom (forall node_map_1: INodeMapDomainType, key_node_1: Ref, val_node_1: Ref :: + { (has_node((insert(node_map_1, key_node_1, val_node_1): INodeMapDomainType), key_node_1): bool) } + (has_node((insert(node_map_1, key_node_1, val_node_1): INodeMapDomainType), key_node_1): bool) +); + +// Translation of domain axiom has_node_complete +axiom (forall node_map_1: INodeMapDomainType, node_1: Ref :: + { (has_node(node_map_1, node_1): bool) } { (lookup(node_map_1, node_1): Ref) } + (has_node(node_map_1, node_1): bool) == ((lookup(node_map_1, node_1): Ref) != null) +); + +// Translation of domain axiom domain_is_defined +axiom (forall node_map_1: INodeMapDomainType, key: Ref :: + { (map_domain(node_map_1): Seq Ref), (has_node(node_map_1, key): bool) } { Seq#ContainsTrigger((map_domain(node_map_1): Seq Ref), key) } { Seq#Contains((map_domain(node_map_1): Seq Ref), key) } { (has_node(node_map_1, key): bool) } + Seq#Contains((map_domain(node_map_1): Seq Ref), key) == (has_node(node_map_1, key): bool) +); + +// Translation of domain axiom empty_map_has_no_nodes +axiom (forall node_1: Ref :: + { (has_node((empty_map(): INodeMapDomainType), node_1): bool) } + !(has_node((empty_map(): INodeMapDomainType), node_1): bool) +); + +// ================================================== +// Translation of all fields +// ================================================== + +const unique val: Field NormalField int; +axiom !IsPredicateField(val); +axiom !IsWandField(val); +const unique edges: Field NormalField IEdgesDomainType; +axiom !IsPredicateField(edges); +axiom !IsWandField(edges); + +// ================================================== +// Translation of method graph_copy_rec +// ================================================== + +procedure graph_copy_rec(this: Ref, node_map_1: INodeMapDomainType, setOfRef: (Set Ref), node_map_image: (Set Ref), rd: Perm) returns (nodeCopy: Ref, res_node_map: INodeMapDomainType, res_copy_nodes: (Set Ref)) + modifies Heap, Mask; +{ + var QPMask: MaskType; + var x: Ref; + var i_2: int; + var PostHeap: HeapType; + var PostMask: MaskType; + var x_2: Ref; + var x_4: Ref; + var x_6: Ref; + var i_3: int; + var freshObj: Ref; + var S: (Set int); + var x_41: Ref; + var x_44: Ref; + var j: int; + var r_1: Ref; + var j_2: int; + var r_2: Ref; + var ExhaleHeap: HeapType; + var i_6: int; + var x_8: Ref; + var x_10: Ref; + var j_1: int; + var r_3: Ref; + var j_3: int; + var loopHeap: HeapType; + var loopMask: MaskType; + var newNode: Ref; + var nodeForId: Ref; + var PreCallHeap: HeapType; + var PreCallMask: MaskType; + var arg_s1: (Set int); + var arg_node_map: INodeMapDomainType; + var arg_node_map_image: (Set Ref); + var arg_rd: Perm; + var x_60: Ref; + var i$0: int; + var x_62: Ref; + var x_75: Ref; + var x_78: Ref; + var j_10: int; + var r_18: Ref; + var j_12: int; + var r_20: Ref; + var x_29: Ref; + var x_32: Ref; + var x_34: Ref; + var i_4: int; + var x_36: Ref; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + + // -- Assumptions about method arguments + assume Heap[this, $allocated]; + + // -- Checked inhaling of precondition + assume NoPerm < rd; + assume state(Heap, Mask); + assume this != null; + assume state(Heap, Mask); + assume setOfRef[this]; + assume state(Heap, Mask); + assume Set#Card(Set#Intersection(setOfRef, node_map_image)) == 0; + assume state(Heap, Mask); + + // -- Check definedness of (forall x: Ref :: { (x in setOfRef) } (x in setOfRef) ==> acc(x.val, rd)) + if (*) { + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource x.val might not be injective. (graph-copy.vpr@96.12--96.61) [443]"} + (forall x_1: Ref, x_1_1: Ref :: + + (((x_1 != x_1_1 && setOfRef[x_1]) && setOfRef[x_1_1]) && NoPerm < rd) && NoPerm < rd ==> x_1 != x_1_1 + ); + + // -- Define Inverse Function + assume (forall x_1: Ref :: + { Heap[x_1, val] } { QPMask[x_1, val] } { setOfRef[x_1] } + setOfRef[x_1] && NoPerm < rd ==> qpRange1(x_1) && invRecv1(x_1) == x_1 + ); + assume (forall o_3: Ref :: + { invRecv1(o_3) } + (setOfRef[invRecv1(o_3)] && NoPerm < rd) && qpRange1(o_3) ==> invRecv1(o_3) == o_3 + ); + // Check that permission expression is non-negative for all fields + assert {:msg " Contract might not be well-formed. Fraction rd might be negative. (graph-copy.vpr@96.12--96.61) [444]"} + (forall x_1: Ref :: + { Heap[x_1, val] } { QPMask[x_1, val] } { setOfRef[x_1] } + setOfRef[x_1] ==> rd >= NoPerm + ); + + // -- Assume set of fields is nonNull + assume (forall x_1: Ref :: + { Heap[x_1, val] } { QPMask[x_1, val] } { setOfRef[x_1] } + setOfRef[x_1] && rd > NoPerm ==> x_1 != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + ((setOfRef[invRecv1(o_3)] && NoPerm < rd) && qpRange1(o_3) ==> (NoPerm < rd ==> invRecv1(o_3) == o_3) && QPMask[o_3, val] == Mask[o_3, val] + rd) && (!((setOfRef[invRecv1(o_3)] && NoPerm < rd) && qpRange1(o_3)) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of (forall x: Ref :: { (x in setOfRef) } (x in setOfRef) ==> acc(x.edges, rd)) + if (*) { + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource x.edges might not be injective. (graph-copy.vpr@97.12--97.63) [445]"} + (forall x_3: Ref, x_3_1: Ref :: + + (((x_3 != x_3_1 && setOfRef[x_3]) && setOfRef[x_3_1]) && NoPerm < rd) && NoPerm < rd ==> x_3 != x_3_1 + ); + + // -- Define Inverse Function + assume (forall x_3: Ref :: + { Heap[x_3, edges] } { QPMask[x_3, edges] } { setOfRef[x_3] } + setOfRef[x_3] && NoPerm < rd ==> qpRange2(x_3) && invRecv2(x_3) == x_3 + ); + assume (forall o_3: Ref :: + { invRecv2(o_3) } + (setOfRef[invRecv2(o_3)] && NoPerm < rd) && qpRange2(o_3) ==> invRecv2(o_3) == o_3 + ); + // Check that permission expression is non-negative for all fields + assert {:msg " Contract might not be well-formed. Fraction rd might be negative. (graph-copy.vpr@97.12--97.63) [446]"} + (forall x_3: Ref :: + { Heap[x_3, edges] } { QPMask[x_3, edges] } { setOfRef[x_3] } + setOfRef[x_3] ==> rd >= NoPerm + ); + + // -- Assume set of fields is nonNull + assume (forall x_3: Ref :: + { Heap[x_3, edges] } { QPMask[x_3, edges] } { setOfRef[x_3] } + setOfRef[x_3] && rd > NoPerm ==> x_3 != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, edges] } + ((setOfRef[invRecv2(o_3)] && NoPerm < rd) && qpRange2(o_3) ==> (NoPerm < rd ==> invRecv2(o_3) == o_3) && QPMask[o_3, edges] == Mask[o_3, edges] + rd) && (!((setOfRef[invRecv2(o_3)] && NoPerm < rd) && qpRange2(o_3)) ==> QPMask[o_3, edges] == Mask[o_3, edges]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != edges ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of (forall x: Ref, i: Int :: { (x in setOfRef), (i in edges_domain(x.edges)) } { (x in setOfRef), edge_lookup(x.edges, i) } { (x in setOfRef), (edge_lookup(x.edges, i) in setOfRef) } { edges_domain(x.edges), edge_lookup(x.edges, i) } { edges_domain(x.edges), (edge_lookup(x.edges, i) in setOfRef) } { (i in edges_domain(x.edges)) } { (edge_lookup(x.edges, i) in setOfRef) } (x in setOfRef) && (i in edges_domain(x.edges)) ==> (edge_lookup(x.edges, i) in setOfRef)) + if (*) { + if (setOfRef[x]) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access x.edges (graph-copy.vpr@98.12--98.120) [447]"} + HasDirectPerm(Mask, x, edges); + } + if (setOfRef[x] && (edges_domain(Heap[x, edges]): Set int)[i_2]) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access x.edges (graph-copy.vpr@98.12--98.120) [448]"} + HasDirectPerm(Mask, x, edges); + } + assume false; + } + assume (forall x_5: Ref, i_1_1: int :: + { setOfRef[x_5], (edges_domain(Heap[x_5, edges]): Set int)[i_1_1] } { setOfRef[x_5], (edge_lookup(Heap[x_5, edges], i_1_1): Ref) } { setOfRef[x_5], setOfRef[(edge_lookup(Heap[x_5, edges], i_1_1): Ref)] } { (edges_domain(Heap[x_5, edges]): Set int), (edge_lookup(Heap[x_5, edges], i_1_1): Ref) } { (edges_domain(Heap[x_5, edges]): Set int), setOfRef[(edge_lookup(Heap[x_5, edges], i_1_1): Ref)] } { (edges_domain(Heap[x_5, edges]): Set int)[i_1_1] } { setOfRef[(edge_lookup(Heap[x_5, edges], i_1_1): Ref)] } + setOfRef[x_5] && (edges_domain(Heap[x_5, edges]): Set int)[i_1_1] ==> setOfRef[(edge_lookup(Heap[x_5, edges], i_1_1): Ref)] + ); + assume state(Heap, Mask); + + // -- Check definedness of (forall x: Ref :: { (x in map_domain(node_map)) } { (lookup(node_map, x) in node_map_image) } (x in map_domain(node_map)) ==> (lookup(node_map, x) in node_map_image)) + if (*) { + assume false; + } + assume (forall x_7: Ref :: + { Seq#ContainsTrigger((map_domain(node_map_1): Seq Ref), x_7) } { Seq#Contains((map_domain(node_map_1): Seq Ref), x_7) } { node_map_image[(lookup(node_map_1, x_7): Ref)] } + Seq#Contains((map_domain(node_map_1): Seq Ref), x_7) ==> node_map_image[(lookup(node_map_1, x_7): Ref)] + ); + assume state(Heap, Mask); + + // -- Check definedness of (forall x: Ref :: { (x in node_map_image) } (x in node_map_image) ==> acc(x.val, write)) + if (*) { + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource x.val might not be injective. (graph-copy.vpr@101.12--101.63) [449]"} + (forall x_9: Ref, x_9_1: Ref :: + + (((x_9 != x_9_1 && node_map_image[x_9]) && node_map_image[x_9_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> x_9 != x_9_1 + ); + + // -- Define Inverse Function + assume (forall x_9: Ref :: + { Heap[x_9, val] } { QPMask[x_9, val] } { node_map_image[x_9] } + node_map_image[x_9] && NoPerm < FullPerm ==> qpRange3(x_9) && invRecv3(x_9) == x_9 + ); + assume (forall o_3: Ref :: + { invRecv3(o_3) } + (node_map_image[invRecv3(o_3)] && NoPerm < FullPerm) && qpRange3(o_3) ==> invRecv3(o_3) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall x_9: Ref :: + { Heap[x_9, val] } { QPMask[x_9, val] } { node_map_image[x_9] } + node_map_image[x_9] ==> x_9 != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + ((node_map_image[invRecv3(o_3)] && NoPerm < FullPerm) && qpRange3(o_3) ==> (NoPerm < FullPerm ==> invRecv3(o_3) == o_3) && QPMask[o_3, val] == Mask[o_3, val] + FullPerm) && (!((node_map_image[invRecv3(o_3)] && NoPerm < FullPerm) && qpRange3(o_3)) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of (forall x: Ref :: { (x in node_map_image) } (x in node_map_image) ==> acc(x.edges, write)) + if (*) { + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource x.edges might not be injective. (graph-copy.vpr@102.12--102.65) [450]"} + (forall x_11: Ref, x_11_1: Ref :: + + (((x_11 != x_11_1 && node_map_image[x_11]) && node_map_image[x_11_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> x_11 != x_11_1 + ); + + // -- Define Inverse Function + assume (forall x_11: Ref :: + { Heap[x_11, edges] } { QPMask[x_11, edges] } { node_map_image[x_11] } + node_map_image[x_11] && NoPerm < FullPerm ==> qpRange4(x_11) && invRecv4(x_11) == x_11 + ); + assume (forall o_3: Ref :: + { invRecv4(o_3) } + (node_map_image[invRecv4(o_3)] && NoPerm < FullPerm) && qpRange4(o_3) ==> invRecv4(o_3) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall x_11: Ref :: + { Heap[x_11, edges] } { QPMask[x_11, edges] } { node_map_image[x_11] } + node_map_image[x_11] ==> x_11 != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, edges] } + ((node_map_image[invRecv4(o_3)] && NoPerm < FullPerm) && qpRange4(o_3) ==> (NoPerm < FullPerm ==> invRecv4(o_3) == o_3) && QPMask[o_3, edges] == Mask[o_3, edges] + FullPerm) && (!((node_map_image[invRecv4(o_3)] && NoPerm < FullPerm) && qpRange4(o_3)) ==> QPMask[o_3, edges] == Mask[o_3, edges]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != edges ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + PostHeap := Heap; + PostMask := Mask; + havoc PostHeap; + PostMask := ZeroMask; + assume state(PostHeap, PostMask); + if (*) { + // Checked inhaling of postcondition to check definedness + assume nodeCopy != null; + assume res_copy_nodes[nodeCopy]; + assume state(PostHeap, PostMask); + assume Set#Card(Set#Intersection(setOfRef, res_copy_nodes)) == 0; + assume state(PostHeap, PostMask); + + // -- Check definedness of (forall x: Ref :: { (x in setOfRef) } (x in setOfRef) ==> acc(x.val, rd)) + if (*) { + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource x.val might not be injective. (graph-copy.vpr@106.11--106.60) [451]"} + (forall x_13: Ref, x_13_1: Ref :: + + (((x_13 != x_13_1 && setOfRef[x_13]) && setOfRef[x_13_1]) && NoPerm < rd) && NoPerm < rd ==> x_13 != x_13_1 + ); + + // -- Define Inverse Function + assume (forall x_13: Ref :: + { PostHeap[x_13, val] } { QPMask[x_13, val] } { setOfRef[x_13] } + setOfRef[x_13] && NoPerm < rd ==> qpRange5(x_13) && invRecv5(x_13) == x_13 + ); + assume (forall o_3: Ref :: + { invRecv5(o_3) } + (setOfRef[invRecv5(o_3)] && NoPerm < rd) && qpRange5(o_3) ==> invRecv5(o_3) == o_3 + ); + // Check that permission expression is non-negative for all fields + assert {:msg " Contract might not be well-formed. Fraction rd might be negative. (graph-copy.vpr@106.11--106.60) [452]"} + (forall x_13: Ref :: + { PostHeap[x_13, val] } { QPMask[x_13, val] } { setOfRef[x_13] } + setOfRef[x_13] ==> rd >= NoPerm + ); + + // -- Assume set of fields is nonNull + assume (forall x_13: Ref :: + { PostHeap[x_13, val] } { QPMask[x_13, val] } { setOfRef[x_13] } + setOfRef[x_13] && rd > NoPerm ==> x_13 != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + ((setOfRef[invRecv5(o_3)] && NoPerm < rd) && qpRange5(o_3) ==> (NoPerm < rd ==> invRecv5(o_3) == o_3) && QPMask[o_3, val] == PostMask[o_3, val] + rd) && (!((setOfRef[invRecv5(o_3)] && NoPerm < rd) && qpRange5(o_3)) ==> QPMask[o_3, val] == PostMask[o_3, val]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { PostMask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != val ==> PostMask[o_3, f_5] == QPMask[o_3, f_5] + ); + PostMask := QPMask; + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + + // -- Check definedness of (forall x: Ref :: { (x in setOfRef) } (x in setOfRef) ==> x.val == old(x.val)) + if (*) { + if (setOfRef[x_2]) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access x.val (graph-copy.vpr@107.11--107.65) [453]"} + HasDirectPerm(PostMask, x_2, val); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access x.val (graph-copy.vpr@107.11--107.65) [454]"} + HasDirectPerm(old(Mask), x_2, val); + } + assume false; + } + assume (forall x_15: Ref :: + { setOfRef[x_15] } + setOfRef[x_15] ==> PostHeap[x_15, val] == old(Heap)[x_15, val] + ); + assume state(PostHeap, PostMask); + + // -- Check definedness of (forall x: Ref :: { (x in setOfRef) } (x in setOfRef) ==> acc(x.edges, rd)) + if (*) { + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource x.edges might not be injective. (graph-copy.vpr@108.11--108.62) [455]"} + (forall x_17: Ref, x_17_1: Ref :: + + (((x_17 != x_17_1 && setOfRef[x_17]) && setOfRef[x_17_1]) && NoPerm < rd) && NoPerm < rd ==> x_17 != x_17_1 + ); + + // -- Define Inverse Function + assume (forall x_17: Ref :: + { PostHeap[x_17, edges] } { QPMask[x_17, edges] } { setOfRef[x_17] } + setOfRef[x_17] && NoPerm < rd ==> qpRange6(x_17) && invRecv6(x_17) == x_17 + ); + assume (forall o_3: Ref :: + { invRecv6(o_3) } + (setOfRef[invRecv6(o_3)] && NoPerm < rd) && qpRange6(o_3) ==> invRecv6(o_3) == o_3 + ); + // Check that permission expression is non-negative for all fields + assert {:msg " Contract might not be well-formed. Fraction rd might be negative. (graph-copy.vpr@108.11--108.62) [456]"} + (forall x_17: Ref :: + { PostHeap[x_17, edges] } { QPMask[x_17, edges] } { setOfRef[x_17] } + setOfRef[x_17] ==> rd >= NoPerm + ); + + // -- Assume set of fields is nonNull + assume (forall x_17: Ref :: + { PostHeap[x_17, edges] } { QPMask[x_17, edges] } { setOfRef[x_17] } + setOfRef[x_17] && rd > NoPerm ==> x_17 != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, edges] } + ((setOfRef[invRecv6(o_3)] && NoPerm < rd) && qpRange6(o_3) ==> (NoPerm < rd ==> invRecv6(o_3) == o_3) && QPMask[o_3, edges] == PostMask[o_3, edges] + rd) && (!((setOfRef[invRecv6(o_3)] && NoPerm < rd) && qpRange6(o_3)) ==> QPMask[o_3, edges] == PostMask[o_3, edges]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { PostMask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != edges ==> PostMask[o_3, f_5] == QPMask[o_3, f_5] + ); + PostMask := QPMask; + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + + // -- Check definedness of (forall x: Ref :: { (x in setOfRef) } (x in setOfRef) ==> x.edges == old(x.edges)) + if (*) { + if (setOfRef[x_4]) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access x.edges (graph-copy.vpr@109.11--109.69) [457]"} + HasDirectPerm(PostMask, x_4, edges); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access x.edges (graph-copy.vpr@109.11--109.69) [458]"} + HasDirectPerm(old(Mask), x_4, edges); + } + assume false; + } + assume (forall x_19: Ref :: + { setOfRef[x_19] } + setOfRef[x_19] ==> PostHeap[x_19, edges] == old(Heap)[x_19, edges] + ); + assume state(PostHeap, PostMask); + + // -- Check definedness of (forall x: Ref, i: Int :: { (x in setOfRef), (i in edges_domain(x.edges)) } { (x in setOfRef), edge_lookup(x.edges, i) } { (x in setOfRef), (edge_lookup(x.edges, i) in setOfRef) } { edges_domain(x.edges), edge_lookup(x.edges, i) } { edges_domain(x.edges), (edge_lookup(x.edges, i) in setOfRef) } { (i in edges_domain(x.edges)) } { (edge_lookup(x.edges, i) in setOfRef) } (x in setOfRef) && (i in edges_domain(x.edges)) ==> (edge_lookup(x.edges, i) in setOfRef)) + if (*) { + if (setOfRef[x_6]) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access x.edges (graph-copy.vpr@110.11--110.119) [459]"} + HasDirectPerm(PostMask, x_6, edges); + } + if (setOfRef[x_6] && (edges_domain(PostHeap[x_6, edges]): Set int)[i_3]) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access x.edges (graph-copy.vpr@110.11--110.119) [460]"} + HasDirectPerm(PostMask, x_6, edges); + } + assume false; + } + assume (forall x_21: Ref, i_3_1: int :: + { setOfRef[x_21], (edges_domain(PostHeap[x_21, edges]): Set int)[i_3_1] } { setOfRef[x_21], (edge_lookup(PostHeap[x_21, edges], i_3_1): Ref) } { setOfRef[x_21], setOfRef[(edge_lookup(PostHeap[x_21, edges], i_3_1): Ref)] } { (edges_domain(PostHeap[x_21, edges]): Set int), (edge_lookup(PostHeap[x_21, edges], i_3_1): Ref) } { (edges_domain(PostHeap[x_21, edges]): Set int), setOfRef[(edge_lookup(PostHeap[x_21, edges], i_3_1): Ref)] } { (edges_domain(PostHeap[x_21, edges]): Set int)[i_3_1] } { setOfRef[(edge_lookup(PostHeap[x_21, edges], i_3_1): Ref)] } + setOfRef[x_21] && (edges_domain(PostHeap[x_21, edges]): Set int)[i_3_1] ==> setOfRef[(edge_lookup(PostHeap[x_21, edges], i_3_1): Ref)] + ); + assume state(PostHeap, PostMask); + assume Set#Equal(res_copy_nodes, Set#Union(res_copy_nodes, node_map_image)); + assume state(PostHeap, PostMask); + + // -- Check definedness of (forall x: Ref :: { (x in map_domain(res_node_map)) } { (lookup(res_node_map, x) in res_copy_nodes) } (x in map_domain(res_node_map)) ==> (lookup(res_node_map, x) in res_copy_nodes)) + if (*) { + assume false; + } + assume (forall x_23: Ref :: + { Seq#ContainsTrigger((map_domain(res_node_map): Seq Ref), x_23) } { Seq#Contains((map_domain(res_node_map): Seq Ref), x_23) } { res_copy_nodes[(lookup(res_node_map, x_23): Ref)] } + Seq#Contains((map_domain(res_node_map): Seq Ref), x_23) ==> res_copy_nodes[(lookup(res_node_map, x_23): Ref)] + ); + assume state(PostHeap, PostMask); + + // -- Check definedness of (forall x: Ref :: { (x in res_copy_nodes) } (x in res_copy_nodes) ==> acc(x.val, write)) + if (*) { + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource x.val might not be injective. (graph-copy.vpr@113.11--113.62) [461]"} + (forall x_25: Ref, x_25_1: Ref :: + + (((x_25 != x_25_1 && res_copy_nodes[x_25]) && res_copy_nodes[x_25_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> x_25 != x_25_1 + ); + + // -- Define Inverse Function + assume (forall x_25: Ref :: + { PostHeap[x_25, val] } { QPMask[x_25, val] } { res_copy_nodes[x_25] } + res_copy_nodes[x_25] && NoPerm < FullPerm ==> qpRange7(x_25) && invRecv7(x_25) == x_25 + ); + assume (forall o_3: Ref :: + { invRecv7(o_3) } + (res_copy_nodes[invRecv7(o_3)] && NoPerm < FullPerm) && qpRange7(o_3) ==> invRecv7(o_3) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall x_25: Ref :: + { PostHeap[x_25, val] } { QPMask[x_25, val] } { res_copy_nodes[x_25] } + res_copy_nodes[x_25] ==> x_25 != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + ((res_copy_nodes[invRecv7(o_3)] && NoPerm < FullPerm) && qpRange7(o_3) ==> (NoPerm < FullPerm ==> invRecv7(o_3) == o_3) && QPMask[o_3, val] == PostMask[o_3, val] + FullPerm) && (!((res_copy_nodes[invRecv7(o_3)] && NoPerm < FullPerm) && qpRange7(o_3)) ==> QPMask[o_3, val] == PostMask[o_3, val]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { PostMask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != val ==> PostMask[o_3, f_5] == QPMask[o_3, f_5] + ); + PostMask := QPMask; + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + + // -- Check definedness of (forall x: Ref :: { (x in res_copy_nodes) } (x in res_copy_nodes) ==> acc(x.edges, write)) + if (*) { + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource x.edges might not be injective. (graph-copy.vpr@114.11--114.64) [462]"} + (forall x_27: Ref, x_27_1: Ref :: + + (((x_27 != x_27_1 && res_copy_nodes[x_27]) && res_copy_nodes[x_27_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> x_27 != x_27_1 + ); + + // -- Define Inverse Function + assume (forall x_27: Ref :: + { PostHeap[x_27, edges] } { QPMask[x_27, edges] } { res_copy_nodes[x_27] } + res_copy_nodes[x_27] && NoPerm < FullPerm ==> qpRange8(x_27) && invRecv8(x_27) == x_27 + ); + assume (forall o_3: Ref :: + { invRecv8(o_3) } + (res_copy_nodes[invRecv8(o_3)] && NoPerm < FullPerm) && qpRange8(o_3) ==> invRecv8(o_3) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall x_27: Ref :: + { PostHeap[x_27, edges] } { QPMask[x_27, edges] } { res_copy_nodes[x_27] } + res_copy_nodes[x_27] ==> x_27 != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, edges] } + ((res_copy_nodes[invRecv8(o_3)] && NoPerm < FullPerm) && qpRange8(o_3) ==> (NoPerm < FullPerm ==> invRecv8(o_3) == o_3) && QPMask[o_3, edges] == PostMask[o_3, edges] + FullPerm) && (!((res_copy_nodes[invRecv8(o_3)] && NoPerm < FullPerm) && qpRange8(o_3)) ==> QPMask[o_3, edges] == PostMask[o_3, edges]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { PostMask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != edges ==> PostMask[o_3, f_5] == QPMask[o_3, f_5] + ); + PostMask := QPMask; + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + // Stop execution + assume false; + } + + // -- Translating statement: if (has_node(node_map, this)) -- graph-copy.vpr@119.3--169.4 + if ((has_node(node_map_1, this): bool)) { + + // -- Translating statement: nodeCopy := lookup(node_map, this) -- graph-copy.vpr@120.5--120.39 + nodeCopy := (lookup(node_map_1, this): Ref); + assume state(Heap, Mask); + + // -- Translating statement: res_node_map := node_map -- graph-copy.vpr@121.5--121.29 + res_node_map := node_map_1; + assume state(Heap, Mask); + + // -- Translating statement: res_copy_nodes := node_map_image -- graph-copy.vpr@122.5--122.37 + res_copy_nodes := node_map_image; + assume state(Heap, Mask); + } else { + + // -- Translating statement: nodeCopy := new(val, edges) -- graph-copy.vpr@124.5--124.32 + havoc freshObj; + assume freshObj != null && !Heap[freshObj, $allocated]; + Heap[freshObj, $allocated] := true; + nodeCopy := freshObj; + Mask[nodeCopy, val] := Mask[nodeCopy, val] + FullPerm; + Mask[nodeCopy, edges] := Mask[nodeCopy, edges] + FullPerm; + assume state(Heap, Mask); + + // -- Translating statement: nodeCopy.val := this.val -- graph-copy.vpr@125.5--125.29 + + // -- Check definedness of this.val + assert {:msg " Assignment might fail. There might be insufficient permission to access this.val (graph-copy.vpr@125.5--125.29) [463]"} + HasDirectPerm(Mask, this, val); + assert {:msg " Assignment might fail. There might be insufficient permission to access nodeCopy.val (graph-copy.vpr@125.5--125.29) [464]"} + FullPerm == Mask[nodeCopy, val]; + Heap[nodeCopy, val] := Heap[this, val]; + assume state(Heap, Mask); + + // -- Translating statement: res_node_map := insert(node_map, this, nodeCopy) -- graph-copy.vpr@127.5--127.53 + res_node_map := (insert(node_map_1, this, nodeCopy): INodeMapDomainType); + assume state(Heap, Mask); + + // -- Translating statement: res_copy_nodes := (node_map_image union Set(nodeCopy)) -- graph-copy.vpr@129.5--129.57 + res_copy_nodes := Set#Union(node_map_image, Set#Singleton(nodeCopy)); + assume state(Heap, Mask); + + // -- Translating statement: assert ((setOfRef intersection node_map_image) union + // (setOfRef intersection Set(nodeCopy))) == + // (setOfRef intersection res_copy_nodes) -- graph-copy.vpr@137.5--138.51 + assert {:msg " Assert might fail. Assertion ((setOfRef intersection node_map_image) union (setOfRef intersection Set(nodeCopy))) == (setOfRef intersection res_copy_nodes) might not hold. (graph-copy.vpr@137.12--138.51) [465]"} + Set#Equal(Set#Union(Set#Intersection(setOfRef, node_map_image), Set#Intersection(setOfRef, Set#Singleton(nodeCopy))), Set#Intersection(setOfRef, res_copy_nodes)); + assume state(Heap, Mask); + + // -- Translating statement: S := edges_domain(this.edges) -- graph-copy.vpr@140.5--140.34 + + // -- Check definedness of edges_domain(this.edges) + assert {:msg " Assignment might fail. There might be insufficient permission to access this.edges (graph-copy.vpr@140.5--140.34) [466]"} + HasDirectPerm(Mask, this, edges); + S := (edges_domain(Heap[this, edges]): Set int); + assume state(Heap, Mask); + + // -- Translating statement: while (|S| > 0) -- graph-copy.vpr@142.5--168.6 + + // -- Before loop head + + // -- Exhale loop invariant before loop + assert {:msg " Loop invariant (nodeCopy in res_copy_nodes) might not hold on entry. Assertion (nodeCopy in res_copy_nodes) might not hold. (graph-copy.vpr@143.17--143.43) [467]"} + res_copy_nodes[nodeCopy]; + assert {:msg " Loop invariant (this in setOfRef) might not hold on entry. Assertion (this in setOfRef) might not hold. (graph-copy.vpr@144.17--144.33) [468]"} + setOfRef[this]; + havoc QPMask; + + // -- check that the permission amount is positive + assert {:msg " Loop invariant (forall x: Ref :: { (x in setOfRef) } (x in setOfRef) ==> acc(x.val, rd)) might not hold on entry. Fraction rd might be negative. (graph-copy.vpr@145.17--145.66) [469]"} + (forall x_40: Ref :: + { Heap[x_40, val] } { QPMask[x_40, val] } { setOfRef[x_40] } + setOfRef[x_40] && dummyFunction(Heap[x_40, val]) ==> rd >= NoPerm + ); + + // -- check if receiver x is injective + assert {:msg " Loop invariant (forall x: Ref :: { (x in setOfRef) } (x in setOfRef) ==> acc(x.val, rd)) might not hold on entry. Quantified resource x.val might not be injective. (graph-copy.vpr@145.17--145.66) [470]"} + (forall x_40: Ref, x_40_1: Ref :: + { neverTriggered13(x_40), neverTriggered13(x_40_1) } + (((x_40 != x_40_1 && setOfRef[x_40]) && setOfRef[x_40_1]) && NoPerm < rd) && NoPerm < rd ==> x_40 != x_40_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Loop invariant (forall x: Ref :: { (x in setOfRef) } (x in setOfRef) ==> acc(x.val, rd)) might not hold on entry. There might be insufficient permission to access x.val (graph-copy.vpr@145.17--145.66) [471]"} + (forall x_40: Ref :: + { Heap[x_40, val] } { QPMask[x_40, val] } { setOfRef[x_40] } + setOfRef[x_40] ==> Mask[x_40, val] >= rd + ); + + // -- assumptions for inverse of receiver x + assume (forall x_40: Ref :: + { Heap[x_40, val] } { QPMask[x_40, val] } { setOfRef[x_40] } + setOfRef[x_40] && NoPerm < rd ==> qpRange13(x_40) && invRecv13(x_40) == x_40 + ); + assume (forall o_3: Ref :: + { invRecv13(o_3) } + setOfRef[invRecv13(o_3)] && (NoPerm < rd && qpRange13(o_3)) ==> invRecv13(o_3) == o_3 + ); + + // -- assume permission updates for field val + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + (setOfRef[invRecv13(o_3)] && (NoPerm < rd && qpRange13(o_3)) ==> invRecv13(o_3) == o_3 && QPMask[o_3, val] == Mask[o_3, val] - rd) && (!(setOfRef[invRecv13(o_3)] && (NoPerm < rd && qpRange13(o_3))) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + if (*) { + if (setOfRef[x_41]) { + assert {:msg " Loop invariant (forall x: Ref :: { (x in setOfRef) } (x in setOfRef) ==> x.val == old(x.val)) might not hold on entry. Assertion x.val == old(x.val) might not hold. (graph-copy.vpr@146.17--146.71) [472]"} + Heap[x_41, val] == old(Heap)[x_41, val]; + } + assume false; + } + assume (forall x_42_1: Ref :: + { setOfRef[x_42_1] } + setOfRef[x_42_1] ==> Heap[x_42_1, val] == old(Heap)[x_42_1, val] + ); + havoc QPMask; + + // -- check that the permission amount is positive + assert {:msg " Loop invariant (forall x: Ref :: { (x in setOfRef) } (x in setOfRef) ==> acc(x.edges, rd)) might not hold on entry. Fraction rd might be negative. (graph-copy.vpr@147.17--147.68) [473]"} + (forall x_43: Ref :: + { Heap[x_43, edges] } { QPMask[x_43, edges] } { setOfRef[x_43] } + setOfRef[x_43] && dummyFunction(Heap[x_43, edges]) ==> rd >= NoPerm + ); + + // -- check if receiver x is injective + assert {:msg " Loop invariant (forall x: Ref :: { (x in setOfRef) } (x in setOfRef) ==> acc(x.edges, rd)) might not hold on entry. Quantified resource x.edges might not be injective. (graph-copy.vpr@147.17--147.68) [474]"} + (forall x_43: Ref, x_43_1: Ref :: + { neverTriggered14(x_43), neverTriggered14(x_43_1) } + (((x_43 != x_43_1 && setOfRef[x_43]) && setOfRef[x_43_1]) && NoPerm < rd) && NoPerm < rd ==> x_43 != x_43_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Loop invariant (forall x: Ref :: { (x in setOfRef) } (x in setOfRef) ==> acc(x.edges, rd)) might not hold on entry. There might be insufficient permission to access x.edges (graph-copy.vpr@147.17--147.68) [475]"} + (forall x_43: Ref :: + { Heap[x_43, edges] } { QPMask[x_43, edges] } { setOfRef[x_43] } + setOfRef[x_43] ==> Mask[x_43, edges] >= rd + ); + + // -- assumptions for inverse of receiver x + assume (forall x_43: Ref :: + { Heap[x_43, edges] } { QPMask[x_43, edges] } { setOfRef[x_43] } + setOfRef[x_43] && NoPerm < rd ==> qpRange14(x_43) && invRecv14(x_43) == x_43 + ); + assume (forall o_3: Ref :: + { invRecv14(o_3) } + setOfRef[invRecv14(o_3)] && (NoPerm < rd && qpRange14(o_3)) ==> invRecv14(o_3) == o_3 + ); + + // -- assume permission updates for field edges + assume (forall o_3: Ref :: + { QPMask[o_3, edges] } + (setOfRef[invRecv14(o_3)] && (NoPerm < rd && qpRange14(o_3)) ==> invRecv14(o_3) == o_3 && QPMask[o_3, edges] == Mask[o_3, edges] - rd) && (!(setOfRef[invRecv14(o_3)] && (NoPerm < rd && qpRange14(o_3))) ==> QPMask[o_3, edges] == Mask[o_3, edges]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != edges ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + if (*) { + if (setOfRef[x_44]) { + assert {:msg " Loop invariant (forall x: Ref :: { (x in setOfRef) } (x in setOfRef) ==> x.edges == old(x.edges)) might not hold on entry. Assertion x.edges == old(x.edges) might not hold. (graph-copy.vpr@148.17--148.75) [476]"} + Heap[x_44, edges] == old(Heap)[x_44, edges]; + } + assume false; + } + assume (forall x_45_1: Ref :: + { setOfRef[x_45_1] } + setOfRef[x_45_1] ==> Heap[x_45_1, edges] == old(Heap)[x_45_1, edges] + ); + if (*) { + if (S[j]) { + assert {:msg " Loop invariant (forall j: Int :: { (j in S) } { (edge_lookup(this.edges, j) in setOfRef) } (j in S) ==> (edge_lookup(this.edges, j) in setOfRef)) might not hold on entry. Assertion (edge_lookup(this.edges, j) in setOfRef) might not hold. (graph-copy.vpr@149.17--149.83) [477]"} + setOfRef[(edge_lookup(Heap[this, edges], j): Ref)]; + } + assume false; + } + assume (forall j_1_1: int :: + { S[j_1_1] } { setOfRef[(edge_lookup(Heap[this, edges], j_1_1): Ref)] } + S[j_1_1] ==> setOfRef[(edge_lookup(Heap[this, edges], j_1_1): Ref)] + ); + if (*) { + if (setOfRef[r_1] && (edges_domain(Heap[r_1, edges]): Set int)[j_2]) { + assert {:msg " Loop invariant (forall r: Ref, j: Int :: { (r in setOfRef), (j in edges_domain(r.edges)) } { (r in setOfRef), edge_lookup(r.edges, j) } { (r in setOfRef), (edge_lookup(r.edges, j) in setOfRef) } { edges_domain(r.edges), edge_lookup(r.edges, j) } { edges_domain(r.edges), (edge_lookup(r.edges, j) in setOfRef) } { (j in edges_domain(r.edges)) } { (edge_lookup(r.edges, j) in setOfRef) } (r in setOfRef) && (j in edges_domain(r.edges)) ==> (edge_lookup(r.edges, j) in setOfRef)) might not hold on entry. Assertion (edge_lookup(r.edges, j) in setOfRef) might not hold. (graph-copy.vpr@150.17--150.125) [478]"} + setOfRef[(edge_lookup(Heap[r_1, edges], j_2): Ref)]; + } + assume false; + } + assume (forall r_1_1: Ref, j_3_1: int :: + { setOfRef[r_1_1], (edges_domain(Heap[r_1_1, edges]): Set int)[j_3_1] } { setOfRef[r_1_1], (edge_lookup(Heap[r_1_1, edges], j_3_1): Ref) } { setOfRef[r_1_1], setOfRef[(edge_lookup(Heap[r_1_1, edges], j_3_1): Ref)] } { (edges_domain(Heap[r_1_1, edges]): Set int), (edge_lookup(Heap[r_1_1, edges], j_3_1): Ref) } { (edges_domain(Heap[r_1_1, edges]): Set int), setOfRef[(edge_lookup(Heap[r_1_1, edges], j_3_1): Ref)] } { (edges_domain(Heap[r_1_1, edges]): Set int)[j_3_1] } { setOfRef[(edge_lookup(Heap[r_1_1, edges], j_3_1): Ref)] } + setOfRef[r_1_1] && (edges_domain(Heap[r_1_1, edges]): Set int)[j_3_1] ==> setOfRef[(edge_lookup(Heap[r_1_1, edges], j_3_1): Ref)] + ); + assert {:msg " Loop invariant (node_map_image subset res_copy_nodes) might not hold on entry. Assertion (node_map_image subset res_copy_nodes) might not hold. (graph-copy.vpr@151.32--151.53) [479]"} + Set#Subset(node_map_image, res_copy_nodes); + assert {:msg " Loop invariant |(setOfRef intersection res_copy_nodes)| == 0 might not hold on entry. Assertion |(setOfRef intersection res_copy_nodes)| == 0 might not hold. (graph-copy.vpr@152.17--152.60) [480]"} + Set#Card(Set#Intersection(setOfRef, res_copy_nodes)) == 0; + if (*) { + if (Seq#Contains((map_domain(res_node_map): Seq Ref), r_2)) { + assert {:msg " Loop invariant (forall r: Ref :: { (r in map_domain(res_node_map)) } { (lookup(res_node_map, r) in res_copy_nodes) } (r in map_domain(res_node_map)) ==> (lookup(res_node_map, r) in res_copy_nodes)) might not hold on entry. Assertion (lookup(res_node_map, r) in res_copy_nodes) might not hold. (graph-copy.vpr@153.17--153.108) [481]"} + res_copy_nodes[(lookup(res_node_map, r_2): Ref)]; + } + assume false; + } + assume (forall r_3_1: Ref :: + { Seq#ContainsTrigger((map_domain(res_node_map): Seq Ref), r_3_1) } { Seq#Contains((map_domain(res_node_map): Seq Ref), r_3_1) } { res_copy_nodes[(lookup(res_node_map, r_3_1): Ref)] } + Seq#Contains((map_domain(res_node_map): Seq Ref), r_3_1) ==> res_copy_nodes[(lookup(res_node_map, r_3_1): Ref)] + ); + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver r is injective + assert {:msg " Loop invariant (forall r: Ref :: { (r in res_copy_nodes) } (r in res_copy_nodes) ==> acc(r.val, write)) might not hold on entry. Quantified resource r.val might not be injective. (graph-copy.vpr@154.17--154.68) [482]"} + (forall r_4: Ref, r_4_1: Ref :: + { neverTriggered15(r_4), neverTriggered15(r_4_1) } + (((r_4 != r_4_1 && res_copy_nodes[r_4]) && res_copy_nodes[r_4_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> r_4 != r_4_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Loop invariant (forall r: Ref :: { (r in res_copy_nodes) } (r in res_copy_nodes) ==> acc(r.val, write)) might not hold on entry. There might be insufficient permission to access r.val (graph-copy.vpr@154.17--154.68) [483]"} + (forall r_4: Ref :: + { Heap[r_4, val] } { QPMask[r_4, val] } { res_copy_nodes[r_4] } + res_copy_nodes[r_4] ==> Mask[r_4, val] >= FullPerm + ); + + // -- assumptions for inverse of receiver r + assume (forall r_4: Ref :: + { Heap[r_4, val] } { QPMask[r_4, val] } { res_copy_nodes[r_4] } + res_copy_nodes[r_4] && NoPerm < FullPerm ==> qpRange15(r_4) && invRecv15(r_4) == r_4 + ); + assume (forall o_3: Ref :: + { invRecv15(o_3) } + res_copy_nodes[invRecv15(o_3)] && (NoPerm < FullPerm && qpRange15(o_3)) ==> invRecv15(o_3) == o_3 + ); + + // -- assume permission updates for field val + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + (res_copy_nodes[invRecv15(o_3)] && (NoPerm < FullPerm && qpRange15(o_3)) ==> invRecv15(o_3) == o_3 && QPMask[o_3, val] == Mask[o_3, val] - FullPerm) && (!(res_copy_nodes[invRecv15(o_3)] && (NoPerm < FullPerm && qpRange15(o_3))) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver r is injective + assert {:msg " Loop invariant (forall r: Ref :: { (r in res_copy_nodes) } (r in res_copy_nodes) ==> acc(r.edges, write)) might not hold on entry. Quantified resource r.edges might not be injective. (graph-copy.vpr@155.17--155.70) [484]"} + (forall r_5: Ref, r_5_1: Ref :: + { neverTriggered16(r_5), neverTriggered16(r_5_1) } + (((r_5 != r_5_1 && res_copy_nodes[r_5]) && res_copy_nodes[r_5_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> r_5 != r_5_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Loop invariant (forall r: Ref :: { (r in res_copy_nodes) } (r in res_copy_nodes) ==> acc(r.edges, write)) might not hold on entry. There might be insufficient permission to access r.edges (graph-copy.vpr@155.17--155.70) [485]"} + (forall r_5: Ref :: + { Heap[r_5, edges] } { QPMask[r_5, edges] } { res_copy_nodes[r_5] } + res_copy_nodes[r_5] ==> Mask[r_5, edges] >= FullPerm + ); + + // -- assumptions for inverse of receiver r + assume (forall r_5: Ref :: + { Heap[r_5, edges] } { QPMask[r_5, edges] } { res_copy_nodes[r_5] } + res_copy_nodes[r_5] && NoPerm < FullPerm ==> qpRange16(r_5) && invRecv16(r_5) == r_5 + ); + assume (forall o_3: Ref :: + { invRecv16(o_3) } + res_copy_nodes[invRecv16(o_3)] && (NoPerm < FullPerm && qpRange16(o_3)) ==> invRecv16(o_3) == o_3 + ); + + // -- assume permission updates for field edges + assume (forall o_3: Ref :: + { QPMask[o_3, edges] } + (res_copy_nodes[invRecv16(o_3)] && (NoPerm < FullPerm && qpRange16(o_3)) ==> invRecv16(o_3) == o_3 && QPMask[o_3, edges] == Mask[o_3, edges] - FullPerm) && (!(res_copy_nodes[invRecv16(o_3)] && (NoPerm < FullPerm && qpRange16(o_3))) ==> QPMask[o_3, edges] == Mask[o_3, edges]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != edges ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + + // -- Havoc loop written variables (except locals) + havoc S, i_6, res_node_map, res_copy_nodes; + + // -- Check definedness of invariant + if (*) { + assume res_copy_nodes[nodeCopy]; + assume state(Heap, Mask); + assume setOfRef[this]; + assume state(Heap, Mask); + + // -- Check definedness of (forall x: Ref :: { (x in setOfRef) } (x in setOfRef) ==> acc(x.val, rd)) + if (*) { + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource x.val might not be injective. (graph-copy.vpr@145.17--145.66) [486]"} + (forall x_47: Ref, x_47_1: Ref :: + + (((x_47 != x_47_1 && setOfRef[x_47]) && setOfRef[x_47_1]) && NoPerm < rd) && NoPerm < rd ==> x_47 != x_47_1 + ); + + // -- Define Inverse Function + assume (forall x_47: Ref :: + { Heap[x_47, val] } { QPMask[x_47, val] } { setOfRef[x_47] } + setOfRef[x_47] && NoPerm < rd ==> qpRange17(x_47) && invRecv17(x_47) == x_47 + ); + assume (forall o_3: Ref :: + { invRecv17(o_3) } + (setOfRef[invRecv17(o_3)] && NoPerm < rd) && qpRange17(o_3) ==> invRecv17(o_3) == o_3 + ); + // Check that permission expression is non-negative for all fields + assert {:msg " Contract might not be well-formed. Fraction rd might be negative. (graph-copy.vpr@145.17--145.66) [487]"} + (forall x_47: Ref :: + { Heap[x_47, val] } { QPMask[x_47, val] } { setOfRef[x_47] } + setOfRef[x_47] ==> rd >= NoPerm + ); + + // -- Assume set of fields is nonNull + assume (forall x_47: Ref :: + { Heap[x_47, val] } { QPMask[x_47, val] } { setOfRef[x_47] } + setOfRef[x_47] && rd > NoPerm ==> x_47 != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + ((setOfRef[invRecv17(o_3)] && NoPerm < rd) && qpRange17(o_3) ==> (NoPerm < rd ==> invRecv17(o_3) == o_3) && QPMask[o_3, val] == Mask[o_3, val] + rd) && (!((setOfRef[invRecv17(o_3)] && NoPerm < rd) && qpRange17(o_3)) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of (forall x: Ref :: { (x in setOfRef) } (x in setOfRef) ==> x.val == old(x.val)) + if (*) { + if (setOfRef[x_8]) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access x.val (graph-copy.vpr@146.17--146.71) [488]"} + HasDirectPerm(Mask, x_8, val); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access x.val (graph-copy.vpr@146.17--146.71) [489]"} + HasDirectPerm(old(Mask), x_8, val); + } + assume false; + } + assume (forall x_49: Ref :: + { setOfRef[x_49] } + setOfRef[x_49] ==> Heap[x_49, val] == old(Heap)[x_49, val] + ); + assume state(Heap, Mask); + + // -- Check definedness of (forall x: Ref :: { (x in setOfRef) } (x in setOfRef) ==> acc(x.edges, rd)) + if (*) { + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource x.edges might not be injective. (graph-copy.vpr@147.17--147.68) [490]"} + (forall x_51: Ref, x_51_1: Ref :: + + (((x_51 != x_51_1 && setOfRef[x_51]) && setOfRef[x_51_1]) && NoPerm < rd) && NoPerm < rd ==> x_51 != x_51_1 + ); + + // -- Define Inverse Function + assume (forall x_51: Ref :: + { Heap[x_51, edges] } { QPMask[x_51, edges] } { setOfRef[x_51] } + setOfRef[x_51] && NoPerm < rd ==> qpRange18(x_51) && invRecv18(x_51) == x_51 + ); + assume (forall o_3: Ref :: + { invRecv18(o_3) } + (setOfRef[invRecv18(o_3)] && NoPerm < rd) && qpRange18(o_3) ==> invRecv18(o_3) == o_3 + ); + // Check that permission expression is non-negative for all fields + assert {:msg " Contract might not be well-formed. Fraction rd might be negative. (graph-copy.vpr@147.17--147.68) [491]"} + (forall x_51: Ref :: + { Heap[x_51, edges] } { QPMask[x_51, edges] } { setOfRef[x_51] } + setOfRef[x_51] ==> rd >= NoPerm + ); + + // -- Assume set of fields is nonNull + assume (forall x_51: Ref :: + { Heap[x_51, edges] } { QPMask[x_51, edges] } { setOfRef[x_51] } + setOfRef[x_51] && rd > NoPerm ==> x_51 != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, edges] } + ((setOfRef[invRecv18(o_3)] && NoPerm < rd) && qpRange18(o_3) ==> (NoPerm < rd ==> invRecv18(o_3) == o_3) && QPMask[o_3, edges] == Mask[o_3, edges] + rd) && (!((setOfRef[invRecv18(o_3)] && NoPerm < rd) && qpRange18(o_3)) ==> QPMask[o_3, edges] == Mask[o_3, edges]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != edges ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of (forall x: Ref :: { (x in setOfRef) } (x in setOfRef) ==> x.edges == old(x.edges)) + if (*) { + if (setOfRef[x_10]) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access x.edges (graph-copy.vpr@148.17--148.75) [492]"} + HasDirectPerm(Mask, x_10, edges); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access x.edges (graph-copy.vpr@148.17--148.75) [493]"} + HasDirectPerm(old(Mask), x_10, edges); + } + assume false; + } + assume (forall x_53: Ref :: + { setOfRef[x_53] } + setOfRef[x_53] ==> Heap[x_53, edges] == old(Heap)[x_53, edges] + ); + assume state(Heap, Mask); + + // -- Check definedness of (forall j: Int :: { (j in S) } { (edge_lookup(this.edges, j) in setOfRef) } (j in S) ==> (edge_lookup(this.edges, j) in setOfRef)) + if (*) { + if (S[j_1]) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access this.edges (graph-copy.vpr@149.17--149.83) [494]"} + HasDirectPerm(Mask, this, edges); + } + assume false; + } + assume (forall j_5: int :: + { S[j_5] } { setOfRef[(edge_lookup(Heap[this, edges], j_5): Ref)] } + S[j_5] ==> setOfRef[(edge_lookup(Heap[this, edges], j_5): Ref)] + ); + assume state(Heap, Mask); + + // -- Check definedness of (forall r: Ref, j: Int :: { (r in setOfRef), (j in edges_domain(r.edges)) } { (r in setOfRef), edge_lookup(r.edges, j) } { (r in setOfRef), (edge_lookup(r.edges, j) in setOfRef) } { edges_domain(r.edges), edge_lookup(r.edges, j) } { edges_domain(r.edges), (edge_lookup(r.edges, j) in setOfRef) } { (j in edges_domain(r.edges)) } { (edge_lookup(r.edges, j) in setOfRef) } (r in setOfRef) && (j in edges_domain(r.edges)) ==> (edge_lookup(r.edges, j) in setOfRef)) + if (*) { + if (setOfRef[r_3]) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access r.edges (graph-copy.vpr@150.17--150.125) [495]"} + HasDirectPerm(Mask, r_3, edges); + } + if (setOfRef[r_3] && (edges_domain(Heap[r_3, edges]): Set int)[j_3]) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access r.edges (graph-copy.vpr@150.17--150.125) [496]"} + HasDirectPerm(Mask, r_3, edges); + } + assume false; + } + assume (forall r_7: Ref, j_7: int :: + { setOfRef[r_7], (edges_domain(Heap[r_7, edges]): Set int)[j_7] } { setOfRef[r_7], (edge_lookup(Heap[r_7, edges], j_7): Ref) } { setOfRef[r_7], setOfRef[(edge_lookup(Heap[r_7, edges], j_7): Ref)] } { (edges_domain(Heap[r_7, edges]): Set int), (edge_lookup(Heap[r_7, edges], j_7): Ref) } { (edges_domain(Heap[r_7, edges]): Set int), setOfRef[(edge_lookup(Heap[r_7, edges], j_7): Ref)] } { (edges_domain(Heap[r_7, edges]): Set int)[j_7] } { setOfRef[(edge_lookup(Heap[r_7, edges], j_7): Ref)] } + setOfRef[r_7] && (edges_domain(Heap[r_7, edges]): Set int)[j_7] ==> setOfRef[(edge_lookup(Heap[r_7, edges], j_7): Ref)] + ); + assume state(Heap, Mask); + assume Set#Subset(node_map_image, res_copy_nodes); + assume state(Heap, Mask); + assume Set#Card(Set#Intersection(setOfRef, res_copy_nodes)) == 0; + assume state(Heap, Mask); + + // -- Check definedness of (forall r: Ref :: { (r in map_domain(res_node_map)) } { (lookup(res_node_map, r) in res_copy_nodes) } (r in map_domain(res_node_map)) ==> (lookup(res_node_map, r) in res_copy_nodes)) + if (*) { + assume false; + } + assume (forall r_9: Ref :: + { Seq#ContainsTrigger((map_domain(res_node_map): Seq Ref), r_9) } { Seq#Contains((map_domain(res_node_map): Seq Ref), r_9) } { res_copy_nodes[(lookup(res_node_map, r_9): Ref)] } + Seq#Contains((map_domain(res_node_map): Seq Ref), r_9) ==> res_copy_nodes[(lookup(res_node_map, r_9): Ref)] + ); + assume state(Heap, Mask); + + // -- Check definedness of (forall r: Ref :: { (r in res_copy_nodes) } (r in res_copy_nodes) ==> acc(r.val, write)) + if (*) { + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource r.val might not be injective. (graph-copy.vpr@154.17--154.68) [497]"} + (forall r_11: Ref, r_11_1: Ref :: + + (((r_11 != r_11_1 && res_copy_nodes[r_11]) && res_copy_nodes[r_11_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> r_11 != r_11_1 + ); + + // -- Define Inverse Function + assume (forall r_11: Ref :: + { Heap[r_11, val] } { QPMask[r_11, val] } { res_copy_nodes[r_11] } + res_copy_nodes[r_11] && NoPerm < FullPerm ==> qpRange19(r_11) && invRecv19(r_11) == r_11 + ); + assume (forall o_3: Ref :: + { invRecv19(o_3) } + (res_copy_nodes[invRecv19(o_3)] && NoPerm < FullPerm) && qpRange19(o_3) ==> invRecv19(o_3) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall r_11: Ref :: + { Heap[r_11, val] } { QPMask[r_11, val] } { res_copy_nodes[r_11] } + res_copy_nodes[r_11] ==> r_11 != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + ((res_copy_nodes[invRecv19(o_3)] && NoPerm < FullPerm) && qpRange19(o_3) ==> (NoPerm < FullPerm ==> invRecv19(o_3) == o_3) && QPMask[o_3, val] == Mask[o_3, val] + FullPerm) && (!((res_copy_nodes[invRecv19(o_3)] && NoPerm < FullPerm) && qpRange19(o_3)) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of (forall r: Ref :: { (r in res_copy_nodes) } (r in res_copy_nodes) ==> acc(r.edges, write)) + if (*) { + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource r.edges might not be injective. (graph-copy.vpr@155.17--155.70) [498]"} + (forall r_13: Ref, r_13_1: Ref :: + + (((r_13 != r_13_1 && res_copy_nodes[r_13]) && res_copy_nodes[r_13_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> r_13 != r_13_1 + ); + + // -- Define Inverse Function + assume (forall r_13: Ref :: + { Heap[r_13, edges] } { QPMask[r_13, edges] } { res_copy_nodes[r_13] } + res_copy_nodes[r_13] && NoPerm < FullPerm ==> qpRange20(r_13) && invRecv20(r_13) == r_13 + ); + assume (forall o_3: Ref :: + { invRecv20(o_3) } + (res_copy_nodes[invRecv20(o_3)] && NoPerm < FullPerm) && qpRange20(o_3) ==> invRecv20(o_3) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall r_13: Ref :: + { Heap[r_13, edges] } { QPMask[r_13, edges] } { res_copy_nodes[r_13] } + res_copy_nodes[r_13] ==> r_13 != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, edges] } + ((res_copy_nodes[invRecv20(o_3)] && NoPerm < FullPerm) && qpRange20(o_3) ==> (NoPerm < FullPerm ==> invRecv20(o_3) == o_3) && QPMask[o_3, edges] == Mask[o_3, edges] + FullPerm) && (!((res_copy_nodes[invRecv20(o_3)] && NoPerm < FullPerm) && qpRange20(o_3)) ==> QPMask[o_3, edges] == Mask[o_3, edges]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != edges ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume false; + } + + // -- Check the loop body + if (*) { + // Reset state + loopHeap := Heap; + loopMask := Mask; + Mask := ZeroMask; + assume state(Heap, Mask); + // Inhale invariant + assume res_copy_nodes[nodeCopy]; + assume setOfRef[this]; + havoc QPMask; + assert {:msg " While statement might fail. Quantified resource x.val might not be injective. (graph-copy.vpr@145.17--145.66) [499]"} + (forall x_54: Ref, x_54_1: Ref :: + + (((x_54 != x_54_1 && setOfRef[x_54]) && setOfRef[x_54_1]) && NoPerm < rd) && NoPerm < rd ==> x_54 != x_54_1 + ); + + // -- Define Inverse Function + assume (forall x_54: Ref :: + { Heap[x_54, val] } { QPMask[x_54, val] } { setOfRef[x_54] } + setOfRef[x_54] && NoPerm < rd ==> qpRange21(x_54) && invRecv21(x_54) == x_54 + ); + assume (forall o_3: Ref :: + { invRecv21(o_3) } + (setOfRef[invRecv21(o_3)] && NoPerm < rd) && qpRange21(o_3) ==> invRecv21(o_3) == o_3 + ); + // Check that permission expression is non-negative for all fields + assert {:msg " While statement might fail. Fraction rd might be negative. (graph-copy.vpr@145.17--145.66) [500]"} + (forall x_54: Ref :: + { Heap[x_54, val] } { QPMask[x_54, val] } { setOfRef[x_54] } + setOfRef[x_54] ==> rd >= NoPerm + ); + + // -- Assume set of fields is nonNull + assume (forall x_54: Ref :: + { Heap[x_54, val] } { QPMask[x_54, val] } { setOfRef[x_54] } + setOfRef[x_54] && rd > NoPerm ==> x_54 != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + ((setOfRef[invRecv21(o_3)] && NoPerm < rd) && qpRange21(o_3) ==> (NoPerm < rd ==> invRecv21(o_3) == o_3) && QPMask[o_3, val] == Mask[o_3, val] + rd) && (!((setOfRef[invRecv21(o_3)] && NoPerm < rd) && qpRange21(o_3)) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume (forall x_55: Ref :: + { setOfRef[x_55] } + setOfRef[x_55] ==> Heap[x_55, val] == old(Heap)[x_55, val] + ); + havoc QPMask; + assert {:msg " While statement might fail. Quantified resource x.edges might not be injective. (graph-copy.vpr@147.17--147.68) [501]"} + (forall x_56: Ref, x_56_1: Ref :: + + (((x_56 != x_56_1 && setOfRef[x_56]) && setOfRef[x_56_1]) && NoPerm < rd) && NoPerm < rd ==> x_56 != x_56_1 + ); + + // -- Define Inverse Function + assume (forall x_56: Ref :: + { Heap[x_56, edges] } { QPMask[x_56, edges] } { setOfRef[x_56] } + setOfRef[x_56] && NoPerm < rd ==> qpRange22(x_56) && invRecv22(x_56) == x_56 + ); + assume (forall o_3: Ref :: + { invRecv22(o_3) } + (setOfRef[invRecv22(o_3)] && NoPerm < rd) && qpRange22(o_3) ==> invRecv22(o_3) == o_3 + ); + // Check that permission expression is non-negative for all fields + assert {:msg " While statement might fail. Fraction rd might be negative. (graph-copy.vpr@147.17--147.68) [502]"} + (forall x_56: Ref :: + { Heap[x_56, edges] } { QPMask[x_56, edges] } { setOfRef[x_56] } + setOfRef[x_56] ==> rd >= NoPerm + ); + + // -- Assume set of fields is nonNull + assume (forall x_56: Ref :: + { Heap[x_56, edges] } { QPMask[x_56, edges] } { setOfRef[x_56] } + setOfRef[x_56] && rd > NoPerm ==> x_56 != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, edges] } + ((setOfRef[invRecv22(o_3)] && NoPerm < rd) && qpRange22(o_3) ==> (NoPerm < rd ==> invRecv22(o_3) == o_3) && QPMask[o_3, edges] == Mask[o_3, edges] + rd) && (!((setOfRef[invRecv22(o_3)] && NoPerm < rd) && qpRange22(o_3)) ==> QPMask[o_3, edges] == Mask[o_3, edges]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != edges ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume (forall x_57: Ref :: + { setOfRef[x_57] } + setOfRef[x_57] ==> Heap[x_57, edges] == old(Heap)[x_57, edges] + ); + assume (forall j_8: int :: + { S[j_8] } { setOfRef[(edge_lookup(Heap[this, edges], j_8): Ref)] } + S[j_8] ==> setOfRef[(edge_lookup(Heap[this, edges], j_8): Ref)] + ); + assume (forall r_14: Ref, j_9: int :: + { setOfRef[r_14], (edges_domain(Heap[r_14, edges]): Set int)[j_9] } { setOfRef[r_14], (edge_lookup(Heap[r_14, edges], j_9): Ref) } { setOfRef[r_14], setOfRef[(edge_lookup(Heap[r_14, edges], j_9): Ref)] } { (edges_domain(Heap[r_14, edges]): Set int), (edge_lookup(Heap[r_14, edges], j_9): Ref) } { (edges_domain(Heap[r_14, edges]): Set int), setOfRef[(edge_lookup(Heap[r_14, edges], j_9): Ref)] } { (edges_domain(Heap[r_14, edges]): Set int)[j_9] } { setOfRef[(edge_lookup(Heap[r_14, edges], j_9): Ref)] } + setOfRef[r_14] && (edges_domain(Heap[r_14, edges]): Set int)[j_9] ==> setOfRef[(edge_lookup(Heap[r_14, edges], j_9): Ref)] + ); + assume Set#Subset(node_map_image, res_copy_nodes); + assume Set#Card(Set#Intersection(setOfRef, res_copy_nodes)) == 0; + assume (forall r_15: Ref :: + { Seq#ContainsTrigger((map_domain(res_node_map): Seq Ref), r_15) } { Seq#Contains((map_domain(res_node_map): Seq Ref), r_15) } { res_copy_nodes[(lookup(res_node_map, r_15): Ref)] } + Seq#Contains((map_domain(res_node_map): Seq Ref), r_15) ==> res_copy_nodes[(lookup(res_node_map, r_15): Ref)] + ); + havoc QPMask; + assert {:msg " While statement might fail. Quantified resource r.val might not be injective. (graph-copy.vpr@154.17--154.68) [503]"} + (forall r_16: Ref, r_16_1: Ref :: + + (((r_16 != r_16_1 && res_copy_nodes[r_16]) && res_copy_nodes[r_16_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> r_16 != r_16_1 + ); + + // -- Define Inverse Function + assume (forall r_16: Ref :: + { Heap[r_16, val] } { QPMask[r_16, val] } { res_copy_nodes[r_16] } + res_copy_nodes[r_16] && NoPerm < FullPerm ==> qpRange23(r_16) && invRecv23(r_16) == r_16 + ); + assume (forall o_3: Ref :: + { invRecv23(o_3) } + (res_copy_nodes[invRecv23(o_3)] && NoPerm < FullPerm) && qpRange23(o_3) ==> invRecv23(o_3) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall r_16: Ref :: + { Heap[r_16, val] } { QPMask[r_16, val] } { res_copy_nodes[r_16] } + res_copy_nodes[r_16] ==> r_16 != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + ((res_copy_nodes[invRecv23(o_3)] && NoPerm < FullPerm) && qpRange23(o_3) ==> (NoPerm < FullPerm ==> invRecv23(o_3) == o_3) && QPMask[o_3, val] == Mask[o_3, val] + FullPerm) && (!((res_copy_nodes[invRecv23(o_3)] && NoPerm < FullPerm) && qpRange23(o_3)) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + havoc QPMask; + assert {:msg " While statement might fail. Quantified resource r.edges might not be injective. (graph-copy.vpr@155.17--155.70) [504]"} + (forall r_17: Ref, r_17_1: Ref :: + + (((r_17 != r_17_1 && res_copy_nodes[r_17]) && res_copy_nodes[r_17_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> r_17 != r_17_1 + ); + + // -- Define Inverse Function + assume (forall r_17: Ref :: + { Heap[r_17, edges] } { QPMask[r_17, edges] } { res_copy_nodes[r_17] } + res_copy_nodes[r_17] && NoPerm < FullPerm ==> qpRange24(r_17) && invRecv24(r_17) == r_17 + ); + assume (forall o_3: Ref :: + { invRecv24(o_3) } + (res_copy_nodes[invRecv24(o_3)] && NoPerm < FullPerm) && qpRange24(o_3) ==> invRecv24(o_3) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall r_17: Ref :: + { Heap[r_17, edges] } { QPMask[r_17, edges] } { res_copy_nodes[r_17] } + res_copy_nodes[r_17] ==> r_17 != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, edges] } + ((res_copy_nodes[invRecv24(o_3)] && NoPerm < FullPerm) && qpRange24(o_3) ==> (NoPerm < FullPerm ==> invRecv24(o_3) == o_3) && QPMask[o_3, edges] == Mask[o_3, edges] + FullPerm) && (!((res_copy_nodes[invRecv24(o_3)] && NoPerm < FullPerm) && qpRange24(o_3)) ==> QPMask[o_3, edges] == Mask[o_3, edges]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != edges ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + // Check and assume guard + assume Set#Card(S) > 0; + assume state(Heap, Mask); + + // -- Translate loop body + + // -- Assumptions about local variables + assume Heap[newNode, $allocated]; + assume Heap[nodeForId, $allocated]; + + // -- Translating statement: S, i := pop(S) -- graph-copy.vpr@157.7--157.21 + PreCallHeap := Heap; + PreCallMask := Mask; + arg_s1 := S; + havoc S, i_6; + + // -- Exhaling precondition + assert {:msg " The precondition of method pop might not hold. Assertion 0 < |S| might not hold. (graph-copy.vpr@157.7--157.21) [505]"} + 0 < Set#Card(arg_s1); + + // -- Inhaling postcondition + assume arg_s1[i_6]; + assume Set#Equal(S, Set#Difference(arg_s1, Set#Singleton(i_6))); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: nodeForId := edge_lookup(this.edges, i) -- graph-copy.vpr@163.7--163.46 + + // -- Check definedness of edge_lookup(this.edges, i) + assert {:msg " Assignment might fail. There might be insufficient permission to access this.edges (graph-copy.vpr@163.7--163.46) [506]"} + HasDirectPerm(Mask, this, edges); + nodeForId := (edge_lookup(Heap[this, edges], i_6): Ref); + assume state(Heap, Mask); + + // -- Translating statement: newNode, res_node_map, res_copy_nodes := graph_copy_rec(nodeForId, res_node_map, + // setOfRef, res_copy_nodes, rd / 2) -- graph-copy.vpr@165.7--165.119 + PreCallHeap := Heap; + PreCallMask := Mask; + arg_node_map := res_node_map; + arg_node_map_image := res_copy_nodes; + arg_rd := rd / 2; + havoc newNode, res_node_map, res_copy_nodes; + + // -- Exhaling precondition + assert {:msg " The precondition of method graph_copy_rec might not hold. Assertion none < rd / 2 might not hold. (graph-copy.vpr@165.7--165.119) [507]"} + NoPerm < arg_rd; + assert {:msg " The precondition of method graph_copy_rec might not hold. Assertion nodeForId != null might not hold. (graph-copy.vpr@165.7--165.119) [508]"} + nodeForId != null; + assert {:msg " The precondition of method graph_copy_rec might not hold. Assertion (nodeForId in setOfRef) might not hold. (graph-copy.vpr@165.7--165.119) [509]"} + setOfRef[nodeForId]; + assert {:msg " The precondition of method graph_copy_rec might not hold. Assertion |(setOfRef intersection res_copy_nodes)| == 0 might not hold. (graph-copy.vpr@165.7--165.119) [510]"} + Set#Card(Set#Intersection(setOfRef, arg_node_map_image)) == 0; + havoc QPMask; + + // -- check that the permission amount is positive + assert {:msg " The precondition of method graph_copy_rec might not hold. Fraction rd / 2 might be negative. (graph-copy.vpr@165.7--165.119) [511]"} + (forall x_58: Ref :: + { Heap[x_58, val] } { QPMask[x_58, val] } { setOfRef[x_58] } + setOfRef[x_58] && dummyFunction(Heap[x_58, val]) ==> arg_rd >= NoPerm + ); + + // -- check if receiver x is injective + assert {:msg " The precondition of method graph_copy_rec might not hold. Quantified resource x.val might not be injective. (graph-copy.vpr@165.7--165.119) [512]"} + (forall x_58: Ref, x_58_1: Ref :: + { neverTriggered25(x_58), neverTriggered25(x_58_1) } + (((x_58 != x_58_1 && setOfRef[x_58]) && setOfRef[x_58_1]) && NoPerm < arg_rd) && NoPerm < arg_rd ==> x_58 != x_58_1 + ); + + // -- check if sufficient permission is held + assert {:msg " The precondition of method graph_copy_rec might not hold. There might be insufficient permission to access x.val (graph-copy.vpr@165.7--165.119) [513]"} + (forall x_58: Ref :: + { Heap[x_58, val] } { QPMask[x_58, val] } { setOfRef[x_58] } + setOfRef[x_58] ==> Mask[x_58, val] >= arg_rd + ); + + // -- assumptions for inverse of receiver x + assume (forall x_58: Ref :: + { Heap[x_58, val] } { QPMask[x_58, val] } { setOfRef[x_58] } + setOfRef[x_58] && NoPerm < arg_rd ==> qpRange25(x_58) && invRecv25(x_58) == x_58 + ); + assume (forall o_3: Ref :: + { invRecv25(o_3) } + setOfRef[invRecv25(o_3)] && (NoPerm < arg_rd && qpRange25(o_3)) ==> invRecv25(o_3) == o_3 + ); + + // -- assume permission updates for field val + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + (setOfRef[invRecv25(o_3)] && (NoPerm < arg_rd && qpRange25(o_3)) ==> invRecv25(o_3) == o_3 && QPMask[o_3, val] == Mask[o_3, val] - arg_rd) && (!(setOfRef[invRecv25(o_3)] && (NoPerm < arg_rd && qpRange25(o_3))) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + havoc QPMask; + + // -- check that the permission amount is positive + assert {:msg " The precondition of method graph_copy_rec might not hold. Fraction rd / 2 might be negative. (graph-copy.vpr@165.7--165.119) [514]"} + (forall x_59: Ref :: + { Heap[x_59, edges] } { QPMask[x_59, edges] } { setOfRef[x_59] } + setOfRef[x_59] && dummyFunction(Heap[x_59, edges]) ==> arg_rd >= NoPerm + ); + + // -- check if receiver x is injective + assert {:msg " The precondition of method graph_copy_rec might not hold. Quantified resource x.edges might not be injective. (graph-copy.vpr@165.7--165.119) [515]"} + (forall x_59: Ref, x_59_1: Ref :: + { neverTriggered26(x_59), neverTriggered26(x_59_1) } + (((x_59 != x_59_1 && setOfRef[x_59]) && setOfRef[x_59_1]) && NoPerm < arg_rd) && NoPerm < arg_rd ==> x_59 != x_59_1 + ); + + // -- check if sufficient permission is held + assert {:msg " The precondition of method graph_copy_rec might not hold. There might be insufficient permission to access x.edges (graph-copy.vpr@165.7--165.119) [516]"} + (forall x_59: Ref :: + { Heap[x_59, edges] } { QPMask[x_59, edges] } { setOfRef[x_59] } + setOfRef[x_59] ==> Mask[x_59, edges] >= arg_rd + ); + + // -- assumptions for inverse of receiver x + assume (forall x_59: Ref :: + { Heap[x_59, edges] } { QPMask[x_59, edges] } { setOfRef[x_59] } + setOfRef[x_59] && NoPerm < arg_rd ==> qpRange26(x_59) && invRecv26(x_59) == x_59 + ); + assume (forall o_3: Ref :: + { invRecv26(o_3) } + setOfRef[invRecv26(o_3)] && (NoPerm < arg_rd && qpRange26(o_3)) ==> invRecv26(o_3) == o_3 + ); + + // -- assume permission updates for field edges + assume (forall o_3: Ref :: + { QPMask[o_3, edges] } + (setOfRef[invRecv26(o_3)] && (NoPerm < arg_rd && qpRange26(o_3)) ==> invRecv26(o_3) == o_3 && QPMask[o_3, edges] == Mask[o_3, edges] - arg_rd) && (!(setOfRef[invRecv26(o_3)] && (NoPerm < arg_rd && qpRange26(o_3))) ==> QPMask[o_3, edges] == Mask[o_3, edges]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != edges ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + if (*) { + if (setOfRef[x_60] && (edges_domain(Heap[x_60, edges]): Set int)[i$0]) { + assert {:msg " The precondition of method graph_copy_rec might not hold. Assertion (edge_lookup(x.edges, i$0) in setOfRef) might not hold. (graph-copy.vpr@165.7--165.119) [517]"} + setOfRef[(edge_lookup(Heap[x_60, edges], i$0): Ref)]; + } + assume false; + } + assume (forall x_61_1: Ref, i$0_1_1: int :: + { setOfRef[x_61_1], (edges_domain(Heap[x_61_1, edges]): Set int)[i$0_1_1] } { setOfRef[x_61_1], (edge_lookup(Heap[x_61_1, edges], i$0_1_1): Ref) } { setOfRef[x_61_1], setOfRef[(edge_lookup(Heap[x_61_1, edges], i$0_1_1): Ref)] } { (edges_domain(Heap[x_61_1, edges]): Set int), (edge_lookup(Heap[x_61_1, edges], i$0_1_1): Ref) } { (edges_domain(Heap[x_61_1, edges]): Set int), setOfRef[(edge_lookup(Heap[x_61_1, edges], i$0_1_1): Ref)] } { (edges_domain(Heap[x_61_1, edges]): Set int)[i$0_1_1] } { setOfRef[(edge_lookup(Heap[x_61_1, edges], i$0_1_1): Ref)] } + setOfRef[x_61_1] && (edges_domain(Heap[x_61_1, edges]): Set int)[i$0_1_1] ==> setOfRef[(edge_lookup(Heap[x_61_1, edges], i$0_1_1): Ref)] + ); + if (*) { + if (Seq#Contains((map_domain(arg_node_map): Seq Ref), x_62)) { + assert {:msg " The precondition of method graph_copy_rec might not hold. Assertion (lookup(res_node_map, x) in res_copy_nodes) might not hold. (graph-copy.vpr@165.7--165.119) [518]"} + arg_node_map_image[(lookup(arg_node_map, x_62): Ref)]; + } + assume false; + } + assume (forall x_63_1: Ref :: + { Seq#ContainsTrigger((map_domain(arg_node_map): Seq Ref), x_63_1) } { Seq#Contains((map_domain(arg_node_map): Seq Ref), x_63_1) } { arg_node_map_image[(lookup(arg_node_map, x_63_1): Ref)] } + Seq#Contains((map_domain(arg_node_map): Seq Ref), x_63_1) ==> arg_node_map_image[(lookup(arg_node_map, x_63_1): Ref)] + ); + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver x is injective + assert {:msg " The precondition of method graph_copy_rec might not hold. Quantified resource x.val might not be injective. (graph-copy.vpr@165.7--165.119) [519]"} + (forall x_64: Ref, x_64_1: Ref :: + { neverTriggered27(x_64), neverTriggered27(x_64_1) } + (((x_64 != x_64_1 && arg_node_map_image[x_64]) && arg_node_map_image[x_64_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> x_64 != x_64_1 + ); + + // -- check if sufficient permission is held + assert {:msg " The precondition of method graph_copy_rec might not hold. There might be insufficient permission to access x.val (graph-copy.vpr@165.7--165.119) [520]"} + (forall x_64: Ref :: + { Heap[x_64, val] } { QPMask[x_64, val] } { arg_node_map_image[x_64] } + arg_node_map_image[x_64] ==> Mask[x_64, val] >= FullPerm + ); + + // -- assumptions for inverse of receiver x + assume (forall x_64: Ref :: + { Heap[x_64, val] } { QPMask[x_64, val] } { arg_node_map_image[x_64] } + arg_node_map_image[x_64] && NoPerm < FullPerm ==> qpRange27(x_64) && invRecv27(x_64) == x_64 + ); + assume (forall o_3: Ref :: + { invRecv27(o_3) } + arg_node_map_image[invRecv27(o_3)] && (NoPerm < FullPerm && qpRange27(o_3)) ==> invRecv27(o_3) == o_3 + ); + + // -- assume permission updates for field val + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + (arg_node_map_image[invRecv27(o_3)] && (NoPerm < FullPerm && qpRange27(o_3)) ==> invRecv27(o_3) == o_3 && QPMask[o_3, val] == Mask[o_3, val] - FullPerm) && (!(arg_node_map_image[invRecv27(o_3)] && (NoPerm < FullPerm && qpRange27(o_3))) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver x is injective + assert {:msg " The precondition of method graph_copy_rec might not hold. Quantified resource x.edges might not be injective. (graph-copy.vpr@165.7--165.119) [521]"} + (forall x_65: Ref, x_65_1: Ref :: + { neverTriggered28(x_65), neverTriggered28(x_65_1) } + (((x_65 != x_65_1 && arg_node_map_image[x_65]) && arg_node_map_image[x_65_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> x_65 != x_65_1 + ); + + // -- check if sufficient permission is held + assert {:msg " The precondition of method graph_copy_rec might not hold. There might be insufficient permission to access x.edges (graph-copy.vpr@165.7--165.119) [522]"} + (forall x_65: Ref :: + { Heap[x_65, edges] } { QPMask[x_65, edges] } { arg_node_map_image[x_65] } + arg_node_map_image[x_65] ==> Mask[x_65, edges] >= FullPerm + ); + + // -- assumptions for inverse of receiver x + assume (forall x_65: Ref :: + { Heap[x_65, edges] } { QPMask[x_65, edges] } { arg_node_map_image[x_65] } + arg_node_map_image[x_65] && NoPerm < FullPerm ==> qpRange28(x_65) && invRecv28(x_65) == x_65 + ); + assume (forall o_3: Ref :: + { invRecv28(o_3) } + arg_node_map_image[invRecv28(o_3)] && (NoPerm < FullPerm && qpRange28(o_3)) ==> invRecv28(o_3) == o_3 + ); + + // -- assume permission updates for field edges + assume (forall o_3: Ref :: + { QPMask[o_3, edges] } + (arg_node_map_image[invRecv28(o_3)] && (NoPerm < FullPerm && qpRange28(o_3)) ==> invRecv28(o_3) == o_3 && QPMask[o_3, edges] == Mask[o_3, edges] - FullPerm) && (!(arg_node_map_image[invRecv28(o_3)] && (NoPerm < FullPerm && qpRange28(o_3))) ==> QPMask[o_3, edges] == Mask[o_3, edges]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != edges ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + + // -- Inhaling postcondition + assume newNode != null; + assume res_copy_nodes[newNode]; + assume Set#Card(Set#Intersection(setOfRef, res_copy_nodes)) == 0; + havoc QPMask; + assert {:msg " Method call might fail. Quantified resource x.val might not be injective. (graph-copy.vpr@165.7--165.119) [523]"} + (forall x_66: Ref, x_66_1: Ref :: + + (((x_66 != x_66_1 && setOfRef[x_66]) && setOfRef[x_66_1]) && NoPerm < arg_rd) && NoPerm < arg_rd ==> x_66 != x_66_1 + ); + + // -- Define Inverse Function + assume (forall x_66: Ref :: + { Heap[x_66, val] } { QPMask[x_66, val] } { setOfRef[x_66] } + setOfRef[x_66] && NoPerm < arg_rd ==> qpRange29(x_66) && invRecv29(x_66) == x_66 + ); + assume (forall o_3: Ref :: + { invRecv29(o_3) } + (setOfRef[invRecv29(o_3)] && NoPerm < arg_rd) && qpRange29(o_3) ==> invRecv29(o_3) == o_3 + ); + // Check that permission expression is non-negative for all fields + assert {:msg " Method call might fail. Fraction rd / 2 might be negative. (graph-copy.vpr@165.7--165.119) [524]"} + (forall x_66: Ref :: + { Heap[x_66, val] } { QPMask[x_66, val] } { setOfRef[x_66] } + setOfRef[x_66] ==> arg_rd >= NoPerm + ); + + // -- Assume set of fields is nonNull + assume (forall x_66: Ref :: + { Heap[x_66, val] } { QPMask[x_66, val] } { setOfRef[x_66] } + setOfRef[x_66] && arg_rd > NoPerm ==> x_66 != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + ((setOfRef[invRecv29(o_3)] && NoPerm < arg_rd) && qpRange29(o_3) ==> (NoPerm < arg_rd ==> invRecv29(o_3) == o_3) && QPMask[o_3, val] == Mask[o_3, val] + arg_rd) && (!((setOfRef[invRecv29(o_3)] && NoPerm < arg_rd) && qpRange29(o_3)) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume (forall x_67: Ref :: + { setOfRef[x_67] } + setOfRef[x_67] ==> Heap[x_67, val] == old(PreCallHeap)[x_67, val] + ); + havoc QPMask; + assert {:msg " Method call might fail. Quantified resource x.edges might not be injective. (graph-copy.vpr@165.7--165.119) [525]"} + (forall x_68: Ref, x_68_1: Ref :: + + (((x_68 != x_68_1 && setOfRef[x_68]) && setOfRef[x_68_1]) && NoPerm < arg_rd) && NoPerm < arg_rd ==> x_68 != x_68_1 + ); + + // -- Define Inverse Function + assume (forall x_68: Ref :: + { Heap[x_68, edges] } { QPMask[x_68, edges] } { setOfRef[x_68] } + setOfRef[x_68] && NoPerm < arg_rd ==> qpRange30(x_68) && invRecv30(x_68) == x_68 + ); + assume (forall o_3: Ref :: + { invRecv30(o_3) } + (setOfRef[invRecv30(o_3)] && NoPerm < arg_rd) && qpRange30(o_3) ==> invRecv30(o_3) == o_3 + ); + // Check that permission expression is non-negative for all fields + assert {:msg " Method call might fail. Fraction rd / 2 might be negative. (graph-copy.vpr@165.7--165.119) [526]"} + (forall x_68: Ref :: + { Heap[x_68, edges] } { QPMask[x_68, edges] } { setOfRef[x_68] } + setOfRef[x_68] ==> arg_rd >= NoPerm + ); + + // -- Assume set of fields is nonNull + assume (forall x_68: Ref :: + { Heap[x_68, edges] } { QPMask[x_68, edges] } { setOfRef[x_68] } + setOfRef[x_68] && arg_rd > NoPerm ==> x_68 != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, edges] } + ((setOfRef[invRecv30(o_3)] && NoPerm < arg_rd) && qpRange30(o_3) ==> (NoPerm < arg_rd ==> invRecv30(o_3) == o_3) && QPMask[o_3, edges] == Mask[o_3, edges] + arg_rd) && (!((setOfRef[invRecv30(o_3)] && NoPerm < arg_rd) && qpRange30(o_3)) ==> QPMask[o_3, edges] == Mask[o_3, edges]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != edges ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume (forall x_69: Ref :: + { setOfRef[x_69] } + setOfRef[x_69] ==> Heap[x_69, edges] == old(PreCallHeap)[x_69, edges] + ); + assume (forall x_70: Ref, i$0_2: int :: + { setOfRef[x_70], (edges_domain(Heap[x_70, edges]): Set int)[i$0_2] } { setOfRef[x_70], (edge_lookup(Heap[x_70, edges], i$0_2): Ref) } { setOfRef[x_70], setOfRef[(edge_lookup(Heap[x_70, edges], i$0_2): Ref)] } { (edges_domain(Heap[x_70, edges]): Set int), (edge_lookup(Heap[x_70, edges], i$0_2): Ref) } { (edges_domain(Heap[x_70, edges]): Set int), setOfRef[(edge_lookup(Heap[x_70, edges], i$0_2): Ref)] } { (edges_domain(Heap[x_70, edges]): Set int)[i$0_2] } { setOfRef[(edge_lookup(Heap[x_70, edges], i$0_2): Ref)] } + setOfRef[x_70] && (edges_domain(Heap[x_70, edges]): Set int)[i$0_2] ==> setOfRef[(edge_lookup(Heap[x_70, edges], i$0_2): Ref)] + ); + assume Set#Equal(res_copy_nodes, Set#Union(res_copy_nodes, arg_node_map_image)); + assume (forall x_71: Ref :: + { Seq#ContainsTrigger((map_domain(res_node_map): Seq Ref), x_71) } { Seq#Contains((map_domain(res_node_map): Seq Ref), x_71) } { res_copy_nodes[(lookup(res_node_map, x_71): Ref)] } + Seq#Contains((map_domain(res_node_map): Seq Ref), x_71) ==> res_copy_nodes[(lookup(res_node_map, x_71): Ref)] + ); + havoc QPMask; + assert {:msg " Method call might fail. Quantified resource x.val might not be injective. (graph-copy.vpr@165.7--165.119) [527]"} + (forall x_72: Ref, x_72_1: Ref :: + + (((x_72 != x_72_1 && res_copy_nodes[x_72]) && res_copy_nodes[x_72_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> x_72 != x_72_1 + ); + + // -- Define Inverse Function + assume (forall x_72: Ref :: + { Heap[x_72, val] } { QPMask[x_72, val] } { res_copy_nodes[x_72] } + res_copy_nodes[x_72] && NoPerm < FullPerm ==> qpRange31(x_72) && invRecv31(x_72) == x_72 + ); + assume (forall o_3: Ref :: + { invRecv31(o_3) } + (res_copy_nodes[invRecv31(o_3)] && NoPerm < FullPerm) && qpRange31(o_3) ==> invRecv31(o_3) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall x_72: Ref :: + { Heap[x_72, val] } { QPMask[x_72, val] } { res_copy_nodes[x_72] } + res_copy_nodes[x_72] ==> x_72 != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + ((res_copy_nodes[invRecv31(o_3)] && NoPerm < FullPerm) && qpRange31(o_3) ==> (NoPerm < FullPerm ==> invRecv31(o_3) == o_3) && QPMask[o_3, val] == Mask[o_3, val] + FullPerm) && (!((res_copy_nodes[invRecv31(o_3)] && NoPerm < FullPerm) && qpRange31(o_3)) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + havoc QPMask; + assert {:msg " Method call might fail. Quantified resource x.edges might not be injective. (graph-copy.vpr@165.7--165.119) [528]"} + (forall x_73: Ref, x_73_1: Ref :: + + (((x_73 != x_73_1 && res_copy_nodes[x_73]) && res_copy_nodes[x_73_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> x_73 != x_73_1 + ); + + // -- Define Inverse Function + assume (forall x_73: Ref :: + { Heap[x_73, edges] } { QPMask[x_73, edges] } { res_copy_nodes[x_73] } + res_copy_nodes[x_73] && NoPerm < FullPerm ==> qpRange32(x_73) && invRecv32(x_73) == x_73 + ); + assume (forall o_3: Ref :: + { invRecv32(o_3) } + (res_copy_nodes[invRecv32(o_3)] && NoPerm < FullPerm) && qpRange32(o_3) ==> invRecv32(o_3) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall x_73: Ref :: + { Heap[x_73, edges] } { QPMask[x_73, edges] } { res_copy_nodes[x_73] } + res_copy_nodes[x_73] ==> x_73 != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, edges] } + ((res_copy_nodes[invRecv32(o_3)] && NoPerm < FullPerm) && qpRange32(o_3) ==> (NoPerm < FullPerm ==> invRecv32(o_3) == o_3) && QPMask[o_3, edges] == Mask[o_3, edges] + FullPerm) && (!((res_copy_nodes[invRecv32(o_3)] && NoPerm < FullPerm) && qpRange32(o_3)) ==> QPMask[o_3, edges] == Mask[o_3, edges]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != edges ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume Heap[newNode, $allocated]; + assume state(Heap, Mask); + + // -- Translating statement: nodeCopy.edges := insert_edge(nodeCopy.edges, i, newNode) -- graph-copy.vpr@167.7--167.64 + + // -- Check definedness of insert_edge(nodeCopy.edges, i, newNode) + assert {:msg " Assignment might fail. There might be insufficient permission to access nodeCopy.edges (graph-copy.vpr@167.7--167.64) [529]"} + HasDirectPerm(Mask, nodeCopy, edges); + assert {:msg " Assignment might fail. There might be insufficient permission to access nodeCopy.edges (graph-copy.vpr@167.7--167.64) [530]"} + FullPerm == Mask[nodeCopy, edges]; + Heap[nodeCopy, edges] := (insert_edge(Heap[nodeCopy, edges], i_6, newNode): IEdgesDomainType); + assume state(Heap, Mask); + // Exhale invariant + assert {:msg " Loop invariant (nodeCopy in res_copy_nodes) might not be preserved. Assertion (nodeCopy in res_copy_nodes) might not hold. (graph-copy.vpr@143.17--143.43) [531]"} + res_copy_nodes[nodeCopy]; + assert {:msg " Loop invariant (this in setOfRef) might not be preserved. Assertion (this in setOfRef) might not hold. (graph-copy.vpr@144.17--144.33) [532]"} + setOfRef[this]; + havoc QPMask; + + // -- check that the permission amount is positive + assert {:msg " Loop invariant (forall x: Ref :: { (x in setOfRef) } (x in setOfRef) ==> acc(x.val, rd)) might not be preserved. Fraction rd might be negative. (graph-copy.vpr@145.17--145.66) [533]"} + (forall x_74: Ref :: + { Heap[x_74, val] } { QPMask[x_74, val] } { setOfRef[x_74] } + setOfRef[x_74] && dummyFunction(Heap[x_74, val]) ==> rd >= NoPerm + ); + + // -- check if receiver x is injective + assert {:msg " Loop invariant (forall x: Ref :: { (x in setOfRef) } (x in setOfRef) ==> acc(x.val, rd)) might not be preserved. Quantified resource x.val might not be injective. (graph-copy.vpr@145.17--145.66) [534]"} + (forall x_74: Ref, x_74_1: Ref :: + { neverTriggered33(x_74), neverTriggered33(x_74_1) } + (((x_74 != x_74_1 && setOfRef[x_74]) && setOfRef[x_74_1]) && NoPerm < rd) && NoPerm < rd ==> x_74 != x_74_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Loop invariant (forall x: Ref :: { (x in setOfRef) } (x in setOfRef) ==> acc(x.val, rd)) might not be preserved. There might be insufficient permission to access x.val (graph-copy.vpr@145.17--145.66) [535]"} + (forall x_74: Ref :: + { Heap[x_74, val] } { QPMask[x_74, val] } { setOfRef[x_74] } + setOfRef[x_74] ==> Mask[x_74, val] >= rd + ); + + // -- assumptions for inverse of receiver x + assume (forall x_74: Ref :: + { Heap[x_74, val] } { QPMask[x_74, val] } { setOfRef[x_74] } + setOfRef[x_74] && NoPerm < rd ==> qpRange33(x_74) && invRecv33(x_74) == x_74 + ); + assume (forall o_3: Ref :: + { invRecv33(o_3) } + setOfRef[invRecv33(o_3)] && (NoPerm < rd && qpRange33(o_3)) ==> invRecv33(o_3) == o_3 + ); + + // -- assume permission updates for field val + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + (setOfRef[invRecv33(o_3)] && (NoPerm < rd && qpRange33(o_3)) ==> invRecv33(o_3) == o_3 && QPMask[o_3, val] == Mask[o_3, val] - rd) && (!(setOfRef[invRecv33(o_3)] && (NoPerm < rd && qpRange33(o_3))) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + if (*) { + if (setOfRef[x_75]) { + assert {:msg " Loop invariant (forall x: Ref :: { (x in setOfRef) } (x in setOfRef) ==> x.val == old(x.val)) might not be preserved. Assertion x.val == old(x.val) might not hold. (graph-copy.vpr@146.17--146.71) [536]"} + Heap[x_75, val] == old(Heap)[x_75, val]; + } + assume false; + } + assume (forall x_76_1: Ref :: + { setOfRef[x_76_1] } + setOfRef[x_76_1] ==> Heap[x_76_1, val] == old(Heap)[x_76_1, val] + ); + havoc QPMask; + + // -- check that the permission amount is positive + assert {:msg " Loop invariant (forall x: Ref :: { (x in setOfRef) } (x in setOfRef) ==> acc(x.edges, rd)) might not be preserved. Fraction rd might be negative. (graph-copy.vpr@147.17--147.68) [537]"} + (forall x_77: Ref :: + { Heap[x_77, edges] } { QPMask[x_77, edges] } { setOfRef[x_77] } + setOfRef[x_77] && dummyFunction(Heap[x_77, edges]) ==> rd >= NoPerm + ); + + // -- check if receiver x is injective + assert {:msg " Loop invariant (forall x: Ref :: { (x in setOfRef) } (x in setOfRef) ==> acc(x.edges, rd)) might not be preserved. Quantified resource x.edges might not be injective. (graph-copy.vpr@147.17--147.68) [538]"} + (forall x_77: Ref, x_77_1: Ref :: + { neverTriggered34(x_77), neverTriggered34(x_77_1) } + (((x_77 != x_77_1 && setOfRef[x_77]) && setOfRef[x_77_1]) && NoPerm < rd) && NoPerm < rd ==> x_77 != x_77_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Loop invariant (forall x: Ref :: { (x in setOfRef) } (x in setOfRef) ==> acc(x.edges, rd)) might not be preserved. There might be insufficient permission to access x.edges (graph-copy.vpr@147.17--147.68) [539]"} + (forall x_77: Ref :: + { Heap[x_77, edges] } { QPMask[x_77, edges] } { setOfRef[x_77] } + setOfRef[x_77] ==> Mask[x_77, edges] >= rd + ); + + // -- assumptions for inverse of receiver x + assume (forall x_77: Ref :: + { Heap[x_77, edges] } { QPMask[x_77, edges] } { setOfRef[x_77] } + setOfRef[x_77] && NoPerm < rd ==> qpRange34(x_77) && invRecv34(x_77) == x_77 + ); + assume (forall o_3: Ref :: + { invRecv34(o_3) } + setOfRef[invRecv34(o_3)] && (NoPerm < rd && qpRange34(o_3)) ==> invRecv34(o_3) == o_3 + ); + + // -- assume permission updates for field edges + assume (forall o_3: Ref :: + { QPMask[o_3, edges] } + (setOfRef[invRecv34(o_3)] && (NoPerm < rd && qpRange34(o_3)) ==> invRecv34(o_3) == o_3 && QPMask[o_3, edges] == Mask[o_3, edges] - rd) && (!(setOfRef[invRecv34(o_3)] && (NoPerm < rd && qpRange34(o_3))) ==> QPMask[o_3, edges] == Mask[o_3, edges]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != edges ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + if (*) { + if (setOfRef[x_78]) { + assert {:msg " Loop invariant (forall x: Ref :: { (x in setOfRef) } (x in setOfRef) ==> x.edges == old(x.edges)) might not be preserved. Assertion x.edges == old(x.edges) might not hold. (graph-copy.vpr@148.17--148.75) [540]"} + Heap[x_78, edges] == old(Heap)[x_78, edges]; + } + assume false; + } + assume (forall x_79_1: Ref :: + { setOfRef[x_79_1] } + setOfRef[x_79_1] ==> Heap[x_79_1, edges] == old(Heap)[x_79_1, edges] + ); + if (*) { + if (S[j_10]) { + assert {:msg " Loop invariant (forall j: Int :: { (j in S) } { (edge_lookup(this.edges, j) in setOfRef) } (j in S) ==> (edge_lookup(this.edges, j) in setOfRef)) might not be preserved. Assertion (edge_lookup(this.edges, j) in setOfRef) might not hold. (graph-copy.vpr@149.17--149.83) [541]"} + setOfRef[(edge_lookup(Heap[this, edges], j_10): Ref)]; + } + assume false; + } + assume (forall j_11_1: int :: + { S[j_11_1] } { setOfRef[(edge_lookup(Heap[this, edges], j_11_1): Ref)] } + S[j_11_1] ==> setOfRef[(edge_lookup(Heap[this, edges], j_11_1): Ref)] + ); + if (*) { + if (setOfRef[r_18] && (edges_domain(Heap[r_18, edges]): Set int)[j_12]) { + assert {:msg " Loop invariant (forall r: Ref, j: Int :: { (r in setOfRef), (j in edges_domain(r.edges)) } { (r in setOfRef), edge_lookup(r.edges, j) } { (r in setOfRef), (edge_lookup(r.edges, j) in setOfRef) } { edges_domain(r.edges), edge_lookup(r.edges, j) } { edges_domain(r.edges), (edge_lookup(r.edges, j) in setOfRef) } { (j in edges_domain(r.edges)) } { (edge_lookup(r.edges, j) in setOfRef) } (r in setOfRef) && (j in edges_domain(r.edges)) ==> (edge_lookup(r.edges, j) in setOfRef)) might not be preserved. Assertion (edge_lookup(r.edges, j) in setOfRef) might not hold. (graph-copy.vpr@150.17--150.125) [542]"} + setOfRef[(edge_lookup(Heap[r_18, edges], j_12): Ref)]; + } + assume false; + } + assume (forall r_19_1: Ref, j_13_1: int :: + { setOfRef[r_19_1], (edges_domain(Heap[r_19_1, edges]): Set int)[j_13_1] } { setOfRef[r_19_1], (edge_lookup(Heap[r_19_1, edges], j_13_1): Ref) } { setOfRef[r_19_1], setOfRef[(edge_lookup(Heap[r_19_1, edges], j_13_1): Ref)] } { (edges_domain(Heap[r_19_1, edges]): Set int), (edge_lookup(Heap[r_19_1, edges], j_13_1): Ref) } { (edges_domain(Heap[r_19_1, edges]): Set int), setOfRef[(edge_lookup(Heap[r_19_1, edges], j_13_1): Ref)] } { (edges_domain(Heap[r_19_1, edges]): Set int)[j_13_1] } { setOfRef[(edge_lookup(Heap[r_19_1, edges], j_13_1): Ref)] } + setOfRef[r_19_1] && (edges_domain(Heap[r_19_1, edges]): Set int)[j_13_1] ==> setOfRef[(edge_lookup(Heap[r_19_1, edges], j_13_1): Ref)] + ); + assert {:msg " Loop invariant (node_map_image subset res_copy_nodes) might not be preserved. Assertion (node_map_image subset res_copy_nodes) might not hold. (graph-copy.vpr@151.32--151.53) [543]"} + Set#Subset(node_map_image, res_copy_nodes); + assert {:msg " Loop invariant |(setOfRef intersection res_copy_nodes)| == 0 might not be preserved. Assertion |(setOfRef intersection res_copy_nodes)| == 0 might not hold. (graph-copy.vpr@152.17--152.60) [544]"} + Set#Card(Set#Intersection(setOfRef, res_copy_nodes)) == 0; + if (*) { + if (Seq#Contains((map_domain(res_node_map): Seq Ref), r_20)) { + assert {:msg " Loop invariant (forall r: Ref :: { (r in map_domain(res_node_map)) } { (lookup(res_node_map, r) in res_copy_nodes) } (r in map_domain(res_node_map)) ==> (lookup(res_node_map, r) in res_copy_nodes)) might not be preserved. Assertion (lookup(res_node_map, r) in res_copy_nodes) might not hold. (graph-copy.vpr@153.17--153.108) [545]"} + res_copy_nodes[(lookup(res_node_map, r_20): Ref)]; + } + assume false; + } + assume (forall r_21_1: Ref :: + { Seq#ContainsTrigger((map_domain(res_node_map): Seq Ref), r_21_1) } { Seq#Contains((map_domain(res_node_map): Seq Ref), r_21_1) } { res_copy_nodes[(lookup(res_node_map, r_21_1): Ref)] } + Seq#Contains((map_domain(res_node_map): Seq Ref), r_21_1) ==> res_copy_nodes[(lookup(res_node_map, r_21_1): Ref)] + ); + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver r is injective + assert {:msg " Loop invariant (forall r: Ref :: { (r in res_copy_nodes) } (r in res_copy_nodes) ==> acc(r.val, write)) might not be preserved. Quantified resource r.val might not be injective. (graph-copy.vpr@154.17--154.68) [546]"} + (forall r_22: Ref, r_22_1: Ref :: + { neverTriggered35(r_22), neverTriggered35(r_22_1) } + (((r_22 != r_22_1 && res_copy_nodes[r_22]) && res_copy_nodes[r_22_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> r_22 != r_22_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Loop invariant (forall r: Ref :: { (r in res_copy_nodes) } (r in res_copy_nodes) ==> acc(r.val, write)) might not be preserved. There might be insufficient permission to access r.val (graph-copy.vpr@154.17--154.68) [547]"} + (forall r_22: Ref :: + { Heap[r_22, val] } { QPMask[r_22, val] } { res_copy_nodes[r_22] } + res_copy_nodes[r_22] ==> Mask[r_22, val] >= FullPerm + ); + + // -- assumptions for inverse of receiver r + assume (forall r_22: Ref :: + { Heap[r_22, val] } { QPMask[r_22, val] } { res_copy_nodes[r_22] } + res_copy_nodes[r_22] && NoPerm < FullPerm ==> qpRange35(r_22) && invRecv35(r_22) == r_22 + ); + assume (forall o_3: Ref :: + { invRecv35(o_3) } + res_copy_nodes[invRecv35(o_3)] && (NoPerm < FullPerm && qpRange35(o_3)) ==> invRecv35(o_3) == o_3 + ); + + // -- assume permission updates for field val + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + (res_copy_nodes[invRecv35(o_3)] && (NoPerm < FullPerm && qpRange35(o_3)) ==> invRecv35(o_3) == o_3 && QPMask[o_3, val] == Mask[o_3, val] - FullPerm) && (!(res_copy_nodes[invRecv35(o_3)] && (NoPerm < FullPerm && qpRange35(o_3))) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver r is injective + assert {:msg " Loop invariant (forall r: Ref :: { (r in res_copy_nodes) } (r in res_copy_nodes) ==> acc(r.edges, write)) might not be preserved. Quantified resource r.edges might not be injective. (graph-copy.vpr@155.17--155.70) [548]"} + (forall r_23: Ref, r_23_1: Ref :: + { neverTriggered36(r_23), neverTriggered36(r_23_1) } + (((r_23 != r_23_1 && res_copy_nodes[r_23]) && res_copy_nodes[r_23_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> r_23 != r_23_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Loop invariant (forall r: Ref :: { (r in res_copy_nodes) } (r in res_copy_nodes) ==> acc(r.edges, write)) might not be preserved. There might be insufficient permission to access r.edges (graph-copy.vpr@155.17--155.70) [549]"} + (forall r_23: Ref :: + { Heap[r_23, edges] } { QPMask[r_23, edges] } { res_copy_nodes[r_23] } + res_copy_nodes[r_23] ==> Mask[r_23, edges] >= FullPerm + ); + + // -- assumptions for inverse of receiver r + assume (forall r_23: Ref :: + { Heap[r_23, edges] } { QPMask[r_23, edges] } { res_copy_nodes[r_23] } + res_copy_nodes[r_23] && NoPerm < FullPerm ==> qpRange36(r_23) && invRecv36(r_23) == r_23 + ); + assume (forall o_3: Ref :: + { invRecv36(o_3) } + res_copy_nodes[invRecv36(o_3)] && (NoPerm < FullPerm && qpRange36(o_3)) ==> invRecv36(o_3) == o_3 + ); + + // -- assume permission updates for field edges + assume (forall o_3: Ref :: + { QPMask[o_3, edges] } + (res_copy_nodes[invRecv36(o_3)] && (NoPerm < FullPerm && qpRange36(o_3)) ==> invRecv36(o_3) == o_3 && QPMask[o_3, edges] == Mask[o_3, edges] - FullPerm) && (!(res_copy_nodes[invRecv36(o_3)] && (NoPerm < FullPerm && qpRange36(o_3))) ==> QPMask[o_3, edges] == Mask[o_3, edges]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != edges ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Terminate execution + assume false; + } + + // -- Inhale loop invariant after loop, and assume guard + assume !(Set#Card(S) > 0); + assume state(Heap, Mask); + assume res_copy_nodes[nodeCopy]; + assume setOfRef[this]; + havoc QPMask; + assert {:msg " While statement might fail. Quantified resource x.val might not be injective. (graph-copy.vpr@145.17--145.66) [550]"} + (forall x_80: Ref, x_80_1: Ref :: + + (((x_80 != x_80_1 && setOfRef[x_80]) && setOfRef[x_80_1]) && NoPerm < rd) && NoPerm < rd ==> x_80 != x_80_1 + ); + + // -- Define Inverse Function + assume (forall x_80: Ref :: + { Heap[x_80, val] } { QPMask[x_80, val] } { setOfRef[x_80] } + setOfRef[x_80] && NoPerm < rd ==> qpRange37(x_80) && invRecv37(x_80) == x_80 + ); + assume (forall o_3: Ref :: + { invRecv37(o_3) } + (setOfRef[invRecv37(o_3)] && NoPerm < rd) && qpRange37(o_3) ==> invRecv37(o_3) == o_3 + ); + // Check that permission expression is non-negative for all fields + assert {:msg " While statement might fail. Fraction rd might be negative. (graph-copy.vpr@145.17--145.66) [551]"} + (forall x_80: Ref :: + { Heap[x_80, val] } { QPMask[x_80, val] } { setOfRef[x_80] } + setOfRef[x_80] ==> rd >= NoPerm + ); + + // -- Assume set of fields is nonNull + assume (forall x_80: Ref :: + { Heap[x_80, val] } { QPMask[x_80, val] } { setOfRef[x_80] } + setOfRef[x_80] && rd > NoPerm ==> x_80 != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + ((setOfRef[invRecv37(o_3)] && NoPerm < rd) && qpRange37(o_3) ==> (NoPerm < rd ==> invRecv37(o_3) == o_3) && QPMask[o_3, val] == Mask[o_3, val] + rd) && (!((setOfRef[invRecv37(o_3)] && NoPerm < rd) && qpRange37(o_3)) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume (forall x_81: Ref :: + { setOfRef[x_81] } + setOfRef[x_81] ==> Heap[x_81, val] == old(Heap)[x_81, val] + ); + havoc QPMask; + assert {:msg " While statement might fail. Quantified resource x.edges might not be injective. (graph-copy.vpr@147.17--147.68) [552]"} + (forall x_82: Ref, x_82_1: Ref :: + + (((x_82 != x_82_1 && setOfRef[x_82]) && setOfRef[x_82_1]) && NoPerm < rd) && NoPerm < rd ==> x_82 != x_82_1 + ); + + // -- Define Inverse Function + assume (forall x_82: Ref :: + { Heap[x_82, edges] } { QPMask[x_82, edges] } { setOfRef[x_82] } + setOfRef[x_82] && NoPerm < rd ==> qpRange38(x_82) && invRecv38(x_82) == x_82 + ); + assume (forall o_3: Ref :: + { invRecv38(o_3) } + (setOfRef[invRecv38(o_3)] && NoPerm < rd) && qpRange38(o_3) ==> invRecv38(o_3) == o_3 + ); + // Check that permission expression is non-negative for all fields + assert {:msg " While statement might fail. Fraction rd might be negative. (graph-copy.vpr@147.17--147.68) [553]"} + (forall x_82: Ref :: + { Heap[x_82, edges] } { QPMask[x_82, edges] } { setOfRef[x_82] } + setOfRef[x_82] ==> rd >= NoPerm + ); + + // -- Assume set of fields is nonNull + assume (forall x_82: Ref :: + { Heap[x_82, edges] } { QPMask[x_82, edges] } { setOfRef[x_82] } + setOfRef[x_82] && rd > NoPerm ==> x_82 != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, edges] } + ((setOfRef[invRecv38(o_3)] && NoPerm < rd) && qpRange38(o_3) ==> (NoPerm < rd ==> invRecv38(o_3) == o_3) && QPMask[o_3, edges] == Mask[o_3, edges] + rd) && (!((setOfRef[invRecv38(o_3)] && NoPerm < rd) && qpRange38(o_3)) ==> QPMask[o_3, edges] == Mask[o_3, edges]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != edges ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume (forall x_83: Ref :: + { setOfRef[x_83] } + setOfRef[x_83] ==> Heap[x_83, edges] == old(Heap)[x_83, edges] + ); + assume (forall j_14: int :: + { S[j_14] } { setOfRef[(edge_lookup(Heap[this, edges], j_14): Ref)] } + S[j_14] ==> setOfRef[(edge_lookup(Heap[this, edges], j_14): Ref)] + ); + assume (forall r_24: Ref, j_15: int :: + { setOfRef[r_24], (edges_domain(Heap[r_24, edges]): Set int)[j_15] } { setOfRef[r_24], (edge_lookup(Heap[r_24, edges], j_15): Ref) } { setOfRef[r_24], setOfRef[(edge_lookup(Heap[r_24, edges], j_15): Ref)] } { (edges_domain(Heap[r_24, edges]): Set int), (edge_lookup(Heap[r_24, edges], j_15): Ref) } { (edges_domain(Heap[r_24, edges]): Set int), setOfRef[(edge_lookup(Heap[r_24, edges], j_15): Ref)] } { (edges_domain(Heap[r_24, edges]): Set int)[j_15] } { setOfRef[(edge_lookup(Heap[r_24, edges], j_15): Ref)] } + setOfRef[r_24] && (edges_domain(Heap[r_24, edges]): Set int)[j_15] ==> setOfRef[(edge_lookup(Heap[r_24, edges], j_15): Ref)] + ); + assume Set#Subset(node_map_image, res_copy_nodes); + assume Set#Card(Set#Intersection(setOfRef, res_copy_nodes)) == 0; + assume (forall r_25: Ref :: + { Seq#ContainsTrigger((map_domain(res_node_map): Seq Ref), r_25) } { Seq#Contains((map_domain(res_node_map): Seq Ref), r_25) } { res_copy_nodes[(lookup(res_node_map, r_25): Ref)] } + Seq#Contains((map_domain(res_node_map): Seq Ref), r_25) ==> res_copy_nodes[(lookup(res_node_map, r_25): Ref)] + ); + havoc QPMask; + assert {:msg " While statement might fail. Quantified resource r.val might not be injective. (graph-copy.vpr@154.17--154.68) [554]"} + (forall r_26: Ref, r_26_1: Ref :: + + (((r_26 != r_26_1 && res_copy_nodes[r_26]) && res_copy_nodes[r_26_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> r_26 != r_26_1 + ); + + // -- Define Inverse Function + assume (forall r_26: Ref :: + { Heap[r_26, val] } { QPMask[r_26, val] } { res_copy_nodes[r_26] } + res_copy_nodes[r_26] && NoPerm < FullPerm ==> qpRange39(r_26) && invRecv39(r_26) == r_26 + ); + assume (forall o_3: Ref :: + { invRecv39(o_3) } + (res_copy_nodes[invRecv39(o_3)] && NoPerm < FullPerm) && qpRange39(o_3) ==> invRecv39(o_3) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall r_26: Ref :: + { Heap[r_26, val] } { QPMask[r_26, val] } { res_copy_nodes[r_26] } + res_copy_nodes[r_26] ==> r_26 != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + ((res_copy_nodes[invRecv39(o_3)] && NoPerm < FullPerm) && qpRange39(o_3) ==> (NoPerm < FullPerm ==> invRecv39(o_3) == o_3) && QPMask[o_3, val] == Mask[o_3, val] + FullPerm) && (!((res_copy_nodes[invRecv39(o_3)] && NoPerm < FullPerm) && qpRange39(o_3)) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + havoc QPMask; + assert {:msg " While statement might fail. Quantified resource r.edges might not be injective. (graph-copy.vpr@155.17--155.70) [555]"} + (forall r_27: Ref, r_27_1: Ref :: + + (((r_27 != r_27_1 && res_copy_nodes[r_27]) && res_copy_nodes[r_27_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> r_27 != r_27_1 + ); + + // -- Define Inverse Function + assume (forall r_27: Ref :: + { Heap[r_27, edges] } { QPMask[r_27, edges] } { res_copy_nodes[r_27] } + res_copy_nodes[r_27] && NoPerm < FullPerm ==> qpRange40(r_27) && invRecv40(r_27) == r_27 + ); + assume (forall o_3: Ref :: + { invRecv40(o_3) } + (res_copy_nodes[invRecv40(o_3)] && NoPerm < FullPerm) && qpRange40(o_3) ==> invRecv40(o_3) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall r_27: Ref :: + { Heap[r_27, edges] } { QPMask[r_27, edges] } { res_copy_nodes[r_27] } + res_copy_nodes[r_27] ==> r_27 != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, edges] } + ((res_copy_nodes[invRecv40(o_3)] && NoPerm < FullPerm) && qpRange40(o_3) ==> (NoPerm < FullPerm ==> invRecv40(o_3) == o_3) && QPMask[o_3, edges] == Mask[o_3, edges] + FullPerm) && (!((res_copy_nodes[invRecv40(o_3)] && NoPerm < FullPerm) && qpRange40(o_3)) ==> QPMask[o_3, edges] == Mask[o_3, edges]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != edges ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Exhaling postcondition + assert {:msg " Postcondition of graph_copy_rec might not hold. Assertion nodeCopy != null might not hold. (graph-copy.vpr@104.11--104.57) [556]"} + nodeCopy != null; + assert {:msg " Postcondition of graph_copy_rec might not hold. Assertion (nodeCopy in res_copy_nodes) might not hold. (graph-copy.vpr@104.11--104.57) [557]"} + res_copy_nodes[nodeCopy]; + assert {:msg " Postcondition of graph_copy_rec might not hold. Assertion |(setOfRef intersection res_copy_nodes)| == 0 might not hold. (graph-copy.vpr@105.11--105.54) [558]"} + Set#Card(Set#Intersection(setOfRef, res_copy_nodes)) == 0; + havoc QPMask; + + // -- check that the permission amount is positive + assert {:msg " Postcondition of graph_copy_rec might not hold. Fraction rd might be negative. (graph-copy.vpr@106.11--106.60) [559]"} + (forall x_28: Ref :: + { Heap[x_28, val] } { QPMask[x_28, val] } { setOfRef[x_28] } + setOfRef[x_28] && dummyFunction(Heap[x_28, val]) ==> rd >= NoPerm + ); + + // -- check if receiver x is injective + assert {:msg " Contract might not be well-formed. Quantified resource x.val might not be injective. (graph-copy.vpr@106.11--106.60) [560]"} + (forall x_28: Ref, x_28_1: Ref :: + { neverTriggered9(x_28), neverTriggered9(x_28_1) } + (((x_28 != x_28_1 && setOfRef[x_28]) && setOfRef[x_28_1]) && NoPerm < rd) && NoPerm < rd ==> x_28 != x_28_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Postcondition of graph_copy_rec might not hold. There might be insufficient permission to access x.val (graph-copy.vpr@106.11--106.60) [561]"} + (forall x_28: Ref :: + { Heap[x_28, val] } { QPMask[x_28, val] } { setOfRef[x_28] } + setOfRef[x_28] ==> Mask[x_28, val] >= rd + ); + + // -- assumptions for inverse of receiver x + assume (forall x_28: Ref :: + { Heap[x_28, val] } { QPMask[x_28, val] } { setOfRef[x_28] } + setOfRef[x_28] && NoPerm < rd ==> qpRange9(x_28) && invRecv9(x_28) == x_28 + ); + assume (forall o_3: Ref :: + { invRecv9(o_3) } + setOfRef[invRecv9(o_3)] && (NoPerm < rd && qpRange9(o_3)) ==> invRecv9(o_3) == o_3 + ); + + // -- assume permission updates for field val + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + (setOfRef[invRecv9(o_3)] && (NoPerm < rd && qpRange9(o_3)) ==> invRecv9(o_3) == o_3 && QPMask[o_3, val] == Mask[o_3, val] - rd) && (!(setOfRef[invRecv9(o_3)] && (NoPerm < rd && qpRange9(o_3))) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + if (*) { + if (setOfRef[x_29]) { + assert {:msg " Postcondition of graph_copy_rec might not hold. Assertion x.val == old(x.val) might not hold. (graph-copy.vpr@107.11--107.65) [562]"} + Heap[x_29, val] == old(Heap)[x_29, val]; + } + assume false; + } + assume (forall x_30_1: Ref :: + { setOfRef[x_30_1] } + setOfRef[x_30_1] ==> Heap[x_30_1, val] == old(Heap)[x_30_1, val] + ); + havoc QPMask; + + // -- check that the permission amount is positive + assert {:msg " Postcondition of graph_copy_rec might not hold. Fraction rd might be negative. (graph-copy.vpr@108.11--108.62) [563]"} + (forall x_31: Ref :: + { Heap[x_31, edges] } { QPMask[x_31, edges] } { setOfRef[x_31] } + setOfRef[x_31] && dummyFunction(Heap[x_31, edges]) ==> rd >= NoPerm + ); + + // -- check if receiver x is injective + assert {:msg " Contract might not be well-formed. Quantified resource x.edges might not be injective. (graph-copy.vpr@108.11--108.62) [564]"} + (forall x_31: Ref, x_31_1: Ref :: + { neverTriggered10(x_31), neverTriggered10(x_31_1) } + (((x_31 != x_31_1 && setOfRef[x_31]) && setOfRef[x_31_1]) && NoPerm < rd) && NoPerm < rd ==> x_31 != x_31_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Postcondition of graph_copy_rec might not hold. There might be insufficient permission to access x.edges (graph-copy.vpr@108.11--108.62) [565]"} + (forall x_31: Ref :: + { Heap[x_31, edges] } { QPMask[x_31, edges] } { setOfRef[x_31] } + setOfRef[x_31] ==> Mask[x_31, edges] >= rd + ); + + // -- assumptions for inverse of receiver x + assume (forall x_31: Ref :: + { Heap[x_31, edges] } { QPMask[x_31, edges] } { setOfRef[x_31] } + setOfRef[x_31] && NoPerm < rd ==> qpRange10(x_31) && invRecv10(x_31) == x_31 + ); + assume (forall o_3: Ref :: + { invRecv10(o_3) } + setOfRef[invRecv10(o_3)] && (NoPerm < rd && qpRange10(o_3)) ==> invRecv10(o_3) == o_3 + ); + + // -- assume permission updates for field edges + assume (forall o_3: Ref :: + { QPMask[o_3, edges] } + (setOfRef[invRecv10(o_3)] && (NoPerm < rd && qpRange10(o_3)) ==> invRecv10(o_3) == o_3 && QPMask[o_3, edges] == Mask[o_3, edges] - rd) && (!(setOfRef[invRecv10(o_3)] && (NoPerm < rd && qpRange10(o_3))) ==> QPMask[o_3, edges] == Mask[o_3, edges]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != edges ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + if (*) { + if (setOfRef[x_32]) { + assert {:msg " Postcondition of graph_copy_rec might not hold. Assertion x.edges == old(x.edges) might not hold. (graph-copy.vpr@109.11--109.69) [566]"} + Heap[x_32, edges] == old(Heap)[x_32, edges]; + } + assume false; + } + assume (forall x_33_1: Ref :: + { setOfRef[x_33_1] } + setOfRef[x_33_1] ==> Heap[x_33_1, edges] == old(Heap)[x_33_1, edges] + ); + if (*) { + if (setOfRef[x_34] && (edges_domain(Heap[x_34, edges]): Set int)[i_4]) { + assert {:msg " Postcondition of graph_copy_rec might not hold. Assertion (edge_lookup(x.edges, i) in setOfRef) might not hold. (graph-copy.vpr@110.11--110.119) [567]"} + setOfRef[(edge_lookup(Heap[x_34, edges], i_4): Ref)]; + } + assume false; + } + assume (forall x_35_1: Ref, i_5_1: int :: + { setOfRef[x_35_1], (edges_domain(Heap[x_35_1, edges]): Set int)[i_5_1] } { setOfRef[x_35_1], (edge_lookup(Heap[x_35_1, edges], i_5_1): Ref) } { setOfRef[x_35_1], setOfRef[(edge_lookup(Heap[x_35_1, edges], i_5_1): Ref)] } { (edges_domain(Heap[x_35_1, edges]): Set int), (edge_lookup(Heap[x_35_1, edges], i_5_1): Ref) } { (edges_domain(Heap[x_35_1, edges]): Set int), setOfRef[(edge_lookup(Heap[x_35_1, edges], i_5_1): Ref)] } { (edges_domain(Heap[x_35_1, edges]): Set int)[i_5_1] } { setOfRef[(edge_lookup(Heap[x_35_1, edges], i_5_1): Ref)] } + setOfRef[x_35_1] && (edges_domain(Heap[x_35_1, edges]): Set int)[i_5_1] ==> setOfRef[(edge_lookup(Heap[x_35_1, edges], i_5_1): Ref)] + ); + assert {:msg " Postcondition of graph_copy_rec might not hold. Assertion res_copy_nodes == (res_copy_nodes union old(node_map_image)) might not hold. (graph-copy.vpr@111.11--111.69) [568]"} + Set#Equal(res_copy_nodes, Set#Union(res_copy_nodes, node_map_image)); + if (*) { + if (Seq#Contains((map_domain(res_node_map): Seq Ref), x_36)) { + assert {:msg " Postcondition of graph_copy_rec might not hold. Assertion (lookup(res_node_map, x) in res_copy_nodes) might not hold. (graph-copy.vpr@112.11--112.102) [569]"} + res_copy_nodes[(lookup(res_node_map, x_36): Ref)]; + } + assume false; + } + assume (forall x_37_1: Ref :: + { Seq#ContainsTrigger((map_domain(res_node_map): Seq Ref), x_37_1) } { Seq#Contains((map_domain(res_node_map): Seq Ref), x_37_1) } { res_copy_nodes[(lookup(res_node_map, x_37_1): Ref)] } + Seq#Contains((map_domain(res_node_map): Seq Ref), x_37_1) ==> res_copy_nodes[(lookup(res_node_map, x_37_1): Ref)] + ); + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver x is injective + assert {:msg " Contract might not be well-formed. Quantified resource x.val might not be injective. (graph-copy.vpr@113.11--113.62) [570]"} + (forall x_38: Ref, x_38_1: Ref :: + { neverTriggered11(x_38), neverTriggered11(x_38_1) } + (((x_38 != x_38_1 && res_copy_nodes[x_38]) && res_copy_nodes[x_38_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> x_38 != x_38_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Postcondition of graph_copy_rec might not hold. There might be insufficient permission to access x.val (graph-copy.vpr@113.11--113.62) [571]"} + (forall x_38: Ref :: + { Heap[x_38, val] } { QPMask[x_38, val] } { res_copy_nodes[x_38] } + res_copy_nodes[x_38] ==> Mask[x_38, val] >= FullPerm + ); + + // -- assumptions for inverse of receiver x + assume (forall x_38: Ref :: + { Heap[x_38, val] } { QPMask[x_38, val] } { res_copy_nodes[x_38] } + res_copy_nodes[x_38] && NoPerm < FullPerm ==> qpRange11(x_38) && invRecv11(x_38) == x_38 + ); + assume (forall o_3: Ref :: + { invRecv11(o_3) } + res_copy_nodes[invRecv11(o_3)] && (NoPerm < FullPerm && qpRange11(o_3)) ==> invRecv11(o_3) == o_3 + ); + + // -- assume permission updates for field val + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + (res_copy_nodes[invRecv11(o_3)] && (NoPerm < FullPerm && qpRange11(o_3)) ==> invRecv11(o_3) == o_3 && QPMask[o_3, val] == Mask[o_3, val] - FullPerm) && (!(res_copy_nodes[invRecv11(o_3)] && (NoPerm < FullPerm && qpRange11(o_3))) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver x is injective + assert {:msg " Contract might not be well-formed. Quantified resource x.edges might not be injective. (graph-copy.vpr@114.11--114.64) [572]"} + (forall x_39: Ref, x_39_1: Ref :: + { neverTriggered12(x_39), neverTriggered12(x_39_1) } + (((x_39 != x_39_1 && res_copy_nodes[x_39]) && res_copy_nodes[x_39_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> x_39 != x_39_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Postcondition of graph_copy_rec might not hold. There might be insufficient permission to access x.edges (graph-copy.vpr@114.11--114.64) [573]"} + (forall x_39: Ref :: + { Heap[x_39, edges] } { QPMask[x_39, edges] } { res_copy_nodes[x_39] } + res_copy_nodes[x_39] ==> Mask[x_39, edges] >= FullPerm + ); + + // -- assumptions for inverse of receiver x + assume (forall x_39: Ref :: + { Heap[x_39, edges] } { QPMask[x_39, edges] } { res_copy_nodes[x_39] } + res_copy_nodes[x_39] && NoPerm < FullPerm ==> qpRange12(x_39) && invRecv12(x_39) == x_39 + ); + assume (forall o_3: Ref :: + { invRecv12(o_3) } + res_copy_nodes[invRecv12(o_3)] && (NoPerm < FullPerm && qpRange12(o_3)) ==> invRecv12(o_3) == o_3 + ); + + // -- assume permission updates for field edges + assume (forall o_3: Ref :: + { QPMask[o_3, edges] } + (res_copy_nodes[invRecv12(o_3)] && (NoPerm < FullPerm && qpRange12(o_3)) ==> invRecv12(o_3) == o_3 && QPMask[o_3, edges] == Mask[o_3, edges] - FullPerm) && (!(res_copy_nodes[invRecv12(o_3)] && (NoPerm < FullPerm && qpRange12(o_3))) ==> QPMask[o_3, edges] == Mask[o_3, edges]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != edges ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; +} + +// ================================================== +// Translation of method pop +// ================================================== + +procedure vpop(s1: (Set int)) returns (s2: (Set int), i_1: int) + modifies Heap, Mask; +{ + var PostHeap: HeapType; + var PostMask: MaskType; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + + // -- Checked inhaling of precondition + assume 0 < Set#Card(s1); + assume state(Heap, Mask); + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + PostHeap := Heap; + PostMask := Mask; + havoc PostHeap; + PostMask := ZeroMask; + assume state(PostHeap, PostMask); + if (*) { + // Checked inhaling of postcondition to check definedness + assume s1[i_1]; + assume state(PostHeap, PostMask); + assume Set#Equal(s2, Set#Difference(s1, Set#Singleton(i_1))); + assume state(PostHeap, PostMask); + // Stop execution + assume false; + } + + // -- Translating statement: inhale false -- graph-copy.vpr@177.10--177.15 + assume false; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Exhaling postcondition + assert {:msg " Postcondition of pop might not hold. Assertion (i in s1) might not hold. (graph-copy.vpr@175.11--175.18) [574]"} + s1[i_1]; + assert {:msg " Postcondition of pop might not hold. Assertion s2 == (s1 setminus Set(i)) might not hold. (graph-copy.vpr@176.12--176.36) [575]"} + Set#Equal(s2, Set#Difference(s1, Set#Singleton(i_1))); +} diff --git a/Test/monomorphize/viper/graph_mark.bpl b/Test/monomorphize/viper/graph_mark.bpl new file mode 100644 index 000000000..e988ad390 --- /dev/null +++ b/Test/monomorphize/viper/graph_mark.bpl @@ -0,0 +1,3308 @@ +// RUN: %parallel-boogie /monomorphize /noVerify "%s" > "%t" + +// ================================================== +// Preamble of State module. +// ================================================== + +function state(Heap: HeapType, Mask: MaskType): bool; + +// ================================================== +// Preamble of Heap module. +// ================================================== + +type Ref; +var Heap: HeapType; +const null: Ref; +type Field A B; +type NormalField; +type HeapType = [Ref, Field A B]B; +const unique $allocated: Field NormalField bool; +axiom (forall o: Ref, f: (Field NormalField Ref), Heap: HeapType :: + { Heap[o, f] } + Heap[o, $allocated] ==> Heap[Heap[o, f], $allocated] +); +function succHeap(Heap0: HeapType, Heap1: HeapType): bool; +function succHeapTrans(Heap0: HeapType, Heap1: HeapType): bool; +function IdenticalOnKnownLocations(Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType): bool; +function IsPredicateField(f_1: (Field A B)): bool; +function IsWandField(f_1: (Field A B)): bool; +function getPredicateId(f_1: (Field A B)): int; +// Frame all locations with direct permissions +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, o_1: Ref, f_2: (Field A B) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), ExhaleHeap[o_1, f_2] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, o_1, f_2) ==> Heap[o_1, f_2] == ExhaleHeap[o_1, f_2] +); +// Frame all predicate mask locations of predicates with direct permission +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsPredicateField(pm_f), ExhaleHeap[null, PredicateMaskField(pm_f)] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsPredicateField(pm_f) ==> Heap[null, PredicateMaskField(pm_f)] == ExhaleHeap[null, PredicateMaskField(pm_f)] +); +// Frame all locations with known folded permissions +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsPredicateField(pm_f) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsPredicateField(pm_f) ==> (forall o2: Ref, f_2: (Field A B) :: + { ExhaleHeap[o2, f_2] } + Heap[null, PredicateMaskField(pm_f)][o2, f_2] ==> Heap[o2, f_2] == ExhaleHeap[o2, f_2] + ) +); +// Frame all wand mask locations of wands with direct permission +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsWandField(pm_f), ExhaleHeap[null, WandMaskField(pm_f)] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsWandField(pm_f) ==> Heap[null, WandMaskField(pm_f)] == ExhaleHeap[null, WandMaskField(pm_f)] +); +// Frame all locations in the footprint of magic wands +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsWandField(pm_f) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsWandField(pm_f) ==> (forall o2: Ref, f_2: (Field A B) :: + { ExhaleHeap[o2, f_2] } + Heap[null, WandMaskField(pm_f)][o2, f_2] ==> Heap[o2, f_2] == ExhaleHeap[o2, f_2] + ) +); +// All previously-allocated references are still allocated +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, o_1: Ref :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), ExhaleHeap[o_1, $allocated] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> Heap[o_1, $allocated] ==> ExhaleHeap[o_1, $allocated] +); +// Updated Heaps are Successor Heaps +axiom (forall Heap: HeapType, o: Ref, f_3: (Field A B), v: B :: + { Heap[o, f_3:=v] } + succHeap(Heap, Heap[o, f_3:=v]) +); +// IdenticalOnKnownLocations Heaps are Successor Heaps +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> succHeap(Heap, ExhaleHeap) +); +// Successor Heaps are Transitive Successor Heaps +axiom (forall Heap0: HeapType, Heap1: HeapType :: + { succHeap(Heap0, Heap1) } + succHeap(Heap0, Heap1) ==> succHeapTrans(Heap0, Heap1) +); +// Transitivity of Transitive Successor Heaps +axiom (forall Heap0: HeapType, Heap1: HeapType, Heap2: HeapType :: + { succHeapTrans(Heap0, Heap1), succHeap(Heap1, Heap2) } + succHeapTrans(Heap0, Heap1) && succHeap(Heap1, Heap2) ==> succHeapTrans(Heap0, Heap2) +); + +// ================================================== +// Preamble of Permission module. +// ================================================== + +type Perm = real; +type MaskType = [Ref, Field A B]Perm; +var Mask: MaskType; +const ZeroMask: MaskType; +axiom (forall o_2: Ref, f_4: (Field A B) :: + { ZeroMask[o_2, f_4] } + ZeroMask[o_2, f_4] == NoPerm +); +type PMaskType = [Ref, Field A B]bool; +const ZeroPMask: PMaskType; +axiom (forall o_2: Ref, f_4: (Field A B) :: + { ZeroPMask[o_2, f_4] } + !ZeroPMask[o_2, f_4] +); +function PredicateMaskField(f_5: (Field A FrameType)): Field A PMaskType; +function WandMaskField(f_5: (Field A FrameType)): Field A PMaskType; +const NoPerm: Perm; +axiom NoPerm == 0.000000000; +const FullPerm: Perm; +axiom FullPerm == 1.000000000; +function Perm(a: real, b: real): Perm; +function GoodMask(Mask: MaskType): bool; +axiom (forall Heap: HeapType, Mask: MaskType :: + { state(Heap, Mask) } + state(Heap, Mask) ==> GoodMask(Mask) +); +axiom (forall Mask: MaskType, o_2: Ref, f_4: (Field A B) :: + { GoodMask(Mask), Mask[o_2, f_4] } + GoodMask(Mask) ==> Mask[o_2, f_4] >= NoPerm && ((GoodMask(Mask) && !IsPredicateField(f_4)) && !IsWandField(f_4) ==> Mask[o_2, f_4] <= FullPerm) +); +function HasDirectPerm(Mask: MaskType, o_2: Ref, f_4: (Field A B)): bool; +axiom (forall Mask: MaskType, o_2: Ref, f_4: (Field A B) :: + { HasDirectPerm(Mask, o_2, f_4) } + HasDirectPerm(Mask, o_2, f_4) <==> Mask[o_2, f_4] > NoPerm +); +function sumMask(ResultMask: MaskType, SummandMask1: MaskType, SummandMask2: MaskType): bool; +axiom (forall ResultMask: MaskType, SummandMask1: MaskType, SummandMask2: MaskType, o_2: Ref, f_4: (Field A B) :: + { sumMask(ResultMask, SummandMask1, SummandMask2), ResultMask[o_2, f_4] } { sumMask(ResultMask, SummandMask1, SummandMask2), SummandMask1[o_2, f_4] } { sumMask(ResultMask, SummandMask1, SummandMask2), SummandMask2[o_2, f_4] } + sumMask(ResultMask, SummandMask1, SummandMask2) ==> ResultMask[o_2, f_4] == SummandMask1[o_2, f_4] + SummandMask2[o_2, f_4] +); +// ================================================== +// Function for trigger used in checks which are never triggered +// ================================================== + +function neverTriggered1(n_3: Ref): bool; +function neverTriggered2(n$0_3: Ref): bool; +function neverTriggered3(n$2_1: Ref): bool; +function neverTriggered4(n$3_1: Ref): bool; +function neverTriggered5(n$6_1: Ref): bool; +function neverTriggered6(n$7_1: Ref): bool; +function neverTriggered7(n: Ref): bool; +function neverTriggered8(n$0_2: Ref): bool; +function neverTriggered9(n_1: Ref): bool; +function neverTriggered10(n$0_3: Ref): bool; +function neverTriggered11(n$6_2: Ref): bool; +function neverTriggered12(n$7_2: Ref): bool; +function neverTriggered13(n$10: Ref): bool; +function neverTriggered14(n$11: Ref): bool; +function neverTriggered15(n$10_2: Ref): bool; +function neverTriggered16(n$11_2: Ref): bool; +function neverTriggered17(n_7: Ref): bool; +function neverTriggered18(n$0_4: Ref): bool; +function neverTriggered19(n_8: Ref): bool; +function neverTriggered20(n$0_5: Ref): bool; +function neverTriggered21(n_9: Ref): bool; +function neverTriggered22(n$0_6: Ref): bool; +function neverTriggered23(n_10: Ref): bool; +function neverTriggered24(n$0_7: Ref): bool; +function neverTriggered25(n_11: Ref): bool; +function neverTriggered26(n$0_8: Ref): bool; +function neverTriggered27(n_12: Ref): bool; +function neverTriggered28(n$0_9: Ref): bool; +function neverTriggered29(n_13: Ref): bool; +function neverTriggered30(n$0_10: Ref): bool; +function neverTriggered31(n$0_11: Ref): bool; +function neverTriggered32(n$0_12: Ref): bool; +function neverTriggered33(n_25: Ref): bool; +function neverTriggered34(n$0_13: Ref): bool; +function neverTriggered35(n$10_3: Ref): bool; +function neverTriggered36(n$11_3: Ref): bool; +function neverTriggered37(n$10_4: Ref): bool; +function neverTriggered38(n$11_4: Ref): bool; +function neverTriggered39(n$10_5: Ref): bool; +function neverTriggered40(n$11_5: Ref): bool; +function neverTriggered41(n_46: Ref): bool; +function neverTriggered42(n$0_14: Ref): bool; +// ================================================== +// Functions used as inverse of receiver expressions in quantified permissions during inhale and exhale +// ================================================== + +function invRecv1(recv: Ref): Ref; +function invRecv2(recv: Ref): Ref; +function invRecv3(recv: Ref): Ref; +function invRecv4(recv: Ref): Ref; +function invRecv5(recv: Ref): Ref; +function invRecv6(recv: Ref): Ref; +function invRecv7(recv: Ref): Ref; +function invRecv8(recv: Ref): Ref; +function invRecv9(recv: Ref): Ref; +function invRecv10(recv: Ref): Ref; +function invRecv11(recv: Ref): Ref; +function invRecv12(recv: Ref): Ref; +function invRecv13(recv: Ref): Ref; +function invRecv14(recv: Ref): Ref; +function invRecv15(recv: Ref): Ref; +function invRecv16(recv: Ref): Ref; +function invRecv17(recv: Ref): Ref; +function invRecv18(recv: Ref): Ref; +function invRecv19(recv: Ref): Ref; +function invRecv20(recv: Ref): Ref; +function invRecv21(recv: Ref): Ref; +function invRecv22(recv: Ref): Ref; +function invRecv23(recv: Ref): Ref; +function invRecv24(recv: Ref): Ref; +function invRecv25(recv: Ref): Ref; +function invRecv26(recv: Ref): Ref; +function invRecv27(recv: Ref): Ref; +function invRecv28(recv: Ref): Ref; +function invRecv29(recv: Ref): Ref; +function invRecv30(recv: Ref): Ref; +function invRecv31(recv: Ref): Ref; +function invRecv32(recv: Ref): Ref; +function invRecv33(recv: Ref): Ref; +function invRecv34(recv: Ref): Ref; +function invRecv35(recv: Ref): Ref; +function invRecv36(recv: Ref): Ref; +function invRecv37(recv: Ref): Ref; +function invRecv38(recv: Ref): Ref; +function invRecv39(recv: Ref): Ref; +function invRecv40(recv: Ref): Ref; +function invRecv41(recv: Ref): Ref; +function invRecv42(recv: Ref): Ref; +// ================================================== +// Functions used to represent the range of the projection of each QP instance onto its receiver expressions for quantified permissions during inhale and exhale +// ================================================== + +function qpRange1(recv: Ref): bool; +function qpRange2(recv: Ref): bool; +function qpRange3(recv: Ref): bool; +function qpRange4(recv: Ref): bool; +function qpRange5(recv: Ref): bool; +function qpRange6(recv: Ref): bool; +function qpRange7(recv: Ref): bool; +function qpRange8(recv: Ref): bool; +function qpRange9(recv: Ref): bool; +function qpRange10(recv: Ref): bool; +function qpRange11(recv: Ref): bool; +function qpRange12(recv: Ref): bool; +function qpRange13(recv: Ref): bool; +function qpRange14(recv: Ref): bool; +function qpRange15(recv: Ref): bool; +function qpRange16(recv: Ref): bool; +function qpRange17(recv: Ref): bool; +function qpRange18(recv: Ref): bool; +function qpRange19(recv: Ref): bool; +function qpRange20(recv: Ref): bool; +function qpRange21(recv: Ref): bool; +function qpRange22(recv: Ref): bool; +function qpRange23(recv: Ref): bool; +function qpRange24(recv: Ref): bool; +function qpRange25(recv: Ref): bool; +function qpRange26(recv: Ref): bool; +function qpRange27(recv: Ref): bool; +function qpRange28(recv: Ref): bool; +function qpRange29(recv: Ref): bool; +function qpRange30(recv: Ref): bool; +function qpRange31(recv: Ref): bool; +function qpRange32(recv: Ref): bool; +function qpRange33(recv: Ref): bool; +function qpRange34(recv: Ref): bool; +function qpRange35(recv: Ref): bool; +function qpRange36(recv: Ref): bool; +function qpRange37(recv: Ref): bool; +function qpRange38(recv: Ref): bool; +function qpRange39(recv: Ref): bool; +function qpRange40(recv: Ref): bool; +function qpRange41(recv: Ref): bool; +function qpRange42(recv: Ref): bool; + +// ================================================== +// Preamble of Function and predicate module. +// ================================================== + +// Function heights (higher height means its body is available earlier): +// - height 1: $$ +// - height 0: get +const AssumeFunctionsAbove: int; +// Declarations for function framing +type FrameType; +const EmptyFrame: FrameType; +function FrameFragment(t: T): FrameType; +function ConditionalFrame(p: Perm, f_6: FrameType): FrameType; +function dummyFunction(t: T): bool; +function CombineFrames(a_1: FrameType, b_1: FrameType): FrameType; +// ================================================== +// Definition of conditional frame fragments +// ================================================== + +axiom (forall p: Perm, f_6: FrameType :: + { ConditionalFrame(p, f_6) } + ConditionalFrame(p, f_6) == (if p > 0.000000000 then f_6 else EmptyFrame) +); +// Function for recording enclosure of one predicate instance in another +function InsidePredicate(p: (Field A FrameType), v_1: FrameType, q: (Field B FrameType), w: FrameType): bool; +// Transitivity of InsidePredicate +axiom (forall p: (Field A FrameType), v_1: FrameType, q: (Field B FrameType), w: FrameType, r: (Field C FrameType), u: FrameType :: + { InsidePredicate(p, v_1, q, w), InsidePredicate(q, w, r, u) } + InsidePredicate(p, v_1, q, w) && InsidePredicate(q, w, r, u) ==> InsidePredicate(p, v_1, r, u) +); +// Knowledge that two identical instances of the same predicate cannot be inside each other +axiom (forall p: (Field A FrameType), v_1: FrameType, w: FrameType :: + { InsidePredicate(p, v_1, p, w) } + !InsidePredicate(p, v_1, p, w) +); + +// ================================================== +// Preamble of Set module. +// ================================================== + + +type Set T = [T]bool; + +function Set#Card(Set T): int; +axiom (forall s: Set T :: { Set#Card(s) } 0 <= Set#Card(s)); + +function Set#Empty(): Set T; +axiom (forall o: T :: { Set#Empty()[o] } !Set#Empty()[o]); +axiom (forall s: Set T :: { Set#Card(s) } + (Set#Card(s) == 0 <==> s == Set#Empty()) && + (Set#Card(s) != 0 ==> (exists x: T :: s[x]))); + +function Set#Singleton(T): Set T; +axiom (forall r: T :: { Set#Singleton(r) } Set#Singleton(r)[r]); +axiom (forall r: T, o: T :: { Set#Singleton(r)[o] } Set#Singleton(r)[o] <==> r == o); +axiom (forall r: T :: { Set#Card(Set#Singleton(r)) } Set#Card(Set#Singleton(r)) == 1); + +function Set#UnionOne(Set T, T): Set T; +axiom (forall a: Set T, x: T, o: T :: { Set#UnionOne(a,x)[o] } + Set#UnionOne(a,x)[o] <==> o == x || a[o]); +axiom (forall a: Set T, x: T :: { Set#UnionOne(a, x) } + Set#UnionOne(a, x)[x]); +axiom (forall a: Set T, x: T, y: T :: { Set#UnionOne(a, x), a[y] } + a[y] ==> Set#UnionOne(a, x)[y]); +axiom (forall a: Set T, x: T :: { Set#Card(Set#UnionOne(a, x)) } + a[x] ==> Set#Card(Set#UnionOne(a, x)) == Set#Card(a)); +axiom (forall a: Set T, x: T :: { Set#Card(Set#UnionOne(a, x)) } + !a[x] ==> Set#Card(Set#UnionOne(a, x)) == Set#Card(a) + 1); + +function Set#Union(Set T, Set T): Set T; +axiom (forall a: Set T, b: Set T, o: T :: { Set#Union(a,b)[o] } + Set#Union(a,b)[o] <==> a[o] || b[o]); +axiom (forall a, b: Set T, y: T :: { Set#Union(a, b), a[y] } + a[y] ==> Set#Union(a, b)[y]); +axiom (forall a, b: Set T, y: T :: { Set#Union(a, b), b[y] } + b[y] ==> Set#Union(a, b)[y]); +//axiom (forall a, b: Set T :: { Set#Union(a, b) } +// Set#Disjoint(a, b) ==> +// Set#Difference(Set#Union(a, b), a) == b && +// Set#Difference(Set#Union(a, b), b) == a); + +function Set#Intersection(Set T, Set T): Set T; +axiom (forall a: Set T, b: Set T, o: T :: { Set#Intersection(a,b)[o] } {Set#Intersection(a,b), a[o]} {Set#Intersection(a,b), b[o]} // AS: added alternative triggers 20/06/19 + Set#Intersection(a,b)[o] <==> a[o] && b[o]); + +axiom (forall a, b: Set T :: { Set#Union(Set#Union(a, b), b) } + Set#Union(Set#Union(a, b), b) == Set#Union(a, b)); +axiom (forall a, b: Set T :: { Set#Union(a, Set#Union(a, b)) } + Set#Union(a, Set#Union(a, b)) == Set#Union(a, b)); +axiom (forall a, b: Set T :: { Set#Intersection(Set#Intersection(a, b), b) } + Set#Intersection(Set#Intersection(a, b), b) == Set#Intersection(a, b)); +axiom (forall a, b: Set T :: { Set#Intersection(a, Set#Intersection(a, b)) } + Set#Intersection(a, Set#Intersection(a, b)) == Set#Intersection(a, b)); +axiom (forall a, b: Set T :: { Set#Card(Set#Union(a, b)) }{ Set#Card(Set#Intersection(a, b)) } + Set#Card(Set#Union(a, b)) + Set#Card(Set#Intersection(a, b)) == Set#Card(a) + Set#Card(b)); + +function Set#Difference(Set T, Set T): Set T; +axiom (forall a: Set T, b: Set T, o: T :: { Set#Difference(a,b)[o] } { Set#Difference(a,b), a[o] } + Set#Difference(a,b)[o] <==> a[o] && !b[o]); +axiom (forall a, b: Set T, y: T :: { Set#Difference(a, b), b[y] } + b[y] ==> !Set#Difference(a, b)[y] ); +axiom (forall a, b: Set T :: + { Set#Card(Set#Difference(a, b)) } + Set#Card(Set#Difference(a, b)) + Set#Card(Set#Difference(b, a)) + + Set#Card(Set#Intersection(a, b)) + == Set#Card(Set#Union(a, b)) && + Set#Card(Set#Difference(a, b)) == Set#Card(a) - Set#Card(Set#Intersection(a, b))); + +function Set#Subset(Set T, Set T): bool; +axiom(forall a: Set T, b: Set T :: { Set#Subset(a,b) } + Set#Subset(a,b) <==> (forall o: T :: {a[o]} {b[o]} a[o] ==> b[o])); +// axiom(forall a: Set T, b: Set T :: +// { Set#Subset(a,b), Set#Card(a), Set#Card(b) } // very restrictive trigger +// Set#Subset(a,b) ==> Set#Card(a) <= Set#Card(b)); + + +function Set#Equal(Set T, Set T): bool; +axiom(forall a: Set T, b: Set T :: { Set#Equal(a,b) } + Set#Equal(a,b) <==> (forall o: T :: {a[o]} {b[o]} a[o] <==> b[o])); +axiom(forall a: Set T, b: Set T :: { Set#Equal(a,b) } // extensionality axiom for sets + Set#Equal(a,b) ==> a == b); + +//function Set#Disjoint(Set T, Set T): bool; +//axiom (forall a: Set T, b: Set T :: { Set#Disjoint(a,b) } +// Set#Disjoint(a,b) <==> (forall o: T :: {a[o]} {b[o]} !a[o] || !b[o])); + +// --------------------------------------------------------------- +// -- Axiomatization of multisets -------------------------------- +// --------------------------------------------------------------- + +function Math#min(a: int, b: int): int; +axiom (forall a: int, b: int :: { Math#min(a, b) } a <= b <==> Math#min(a, b) == a); +axiom (forall a: int, b: int :: { Math#min(a, b) } b <= a <==> Math#min(a, b) == b); +axiom (forall a: int, b: int :: { Math#min(a, b) } Math#min(a, b) == a || Math#min(a, b) == b); + +function Math#clip(a: int): int; +axiom (forall a: int :: { Math#clip(a) } 0 <= a ==> Math#clip(a) == a); +axiom (forall a: int :: { Math#clip(a) } a < 0 ==> Math#clip(a) == 0); + +type MultiSet T; // = [T]int; + +function MultiSet#Select(ms: MultiSet T, x:T): int; + +//function $IsGoodMultiSet(ms: MultiSet T): bool; +// ints are non-negative, used after havocing, and for conversion from sequences to multisets. +//axiom (forall ms: MultiSet T :: { $IsGoodMultiSet(ms) } +// $IsGoodMultiSet(ms) <==> +// (forall bx: T :: { ms[bx] } 0 <= ms[bx] && ms[bx] <= MultiSet#Card(ms))); + +axiom (forall ms: MultiSet T, x: T :: {MultiSet#Select(ms,x)} MultiSet#Select(ms,x) >= 0); // NEW + +function MultiSet#Card(MultiSet T): int; +axiom (forall s: MultiSet T :: { MultiSet#Card(s) } 0 <= MultiSet#Card(s)); +//axiom (forall s: MultiSet T, x: T, n: int :: { MultiSet#Card(s[x := n]) } +// 0 <= n ==> MultiSet#Card(s[x := n]) == MultiSet#Card(s) - s[x] + n); +// +function MultiSet#Empty(): MultiSet T; +axiom (forall o: T :: { MultiSet#Select(MultiSet#Empty(),o) } MultiSet#Select(MultiSet#Empty(),o) == 0); +axiom (forall s: MultiSet T :: { MultiSet#Card(s) } + (MultiSet#Card(s) == 0 <==> s == MultiSet#Empty()) && + (MultiSet#Card(s) != 0 ==> (exists x: T :: 0 < MultiSet#Select(s,x)))); + +function MultiSet#Singleton(T): MultiSet T; +axiom (forall r: T, o: T :: { MultiSet#Select(MultiSet#Singleton(r),o) } (MultiSet#Select(MultiSet#Singleton(r),o) == 1 <==> r == o) && + (MultiSet#Select(MultiSet#Singleton(r),o) == 0 <==> r != o)); +axiom (forall r: T :: { MultiSet#Singleton(r) } MultiSet#Card(MultiSet#Singleton(r)) == 1 && MultiSet#Select(MultiSet#Singleton(r),r) == 1); // AS: added +axiom (forall r: T :: { MultiSet#Singleton(r) } MultiSet#Singleton(r) == MultiSet#UnionOne(MultiSet#Empty(), r)); // AS: remove this? + +function MultiSet#UnionOne(MultiSet T, T): MultiSet T; +// union-ing increases count by one for x, not for others +axiom (forall a: MultiSet T, x: T, o: T :: { MultiSet#Select(MultiSet#UnionOne(a,x),o) } { MultiSet#UnionOne(a, x), MultiSet#Select(a,o) } // AS: added back this trigger (used on a similar axiom before) + MultiSet#Select(MultiSet#UnionOne(a, x),o) == (if x==o then MultiSet#Select(a,o) + 1 else MultiSet#Select(a,o))); +// non-decreasing +axiom (forall a: MultiSet T, x: T :: { MultiSet#Card(MultiSet#UnionOne(a, x)) } {MultiSet#UnionOne(a, x), MultiSet#Card(a)} // AS: added alternative trigger + MultiSet#Card(MultiSet#UnionOne(a, x)) == MultiSet#Card(a) + 1); +// AS: added - concrete knowledge of element added +axiom (forall a: MultiSet T, x: T :: { MultiSet#UnionOne(a,x)} + MultiSet#Select(MultiSet#UnionOne(a, x),x) > 0 && MultiSet#Card(MultiSet#UnionOne(a, x)) > 0); + +function MultiSet#Union(MultiSet T, MultiSet T): MultiSet T; +// union-ing is the sum of the contents +axiom (forall a: MultiSet T, b: MultiSet T, o: T :: { MultiSet#Select(MultiSet#Union(a,b),o) } {MultiSet#Union(a,b), MultiSet#Select(a,o), MultiSet#Select(b,o)}// AS: added triggers + MultiSet#Select(MultiSet#Union(a,b),o) == MultiSet#Select(a,o) + MultiSet#Select(b,o)); +axiom (forall a: MultiSet T, b: MultiSet T :: { MultiSet#Card(MultiSet#Union(a,b)) } {MultiSet#Card(a), MultiSet#Union(a,b)} {MultiSet#Card(b), MultiSet#Union(a,b)} + MultiSet#Card(MultiSet#Union(a,b)) == MultiSet#Card(a) + MultiSet#Card(b)); + +function MultiSet#Intersection(MultiSet T, MultiSet T): MultiSet T; +axiom (forall a: MultiSet T, b: MultiSet T, o: T :: { MultiSet#Select(MultiSet#Intersection(a,b),o) } + MultiSet#Select(MultiSet#Intersection(a,b),o) == Math#min(MultiSet#Select(a,o), MultiSet#Select(b,o))); + +// left and right pseudo-idempotence +axiom (forall a, b: MultiSet T :: { MultiSet#Intersection(MultiSet#Intersection(a, b), b) } + MultiSet#Intersection(MultiSet#Intersection(a, b), b) == MultiSet#Intersection(a, b)); +axiom (forall a, b: MultiSet T :: { MultiSet#Intersection(a, MultiSet#Intersection(a, b)) } + MultiSet#Intersection(a, MultiSet#Intersection(a, b)) == MultiSet#Intersection(a, b)); + +// multiset difference, a - b. clip() makes it positive. +function MultiSet#Difference(MultiSet T, MultiSet T): MultiSet T; +axiom (forall a: MultiSet T, b: MultiSet T, o: T :: { MultiSet#Select(MultiSet#Difference(a,b),o) } + MultiSet#Select(MultiSet#Difference(a,b),o) == Math#clip(MultiSet#Select(a,o) - MultiSet#Select(b,o))); +axiom (forall a, b: MultiSet T, y: T :: { MultiSet#Difference(a, b), MultiSet#Select(b,y), MultiSet#Select(a,y) } + MultiSet#Select(a,y) <= MultiSet#Select(b,y) ==> MultiSet#Select(MultiSet#Difference(a, b),y) == 0 ); +axiom (forall a, b: MultiSet T :: + { MultiSet#Card(MultiSet#Difference(a, b)) } + MultiSet#Card(MultiSet#Difference(a, b)) + MultiSet#Card(MultiSet#Difference(b, a)) + + 2 * MultiSet#Card(MultiSet#Intersection(a, b)) + == MultiSet#Card(MultiSet#Union(a, b)) && + MultiSet#Card(MultiSet#Difference(a, b)) == MultiSet#Card(a) - MultiSet#Card(MultiSet#Intersection(a, b))); + +// multiset subset means a must have at most as many of each element as b +function MultiSet#Subset(MultiSet T, MultiSet T): bool; +axiom(forall a: MultiSet T, b: MultiSet T :: { MultiSet#Subset(a,b) } + MultiSet#Subset(a,b) <==> (forall o: T :: {MultiSet#Select(a,o)} {MultiSet#Select(b,o)} MultiSet#Select(a,o) <= MultiSet#Select(b,o))); + +function MultiSet#Equal(MultiSet T, MultiSet T): bool; +axiom(forall a: MultiSet T, b: MultiSet T :: { MultiSet#Equal(a,b) } + MultiSet#Equal(a,b) <==> (forall o: T :: {MultiSet#Select(a,o)} {MultiSet#Select(b,o)} MultiSet#Select(a,o) == MultiSet#Select(b,o))); +// extensionality axiom for multisets +axiom(forall a: MultiSet T, b: MultiSet T :: { MultiSet#Equal(a,b) } + MultiSet#Equal(a,b) ==> a == b); + +function MultiSet#Disjoint(MultiSet T, MultiSet T): bool; +axiom (forall a: MultiSet T, b: MultiSet T :: { MultiSet#Disjoint(a,b) } + MultiSet#Disjoint(a,b) <==> (forall o: T :: {MultiSet#Select(a,o)} {MultiSet#Select(b,o)} MultiSet#Select(a,o) == 0 || MultiSet#Select(b,o) == 0)); + + + +// ================================================== +// Translation of domain Edge +// ================================================== + +// The type for domain Edge +type EdgeDomainType; + +// Translation of domain function edge_pred +function edge_pred(e: EdgeDomainType): Ref; + +// Translation of domain function edge_succ +function edge_succ(e: EdgeDomainType): Ref; + +// Translation of domain function create_edge +function create_edge(p_1: Ref, s: Ref): EdgeDomainType; + +// Translation of domain axiom edge_injectivity +axiom (forall p_2: Ref, s_1: Ref :: + { (create_edge(p_2, s_1): EdgeDomainType) } + (edge_pred((create_edge(p_2, s_1): EdgeDomainType)): Ref) == p_2 && (edge_succ((create_edge(p_2, s_1): EdgeDomainType)): Ref) == s_1 +); + +// ================================================== +// Translation of domain TrClo +// ================================================== + +// The type for domain TrClo +type TrCloDomainType; + +// Translation of domain function exists_path +function exists_path(EG: (Set EdgeDomainType), start: Ref, end: Ref): bool; + +// Translation of domain function exists_path_ +function exists_path_(EG: (Set EdgeDomainType), start: Ref, end: Ref): bool; + +// Translation of domain function exists_spath +function exists_spath(EG: (Set EdgeDomainType), from: (Set Ref), to: Ref): bool; + +// Translation of domain function is_on_path +function is_on_path(EG: (Set EdgeDomainType), start: Ref, w_1: Ref, end: Ref): bool; + +// Translation of domain function apply_IND +function apply_IND(EG: (Set EdgeDomainType), Z: (Set Ref), P: (Set Ref)): bool; + +// Translation of domain function apply_noExit +function apply_noExit(EG: (Set EdgeDomainType), U: (Set Ref), M: (Set Ref)): bool; + +// Translation of domain function apply_goOut +function apply_goOut(EG: (Set EdgeDomainType), U: (Set Ref), A: (Set Ref), B: (Set Ref)): bool; + +// Translation of domain function apply_newStart +function apply_newStart(U: (Set Ref), A: (Set Ref), EG1: (Set EdgeDomainType), EG2: (Set EdgeDomainType)): bool; + +// Translation of domain function inst_uReach +function inst_uReach(EG: (Set EdgeDomainType), x: Ref): Set Ref; + +// Translation of domain function acyclic_graph +function acyclic_graph(EG: (Set EdgeDomainType)): bool; + +// Translation of domain function unshared_graph +function unshared_graph(EG: (Set EdgeDomainType)): bool; + +// Translation of domain function func_graph +function func_graph(EG: (Set EdgeDomainType)): bool; + +// Translation of domain axiom ax_NoExit +axiom (forall EG_1: (Set EdgeDomainType), U_1: (Set Ref), M_1: (Set Ref) :: + { (apply_noExit(EG_1, U_1, M_1): bool) } + (apply_noExit(EG_1, U_1, M_1): bool) ==> (forall u_1: Ref, v_2: Ref :: + { EG_1[(create_edge(u_1, v_2): EdgeDomainType)] } { M_1[u_1], M_1[v_2] } + M_1[u_1] && (U_1[v_2] && !M_1[v_2]) ==> !EG_1[(create_edge(u_1, v_2): EdgeDomainType)] + ) ==> (forall u_1_1: Ref, v_1_1: Ref :: + { (exists_path(EG_1, u_1_1, v_1_1): bool) } { M_1[u_1_1], M_1[v_1_1] } + M_1[u_1_1] && (U_1[v_1_1] && !M_1[v_1_1]) ==> !(exists_path(EG_1, u_1_1, v_1_1): bool) + ) +); + +// Translation of domain axiom ax_instantiation_uReach +axiom (forall EG_1: (Set EdgeDomainType), x_1: Ref, v_2: Ref :: + { (inst_uReach(EG_1, x_1): Set Ref)[v_2] } { (exists_path(EG_1, x_1, v_2): bool) } + (inst_uReach(EG_1, x_1): Set Ref)[v_2] == (exists_path(EG_1, x_1, v_2): bool) +); + +// Translation of domain axiom ax_Alias +axiom (forall EG_1: (Set EdgeDomainType), start_1: Ref, end_1: Ref :: + { (exists_path(EG_1, start_1, end_1): bool) } + (exists_path(EG_1, start_1, end_1): bool) == (exists_path_(EG_1, start_1, end_1): bool) +); + +// Translation of domain axiom ax_IsOnPath +axiom (forall EG_1: (Set EdgeDomainType), start_1: Ref, mid: Ref, end_1: Ref :: + { (is_on_path(EG_1, start_1, mid, end_1): bool) } { EG_1[(create_edge(start_1, mid): EdgeDomainType)], (exists_path_(EG_1, mid, end_1): bool) } + (is_on_path(EG_1, start_1, mid, end_1): bool) == (EG_1[(create_edge(start_1, mid): EdgeDomainType)] && (exists_path_(EG_1, mid, end_1): bool)) +); + +// Translation of domain axiom ax_ExistsPath +axiom (forall EG_1: (Set EdgeDomainType), start_1: Ref, end_1: Ref :: + { (exists_path(EG_1, start_1, end_1): bool) } { EG_1[(create_edge(start_1, end_1): EdgeDomainType)] } + (exists_path_(EG_1, start_1, end_1): bool) == (start_1 == end_1 || (exists w_2: Ref :: + { EG_1[(create_edge(start_1, w_2): EdgeDomainType)] } { (exists_path_(EG_1, w_2, end_1): bool) } + EG_1[(create_edge(start_1, w_2): EdgeDomainType)] && (exists_path_(EG_1, w_2, end_1): bool) + )) +); + +// Translation of domain axiom ax_ExistsPathTrans +axiom (forall EG_1: (Set EdgeDomainType), u_1: Ref, v_2: Ref, w_2: Ref :: + { (exists_path(EG_1, u_1, w_2): bool), (exists_path(EG_1, w_2, v_2): bool) } + (exists_path_(EG_1, u_1, w_2): bool) && (exists_path_(EG_1, w_2, v_2): bool) ==> (exists_path_(EG_1, u_1, v_2): bool) +); + +// Translation of domain axiom ax_ExistsSetPath +axiom (forall EG_1: (Set EdgeDomainType), from_1: (Set Ref), to_1: Ref :: + { (exists_spath(EG_1, from_1, to_1): bool) } + (exists_spath(EG_1, from_1, to_1): bool) == (exists f_7: Ref :: + { from_1[f_7] } { (exists_path(EG_1, f_7, to_1): bool) } + from_1[f_7] && (exists_path(EG_1, f_7, to_1): bool) + ) +); + +// ================================================== +// Translation of all fields +// ================================================== + +const unique car: Field NormalField Ref; +axiom !IsPredicateField(car); +axiom !IsWandField(car); +const unique cdr: Field NormalField Ref; +axiom !IsPredicateField(cdr); +axiom !IsWandField(cdr); + +// ================================================== +// Translation of function $$ +// ================================================== + +// Uninterpreted function definitions +function $$(Heap: HeapType, refs: (Set Ref)): Set EdgeDomainType; +function $$'(Heap: HeapType, refs: (Set Ref)): Set EdgeDomainType; +axiom (forall Heap: HeapType, refs: (Set Ref) :: + { $$(Heap, refs) } + $$(Heap, refs) == $$'(Heap, refs) && dummyFunction($$#triggerStateless(refs)) +); +axiom (forall Heap: HeapType, refs: (Set Ref) :: + { $$'(Heap, refs) } + dummyFunction($$#triggerStateless(refs)) +); + +// Framing axioms +function $$#frame(frame: FrameType, refs: (Set Ref)): Set EdgeDomainType; +axiom (forall Heap: HeapType, Mask: MaskType, refs: (Set Ref) :: + { state(Heap, Mask), $$'(Heap, refs) } + state(Heap, Mask) ==> $$'(Heap, refs) == $$#frame(CombineFrames(FrameFragment($$#condqp1(Heap, refs)), FrameFragment($$#condqp2(Heap, refs))), refs) +); +// ================================================== +// Function used for framing of quantified permission (forall n: Ref :: { n.car } (n in refs) ==> acc(n.car, write)) in function $$ +// ================================================== + +function $$#condqp1(Heap: HeapType, refs_1_1: (Set Ref)): int; +axiom (forall Heap2Heap: HeapType, Heap1Heap: HeapType, refs: (Set Ref) :: + { $$#condqp1(Heap2Heap, refs), $$#condqp1(Heap1Heap, refs), succHeapTrans(Heap2Heap, Heap1Heap) } + (forall n: Ref :: + + (refs[n] && NoPerm < FullPerm <==> refs[n] && NoPerm < FullPerm) && (refs[n] && NoPerm < FullPerm ==> Heap2Heap[n, car] == Heap1Heap[n, car]) + ) ==> $$#condqp1(Heap2Heap, refs) == $$#condqp1(Heap1Heap, refs) +); +// ================================================== +// Function used for framing of quantified permission (forall n$0: Ref :: { n$0.cdr } (n$0 in refs) ==> acc(n$0.cdr, write)) in function $$ +// ================================================== + +function $$#condqp2(Heap: HeapType, refs_1_1: (Set Ref)): int; +axiom (forall Heap2Heap: HeapType, Heap1Heap: HeapType, refs: (Set Ref) :: + { $$#condqp2(Heap2Heap, refs), $$#condqp2(Heap1Heap, refs), succHeapTrans(Heap2Heap, Heap1Heap) } + (forall n$0: Ref :: + + (refs[n$0] && NoPerm < FullPerm <==> refs[n$0] && NoPerm < FullPerm) && (refs[n$0] && NoPerm < FullPerm ==> Heap2Heap[n$0, cdr] == Heap1Heap[n$0, cdr]) + ) ==> $$#condqp2(Heap2Heap, refs) == $$#condqp2(Heap1Heap, refs) +); + +// Postcondition axioms +axiom (forall Heap: HeapType, Mask: MaskType, refs: (Set Ref) :: + { state(Heap, Mask), $$'(Heap, refs) } + state(Heap, Mask) && (AssumeFunctionsAbove < 1 || $$#trigger(CombineFrames(FrameFragment($$#condqp1(Heap, refs)), FrameFragment($$#condqp2(Heap, refs))), refs)) ==> (forall p_2: Ref, s_1: Ref :: + { $$'(Heap, refs)[(create_edge(p_2, s_1): EdgeDomainType)] } + (refs[p_2] && (refs[s_1] && (Heap[p_2, car] == s_1 || Heap[p_2, cdr] == s_1))) == $$'(Heap, refs)[(create_edge(p_2, s_1): EdgeDomainType)] + ) +); + +// Trigger function (controlling recursive postconditions) +function $$#trigger(frame: FrameType, refs: (Set Ref)): bool; + +// State-independent trigger function +function $$#triggerStateless(refs: (Set Ref)): Set EdgeDomainType; + +// Check contract well-formedness and postcondition +procedure $$#definedness(refs: (Set Ref)) returns (Result: (Set EdgeDomainType)) + modifies Heap, Mask; +{ + var QPMask: MaskType; + var p_3: Ref; + var s_2: Ref; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == 1; + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Inhaling precondition (with checking) + + // -- Check definedness of (forall n: Ref :: { n.car } (n in refs) ==> acc(n.car, write)) + if (*) { + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource n.car might not be injective. (graph_mark.vpr@158.14--158.25) [544]"} + (forall n_3: Ref, n_3_1: Ref :: + + (((n_3 != n_3_1 && refs[n_3]) && refs[n_3_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> n_3 != n_3_1 + ); + + // -- Define Inverse Function + assume (forall n_3: Ref :: + { Heap[n_3, car] } { QPMask[n_3, car] } { Heap[n_3, car] } + refs[n_3] && NoPerm < FullPerm ==> qpRange1(n_3) && invRecv1(n_3) == n_3 + ); + assume (forall o_3: Ref :: + { invRecv1(o_3) } + (refs[invRecv1(o_3)] && NoPerm < FullPerm) && qpRange1(o_3) ==> invRecv1(o_3) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall n_3: Ref :: + { Heap[n_3, car] } { QPMask[n_3, car] } { Heap[n_3, car] } + refs[n_3] ==> n_3 != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, car] } + ((refs[invRecv1(o_3)] && NoPerm < FullPerm) && qpRange1(o_3) ==> (NoPerm < FullPerm ==> invRecv1(o_3) == o_3) && QPMask[o_3, car] == Mask[o_3, car] + FullPerm) && (!((refs[invRecv1(o_3)] && NoPerm < FullPerm) && qpRange1(o_3)) ==> QPMask[o_3, car] == Mask[o_3, car]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != car ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + + // -- Check definedness of (forall n$0: Ref :: { n$0.cdr } (n$0 in refs) ==> acc(n$0.cdr, write)) + if (*) { + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource n$0.cdr might not be injective. (graph_mark.vpr@158.14--158.25) [545]"} + (forall n$0_3: Ref, n$0_3_1: Ref :: + + (((n$0_3 != n$0_3_1 && refs[n$0_3]) && refs[n$0_3_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> n$0_3 != n$0_3_1 + ); + + // -- Define Inverse Function + assume (forall n$0_3: Ref :: + { Heap[n$0_3, cdr] } { QPMask[n$0_3, cdr] } { Heap[n$0_3, cdr] } + refs[n$0_3] && NoPerm < FullPerm ==> qpRange2(n$0_3) && invRecv2(n$0_3) == n$0_3 + ); + assume (forall o_3: Ref :: + { invRecv2(o_3) } + (refs[invRecv2(o_3)] && NoPerm < FullPerm) && qpRange2(o_3) ==> invRecv2(o_3) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall n$0_3: Ref :: + { Heap[n$0_3, cdr] } { QPMask[n$0_3, cdr] } { Heap[n$0_3, cdr] } + refs[n$0_3] ==> n$0_3 != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, cdr] } + ((refs[invRecv2(o_3)] && NoPerm < FullPerm) && qpRange2(o_3) ==> (NoPerm < FullPerm ==> invRecv2(o_3) == o_3) && QPMask[o_3, cdr] == Mask[o_3, cdr] + FullPerm) && (!((refs[invRecv2(o_3)] && NoPerm < FullPerm) && qpRange2(o_3)) ==> QPMask[o_3, cdr] == Mask[o_3, cdr]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != cdr ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Checking definedness of postcondition (no body) + + // -- Check definedness of (forall p: Ref, s: Ref :: { (create_edge(p, s) in result) } ((p in refs) && ((s in refs) && (p.car == s || p.cdr == s))) == (create_edge(p, s) in result)) + if (*) { + if (refs[p_3]) { + if (refs[s_2]) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access p.car (graph_mark.vpr@159.13--163.34) [546]"} + HasDirectPerm(Mask, p_3, car); + if (!(Heap[p_3, car] == s_2)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access p.cdr (graph_mark.vpr@159.13--163.34) [547]"} + HasDirectPerm(Mask, p_3, cdr); + } + } + } + assume false; + } + assume (forall p_2_1: Ref, s_2_1: Ref :: + { Result[(create_edge(p_2_1, s_2_1): EdgeDomainType)] } + (refs[p_2_1] && (refs[s_2_1] && (Heap[p_2_1, car] == s_2_1 || Heap[p_2_1, cdr] == s_2_1))) == Result[(create_edge(p_2_1, s_2_1): EdgeDomainType)] + ); + assume state(Heap, Mask); +} + +// ================================================== +// Translation of function get +// ================================================== + +// Uninterpreted function definitions +function get(Heap: HeapType, s_1: (Set Ref)): Ref; +function get'(Heap: HeapType, s_1: (Set Ref)): Ref; +axiom (forall Heap: HeapType, s_1: (Set Ref) :: + { get(Heap, s_1) } + get(Heap, s_1) == get'(Heap, s_1) && dummyFunction(get#triggerStateless(s_1)) +); +axiom (forall Heap: HeapType, s_1: (Set Ref) :: + { get'(Heap, s_1) } + dummyFunction(get#triggerStateless(s_1)) +); + +// Framing axioms +function get#frame(frame: FrameType, s_1: (Set Ref)): Ref; +axiom (forall Heap: HeapType, Mask: MaskType, s_1: (Set Ref) :: + { state(Heap, Mask), get'(Heap, s_1) } + state(Heap, Mask) ==> get'(Heap, s_1) == get#frame(EmptyFrame, s_1) +); + +// Postcondition axioms +axiom (forall Heap: HeapType, Mask: MaskType, s_1: (Set Ref) :: + { state(Heap, Mask), get'(Heap, s_1) } + state(Heap, Mask) && (AssumeFunctionsAbove < 0 || get#trigger(EmptyFrame, s_1)) ==> Set#Card(s_1) > 0 ==> s_1[get'(Heap, s_1)] +); + +// Trigger function (controlling recursive postconditions) +function get#trigger(frame: FrameType, s_1: (Set Ref)): bool; + +// State-independent trigger function +function get#triggerStateless(s_1: (Set Ref)): Ref; + +// Check contract well-formedness and postcondition +procedure get#definedness(s_1: (Set Ref)) returns (Result: Ref) + modifies Heap, Mask; +{ + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == 0; + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Inhaling precondition (with checking) + assume Set#Card(s_1) > 0; + assume state(Heap, Mask); + + // -- Checking definedness of postcondition (no body) + assume s_1[Result]; + assume state(Heap, Mask); +} + +// ================================================== +// Translation of method mark +// ================================================== + +procedure mark(g: (Set Ref), roots: (Set Ref)) returns (marked: (Set Ref)) + modifies Heap, Mask; +{ + var QPMask: MaskType; + var n$0_1: Ref; + var n$1: Ref; + var PostHeap: HeapType; + var PostMask: MaskType; + var n$4: Ref; + var n$5: Ref; + var v_3: Ref; + var ExhaleHeap: HeapType; + var v_4: Ref; + var x_1: Ref; + var pending: (Set Ref); + var n$8: Ref; + var n$9: Ref; + var n$8_1: Ref; + var n$9_1: Ref; + var n_14: Ref; + var n1_1: Ref; + var n2_1: Ref; + var loopHeap: HeapType; + var loopMask: MaskType; + var n$8_5: Ref; + var n$9_5: Ref; + var n$4_2: Ref; + var n$5_2: Ref; + var v_4_1: Ref; + var v_6: Ref; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == -1; + + // -- Checked inhaling of precondition + assume Set#Card(roots) > 0; + assume state(Heap, Mask); + assume !g[null]; + + // -- Check definedness of (forall n$2: Ref :: { n$2.car } (n$2 in g) ==> acc(n$2.car, write)) + if (*) { + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource n$2.car might not be injective. (graph_mark.vpr@191.14--191.22) [548]"} + (forall n$2_1: Ref, n$2_1_1: Ref :: + + (((n$2_1 != n$2_1_1 && g[n$2_1]) && g[n$2_1_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> n$2_1 != n$2_1_1 + ); + + // -- Define Inverse Function + assume (forall n$2_1: Ref :: + { Heap[n$2_1, car] } { QPMask[n$2_1, car] } { Heap[n$2_1, car] } + g[n$2_1] && NoPerm < FullPerm ==> qpRange3(n$2_1) && invRecv3(n$2_1) == n$2_1 + ); + assume (forall o_3: Ref :: + { invRecv3(o_3) } + (g[invRecv3(o_3)] && NoPerm < FullPerm) && qpRange3(o_3) ==> invRecv3(o_3) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall n$2_1: Ref :: + { Heap[n$2_1, car] } { QPMask[n$2_1, car] } { Heap[n$2_1, car] } + g[n$2_1] ==> n$2_1 != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, car] } + ((g[invRecv3(o_3)] && NoPerm < FullPerm) && qpRange3(o_3) ==> (NoPerm < FullPerm ==> invRecv3(o_3) == o_3) && QPMask[o_3, car] == Mask[o_3, car] + FullPerm) && (!((g[invRecv3(o_3)] && NoPerm < FullPerm) && qpRange3(o_3)) ==> QPMask[o_3, car] == Mask[o_3, car]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != car ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + + // -- Check definedness of (forall n$3: Ref :: { n$3.cdr } (n$3 in g) ==> acc(n$3.cdr, write)) + if (*) { + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource n$3.cdr might not be injective. (graph_mark.vpr@191.14--191.22) [549]"} + (forall n$3_1: Ref, n$3_1_1: Ref :: + + (((n$3_1 != n$3_1_1 && g[n$3_1]) && g[n$3_1_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> n$3_1 != n$3_1_1 + ); + + // -- Define Inverse Function + assume (forall n$3_1: Ref :: + { Heap[n$3_1, cdr] } { QPMask[n$3_1, cdr] } { Heap[n$3_1, cdr] } + g[n$3_1] && NoPerm < FullPerm ==> qpRange4(n$3_1) && invRecv4(n$3_1) == n$3_1 + ); + assume (forall o_3: Ref :: + { invRecv4(o_3) } + (g[invRecv4(o_3)] && NoPerm < FullPerm) && qpRange4(o_3) ==> invRecv4(o_3) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall n$3_1: Ref :: + { Heap[n$3_1, cdr] } { QPMask[n$3_1, cdr] } { Heap[n$3_1, cdr] } + g[n$3_1] ==> n$3_1 != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, cdr] } + ((g[invRecv4(o_3)] && NoPerm < FullPerm) && qpRange4(o_3) ==> (NoPerm < FullPerm ==> invRecv4(o_3) == o_3) && QPMask[o_3, cdr] == Mask[o_3, cdr] + FullPerm) && (!((g[invRecv4(o_3)] && NoPerm < FullPerm) && qpRange4(o_3)) ==> QPMask[o_3, cdr] == Mask[o_3, cdr]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != cdr ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + + // -- Check definedness of (forall n$0: Ref :: { (n$0.car in g) } { (n$0 in g), n$0.car } (n$0 in g) ==> (n$0.car in g)) + if (*) { + if (g[n$0_1]) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access n$0.car (graph_mark.vpr@191.14--191.22) [550]"} + HasDirectPerm(Mask, n$0_1, car); + } + assume false; + } + assume (forall n$0_1_1: Ref :: + { g[Heap[n$0_1_1, car]] } { g[n$0_1_1], Heap[n$0_1_1, car] } + g[n$0_1_1] ==> g[Heap[n$0_1_1, car]] + ); + + // -- Check definedness of (forall n$1: Ref :: { (n$1.cdr in g) } { (n$1 in g), n$1.cdr } (n$1 in g) ==> (n$1.cdr in g)) + if (*) { + if (g[n$1]) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access n$1.cdr (graph_mark.vpr@191.14--191.22) [551]"} + HasDirectPerm(Mask, n$1, cdr); + } + assume false; + } + assume (forall n$1_1: Ref :: + { g[Heap[n$1_1, cdr]] } { g[n$1_1], Heap[n$1_1, cdr] } + g[n$1_1] ==> g[Heap[n$1_1, cdr]] + ); + assume state(Heap, Mask); + assume Set#Subset(roots, g); + assume state(Heap, Mask); + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + PostHeap := Heap; + PostMask := Mask; + havoc PostHeap; + PostMask := ZeroMask; + assume state(PostHeap, PostMask); + if (*) { + // Checked inhaling of postcondition to check definedness + assume Set#Subset(roots, marked); + assume state(PostHeap, PostMask); + assume Set#Subset(marked, g); + assume state(PostHeap, PostMask); + assume !g[null]; + + // -- Check definedness of (forall n$6: Ref :: { n$6.car } (n$6 in g) ==> acc(n$6.car, write)) + if (*) { + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource n$6.car might not be injective. (graph_mark.vpr@195.13--195.21) [552]"} + (forall n$6_1: Ref, n$6_1_1: Ref :: + + (((n$6_1 != n$6_1_1 && g[n$6_1]) && g[n$6_1_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> n$6_1 != n$6_1_1 + ); + + // -- Define Inverse Function + assume (forall n$6_1: Ref :: + { PostHeap[n$6_1, car] } { QPMask[n$6_1, car] } { PostHeap[n$6_1, car] } + g[n$6_1] && NoPerm < FullPerm ==> qpRange5(n$6_1) && invRecv5(n$6_1) == n$6_1 + ); + assume (forall o_3: Ref :: + { invRecv5(o_3) } + (g[invRecv5(o_3)] && NoPerm < FullPerm) && qpRange5(o_3) ==> invRecv5(o_3) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall n$6_1: Ref :: + { PostHeap[n$6_1, car] } { QPMask[n$6_1, car] } { PostHeap[n$6_1, car] } + g[n$6_1] ==> n$6_1 != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, car] } + ((g[invRecv5(o_3)] && NoPerm < FullPerm) && qpRange5(o_3) ==> (NoPerm < FullPerm ==> invRecv5(o_3) == o_3) && QPMask[o_3, car] == PostMask[o_3, car] + FullPerm) && (!((g[invRecv5(o_3)] && NoPerm < FullPerm) && qpRange5(o_3)) ==> QPMask[o_3, car] == PostMask[o_3, car]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { PostMask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != car ==> PostMask[o_3, f_5] == QPMask[o_3, f_5] + ); + PostMask := QPMask; + assume state(PostHeap, PostMask); + + // -- Check definedness of (forall n$7: Ref :: { n$7.cdr } (n$7 in g) ==> acc(n$7.cdr, write)) + if (*) { + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource n$7.cdr might not be injective. (graph_mark.vpr@195.13--195.21) [553]"} + (forall n$7_1: Ref, n$7_1_1: Ref :: + + (((n$7_1 != n$7_1_1 && g[n$7_1]) && g[n$7_1_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> n$7_1 != n$7_1_1 + ); + + // -- Define Inverse Function + assume (forall n$7_1: Ref :: + { PostHeap[n$7_1, cdr] } { QPMask[n$7_1, cdr] } { PostHeap[n$7_1, cdr] } + g[n$7_1] && NoPerm < FullPerm ==> qpRange6(n$7_1) && invRecv6(n$7_1) == n$7_1 + ); + assume (forall o_3: Ref :: + { invRecv6(o_3) } + (g[invRecv6(o_3)] && NoPerm < FullPerm) && qpRange6(o_3) ==> invRecv6(o_3) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall n$7_1: Ref :: + { PostHeap[n$7_1, cdr] } { QPMask[n$7_1, cdr] } { PostHeap[n$7_1, cdr] } + g[n$7_1] ==> n$7_1 != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, cdr] } + ((g[invRecv6(o_3)] && NoPerm < FullPerm) && qpRange6(o_3) ==> (NoPerm < FullPerm ==> invRecv6(o_3) == o_3) && QPMask[o_3, cdr] == PostMask[o_3, cdr] + FullPerm) && (!((g[invRecv6(o_3)] && NoPerm < FullPerm) && qpRange6(o_3)) ==> QPMask[o_3, cdr] == PostMask[o_3, cdr]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { PostMask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != cdr ==> PostMask[o_3, f_5] == QPMask[o_3, f_5] + ); + PostMask := QPMask; + assume state(PostHeap, PostMask); + + // -- Check definedness of (forall n$4: Ref :: { (n$4.car in g) } { (n$4 in g), n$4.car } (n$4 in g) ==> (n$4.car in g)) + if (*) { + if (g[n$4]) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access n$4.car (graph_mark.vpr@195.13--195.21) [554]"} + HasDirectPerm(PostMask, n$4, car); + } + assume false; + } + assume (forall n$4_1: Ref :: + { g[PostHeap[n$4_1, car]] } { g[n$4_1], PostHeap[n$4_1, car] } + g[n$4_1] ==> g[PostHeap[n$4_1, car]] + ); + + // -- Check definedness of (forall n$5: Ref :: { (n$5.cdr in g) } { (n$5 in g), n$5.cdr } (n$5 in g) ==> (n$5.cdr in g)) + if (*) { + if (g[n$5]) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access n$5.cdr (graph_mark.vpr@195.13--195.21) [555]"} + HasDirectPerm(PostMask, n$5, cdr); + } + assume false; + } + assume (forall n$5_1: Ref :: + { g[PostHeap[n$5_1, cdr]] } { g[n$5_1], PostHeap[n$5_1, cdr] } + g[n$5_1] ==> g[PostHeap[n$5_1, cdr]] + ); + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + + // -- Check definedness of (forall v: Ref :: { (v in marked) } { exists_spath($$(g), roots, v) } (v in g) ==> (v in marked) ==> exists_spath($$(g), roots, v)) + if (*) { + if (g[v_3]) { + if (marked[v_3]) { + if (*) { + // Exhale precondition of function application + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver n is injective + assert {:msg " Precondition of function $$ might not hold. Quantified resource n.car might not be injective. (graph_mark.vpr@196.114--196.119) [556]"} + (forall n: Ref, n_2: Ref :: + { neverTriggered7(n), neverTriggered7(n_2) } + (((n != n_2 && g[n]) && g[n_2]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> n != n_2 + ); + + // -- check if sufficient permission is held + assert {:msg " Precondition of function $$ might not hold. There might be insufficient permission to access n.car (graph_mark.vpr@196.114--196.119) [557]"} + (forall n: Ref :: + { PostHeap[n, car] } { QPMask[n, car] } { PostHeap[n, car] } + g[n] ==> PostMask[n, car] >= FullPerm + ); + + // -- assumptions for inverse of receiver n + assume (forall n: Ref :: + { PostHeap[n, car] } { QPMask[n, car] } { PostHeap[n, car] } + g[n] && NoPerm < FullPerm ==> qpRange7(n) && invRecv7(n) == n + ); + assume (forall o_3: Ref :: + { invRecv7(o_3) } + g[invRecv7(o_3)] && (NoPerm < FullPerm && qpRange7(o_3)) ==> invRecv7(o_3) == o_3 + ); + + // -- assume permission updates for field car + assume (forall o_3: Ref :: + { QPMask[o_3, car] } + (g[invRecv7(o_3)] && (NoPerm < FullPerm && qpRange7(o_3)) ==> invRecv7(o_3) == o_3 && QPMask[o_3, car] == PostMask[o_3, car] - FullPerm) && (!(g[invRecv7(o_3)] && (NoPerm < FullPerm && qpRange7(o_3))) ==> QPMask[o_3, car] == PostMask[o_3, car]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != car ==> PostMask[o_3, f_5] == QPMask[o_3, f_5] + ); + PostMask := QPMask; + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver n$0 is injective + assert {:msg " Precondition of function $$ might not hold. Quantified resource n$0.cdr might not be injective. (graph_mark.vpr@196.114--196.119) [558]"} + (forall n$0_2: Ref, n$0_2_1: Ref :: + { neverTriggered8(n$0_2), neverTriggered8(n$0_2_1) } + (((n$0_2 != n$0_2_1 && g[n$0_2]) && g[n$0_2_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> n$0_2 != n$0_2_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Precondition of function $$ might not hold. There might be insufficient permission to access n$0.cdr (graph_mark.vpr@196.114--196.119) [559]"} + (forall n$0_2: Ref :: + { PostHeap[n$0_2, cdr] } { QPMask[n$0_2, cdr] } { PostHeap[n$0_2, cdr] } + g[n$0_2] ==> PostMask[n$0_2, cdr] >= FullPerm + ); + + // -- assumptions for inverse of receiver n$0 + assume (forall n$0_2: Ref :: + { PostHeap[n$0_2, cdr] } { QPMask[n$0_2, cdr] } { PostHeap[n$0_2, cdr] } + g[n$0_2] && NoPerm < FullPerm ==> qpRange8(n$0_2) && invRecv8(n$0_2) == n$0_2 + ); + assume (forall o_3: Ref :: + { invRecv8(o_3) } + g[invRecv8(o_3)] && (NoPerm < FullPerm && qpRange8(o_3)) ==> invRecv8(o_3) == o_3 + ); + + // -- assume permission updates for field cdr + assume (forall o_3: Ref :: + { QPMask[o_3, cdr] } + (g[invRecv8(o_3)] && (NoPerm < FullPerm && qpRange8(o_3)) ==> invRecv8(o_3) == o_3 && QPMask[o_3, cdr] == PostMask[o_3, cdr] - FullPerm) && (!(g[invRecv8(o_3)] && (NoPerm < FullPerm && qpRange8(o_3))) ==> QPMask[o_3, cdr] == PostMask[o_3, cdr]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != cdr ==> PostMask[o_3, f_5] == QPMask[o_3, f_5] + ); + PostMask := QPMask; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(PostHeap, ExhaleHeap, PostMask); + PostHeap := ExhaleHeap; + // Stop execution + assume false; + } + } + } + assume false; + } + assume (forall v_1_1: Ref :: + { marked[v_1_1] } { (exists_spath($$#frame(CombineFrames(FrameFragment($$#condqp1(PostHeap, g)), FrameFragment($$#condqp2(PostHeap, g))), g), roots, v_1_1): bool) } + g[v_1_1] ==> marked[v_1_1] ==> (exists_spath($$(PostHeap, g), roots, v_1_1): bool) + ); + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + + // -- Check definedness of (forall v: Ref :: { (v in marked) } { exists_spath($$(g), roots, v) } (v in g) ==> exists_spath($$(g), roots, v) ==> (v in marked)) + if (*) { + if (g[v_4]) { + if (*) { + // Exhale precondition of function application + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver n is injective + assert {:msg " Precondition of function $$ might not hold. Quantified resource n.car might not be injective. (graph_mark.vpr@197.98--197.103) [560]"} + (forall n_1: Ref, n_1_1: Ref :: + { neverTriggered9(n_1), neverTriggered9(n_1_1) } + (((n_1 != n_1_1 && g[n_1]) && g[n_1_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> n_1 != n_1_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Precondition of function $$ might not hold. There might be insufficient permission to access n.car (graph_mark.vpr@197.98--197.103) [561]"} + (forall n_1: Ref :: + { PostHeap[n_1, car] } { QPMask[n_1, car] } { PostHeap[n_1, car] } + g[n_1] ==> PostMask[n_1, car] >= FullPerm + ); + + // -- assumptions for inverse of receiver n + assume (forall n_1: Ref :: + { PostHeap[n_1, car] } { QPMask[n_1, car] } { PostHeap[n_1, car] } + g[n_1] && NoPerm < FullPerm ==> qpRange9(n_1) && invRecv9(n_1) == n_1 + ); + assume (forall o_3: Ref :: + { invRecv9(o_3) } + g[invRecv9(o_3)] && (NoPerm < FullPerm && qpRange9(o_3)) ==> invRecv9(o_3) == o_3 + ); + + // -- assume permission updates for field car + assume (forall o_3: Ref :: + { QPMask[o_3, car] } + (g[invRecv9(o_3)] && (NoPerm < FullPerm && qpRange9(o_3)) ==> invRecv9(o_3) == o_3 && QPMask[o_3, car] == PostMask[o_3, car] - FullPerm) && (!(g[invRecv9(o_3)] && (NoPerm < FullPerm && qpRange9(o_3))) ==> QPMask[o_3, car] == PostMask[o_3, car]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != car ==> PostMask[o_3, f_5] == QPMask[o_3, f_5] + ); + PostMask := QPMask; + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver n$0 is injective + assert {:msg " Precondition of function $$ might not hold. Quantified resource n$0.cdr might not be injective. (graph_mark.vpr@197.98--197.103) [562]"} + (forall n$0_3: Ref, n$0_3_1: Ref :: + { neverTriggered10(n$0_3), neverTriggered10(n$0_3_1) } + (((n$0_3 != n$0_3_1 && g[n$0_3]) && g[n$0_3_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> n$0_3 != n$0_3_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Precondition of function $$ might not hold. There might be insufficient permission to access n$0.cdr (graph_mark.vpr@197.98--197.103) [563]"} + (forall n$0_3: Ref :: + { PostHeap[n$0_3, cdr] } { QPMask[n$0_3, cdr] } { PostHeap[n$0_3, cdr] } + g[n$0_3] ==> PostMask[n$0_3, cdr] >= FullPerm + ); + + // -- assumptions for inverse of receiver n$0 + assume (forall n$0_3: Ref :: + { PostHeap[n$0_3, cdr] } { QPMask[n$0_3, cdr] } { PostHeap[n$0_3, cdr] } + g[n$0_3] && NoPerm < FullPerm ==> qpRange10(n$0_3) && invRecv10(n$0_3) == n$0_3 + ); + assume (forall o_3: Ref :: + { invRecv10(o_3) } + g[invRecv10(o_3)] && (NoPerm < FullPerm && qpRange10(o_3)) ==> invRecv10(o_3) == o_3 + ); + + // -- assume permission updates for field cdr + assume (forall o_3: Ref :: + { QPMask[o_3, cdr] } + (g[invRecv10(o_3)] && (NoPerm < FullPerm && qpRange10(o_3)) ==> invRecv10(o_3) == o_3 && QPMask[o_3, cdr] == PostMask[o_3, cdr] - FullPerm) && (!(g[invRecv10(o_3)] && (NoPerm < FullPerm && qpRange10(o_3))) ==> QPMask[o_3, cdr] == PostMask[o_3, cdr]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != cdr ==> PostMask[o_3, f_5] == QPMask[o_3, f_5] + ); + PostMask := QPMask; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(PostHeap, ExhaleHeap, PostMask); + PostHeap := ExhaleHeap; + // Stop execution + assume false; + } + } + assume false; + } + assume (forall v_3_1: Ref :: + { marked[v_3_1] } { (exists_spath($$#frame(CombineFrames(FrameFragment($$#condqp1(PostHeap, g)), FrameFragment($$#condqp2(PostHeap, g))), g), roots, v_3_1): bool) } + g[v_3_1] ==> (exists_spath($$(PostHeap, g), roots, v_3_1): bool) ==> marked[v_3_1] + ); + assume state(PostHeap, PostMask); + // Stop execution + assume false; + } + + // -- Assumptions about local variables + assume Heap[x_1, $allocated]; + + // -- Translating statement: x := get(roots) -- graph_mark.vpr@199.5--199.28 + + // -- Check definedness of get(roots) + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function get might not hold. Assertion |roots| > 0 might not hold. (graph_mark.vpr@199.18--199.28) [564]"} + Set#Card(roots) > 0; + // Stop execution + assume false; + } + x_1 := get(Heap, roots); + assume state(Heap, Mask); + + // -- Translating statement: pending := roots -- graph_mark.vpr@200.5--200.34 + pending := roots; + assume state(Heap, Mask); + + // -- Translating statement: marked := Set[Ref]() -- graph_mark.vpr@201.5--201.20 + marked := (Set#Empty(): Set Ref); + assume state(Heap, Mask); + + // -- Translating statement: while (|pending| > 0) -- graph_mark.vpr@203.5--238.6 + + // -- Before loop head + + // -- Exhale loop invariant before loop + assert {:msg " Loop invariant !((null in g)) && (true && ((forall n$10: Ref :: { n$10.car } (n$10 in g) ==> acc(n$10.car, write)) && (forall n$11: Ref :: { n$11.cdr } (n$11 in g) ==> acc(n$11.cdr, write))) && ((forall n$8: Ref :: { (n$8.car in g) } { (n$8 in g), n$8.car } (n$8 in g) ==> (n$8.car in g)) && (forall n$9: Ref :: { (n$9.cdr in g) } { (n$9 in g), n$9.cdr } (n$9 in g) ==> (n$9.cdr in g)))) might not hold on entry. Assertion !((null in g)) might not hold. (graph_mark.vpr@205.19--205.27) [565]"} + !g[null]; + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver n$10 is injective + assert {:msg " Loop invariant !((null in g)) && (true && ((forall n$10: Ref :: { n$10.car } (n$10 in g) ==> acc(n$10.car, write)) && (forall n$11: Ref :: { n$11.cdr } (n$11 in g) ==> acc(n$11.cdr, write))) && ((forall n$8: Ref :: { (n$8.car in g) } { (n$8 in g), n$8.car } (n$8 in g) ==> (n$8.car in g)) && (forall n$9: Ref :: { (n$9.cdr in g) } { (n$9 in g), n$9.cdr } (n$9 in g) ==> (n$9.cdr in g)))) might not hold on entry. Quantified resource n$10.car might not be injective. (graph_mark.vpr@205.19--205.27) [566]"} + (forall n$10: Ref, n$10_1: Ref :: + { neverTriggered13(n$10), neverTriggered13(n$10_1) } + (((n$10 != n$10_1 && g[n$10]) && g[n$10_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> n$10 != n$10_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Loop invariant !((null in g)) && (true && ((forall n$10: Ref :: { n$10.car } (n$10 in g) ==> acc(n$10.car, write)) && (forall n$11: Ref :: { n$11.cdr } (n$11 in g) ==> acc(n$11.cdr, write))) && ((forall n$8: Ref :: { (n$8.car in g) } { (n$8 in g), n$8.car } (n$8 in g) ==> (n$8.car in g)) && (forall n$9: Ref :: { (n$9.cdr in g) } { (n$9 in g), n$9.cdr } (n$9 in g) ==> (n$9.cdr in g)))) might not hold on entry. There might be insufficient permission to access n$10.car (graph_mark.vpr@205.19--205.27) [567]"} + (forall n$10: Ref :: + { Heap[n$10, car] } { QPMask[n$10, car] } { Heap[n$10, car] } + g[n$10] ==> Mask[n$10, car] >= FullPerm + ); + + // -- assumptions for inverse of receiver n$10 + assume (forall n$10: Ref :: + { Heap[n$10, car] } { QPMask[n$10, car] } { Heap[n$10, car] } + g[n$10] && NoPerm < FullPerm ==> qpRange13(n$10) && invRecv13(n$10) == n$10 + ); + assume (forall o_3: Ref :: + { invRecv13(o_3) } + g[invRecv13(o_3)] && (NoPerm < FullPerm && qpRange13(o_3)) ==> invRecv13(o_3) == o_3 + ); + + // -- assume permission updates for field car + assume (forall o_3: Ref :: + { QPMask[o_3, car] } + (g[invRecv13(o_3)] && (NoPerm < FullPerm && qpRange13(o_3)) ==> invRecv13(o_3) == o_3 && QPMask[o_3, car] == Mask[o_3, car] - FullPerm) && (!(g[invRecv13(o_3)] && (NoPerm < FullPerm && qpRange13(o_3))) ==> QPMask[o_3, car] == Mask[o_3, car]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != car ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver n$11 is injective + assert {:msg " Loop invariant !((null in g)) && (true && ((forall n$10: Ref :: { n$10.car } (n$10 in g) ==> acc(n$10.car, write)) && (forall n$11: Ref :: { n$11.cdr } (n$11 in g) ==> acc(n$11.cdr, write))) && ((forall n$8: Ref :: { (n$8.car in g) } { (n$8 in g), n$8.car } (n$8 in g) ==> (n$8.car in g)) && (forall n$9: Ref :: { (n$9.cdr in g) } { (n$9 in g), n$9.cdr } (n$9 in g) ==> (n$9.cdr in g)))) might not hold on entry. Quantified resource n$11.cdr might not be injective. (graph_mark.vpr@205.19--205.27) [568]"} + (forall n$11: Ref, n$11_1: Ref :: + { neverTriggered14(n$11), neverTriggered14(n$11_1) } + (((n$11 != n$11_1 && g[n$11]) && g[n$11_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> n$11 != n$11_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Loop invariant !((null in g)) && (true && ((forall n$10: Ref :: { n$10.car } (n$10 in g) ==> acc(n$10.car, write)) && (forall n$11: Ref :: { n$11.cdr } (n$11 in g) ==> acc(n$11.cdr, write))) && ((forall n$8: Ref :: { (n$8.car in g) } { (n$8 in g), n$8.car } (n$8 in g) ==> (n$8.car in g)) && (forall n$9: Ref :: { (n$9.cdr in g) } { (n$9 in g), n$9.cdr } (n$9 in g) ==> (n$9.cdr in g)))) might not hold on entry. There might be insufficient permission to access n$11.cdr (graph_mark.vpr@205.19--205.27) [569]"} + (forall n$11: Ref :: + { Heap[n$11, cdr] } { QPMask[n$11, cdr] } { Heap[n$11, cdr] } + g[n$11] ==> Mask[n$11, cdr] >= FullPerm + ); + + // -- assumptions for inverse of receiver n$11 + assume (forall n$11: Ref :: + { Heap[n$11, cdr] } { QPMask[n$11, cdr] } { Heap[n$11, cdr] } + g[n$11] && NoPerm < FullPerm ==> qpRange14(n$11) && invRecv14(n$11) == n$11 + ); + assume (forall o_3: Ref :: + { invRecv14(o_3) } + g[invRecv14(o_3)] && (NoPerm < FullPerm && qpRange14(o_3)) ==> invRecv14(o_3) == o_3 + ); + + // -- assume permission updates for field cdr + assume (forall o_3: Ref :: + { QPMask[o_3, cdr] } + (g[invRecv14(o_3)] && (NoPerm < FullPerm && qpRange14(o_3)) ==> invRecv14(o_3) == o_3 && QPMask[o_3, cdr] == Mask[o_3, cdr] - FullPerm) && (!(g[invRecv14(o_3)] && (NoPerm < FullPerm && qpRange14(o_3))) ==> QPMask[o_3, cdr] == Mask[o_3, cdr]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != cdr ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + if (*) { + if (g[n$8]) { + assert {:msg " Loop invariant !((null in g)) && (true && ((forall n$10: Ref :: { n$10.car } (n$10 in g) ==> acc(n$10.car, write)) && (forall n$11: Ref :: { n$11.cdr } (n$11 in g) ==> acc(n$11.cdr, write))) && ((forall n$8: Ref :: { (n$8.car in g) } { (n$8 in g), n$8.car } (n$8 in g) ==> (n$8.car in g)) && (forall n$9: Ref :: { (n$9.cdr in g) } { (n$9 in g), n$9.cdr } (n$9 in g) ==> (n$9.cdr in g)))) might not hold on entry. Assertion (n$8.car in g) might not hold. (graph_mark.vpr@205.19--205.27) [570]"} + g[Heap[n$8, car]]; + } + assume false; + } + assume (forall n$8_1_1: Ref :: + { g[Heap[n$8_1_1, car]] } { g[n$8_1_1], Heap[n$8_1_1, car] } + g[n$8_1_1] ==> g[Heap[n$8_1_1, car]] + ); + if (*) { + if (g[n$9]) { + assert {:msg " Loop invariant !((null in g)) && (true && ((forall n$10: Ref :: { n$10.car } (n$10 in g) ==> acc(n$10.car, write)) && (forall n$11: Ref :: { n$11.cdr } (n$11 in g) ==> acc(n$11.cdr, write))) && ((forall n$8: Ref :: { (n$8.car in g) } { (n$8 in g), n$8.car } (n$8 in g) ==> (n$8.car in g)) && (forall n$9: Ref :: { (n$9.cdr in g) } { (n$9 in g), n$9.cdr } (n$9 in g) ==> (n$9.cdr in g)))) might not hold on entry. Assertion (n$9.cdr in g) might not hold. (graph_mark.vpr@205.19--205.27) [571]"} + g[Heap[n$9, cdr]]; + } + assume false; + } + assume (forall n$9_1_1: Ref :: + { g[Heap[n$9_1_1, cdr]] } { g[n$9_1_1], Heap[n$9_1_1, cdr] } + g[n$9_1_1] ==> g[Heap[n$9_1_1, cdr]] + ); + assert {:msg " Loop invariant (x in g) might not hold on entry. Assertion (x in g) might not hold. (graph_mark.vpr@208.19--208.25) [572]"} + g[x_1]; + assert {:msg " Loop invariant (pending subset g) might not hold on entry. Assertion (pending subset g) might not hold. (graph_mark.vpr@209.27--209.35) [573]"} + Set#Subset(pending, g); + assert {:msg " Loop invariant (marked subset g) might not hold on entry. Assertion (marked subset g) might not hold. (graph_mark.vpr@210.26--210.34) [574]"} + Set#Subset(marked, g); + assert {:msg " Loop invariant exists_spath($$(g), roots, x) && ((x.cdr != null ==> (create_edge(x, x.cdr) in $$(g)) && exists_path($$(g), x.cdr, x.cdr) ==> exists_path($$(g), x, x.cdr)) && (x.car != null ==> (create_edge(x, x.car) in $$(g)) && exists_path($$(g), x.car, x.car) ==> exists_path($$(g), x, x.car))) might not hold on entry. Assertion exists_spath($$(g), roots, x) might not hold. (graph_mark.vpr@212.19--214.118) [575]"} + (exists_spath($$(Heap, g), roots, x_1): bool); + if (Heap[x_1, cdr] != null) { + if ($$(Heap, g)[(create_edge(x_1, Heap[x_1, cdr]): EdgeDomainType)] && (exists_path($$(Heap, g), Heap[x_1, cdr], Heap[x_1, cdr]): bool)) { + assert {:msg " Loop invariant exists_spath($$(g), roots, x) && ((x.cdr != null ==> (create_edge(x, x.cdr) in $$(g)) && exists_path($$(g), x.cdr, x.cdr) ==> exists_path($$(g), x, x.cdr)) && (x.car != null ==> (create_edge(x, x.car) in $$(g)) && exists_path($$(g), x.car, x.car) ==> exists_path($$(g), x, x.car))) might not hold on entry. Assertion exists_path($$(g), x, x.cdr) might not hold. (graph_mark.vpr@212.19--214.118) [576]"} + (exists_path($$(Heap, g), x_1, Heap[x_1, cdr]): bool); + } + } + if (Heap[x_1, car] != null) { + if ($$(Heap, g)[(create_edge(x_1, Heap[x_1, car]): EdgeDomainType)] && (exists_path($$(Heap, g), Heap[x_1, car], Heap[x_1, car]): bool)) { + assert {:msg " Loop invariant exists_spath($$(g), roots, x) && ((x.cdr != null ==> (create_edge(x, x.cdr) in $$(g)) && exists_path($$(g), x.cdr, x.cdr) ==> exists_path($$(g), x, x.cdr)) && (x.car != null ==> (create_edge(x, x.car) in $$(g)) && exists_path($$(g), x.car, x.car) ==> exists_path($$(g), x, x.car))) might not hold on entry. Assertion exists_path($$(g), x, x.car) might not hold. (graph_mark.vpr@212.19--214.118) [577]"} + (exists_path($$(Heap, g), x_1, Heap[x_1, car]): bool); + } + } + assert {:msg " Loop invariant (forall n: Ref :: { (n in pending) } { (n in roots) } (n in roots) == (n in pending)) && (forall n: Ref :: { (n in marked) } (n in g) ==> !((n in marked))) || (forall n: Ref :: { (n in pending) } { (n in marked) } (n in roots) ==> (n in marked) || (n in pending)) && ((forall n: Ref :: { (n in pending) } (n in g) ==> !((n in marked) && (n in pending))) && ((forall n: Ref :: { exists_spath($$(g), roots, n) } (n in pending) || (n in marked) ==> exists_spath($$(g), roots, n)) && (forall n1: Ref, n2: Ref :: { (n1 in marked), (n2 in marked) } (n1 in marked) && ((n2 in g) && (!((n2 in marked)) && !((n2 in pending)))) ==> !((create_edge(n1, n2) in $$(g)))))) might not hold on entry. Assertion (forall n: Ref :: { (n in pending) } { (n in roots) } (n in roots) == (n in pending)) && (forall n: Ref :: { (n in marked) } (n in g) ==> !((n in marked))) || (forall n: Ref :: { (n in pending) } { (n in marked) } (n in roots) ==> (n in marked) || (n in pending)) && ((forall n: Ref :: { (n in pending) } (n in g) ==> !((n in marked) && (n in pending))) && ((forall n: Ref :: { exists_spath($$(g), roots, n) } (n in pending) || (n in marked) ==> exists_spath($$(g), roots, n)) && (forall n1: Ref, n2: Ref :: { (n1 in marked), (n2 in marked) } (n1 in marked) && ((n2 in g) && (!((n2 in marked)) && !((n2 in pending)))) ==> !((create_edge(n1, n2) in $$(g)))))) might not hold. (graph_mark.vpr@217.9--223.152) [578]"} + ((forall n_2_1: Ref :: + { pending[n_2_1] } { roots[n_2_1] } + roots[n_2_1] == pending[n_2_1] + ) && (forall n_3: Ref :: + { marked[n_3] } + g[n_3] ==> !marked[n_3] + )) || ((forall n_4: Ref :: + { pending[n_4] } { marked[n_4] } + roots[n_4] ==> marked[n_4] || pending[n_4] + ) && ((forall n_5: Ref :: + { pending[n_5] } + g[n_5] ==> !(marked[n_5] && pending[n_5]) + ) && ((forall n_6: Ref :: + { (exists_spath($$#frame(CombineFrames(FrameFragment($$#condqp1(Heap, g)), FrameFragment($$#condqp2(Heap, g))), g), roots, n_6): bool) } + pending[n_6] || marked[n_6] ==> (exists_spath($$(Heap, g), roots, n_6): bool) + ) && (forall n1: Ref, n2: Ref :: + { marked[n1], marked[n2] } + marked[n1] && (g[n2] && (!marked[n2] && !pending[n2])) ==> !$$(Heap, g)[(create_edge(n1, n2): EdgeDomainType)] + )))); + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + + // -- Havoc loop written variables (except locals) + havoc pending, marked, x_1; + assume Heap[x_1, $allocated]; + + // -- Check definedness of invariant + if (*) { + assume !g[null]; + + // -- Check definedness of (forall n$10: Ref :: { n$10.car } (n$10 in g) ==> acc(n$10.car, write)) + if (*) { + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource n$10.car might not be injective. (graph_mark.vpr@205.19--205.27) [579]"} + (forall n$10_2: Ref, n$10_2_1: Ref :: + + (((n$10_2 != n$10_2_1 && g[n$10_2]) && g[n$10_2_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> n$10_2 != n$10_2_1 + ); + + // -- Define Inverse Function + assume (forall n$10_2: Ref :: + { Heap[n$10_2, car] } { QPMask[n$10_2, car] } { Heap[n$10_2, car] } + g[n$10_2] && NoPerm < FullPerm ==> qpRange15(n$10_2) && invRecv15(n$10_2) == n$10_2 + ); + assume (forall o_3: Ref :: + { invRecv15(o_3) } + (g[invRecv15(o_3)] && NoPerm < FullPerm) && qpRange15(o_3) ==> invRecv15(o_3) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall n$10_2: Ref :: + { Heap[n$10_2, car] } { QPMask[n$10_2, car] } { Heap[n$10_2, car] } + g[n$10_2] ==> n$10_2 != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, car] } + ((g[invRecv15(o_3)] && NoPerm < FullPerm) && qpRange15(o_3) ==> (NoPerm < FullPerm ==> invRecv15(o_3) == o_3) && QPMask[o_3, car] == Mask[o_3, car] + FullPerm) && (!((g[invRecv15(o_3)] && NoPerm < FullPerm) && qpRange15(o_3)) ==> QPMask[o_3, car] == Mask[o_3, car]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != car ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + + // -- Check definedness of (forall n$11: Ref :: { n$11.cdr } (n$11 in g) ==> acc(n$11.cdr, write)) + if (*) { + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource n$11.cdr might not be injective. (graph_mark.vpr@205.19--205.27) [580]"} + (forall n$11_2: Ref, n$11_2_1: Ref :: + + (((n$11_2 != n$11_2_1 && g[n$11_2]) && g[n$11_2_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> n$11_2 != n$11_2_1 + ); + + // -- Define Inverse Function + assume (forall n$11_2: Ref :: + { Heap[n$11_2, cdr] } { QPMask[n$11_2, cdr] } { Heap[n$11_2, cdr] } + g[n$11_2] && NoPerm < FullPerm ==> qpRange16(n$11_2) && invRecv16(n$11_2) == n$11_2 + ); + assume (forall o_3: Ref :: + { invRecv16(o_3) } + (g[invRecv16(o_3)] && NoPerm < FullPerm) && qpRange16(o_3) ==> invRecv16(o_3) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall n$11_2: Ref :: + { Heap[n$11_2, cdr] } { QPMask[n$11_2, cdr] } { Heap[n$11_2, cdr] } + g[n$11_2] ==> n$11_2 != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, cdr] } + ((g[invRecv16(o_3)] && NoPerm < FullPerm) && qpRange16(o_3) ==> (NoPerm < FullPerm ==> invRecv16(o_3) == o_3) && QPMask[o_3, cdr] == Mask[o_3, cdr] + FullPerm) && (!((g[invRecv16(o_3)] && NoPerm < FullPerm) && qpRange16(o_3)) ==> QPMask[o_3, cdr] == Mask[o_3, cdr]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != cdr ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + + // -- Check definedness of (forall n$8: Ref :: { (n$8.car in g) } { (n$8 in g), n$8.car } (n$8 in g) ==> (n$8.car in g)) + if (*) { + if (g[n$8_1]) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access n$8.car (graph_mark.vpr@205.19--205.27) [581]"} + HasDirectPerm(Mask, n$8_1, car); + } + assume false; + } + assume (forall n$8_3: Ref :: + { g[Heap[n$8_3, car]] } { g[n$8_3], Heap[n$8_3, car] } + g[n$8_3] ==> g[Heap[n$8_3, car]] + ); + + // -- Check definedness of (forall n$9: Ref :: { (n$9.cdr in g) } { (n$9 in g), n$9.cdr } (n$9 in g) ==> (n$9.cdr in g)) + if (*) { + if (g[n$9_1]) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access n$9.cdr (graph_mark.vpr@205.19--205.27) [582]"} + HasDirectPerm(Mask, n$9_1, cdr); + } + assume false; + } + assume (forall n$9_3: Ref :: + { g[Heap[n$9_3, cdr]] } { g[n$9_3], Heap[n$9_3, cdr] } + g[n$9_3] ==> g[Heap[n$9_3, cdr]] + ); + assume state(Heap, Mask); + assume g[x_1]; + assume state(Heap, Mask); + assume Set#Subset(pending, g); + assume state(Heap, Mask); + assume Set#Subset(marked, g); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of exists_spath($$(g), roots, x) + if (*) { + // Exhale precondition of function application + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver n is injective + assert {:msg " Precondition of function $$ might not hold. Quantified resource n.car might not be injective. (graph_mark.vpr@212.32--212.37) [583]"} + (forall n_7: Ref, n_7_1: Ref :: + { neverTriggered17(n_7), neverTriggered17(n_7_1) } + (((n_7 != n_7_1 && g[n_7]) && g[n_7_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> n_7 != n_7_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Precondition of function $$ might not hold. There might be insufficient permission to access n.car (graph_mark.vpr@212.32--212.37) [584]"} + (forall n_7: Ref :: + { Heap[n_7, car] } { QPMask[n_7, car] } { Heap[n_7, car] } + g[n_7] ==> Mask[n_7, car] >= FullPerm + ); + + // -- assumptions for inverse of receiver n + assume (forall n_7: Ref :: + { Heap[n_7, car] } { QPMask[n_7, car] } { Heap[n_7, car] } + g[n_7] && NoPerm < FullPerm ==> qpRange17(n_7) && invRecv17(n_7) == n_7 + ); + assume (forall o_3: Ref :: + { invRecv17(o_3) } + g[invRecv17(o_3)] && (NoPerm < FullPerm && qpRange17(o_3)) ==> invRecv17(o_3) == o_3 + ); + + // -- assume permission updates for field car + assume (forall o_3: Ref :: + { QPMask[o_3, car] } + (g[invRecv17(o_3)] && (NoPerm < FullPerm && qpRange17(o_3)) ==> invRecv17(o_3) == o_3 && QPMask[o_3, car] == Mask[o_3, car] - FullPerm) && (!(g[invRecv17(o_3)] && (NoPerm < FullPerm && qpRange17(o_3))) ==> QPMask[o_3, car] == Mask[o_3, car]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != car ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver n$0 is injective + assert {:msg " Precondition of function $$ might not hold. Quantified resource n$0.cdr might not be injective. (graph_mark.vpr@212.32--212.37) [585]"} + (forall n$0_4: Ref, n$0_4_1: Ref :: + { neverTriggered18(n$0_4), neverTriggered18(n$0_4_1) } + (((n$0_4 != n$0_4_1 && g[n$0_4]) && g[n$0_4_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> n$0_4 != n$0_4_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Precondition of function $$ might not hold. There might be insufficient permission to access n$0.cdr (graph_mark.vpr@212.32--212.37) [586]"} + (forall n$0_4: Ref :: + { Heap[n$0_4, cdr] } { QPMask[n$0_4, cdr] } { Heap[n$0_4, cdr] } + g[n$0_4] ==> Mask[n$0_4, cdr] >= FullPerm + ); + + // -- assumptions for inverse of receiver n$0 + assume (forall n$0_4: Ref :: + { Heap[n$0_4, cdr] } { QPMask[n$0_4, cdr] } { Heap[n$0_4, cdr] } + g[n$0_4] && NoPerm < FullPerm ==> qpRange18(n$0_4) && invRecv18(n$0_4) == n$0_4 + ); + assume (forall o_3: Ref :: + { invRecv18(o_3) } + g[invRecv18(o_3)] && (NoPerm < FullPerm && qpRange18(o_3)) ==> invRecv18(o_3) == o_3 + ); + + // -- assume permission updates for field cdr + assume (forall o_3: Ref :: + { QPMask[o_3, cdr] } + (g[invRecv18(o_3)] && (NoPerm < FullPerm && qpRange18(o_3)) ==> invRecv18(o_3) == o_3 && QPMask[o_3, cdr] == Mask[o_3, cdr] - FullPerm) && (!(g[invRecv18(o_3)] && (NoPerm < FullPerm && qpRange18(o_3))) ==> QPMask[o_3, cdr] == Mask[o_3, cdr]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != cdr ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } + assume (exists_spath($$(Heap, g), roots, x_1): bool); + + // -- Check definedness of x.cdr != null + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access x.cdr (graph_mark.vpr@212.19--214.118) [587]"} + HasDirectPerm(Mask, x_1, cdr); + if (Heap[x_1, cdr] != null) { + + // -- Check definedness of (create_edge(x, x.cdr) in $$(g)) && exists_path($$(g), x.cdr, x.cdr) + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access x.cdr (graph_mark.vpr@212.19--214.118) [588]"} + HasDirectPerm(Mask, x_1, cdr); + if (*) { + // Exhale precondition of function application + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver n is injective + assert {:msg " Precondition of function $$ might not hold. Quantified resource n.car might not be injective. (graph_mark.vpr@213.32--213.51) [589]"} + (forall n_8: Ref, n_8_1: Ref :: + { neverTriggered19(n_8), neverTriggered19(n_8_1) } + (((n_8 != n_8_1 && g[n_8]) && g[n_8_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> n_8 != n_8_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Precondition of function $$ might not hold. There might be insufficient permission to access n.car (graph_mark.vpr@213.32--213.51) [590]"} + (forall n_8: Ref :: + { Heap[n_8, car] } { QPMask[n_8, car] } { Heap[n_8, car] } + g[n_8] ==> Mask[n_8, car] >= FullPerm + ); + + // -- assumptions for inverse of receiver n + assume (forall n_8: Ref :: + { Heap[n_8, car] } { QPMask[n_8, car] } { Heap[n_8, car] } + g[n_8] && NoPerm < FullPerm ==> qpRange19(n_8) && invRecv19(n_8) == n_8 + ); + assume (forall o_3: Ref :: + { invRecv19(o_3) } + g[invRecv19(o_3)] && (NoPerm < FullPerm && qpRange19(o_3)) ==> invRecv19(o_3) == o_3 + ); + + // -- assume permission updates for field car + assume (forall o_3: Ref :: + { QPMask[o_3, car] } + (g[invRecv19(o_3)] && (NoPerm < FullPerm && qpRange19(o_3)) ==> invRecv19(o_3) == o_3 && QPMask[o_3, car] == Mask[o_3, car] - FullPerm) && (!(g[invRecv19(o_3)] && (NoPerm < FullPerm && qpRange19(o_3))) ==> QPMask[o_3, car] == Mask[o_3, car]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != car ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver n$0 is injective + assert {:msg " Precondition of function $$ might not hold. Quantified resource n$0.cdr might not be injective. (graph_mark.vpr@213.32--213.51) [591]"} + (forall n$0_5: Ref, n$0_5_1: Ref :: + { neverTriggered20(n$0_5), neverTriggered20(n$0_5_1) } + (((n$0_5 != n$0_5_1 && g[n$0_5]) && g[n$0_5_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> n$0_5 != n$0_5_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Precondition of function $$ might not hold. There might be insufficient permission to access n$0.cdr (graph_mark.vpr@213.32--213.51) [592]"} + (forall n$0_5: Ref :: + { Heap[n$0_5, cdr] } { QPMask[n$0_5, cdr] } { Heap[n$0_5, cdr] } + g[n$0_5] ==> Mask[n$0_5, cdr] >= FullPerm + ); + + // -- assumptions for inverse of receiver n$0 + assume (forall n$0_5: Ref :: + { Heap[n$0_5, cdr] } { QPMask[n$0_5, cdr] } { Heap[n$0_5, cdr] } + g[n$0_5] && NoPerm < FullPerm ==> qpRange20(n$0_5) && invRecv20(n$0_5) == n$0_5 + ); + assume (forall o_3: Ref :: + { invRecv20(o_3) } + g[invRecv20(o_3)] && (NoPerm < FullPerm && qpRange20(o_3)) ==> invRecv20(o_3) == o_3 + ); + + // -- assume permission updates for field cdr + assume (forall o_3: Ref :: + { QPMask[o_3, cdr] } + (g[invRecv20(o_3)] && (NoPerm < FullPerm && qpRange20(o_3)) ==> invRecv20(o_3) == o_3 && QPMask[o_3, cdr] == Mask[o_3, cdr] - FullPerm) && (!(g[invRecv20(o_3)] && (NoPerm < FullPerm && qpRange20(o_3))) ==> QPMask[o_3, cdr] == Mask[o_3, cdr]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != cdr ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } + if ($$(Heap, g)[(create_edge(x_1, Heap[x_1, cdr]): EdgeDomainType)]) { + if (*) { + // Exhale precondition of function application + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver n is injective + assert {:msg " Precondition of function $$ might not hold. Quantified resource n.car might not be injective. (graph_mark.vpr@213.67--213.72) [593]"} + (forall n_9: Ref, n_9_1: Ref :: + { neverTriggered21(n_9), neverTriggered21(n_9_1) } + (((n_9 != n_9_1 && g[n_9]) && g[n_9_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> n_9 != n_9_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Precondition of function $$ might not hold. There might be insufficient permission to access n.car (graph_mark.vpr@213.67--213.72) [594]"} + (forall n_9: Ref :: + { Heap[n_9, car] } { QPMask[n_9, car] } { Heap[n_9, car] } + g[n_9] ==> Mask[n_9, car] >= FullPerm + ); + + // -- assumptions for inverse of receiver n + assume (forall n_9: Ref :: + { Heap[n_9, car] } { QPMask[n_9, car] } { Heap[n_9, car] } + g[n_9] && NoPerm < FullPerm ==> qpRange21(n_9) && invRecv21(n_9) == n_9 + ); + assume (forall o_3: Ref :: + { invRecv21(o_3) } + g[invRecv21(o_3)] && (NoPerm < FullPerm && qpRange21(o_3)) ==> invRecv21(o_3) == o_3 + ); + + // -- assume permission updates for field car + assume (forall o_3: Ref :: + { QPMask[o_3, car] } + (g[invRecv21(o_3)] && (NoPerm < FullPerm && qpRange21(o_3)) ==> invRecv21(o_3) == o_3 && QPMask[o_3, car] == Mask[o_3, car] - FullPerm) && (!(g[invRecv21(o_3)] && (NoPerm < FullPerm && qpRange21(o_3))) ==> QPMask[o_3, car] == Mask[o_3, car]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != car ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver n$0 is injective + assert {:msg " Precondition of function $$ might not hold. Quantified resource n$0.cdr might not be injective. (graph_mark.vpr@213.67--213.72) [595]"} + (forall n$0_6: Ref, n$0_6_1: Ref :: + { neverTriggered22(n$0_6), neverTriggered22(n$0_6_1) } + (((n$0_6 != n$0_6_1 && g[n$0_6]) && g[n$0_6_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> n$0_6 != n$0_6_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Precondition of function $$ might not hold. There might be insufficient permission to access n$0.cdr (graph_mark.vpr@213.67--213.72) [596]"} + (forall n$0_6: Ref :: + { Heap[n$0_6, cdr] } { QPMask[n$0_6, cdr] } { Heap[n$0_6, cdr] } + g[n$0_6] ==> Mask[n$0_6, cdr] >= FullPerm + ); + + // -- assumptions for inverse of receiver n$0 + assume (forall n$0_6: Ref :: + { Heap[n$0_6, cdr] } { QPMask[n$0_6, cdr] } { Heap[n$0_6, cdr] } + g[n$0_6] && NoPerm < FullPerm ==> qpRange22(n$0_6) && invRecv22(n$0_6) == n$0_6 + ); + assume (forall o_3: Ref :: + { invRecv22(o_3) } + g[invRecv22(o_3)] && (NoPerm < FullPerm && qpRange22(o_3)) ==> invRecv22(o_3) == o_3 + ); + + // -- assume permission updates for field cdr + assume (forall o_3: Ref :: + { QPMask[o_3, cdr] } + (g[invRecv22(o_3)] && (NoPerm < FullPerm && qpRange22(o_3)) ==> invRecv22(o_3) == o_3 && QPMask[o_3, cdr] == Mask[o_3, cdr] - FullPerm) && (!(g[invRecv22(o_3)] && (NoPerm < FullPerm && qpRange22(o_3))) ==> QPMask[o_3, cdr] == Mask[o_3, cdr]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != cdr ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access x.cdr (graph_mark.vpr@212.19--214.118) [597]"} + HasDirectPerm(Mask, x_1, cdr); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access x.cdr (graph_mark.vpr@212.19--214.118) [598]"} + HasDirectPerm(Mask, x_1, cdr); + } + if ($$(Heap, g)[(create_edge(x_1, Heap[x_1, cdr]): EdgeDomainType)] && (exists_path($$(Heap, g), Heap[x_1, cdr], Heap[x_1, cdr]): bool)) { + assume state(Heap, Mask); + + // -- Check definedness of exists_path($$(g), x, x.cdr) + if (*) { + // Exhale precondition of function application + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver n is injective + assert {:msg " Precondition of function $$ might not hold. Quantified resource n.car might not be injective. (graph_mark.vpr@213.102--213.107) [599]"} + (forall n_10: Ref, n_10_1: Ref :: + { neverTriggered23(n_10), neverTriggered23(n_10_1) } + (((n_10 != n_10_1 && g[n_10]) && g[n_10_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> n_10 != n_10_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Precondition of function $$ might not hold. There might be insufficient permission to access n.car (graph_mark.vpr@213.102--213.107) [600]"} + (forall n_10: Ref :: + { Heap[n_10, car] } { QPMask[n_10, car] } { Heap[n_10, car] } + g[n_10] ==> Mask[n_10, car] >= FullPerm + ); + + // -- assumptions for inverse of receiver n + assume (forall n_10: Ref :: + { Heap[n_10, car] } { QPMask[n_10, car] } { Heap[n_10, car] } + g[n_10] && NoPerm < FullPerm ==> qpRange23(n_10) && invRecv23(n_10) == n_10 + ); + assume (forall o_3: Ref :: + { invRecv23(o_3) } + g[invRecv23(o_3)] && (NoPerm < FullPerm && qpRange23(o_3)) ==> invRecv23(o_3) == o_3 + ); + + // -- assume permission updates for field car + assume (forall o_3: Ref :: + { QPMask[o_3, car] } + (g[invRecv23(o_3)] && (NoPerm < FullPerm && qpRange23(o_3)) ==> invRecv23(o_3) == o_3 && QPMask[o_3, car] == Mask[o_3, car] - FullPerm) && (!(g[invRecv23(o_3)] && (NoPerm < FullPerm && qpRange23(o_3))) ==> QPMask[o_3, car] == Mask[o_3, car]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != car ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver n$0 is injective + assert {:msg " Precondition of function $$ might not hold. Quantified resource n$0.cdr might not be injective. (graph_mark.vpr@213.102--213.107) [601]"} + (forall n$0_7: Ref, n$0_7_1: Ref :: + { neverTriggered24(n$0_7), neverTriggered24(n$0_7_1) } + (((n$0_7 != n$0_7_1 && g[n$0_7]) && g[n$0_7_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> n$0_7 != n$0_7_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Precondition of function $$ might not hold. There might be insufficient permission to access n$0.cdr (graph_mark.vpr@213.102--213.107) [602]"} + (forall n$0_7: Ref :: + { Heap[n$0_7, cdr] } { QPMask[n$0_7, cdr] } { Heap[n$0_7, cdr] } + g[n$0_7] ==> Mask[n$0_7, cdr] >= FullPerm + ); + + // -- assumptions for inverse of receiver n$0 + assume (forall n$0_7: Ref :: + { Heap[n$0_7, cdr] } { QPMask[n$0_7, cdr] } { Heap[n$0_7, cdr] } + g[n$0_7] && NoPerm < FullPerm ==> qpRange24(n$0_7) && invRecv24(n$0_7) == n$0_7 + ); + assume (forall o_3: Ref :: + { invRecv24(o_3) } + g[invRecv24(o_3)] && (NoPerm < FullPerm && qpRange24(o_3)) ==> invRecv24(o_3) == o_3 + ); + + // -- assume permission updates for field cdr + assume (forall o_3: Ref :: + { QPMask[o_3, cdr] } + (g[invRecv24(o_3)] && (NoPerm < FullPerm && qpRange24(o_3)) ==> invRecv24(o_3) == o_3 && QPMask[o_3, cdr] == Mask[o_3, cdr] - FullPerm) && (!(g[invRecv24(o_3)] && (NoPerm < FullPerm && qpRange24(o_3))) ==> QPMask[o_3, cdr] == Mask[o_3, cdr]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != cdr ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access x.cdr (graph_mark.vpr@212.19--214.118) [603]"} + HasDirectPerm(Mask, x_1, cdr); + assume (exists_path($$(Heap, g), x_1, Heap[x_1, cdr]): bool); + } + } + + // -- Check definedness of x.car != null + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access x.car (graph_mark.vpr@212.19--214.118) [604]"} + HasDirectPerm(Mask, x_1, car); + if (Heap[x_1, car] != null) { + + // -- Check definedness of (create_edge(x, x.car) in $$(g)) && exists_path($$(g), x.car, x.car) + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access x.car (graph_mark.vpr@212.19--214.118) [605]"} + HasDirectPerm(Mask, x_1, car); + if (*) { + // Exhale precondition of function application + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver n is injective + assert {:msg " Precondition of function $$ might not hold. Quantified resource n.car might not be injective. (graph_mark.vpr@214.32--214.51) [606]"} + (forall n_11: Ref, n_11_1: Ref :: + { neverTriggered25(n_11), neverTriggered25(n_11_1) } + (((n_11 != n_11_1 && g[n_11]) && g[n_11_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> n_11 != n_11_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Precondition of function $$ might not hold. There might be insufficient permission to access n.car (graph_mark.vpr@214.32--214.51) [607]"} + (forall n_11: Ref :: + { Heap[n_11, car] } { QPMask[n_11, car] } { Heap[n_11, car] } + g[n_11] ==> Mask[n_11, car] >= FullPerm + ); + + // -- assumptions for inverse of receiver n + assume (forall n_11: Ref :: + { Heap[n_11, car] } { QPMask[n_11, car] } { Heap[n_11, car] } + g[n_11] && NoPerm < FullPerm ==> qpRange25(n_11) && invRecv25(n_11) == n_11 + ); + assume (forall o_3: Ref :: + { invRecv25(o_3) } + g[invRecv25(o_3)] && (NoPerm < FullPerm && qpRange25(o_3)) ==> invRecv25(o_3) == o_3 + ); + + // -- assume permission updates for field car + assume (forall o_3: Ref :: + { QPMask[o_3, car] } + (g[invRecv25(o_3)] && (NoPerm < FullPerm && qpRange25(o_3)) ==> invRecv25(o_3) == o_3 && QPMask[o_3, car] == Mask[o_3, car] - FullPerm) && (!(g[invRecv25(o_3)] && (NoPerm < FullPerm && qpRange25(o_3))) ==> QPMask[o_3, car] == Mask[o_3, car]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != car ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver n$0 is injective + assert {:msg " Precondition of function $$ might not hold. Quantified resource n$0.cdr might not be injective. (graph_mark.vpr@214.32--214.51) [608]"} + (forall n$0_8: Ref, n$0_8_1: Ref :: + { neverTriggered26(n$0_8), neverTriggered26(n$0_8_1) } + (((n$0_8 != n$0_8_1 && g[n$0_8]) && g[n$0_8_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> n$0_8 != n$0_8_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Precondition of function $$ might not hold. There might be insufficient permission to access n$0.cdr (graph_mark.vpr@214.32--214.51) [609]"} + (forall n$0_8: Ref :: + { Heap[n$0_8, cdr] } { QPMask[n$0_8, cdr] } { Heap[n$0_8, cdr] } + g[n$0_8] ==> Mask[n$0_8, cdr] >= FullPerm + ); + + // -- assumptions for inverse of receiver n$0 + assume (forall n$0_8: Ref :: + { Heap[n$0_8, cdr] } { QPMask[n$0_8, cdr] } { Heap[n$0_8, cdr] } + g[n$0_8] && NoPerm < FullPerm ==> qpRange26(n$0_8) && invRecv26(n$0_8) == n$0_8 + ); + assume (forall o_3: Ref :: + { invRecv26(o_3) } + g[invRecv26(o_3)] && (NoPerm < FullPerm && qpRange26(o_3)) ==> invRecv26(o_3) == o_3 + ); + + // -- assume permission updates for field cdr + assume (forall o_3: Ref :: + { QPMask[o_3, cdr] } + (g[invRecv26(o_3)] && (NoPerm < FullPerm && qpRange26(o_3)) ==> invRecv26(o_3) == o_3 && QPMask[o_3, cdr] == Mask[o_3, cdr] - FullPerm) && (!(g[invRecv26(o_3)] && (NoPerm < FullPerm && qpRange26(o_3))) ==> QPMask[o_3, cdr] == Mask[o_3, cdr]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != cdr ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } + if ($$(Heap, g)[(create_edge(x_1, Heap[x_1, car]): EdgeDomainType)]) { + if (*) { + // Exhale precondition of function application + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver n is injective + assert {:msg " Precondition of function $$ might not hold. Quantified resource n.car might not be injective. (graph_mark.vpr@214.67--214.72) [610]"} + (forall n_12: Ref, n_12_1: Ref :: + { neverTriggered27(n_12), neverTriggered27(n_12_1) } + (((n_12 != n_12_1 && g[n_12]) && g[n_12_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> n_12 != n_12_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Precondition of function $$ might not hold. There might be insufficient permission to access n.car (graph_mark.vpr@214.67--214.72) [611]"} + (forall n_12: Ref :: + { Heap[n_12, car] } { QPMask[n_12, car] } { Heap[n_12, car] } + g[n_12] ==> Mask[n_12, car] >= FullPerm + ); + + // -- assumptions for inverse of receiver n + assume (forall n_12: Ref :: + { Heap[n_12, car] } { QPMask[n_12, car] } { Heap[n_12, car] } + g[n_12] && NoPerm < FullPerm ==> qpRange27(n_12) && invRecv27(n_12) == n_12 + ); + assume (forall o_3: Ref :: + { invRecv27(o_3) } + g[invRecv27(o_3)] && (NoPerm < FullPerm && qpRange27(o_3)) ==> invRecv27(o_3) == o_3 + ); + + // -- assume permission updates for field car + assume (forall o_3: Ref :: + { QPMask[o_3, car] } + (g[invRecv27(o_3)] && (NoPerm < FullPerm && qpRange27(o_3)) ==> invRecv27(o_3) == o_3 && QPMask[o_3, car] == Mask[o_3, car] - FullPerm) && (!(g[invRecv27(o_3)] && (NoPerm < FullPerm && qpRange27(o_3))) ==> QPMask[o_3, car] == Mask[o_3, car]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != car ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver n$0 is injective + assert {:msg " Precondition of function $$ might not hold. Quantified resource n$0.cdr might not be injective. (graph_mark.vpr@214.67--214.72) [612]"} + (forall n$0_9: Ref, n$0_9_1: Ref :: + { neverTriggered28(n$0_9), neverTriggered28(n$0_9_1) } + (((n$0_9 != n$0_9_1 && g[n$0_9]) && g[n$0_9_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> n$0_9 != n$0_9_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Precondition of function $$ might not hold. There might be insufficient permission to access n$0.cdr (graph_mark.vpr@214.67--214.72) [613]"} + (forall n$0_9: Ref :: + { Heap[n$0_9, cdr] } { QPMask[n$0_9, cdr] } { Heap[n$0_9, cdr] } + g[n$0_9] ==> Mask[n$0_9, cdr] >= FullPerm + ); + + // -- assumptions for inverse of receiver n$0 + assume (forall n$0_9: Ref :: + { Heap[n$0_9, cdr] } { QPMask[n$0_9, cdr] } { Heap[n$0_9, cdr] } + g[n$0_9] && NoPerm < FullPerm ==> qpRange28(n$0_9) && invRecv28(n$0_9) == n$0_9 + ); + assume (forall o_3: Ref :: + { invRecv28(o_3) } + g[invRecv28(o_3)] && (NoPerm < FullPerm && qpRange28(o_3)) ==> invRecv28(o_3) == o_3 + ); + + // -- assume permission updates for field cdr + assume (forall o_3: Ref :: + { QPMask[o_3, cdr] } + (g[invRecv28(o_3)] && (NoPerm < FullPerm && qpRange28(o_3)) ==> invRecv28(o_3) == o_3 && QPMask[o_3, cdr] == Mask[o_3, cdr] - FullPerm) && (!(g[invRecv28(o_3)] && (NoPerm < FullPerm && qpRange28(o_3))) ==> QPMask[o_3, cdr] == Mask[o_3, cdr]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != cdr ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access x.car (graph_mark.vpr@212.19--214.118) [614]"} + HasDirectPerm(Mask, x_1, car); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access x.car (graph_mark.vpr@212.19--214.118) [615]"} + HasDirectPerm(Mask, x_1, car); + } + if ($$(Heap, g)[(create_edge(x_1, Heap[x_1, car]): EdgeDomainType)] && (exists_path($$(Heap, g), Heap[x_1, car], Heap[x_1, car]): bool)) { + assume state(Heap, Mask); + + // -- Check definedness of exists_path($$(g), x, x.car) + if (*) { + // Exhale precondition of function application + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver n is injective + assert {:msg " Precondition of function $$ might not hold. Quantified resource n.car might not be injective. (graph_mark.vpr@214.102--214.107) [616]"} + (forall n_13: Ref, n_13_1: Ref :: + { neverTriggered29(n_13), neverTriggered29(n_13_1) } + (((n_13 != n_13_1 && g[n_13]) && g[n_13_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> n_13 != n_13_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Precondition of function $$ might not hold. There might be insufficient permission to access n.car (graph_mark.vpr@214.102--214.107) [617]"} + (forall n_13: Ref :: + { Heap[n_13, car] } { QPMask[n_13, car] } { Heap[n_13, car] } + g[n_13] ==> Mask[n_13, car] >= FullPerm + ); + + // -- assumptions for inverse of receiver n + assume (forall n_13: Ref :: + { Heap[n_13, car] } { QPMask[n_13, car] } { Heap[n_13, car] } + g[n_13] && NoPerm < FullPerm ==> qpRange29(n_13) && invRecv29(n_13) == n_13 + ); + assume (forall o_3: Ref :: + { invRecv29(o_3) } + g[invRecv29(o_3)] && (NoPerm < FullPerm && qpRange29(o_3)) ==> invRecv29(o_3) == o_3 + ); + + // -- assume permission updates for field car + assume (forall o_3: Ref :: + { QPMask[o_3, car] } + (g[invRecv29(o_3)] && (NoPerm < FullPerm && qpRange29(o_3)) ==> invRecv29(o_3) == o_3 && QPMask[o_3, car] == Mask[o_3, car] - FullPerm) && (!(g[invRecv29(o_3)] && (NoPerm < FullPerm && qpRange29(o_3))) ==> QPMask[o_3, car] == Mask[o_3, car]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != car ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver n$0 is injective + assert {:msg " Precondition of function $$ might not hold. Quantified resource n$0.cdr might not be injective. (graph_mark.vpr@214.102--214.107) [618]"} + (forall n$0_10: Ref, n$0_10_1: Ref :: + { neverTriggered30(n$0_10), neverTriggered30(n$0_10_1) } + (((n$0_10 != n$0_10_1 && g[n$0_10]) && g[n$0_10_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> n$0_10 != n$0_10_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Precondition of function $$ might not hold. There might be insufficient permission to access n$0.cdr (graph_mark.vpr@214.102--214.107) [619]"} + (forall n$0_10: Ref :: + { Heap[n$0_10, cdr] } { QPMask[n$0_10, cdr] } { Heap[n$0_10, cdr] } + g[n$0_10] ==> Mask[n$0_10, cdr] >= FullPerm + ); + + // -- assumptions for inverse of receiver n$0 + assume (forall n$0_10: Ref :: + { Heap[n$0_10, cdr] } { QPMask[n$0_10, cdr] } { Heap[n$0_10, cdr] } + g[n$0_10] && NoPerm < FullPerm ==> qpRange30(n$0_10) && invRecv30(n$0_10) == n$0_10 + ); + assume (forall o_3: Ref :: + { invRecv30(o_3) } + g[invRecv30(o_3)] && (NoPerm < FullPerm && qpRange30(o_3)) ==> invRecv30(o_3) == o_3 + ); + + // -- assume permission updates for field cdr + assume (forall o_3: Ref :: + { QPMask[o_3, cdr] } + (g[invRecv30(o_3)] && (NoPerm < FullPerm && qpRange30(o_3)) ==> invRecv30(o_3) == o_3 && QPMask[o_3, cdr] == Mask[o_3, cdr] - FullPerm) && (!(g[invRecv30(o_3)] && (NoPerm < FullPerm && qpRange30(o_3))) ==> QPMask[o_3, cdr] == Mask[o_3, cdr]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != cdr ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access x.car (graph_mark.vpr@212.19--214.118) [620]"} + HasDirectPerm(Mask, x_1, car); + assume (exists_path($$(Heap, g), x_1, Heap[x_1, car]): bool); + } + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of (forall n: Ref :: { (n in pending) } { (n in roots) } (n in roots) == (n in pending)) && (forall n: Ref :: { (n in marked) } (n in g) ==> !((n in marked))) || (forall n: Ref :: { (n in pending) } { (n in marked) } (n in roots) ==> (n in marked) || (n in pending)) && ((forall n: Ref :: { (n in pending) } (n in g) ==> !((n in marked) && (n in pending))) && ((forall n: Ref :: { exists_spath($$(g), roots, n) } (n in pending) || (n in marked) ==> exists_spath($$(g), roots, n)) && (forall n1: Ref, n2: Ref :: { (n1 in marked), (n2 in marked) } (n1 in marked) && ((n2 in g) && (!((n2 in marked)) && !((n2 in pending)))) ==> !((create_edge(n1, n2) in $$(g)))))) + if (*) { + assume false; + } + if ((forall n_15: Ref :: + { pending[n_15] } { roots[n_15] } + roots[n_15] == pending[n_15] + )) { + if (*) { + assume false; + } + } + if (!((forall n_17: Ref :: + { pending[n_17] } { roots[n_17] } + roots[n_17] == pending[n_17] + ) && (forall n_18: Ref :: + { marked[n_18] } + g[n_18] ==> !marked[n_18] + ))) { + if (*) { + assume false; + } + if ((forall n_20: Ref :: + { pending[n_20] } { marked[n_20] } + roots[n_20] ==> marked[n_20] || pending[n_20] + )) { + if (*) { + assume false; + } + if ((forall n_22: Ref :: + { pending[n_22] } + g[n_22] ==> !(marked[n_22] && pending[n_22]) + )) { + if (*) { + if (pending[n_14] || marked[n_14]) { + if (*) { + // Exhale precondition of function application + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver n$0 is injective + assert {:msg " Precondition of function $$ might not hold. Quantified resource n$0.car might not be injective. (graph_mark.vpr@222.102--222.107) [621]"} + (forall n$0_11: Ref, n$0_11_1: Ref :: + { neverTriggered31(n$0_11), neverTriggered31(n$0_11_1) } + (((n$0_11 != n$0_11_1 && g[n$0_11]) && g[n$0_11_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> n$0_11 != n$0_11_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Precondition of function $$ might not hold. There might be insufficient permission to access n$0.car (graph_mark.vpr@222.102--222.107) [622]"} + (forall n$0_11: Ref :: + { Heap[n$0_11, car] } { QPMask[n$0_11, car] } { Heap[n$0_11, car] } + g[n$0_11] ==> Mask[n$0_11, car] >= FullPerm + ); + + // -- assumptions for inverse of receiver n$0 + assume (forall n$0_11: Ref :: + { Heap[n$0_11, car] } { QPMask[n$0_11, car] } { Heap[n$0_11, car] } + g[n$0_11] && NoPerm < FullPerm ==> qpRange31(n$0_11) && invRecv31(n$0_11) == n$0_11 + ); + assume (forall o_3: Ref :: + { invRecv31(o_3) } + g[invRecv31(o_3)] && (NoPerm < FullPerm && qpRange31(o_3)) ==> invRecv31(o_3) == o_3 + ); + + // -- assume permission updates for field car + assume (forall o_3: Ref :: + { QPMask[o_3, car] } + (g[invRecv31(o_3)] && (NoPerm < FullPerm && qpRange31(o_3)) ==> invRecv31(o_3) == o_3 && QPMask[o_3, car] == Mask[o_3, car] - FullPerm) && (!(g[invRecv31(o_3)] && (NoPerm < FullPerm && qpRange31(o_3))) ==> QPMask[o_3, car] == Mask[o_3, car]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != car ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver n$0 is injective + assert {:msg " Precondition of function $$ might not hold. Quantified resource n$0.cdr might not be injective. (graph_mark.vpr@222.102--222.107) [623]"} + (forall n$0_12: Ref, n$0_12_1: Ref :: + { neverTriggered32(n$0_12), neverTriggered32(n$0_12_1) } + (((n$0_12 != n$0_12_1 && g[n$0_12]) && g[n$0_12_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> n$0_12 != n$0_12_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Precondition of function $$ might not hold. There might be insufficient permission to access n$0.cdr (graph_mark.vpr@222.102--222.107) [624]"} + (forall n$0_12: Ref :: + { Heap[n$0_12, cdr] } { QPMask[n$0_12, cdr] } { Heap[n$0_12, cdr] } + g[n$0_12] ==> Mask[n$0_12, cdr] >= FullPerm + ); + + // -- assumptions for inverse of receiver n$0 + assume (forall n$0_12: Ref :: + { Heap[n$0_12, cdr] } { QPMask[n$0_12, cdr] } { Heap[n$0_12, cdr] } + g[n$0_12] && NoPerm < FullPerm ==> qpRange32(n$0_12) && invRecv32(n$0_12) == n$0_12 + ); + assume (forall o_3: Ref :: + { invRecv32(o_3) } + g[invRecv32(o_3)] && (NoPerm < FullPerm && qpRange32(o_3)) ==> invRecv32(o_3) == o_3 + ); + + // -- assume permission updates for field cdr + assume (forall o_3: Ref :: + { QPMask[o_3, cdr] } + (g[invRecv32(o_3)] && (NoPerm < FullPerm && qpRange32(o_3)) ==> invRecv32(o_3) == o_3 && QPMask[o_3, cdr] == Mask[o_3, cdr] - FullPerm) && (!(g[invRecv32(o_3)] && (NoPerm < FullPerm && qpRange32(o_3))) ==> QPMask[o_3, cdr] == Mask[o_3, cdr]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != cdr ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } + } + assume false; + } + if ((forall n_24: Ref :: + { (exists_spath($$#frame(CombineFrames(FrameFragment($$#condqp1(Heap, g)), FrameFragment($$#condqp2(Heap, g))), g), roots, n_24): bool) } + pending[n_24] || marked[n_24] ==> (exists_spath($$(Heap, g), roots, n_24): bool) + )) { + if (*) { + if (marked[n1_1] && (g[n2_1] && (!marked[n2_1] && !pending[n2_1]))) { + if (*) { + // Exhale precondition of function application + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver n is injective + assert {:msg " Precondition of function $$ might not hold. Quantified resource n.car might not be injective. (graph_mark.vpr@223.133--223.150) [625]"} + (forall n_25: Ref, n_25_1: Ref :: + { neverTriggered33(n_25), neverTriggered33(n_25_1) } + (((n_25 != n_25_1 && g[n_25]) && g[n_25_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> n_25 != n_25_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Precondition of function $$ might not hold. There might be insufficient permission to access n.car (graph_mark.vpr@223.133--223.150) [626]"} + (forall n_25: Ref :: + { Heap[n_25, car] } { QPMask[n_25, car] } { Heap[n_25, car] } + g[n_25] ==> Mask[n_25, car] >= FullPerm + ); + + // -- assumptions for inverse of receiver n + assume (forall n_25: Ref :: + { Heap[n_25, car] } { QPMask[n_25, car] } { Heap[n_25, car] } + g[n_25] && NoPerm < FullPerm ==> qpRange33(n_25) && invRecv33(n_25) == n_25 + ); + assume (forall o_3: Ref :: + { invRecv33(o_3) } + g[invRecv33(o_3)] && (NoPerm < FullPerm && qpRange33(o_3)) ==> invRecv33(o_3) == o_3 + ); + + // -- assume permission updates for field car + assume (forall o_3: Ref :: + { QPMask[o_3, car] } + (g[invRecv33(o_3)] && (NoPerm < FullPerm && qpRange33(o_3)) ==> invRecv33(o_3) == o_3 && QPMask[o_3, car] == Mask[o_3, car] - FullPerm) && (!(g[invRecv33(o_3)] && (NoPerm < FullPerm && qpRange33(o_3))) ==> QPMask[o_3, car] == Mask[o_3, car]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != car ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver n$0 is injective + assert {:msg " Precondition of function $$ might not hold. Quantified resource n$0.cdr might not be injective. (graph_mark.vpr@223.133--223.150) [627]"} + (forall n$0_13: Ref, n$0_13_1: Ref :: + { neverTriggered34(n$0_13), neverTriggered34(n$0_13_1) } + (((n$0_13 != n$0_13_1 && g[n$0_13]) && g[n$0_13_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> n$0_13 != n$0_13_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Precondition of function $$ might not hold. There might be insufficient permission to access n$0.cdr (graph_mark.vpr@223.133--223.150) [628]"} + (forall n$0_13: Ref :: + { Heap[n$0_13, cdr] } { QPMask[n$0_13, cdr] } { Heap[n$0_13, cdr] } + g[n$0_13] ==> Mask[n$0_13, cdr] >= FullPerm + ); + + // -- assumptions for inverse of receiver n$0 + assume (forall n$0_13: Ref :: + { Heap[n$0_13, cdr] } { QPMask[n$0_13, cdr] } { Heap[n$0_13, cdr] } + g[n$0_13] && NoPerm < FullPerm ==> qpRange34(n$0_13) && invRecv34(n$0_13) == n$0_13 + ); + assume (forall o_3: Ref :: + { invRecv34(o_3) } + g[invRecv34(o_3)] && (NoPerm < FullPerm && qpRange34(o_3)) ==> invRecv34(o_3) == o_3 + ); + + // -- assume permission updates for field cdr + assume (forall o_3: Ref :: + { QPMask[o_3, cdr] } + (g[invRecv34(o_3)] && (NoPerm < FullPerm && qpRange34(o_3)) ==> invRecv34(o_3) == o_3 && QPMask[o_3, cdr] == Mask[o_3, cdr] - FullPerm) && (!(g[invRecv34(o_3)] && (NoPerm < FullPerm && qpRange34(o_3))) ==> QPMask[o_3, cdr] == Mask[o_3, cdr]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != cdr ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } + } + assume false; + } + } + } + } + } + assume ((forall n_26: Ref :: + { pending[n_26] } { roots[n_26] } + roots[n_26] == pending[n_26] + ) && (forall n_27: Ref :: + { marked[n_27] } + g[n_27] ==> !marked[n_27] + )) || ((forall n_28: Ref :: + { pending[n_28] } { marked[n_28] } + roots[n_28] ==> marked[n_28] || pending[n_28] + ) && ((forall n_29: Ref :: + { pending[n_29] } + g[n_29] ==> !(marked[n_29] && pending[n_29]) + ) && ((forall n_30: Ref :: + { (exists_spath($$#frame(CombineFrames(FrameFragment($$#condqp1(Heap, g)), FrameFragment($$#condqp2(Heap, g))), g), roots, n_30): bool) } + pending[n_30] || marked[n_30] ==> (exists_spath($$(Heap, g), roots, n_30): bool) + ) && (forall n1_2: Ref, n2_2: Ref :: + { marked[n1_2], marked[n2_2] } + marked[n1_2] && (g[n2_2] && (!marked[n2_2] && !pending[n2_2])) ==> !$$(Heap, g)[(create_edge(n1_2, n2_2): EdgeDomainType)] + )))); + assume state(Heap, Mask); + assume false; + } + + // -- Check the loop body + if (*) { + // Reset state + loopHeap := Heap; + loopMask := Mask; + Mask := ZeroMask; + assume state(Heap, Mask); + // Inhale invariant + assume !g[null]; + havoc QPMask; + assert {:msg " While statement might fail. Quantified resource n$10.car might not be injective. (graph_mark.vpr@205.19--205.27) [629]"} + (forall n$10_3: Ref, n$10_3_1: Ref :: + + (((n$10_3 != n$10_3_1 && g[n$10_3]) && g[n$10_3_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> n$10_3 != n$10_3_1 + ); + + // -- Define Inverse Function + assume (forall n$10_3: Ref :: + { Heap[n$10_3, car] } { QPMask[n$10_3, car] } { Heap[n$10_3, car] } + g[n$10_3] && NoPerm < FullPerm ==> qpRange35(n$10_3) && invRecv35(n$10_3) == n$10_3 + ); + assume (forall o_3: Ref :: + { invRecv35(o_3) } + (g[invRecv35(o_3)] && NoPerm < FullPerm) && qpRange35(o_3) ==> invRecv35(o_3) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall n$10_3: Ref :: + { Heap[n$10_3, car] } { QPMask[n$10_3, car] } { Heap[n$10_3, car] } + g[n$10_3] ==> n$10_3 != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, car] } + ((g[invRecv35(o_3)] && NoPerm < FullPerm) && qpRange35(o_3) ==> (NoPerm < FullPerm ==> invRecv35(o_3) == o_3) && QPMask[o_3, car] == Mask[o_3, car] + FullPerm) && (!((g[invRecv35(o_3)] && NoPerm < FullPerm) && qpRange35(o_3)) ==> QPMask[o_3, car] == Mask[o_3, car]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != car ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + havoc QPMask; + assert {:msg " While statement might fail. Quantified resource n$11.cdr might not be injective. (graph_mark.vpr@205.19--205.27) [630]"} + (forall n$11_3: Ref, n$11_3_1: Ref :: + + (((n$11_3 != n$11_3_1 && g[n$11_3]) && g[n$11_3_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> n$11_3 != n$11_3_1 + ); + + // -- Define Inverse Function + assume (forall n$11_3: Ref :: + { Heap[n$11_3, cdr] } { QPMask[n$11_3, cdr] } { Heap[n$11_3, cdr] } + g[n$11_3] && NoPerm < FullPerm ==> qpRange36(n$11_3) && invRecv36(n$11_3) == n$11_3 + ); + assume (forall o_3: Ref :: + { invRecv36(o_3) } + (g[invRecv36(o_3)] && NoPerm < FullPerm) && qpRange36(o_3) ==> invRecv36(o_3) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall n$11_3: Ref :: + { Heap[n$11_3, cdr] } { QPMask[n$11_3, cdr] } { Heap[n$11_3, cdr] } + g[n$11_3] ==> n$11_3 != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, cdr] } + ((g[invRecv36(o_3)] && NoPerm < FullPerm) && qpRange36(o_3) ==> (NoPerm < FullPerm ==> invRecv36(o_3) == o_3) && QPMask[o_3, cdr] == Mask[o_3, cdr] + FullPerm) && (!((g[invRecv36(o_3)] && NoPerm < FullPerm) && qpRange36(o_3)) ==> QPMask[o_3, cdr] == Mask[o_3, cdr]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != cdr ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume (forall n$8_4: Ref :: + { g[Heap[n$8_4, car]] } { g[n$8_4], Heap[n$8_4, car] } + g[n$8_4] ==> g[Heap[n$8_4, car]] + ); + assume (forall n$9_4: Ref :: + { g[Heap[n$9_4, cdr]] } { g[n$9_4], Heap[n$9_4, cdr] } + g[n$9_4] ==> g[Heap[n$9_4, cdr]] + ); + assume g[x_1]; + assume Set#Subset(pending, g); + assume Set#Subset(marked, g); + assume state(Heap, Mask); + assume (exists_spath($$(Heap, g), roots, x_1): bool); + if (Heap[x_1, cdr] != null) { + if ($$(Heap, g)[(create_edge(x_1, Heap[x_1, cdr]): EdgeDomainType)] && (exists_path($$(Heap, g), Heap[x_1, cdr], Heap[x_1, cdr]): bool)) { + assume state(Heap, Mask); + assume (exists_path($$(Heap, g), x_1, Heap[x_1, cdr]): bool); + } + } + if (Heap[x_1, car] != null) { + if ($$(Heap, g)[(create_edge(x_1, Heap[x_1, car]): EdgeDomainType)] && (exists_path($$(Heap, g), Heap[x_1, car], Heap[x_1, car]): bool)) { + assume state(Heap, Mask); + assume (exists_path($$(Heap, g), x_1, Heap[x_1, car]): bool); + } + } + assume state(Heap, Mask); + assume ((forall n_31: Ref :: + { pending[n_31] } { roots[n_31] } + roots[n_31] == pending[n_31] + ) && (forall n_32: Ref :: + { marked[n_32] } + g[n_32] ==> !marked[n_32] + )) || ((forall n_33: Ref :: + { pending[n_33] } { marked[n_33] } + roots[n_33] ==> marked[n_33] || pending[n_33] + ) && ((forall n_34: Ref :: + { pending[n_34] } + g[n_34] ==> !(marked[n_34] && pending[n_34]) + ) && ((forall n_35: Ref :: + { (exists_spath($$#frame(CombineFrames(FrameFragment($$#condqp1(Heap, g)), FrameFragment($$#condqp2(Heap, g))), g), roots, n_35): bool) } + pending[n_35] || marked[n_35] ==> (exists_spath($$(Heap, g), roots, n_35): bool) + ) && (forall n1_3: Ref, n2_3: Ref :: + { marked[n1_3], marked[n2_3] } + marked[n1_3] && (g[n2_3] && (!marked[n2_3] && !pending[n2_3])) ==> !$$(Heap, g)[(create_edge(n1_3, n2_3): EdgeDomainType)] + )))); + assume state(Heap, Mask); + // Check and assume guard + assume Set#Card(pending) > 0; + assume state(Heap, Mask); + + // -- Translate loop body + + // -- Translating statement: x := get(pending) -- graph_mark.vpr@226.9--226.26 + + // -- Check definedness of get(pending) + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function get might not hold. Assertion |pending| > 0 might not hold. (graph_mark.vpr@226.14--226.26) [631]"} + Set#Card(pending) > 0; + // Stop execution + assume false; + } + x_1 := get(Heap, pending); + assume state(Heap, Mask); + + // -- Translating statement: pending := (pending setminus Set(x)) -- graph_mark.vpr@227.9--227.43 + pending := Set#Difference(pending, Set#Singleton(x_1)); + assume state(Heap, Mask); + + // -- Translating statement: marked := (marked union Set(x)) -- graph_mark.vpr@230.9--230.38 + marked := Set#Union(marked, Set#Singleton(x_1)); + assume state(Heap, Mask); + + // -- Translating statement: if (x.car != null && !((x.car in marked))) -- graph_mark.vpr@232.9--234.10 + + // -- Check definedness of x.car != null && !((x.car in marked)) + assert {:msg " Conditional statement might fail. There might be insufficient permission to access x.car (graph_mark.vpr@232.14--232.49) [632]"} + HasDirectPerm(Mask, x_1, car); + if (Heap[x_1, car] != null) { + assert {:msg " Conditional statement might fail. There might be insufficient permission to access x.car (graph_mark.vpr@232.14--232.49) [633]"} + HasDirectPerm(Mask, x_1, car); + } + if (Heap[x_1, car] != null && !marked[Heap[x_1, car]]) { + + // -- Translating statement: pending := (pending union Set(x.car)) -- graph_mark.vpr@233.13--233.48 + + // -- Check definedness of (pending union Set(x.car)) + assert {:msg " Assignment might fail. There might be insufficient permission to access x.car (graph_mark.vpr@233.13--233.48) [634]"} + HasDirectPerm(Mask, x_1, car); + pending := Set#Union(pending, Set#Singleton(Heap[x_1, car])); + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Translating statement: if (x.cdr != null && !((x.cdr in marked))) -- graph_mark.vpr@235.9--237.10 + + // -- Check definedness of x.cdr != null && !((x.cdr in marked)) + assert {:msg " Conditional statement might fail. There might be insufficient permission to access x.cdr (graph_mark.vpr@235.14--235.49) [635]"} + HasDirectPerm(Mask, x_1, cdr); + if (Heap[x_1, cdr] != null) { + assert {:msg " Conditional statement might fail. There might be insufficient permission to access x.cdr (graph_mark.vpr@235.14--235.49) [636]"} + HasDirectPerm(Mask, x_1, cdr); + } + if (Heap[x_1, cdr] != null && !marked[Heap[x_1, cdr]]) { + + // -- Translating statement: pending := (pending union Set(x.cdr)) -- graph_mark.vpr@236.13--236.48 + + // -- Check definedness of (pending union Set(x.cdr)) + assert {:msg " Assignment might fail. There might be insufficient permission to access x.cdr (graph_mark.vpr@236.13--236.48) [637]"} + HasDirectPerm(Mask, x_1, cdr); + pending := Set#Union(pending, Set#Singleton(Heap[x_1, cdr])); + assume state(Heap, Mask); + } + assume state(Heap, Mask); + // Exhale invariant + assert {:msg " Loop invariant !((null in g)) && (true && ((forall n$10: Ref :: { n$10.car } (n$10 in g) ==> acc(n$10.car, write)) && (forall n$11: Ref :: { n$11.cdr } (n$11 in g) ==> acc(n$11.cdr, write))) && ((forall n$8: Ref :: { (n$8.car in g) } { (n$8 in g), n$8.car } (n$8 in g) ==> (n$8.car in g)) && (forall n$9: Ref :: { (n$9.cdr in g) } { (n$9 in g), n$9.cdr } (n$9 in g) ==> (n$9.cdr in g)))) might not be preserved. Assertion !((null in g)) might not hold. (graph_mark.vpr@205.19--205.27) [638]"} + !g[null]; + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver n$10 is injective + assert {:msg " Loop invariant !((null in g)) && (true && ((forall n$10: Ref :: { n$10.car } (n$10 in g) ==> acc(n$10.car, write)) && (forall n$11: Ref :: { n$11.cdr } (n$11 in g) ==> acc(n$11.cdr, write))) && ((forall n$8: Ref :: { (n$8.car in g) } { (n$8 in g), n$8.car } (n$8 in g) ==> (n$8.car in g)) && (forall n$9: Ref :: { (n$9.cdr in g) } { (n$9 in g), n$9.cdr } (n$9 in g) ==> (n$9.cdr in g)))) might not be preserved. Quantified resource n$10.car might not be injective. (graph_mark.vpr@205.19--205.27) [639]"} + (forall n$10_4: Ref, n$10_4_1: Ref :: + { neverTriggered37(n$10_4), neverTriggered37(n$10_4_1) } + (((n$10_4 != n$10_4_1 && g[n$10_4]) && g[n$10_4_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> n$10_4 != n$10_4_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Loop invariant !((null in g)) && (true && ((forall n$10: Ref :: { n$10.car } (n$10 in g) ==> acc(n$10.car, write)) && (forall n$11: Ref :: { n$11.cdr } (n$11 in g) ==> acc(n$11.cdr, write))) && ((forall n$8: Ref :: { (n$8.car in g) } { (n$8 in g), n$8.car } (n$8 in g) ==> (n$8.car in g)) && (forall n$9: Ref :: { (n$9.cdr in g) } { (n$9 in g), n$9.cdr } (n$9 in g) ==> (n$9.cdr in g)))) might not be preserved. There might be insufficient permission to access n$10.car (graph_mark.vpr@205.19--205.27) [640]"} + (forall n$10_4: Ref :: + { Heap[n$10_4, car] } { QPMask[n$10_4, car] } { Heap[n$10_4, car] } + g[n$10_4] ==> Mask[n$10_4, car] >= FullPerm + ); + + // -- assumptions for inverse of receiver n$10 + assume (forall n$10_4: Ref :: + { Heap[n$10_4, car] } { QPMask[n$10_4, car] } { Heap[n$10_4, car] } + g[n$10_4] && NoPerm < FullPerm ==> qpRange37(n$10_4) && invRecv37(n$10_4) == n$10_4 + ); + assume (forall o_3: Ref :: + { invRecv37(o_3) } + g[invRecv37(o_3)] && (NoPerm < FullPerm && qpRange37(o_3)) ==> invRecv37(o_3) == o_3 + ); + + // -- assume permission updates for field car + assume (forall o_3: Ref :: + { QPMask[o_3, car] } + (g[invRecv37(o_3)] && (NoPerm < FullPerm && qpRange37(o_3)) ==> invRecv37(o_3) == o_3 && QPMask[o_3, car] == Mask[o_3, car] - FullPerm) && (!(g[invRecv37(o_3)] && (NoPerm < FullPerm && qpRange37(o_3))) ==> QPMask[o_3, car] == Mask[o_3, car]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != car ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver n$11 is injective + assert {:msg " Loop invariant !((null in g)) && (true && ((forall n$10: Ref :: { n$10.car } (n$10 in g) ==> acc(n$10.car, write)) && (forall n$11: Ref :: { n$11.cdr } (n$11 in g) ==> acc(n$11.cdr, write))) && ((forall n$8: Ref :: { (n$8.car in g) } { (n$8 in g), n$8.car } (n$8 in g) ==> (n$8.car in g)) && (forall n$9: Ref :: { (n$9.cdr in g) } { (n$9 in g), n$9.cdr } (n$9 in g) ==> (n$9.cdr in g)))) might not be preserved. Quantified resource n$11.cdr might not be injective. (graph_mark.vpr@205.19--205.27) [641]"} + (forall n$11_4: Ref, n$11_4_1: Ref :: + { neverTriggered38(n$11_4), neverTriggered38(n$11_4_1) } + (((n$11_4 != n$11_4_1 && g[n$11_4]) && g[n$11_4_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> n$11_4 != n$11_4_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Loop invariant !((null in g)) && (true && ((forall n$10: Ref :: { n$10.car } (n$10 in g) ==> acc(n$10.car, write)) && (forall n$11: Ref :: { n$11.cdr } (n$11 in g) ==> acc(n$11.cdr, write))) && ((forall n$8: Ref :: { (n$8.car in g) } { (n$8 in g), n$8.car } (n$8 in g) ==> (n$8.car in g)) && (forall n$9: Ref :: { (n$9.cdr in g) } { (n$9 in g), n$9.cdr } (n$9 in g) ==> (n$9.cdr in g)))) might not be preserved. There might be insufficient permission to access n$11.cdr (graph_mark.vpr@205.19--205.27) [642]"} + (forall n$11_4: Ref :: + { Heap[n$11_4, cdr] } { QPMask[n$11_4, cdr] } { Heap[n$11_4, cdr] } + g[n$11_4] ==> Mask[n$11_4, cdr] >= FullPerm + ); + + // -- assumptions for inverse of receiver n$11 + assume (forall n$11_4: Ref :: + { Heap[n$11_4, cdr] } { QPMask[n$11_4, cdr] } { Heap[n$11_4, cdr] } + g[n$11_4] && NoPerm < FullPerm ==> qpRange38(n$11_4) && invRecv38(n$11_4) == n$11_4 + ); + assume (forall o_3: Ref :: + { invRecv38(o_3) } + g[invRecv38(o_3)] && (NoPerm < FullPerm && qpRange38(o_3)) ==> invRecv38(o_3) == o_3 + ); + + // -- assume permission updates for field cdr + assume (forall o_3: Ref :: + { QPMask[o_3, cdr] } + (g[invRecv38(o_3)] && (NoPerm < FullPerm && qpRange38(o_3)) ==> invRecv38(o_3) == o_3 && QPMask[o_3, cdr] == Mask[o_3, cdr] - FullPerm) && (!(g[invRecv38(o_3)] && (NoPerm < FullPerm && qpRange38(o_3))) ==> QPMask[o_3, cdr] == Mask[o_3, cdr]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != cdr ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + if (*) { + if (g[n$8_5]) { + assert {:msg " Loop invariant !((null in g)) && (true && ((forall n$10: Ref :: { n$10.car } (n$10 in g) ==> acc(n$10.car, write)) && (forall n$11: Ref :: { n$11.cdr } (n$11 in g) ==> acc(n$11.cdr, write))) && ((forall n$8: Ref :: { (n$8.car in g) } { (n$8 in g), n$8.car } (n$8 in g) ==> (n$8.car in g)) && (forall n$9: Ref :: { (n$9.cdr in g) } { (n$9 in g), n$9.cdr } (n$9 in g) ==> (n$9.cdr in g)))) might not be preserved. Assertion (n$8.car in g) might not hold. (graph_mark.vpr@205.19--205.27) [643]"} + g[Heap[n$8_5, car]]; + } + assume false; + } + assume (forall n$8_6_1: Ref :: + { g[Heap[n$8_6_1, car]] } { g[n$8_6_1], Heap[n$8_6_1, car] } + g[n$8_6_1] ==> g[Heap[n$8_6_1, car]] + ); + if (*) { + if (g[n$9_5]) { + assert {:msg " Loop invariant !((null in g)) && (true && ((forall n$10: Ref :: { n$10.car } (n$10 in g) ==> acc(n$10.car, write)) && (forall n$11: Ref :: { n$11.cdr } (n$11 in g) ==> acc(n$11.cdr, write))) && ((forall n$8: Ref :: { (n$8.car in g) } { (n$8 in g), n$8.car } (n$8 in g) ==> (n$8.car in g)) && (forall n$9: Ref :: { (n$9.cdr in g) } { (n$9 in g), n$9.cdr } (n$9 in g) ==> (n$9.cdr in g)))) might not be preserved. Assertion (n$9.cdr in g) might not hold. (graph_mark.vpr@205.19--205.27) [644]"} + g[Heap[n$9_5, cdr]]; + } + assume false; + } + assume (forall n$9_6_1: Ref :: + { g[Heap[n$9_6_1, cdr]] } { g[n$9_6_1], Heap[n$9_6_1, cdr] } + g[n$9_6_1] ==> g[Heap[n$9_6_1, cdr]] + ); + assert {:msg " Loop invariant (x in g) might not be preserved. Assertion (x in g) might not hold. (graph_mark.vpr@208.19--208.25) [645]"} + g[x_1]; + assert {:msg " Loop invariant (pending subset g) might not be preserved. Assertion (pending subset g) might not hold. (graph_mark.vpr@209.27--209.35) [646]"} + Set#Subset(pending, g); + assert {:msg " Loop invariant (marked subset g) might not be preserved. Assertion (marked subset g) might not hold. (graph_mark.vpr@210.26--210.34) [647]"} + Set#Subset(marked, g); + assert {:msg " Loop invariant exists_spath($$(g), roots, x) && ((x.cdr != null ==> (create_edge(x, x.cdr) in $$(g)) && exists_path($$(g), x.cdr, x.cdr) ==> exists_path($$(g), x, x.cdr)) && (x.car != null ==> (create_edge(x, x.car) in $$(g)) && exists_path($$(g), x.car, x.car) ==> exists_path($$(g), x, x.car))) might not be preserved. Assertion exists_spath($$(g), roots, x) might not hold. (graph_mark.vpr@212.19--214.118) [648]"} + (exists_spath($$(Heap, g), roots, x_1): bool); + if (Heap[x_1, cdr] != null) { + if ($$(Heap, g)[(create_edge(x_1, Heap[x_1, cdr]): EdgeDomainType)] && (exists_path($$(Heap, g), Heap[x_1, cdr], Heap[x_1, cdr]): bool)) { + assert {:msg " Loop invariant exists_spath($$(g), roots, x) && ((x.cdr != null ==> (create_edge(x, x.cdr) in $$(g)) && exists_path($$(g), x.cdr, x.cdr) ==> exists_path($$(g), x, x.cdr)) && (x.car != null ==> (create_edge(x, x.car) in $$(g)) && exists_path($$(g), x.car, x.car) ==> exists_path($$(g), x, x.car))) might not be preserved. Assertion exists_path($$(g), x, x.cdr) might not hold. (graph_mark.vpr@212.19--214.118) [649]"} + (exists_path($$(Heap, g), x_1, Heap[x_1, cdr]): bool); + } + } + if (Heap[x_1, car] != null) { + if ($$(Heap, g)[(create_edge(x_1, Heap[x_1, car]): EdgeDomainType)] && (exists_path($$(Heap, g), Heap[x_1, car], Heap[x_1, car]): bool)) { + assert {:msg " Loop invariant exists_spath($$(g), roots, x) && ((x.cdr != null ==> (create_edge(x, x.cdr) in $$(g)) && exists_path($$(g), x.cdr, x.cdr) ==> exists_path($$(g), x, x.cdr)) && (x.car != null ==> (create_edge(x, x.car) in $$(g)) && exists_path($$(g), x.car, x.car) ==> exists_path($$(g), x, x.car))) might not be preserved. Assertion exists_path($$(g), x, x.car) might not hold. (graph_mark.vpr@212.19--214.118) [650]"} + (exists_path($$(Heap, g), x_1, Heap[x_1, car]): bool); + } + } + assert {:msg " Loop invariant (forall n: Ref :: { (n in pending) } { (n in roots) } (n in roots) == (n in pending)) && (forall n: Ref :: { (n in marked) } (n in g) ==> !((n in marked))) || (forall n: Ref :: { (n in pending) } { (n in marked) } (n in roots) ==> (n in marked) || (n in pending)) && ((forall n: Ref :: { (n in pending) } (n in g) ==> !((n in marked) && (n in pending))) && ((forall n: Ref :: { exists_spath($$(g), roots, n) } (n in pending) || (n in marked) ==> exists_spath($$(g), roots, n)) && (forall n1: Ref, n2: Ref :: { (n1 in marked), (n2 in marked) } (n1 in marked) && ((n2 in g) && (!((n2 in marked)) && !((n2 in pending)))) ==> !((create_edge(n1, n2) in $$(g)))))) might not be preserved. Assertion (forall n: Ref :: { (n in pending) } { (n in roots) } (n in roots) == (n in pending)) && (forall n: Ref :: { (n in marked) } (n in g) ==> !((n in marked))) || (forall n: Ref :: { (n in pending) } { (n in marked) } (n in roots) ==> (n in marked) || (n in pending)) && ((forall n: Ref :: { (n in pending) } (n in g) ==> !((n in marked) && (n in pending))) && ((forall n: Ref :: { exists_spath($$(g), roots, n) } (n in pending) || (n in marked) ==> exists_spath($$(g), roots, n)) && (forall n1: Ref, n2: Ref :: { (n1 in marked), (n2 in marked) } (n1 in marked) && ((n2 in g) && (!((n2 in marked)) && !((n2 in pending)))) ==> !((create_edge(n1, n2) in $$(g)))))) might not hold. (graph_mark.vpr@217.9--223.152) [651]"} + ((forall n_36: Ref :: + { pending[n_36] } { roots[n_36] } + roots[n_36] == pending[n_36] + ) && (forall n_37: Ref :: + { marked[n_37] } + g[n_37] ==> !marked[n_37] + )) || ((forall n_38: Ref :: + { pending[n_38] } { marked[n_38] } + roots[n_38] ==> marked[n_38] || pending[n_38] + ) && ((forall n_39: Ref :: + { pending[n_39] } + g[n_39] ==> !(marked[n_39] && pending[n_39]) + ) && ((forall n_40: Ref :: + { (exists_spath($$#frame(CombineFrames(FrameFragment($$#condqp1(Heap, g)), FrameFragment($$#condqp2(Heap, g))), g), roots, n_40): bool) } + pending[n_40] || marked[n_40] ==> (exists_spath($$(Heap, g), roots, n_40): bool) + ) && (forall n1_4: Ref, n2_4: Ref :: + { marked[n1_4], marked[n2_4] } + marked[n1_4] && (g[n2_4] && (!marked[n2_4] && !pending[n2_4])) ==> !$$(Heap, g)[(create_edge(n1_4, n2_4): EdgeDomainType)] + )))); + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Terminate execution + assume false; + } + + // -- Inhale loop invariant after loop, and assume guard + assume !(Set#Card(pending) > 0); + assume state(Heap, Mask); + assume !g[null]; + havoc QPMask; + assert {:msg " While statement might fail. Quantified resource n$10.car might not be injective. (graph_mark.vpr@205.19--205.27) [652]"} + (forall n$10_5: Ref, n$10_5_1: Ref :: + + (((n$10_5 != n$10_5_1 && g[n$10_5]) && g[n$10_5_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> n$10_5 != n$10_5_1 + ); + + // -- Define Inverse Function + assume (forall n$10_5: Ref :: + { Heap[n$10_5, car] } { QPMask[n$10_5, car] } { Heap[n$10_5, car] } + g[n$10_5] && NoPerm < FullPerm ==> qpRange39(n$10_5) && invRecv39(n$10_5) == n$10_5 + ); + assume (forall o_3: Ref :: + { invRecv39(o_3) } + (g[invRecv39(o_3)] && NoPerm < FullPerm) && qpRange39(o_3) ==> invRecv39(o_3) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall n$10_5: Ref :: + { Heap[n$10_5, car] } { QPMask[n$10_5, car] } { Heap[n$10_5, car] } + g[n$10_5] ==> n$10_5 != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, car] } + ((g[invRecv39(o_3)] && NoPerm < FullPerm) && qpRange39(o_3) ==> (NoPerm < FullPerm ==> invRecv39(o_3) == o_3) && QPMask[o_3, car] == Mask[o_3, car] + FullPerm) && (!((g[invRecv39(o_3)] && NoPerm < FullPerm) && qpRange39(o_3)) ==> QPMask[o_3, car] == Mask[o_3, car]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != car ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + havoc QPMask; + assert {:msg " While statement might fail. Quantified resource n$11.cdr might not be injective. (graph_mark.vpr@205.19--205.27) [653]"} + (forall n$11_5: Ref, n$11_5_1: Ref :: + + (((n$11_5 != n$11_5_1 && g[n$11_5]) && g[n$11_5_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> n$11_5 != n$11_5_1 + ); + + // -- Define Inverse Function + assume (forall n$11_5: Ref :: + { Heap[n$11_5, cdr] } { QPMask[n$11_5, cdr] } { Heap[n$11_5, cdr] } + g[n$11_5] && NoPerm < FullPerm ==> qpRange40(n$11_5) && invRecv40(n$11_5) == n$11_5 + ); + assume (forall o_3: Ref :: + { invRecv40(o_3) } + (g[invRecv40(o_3)] && NoPerm < FullPerm) && qpRange40(o_3) ==> invRecv40(o_3) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall n$11_5: Ref :: + { Heap[n$11_5, cdr] } { QPMask[n$11_5, cdr] } { Heap[n$11_5, cdr] } + g[n$11_5] ==> n$11_5 != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, cdr] } + ((g[invRecv40(o_3)] && NoPerm < FullPerm) && qpRange40(o_3) ==> (NoPerm < FullPerm ==> invRecv40(o_3) == o_3) && QPMask[o_3, cdr] == Mask[o_3, cdr] + FullPerm) && (!((g[invRecv40(o_3)] && NoPerm < FullPerm) && qpRange40(o_3)) ==> QPMask[o_3, cdr] == Mask[o_3, cdr]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != cdr ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume (forall n$8_7: Ref :: + { g[Heap[n$8_7, car]] } { g[n$8_7], Heap[n$8_7, car] } + g[n$8_7] ==> g[Heap[n$8_7, car]] + ); + assume (forall n$9_7: Ref :: + { g[Heap[n$9_7, cdr]] } { g[n$9_7], Heap[n$9_7, cdr] } + g[n$9_7] ==> g[Heap[n$9_7, cdr]] + ); + assume g[x_1]; + assume Set#Subset(pending, g); + assume Set#Subset(marked, g); + assume state(Heap, Mask); + assume (exists_spath($$(Heap, g), roots, x_1): bool); + if (Heap[x_1, cdr] != null) { + if ($$(Heap, g)[(create_edge(x_1, Heap[x_1, cdr]): EdgeDomainType)] && (exists_path($$(Heap, g), Heap[x_1, cdr], Heap[x_1, cdr]): bool)) { + assume state(Heap, Mask); + assume (exists_path($$(Heap, g), x_1, Heap[x_1, cdr]): bool); + } + } + if (Heap[x_1, car] != null) { + if ($$(Heap, g)[(create_edge(x_1, Heap[x_1, car]): EdgeDomainType)] && (exists_path($$(Heap, g), Heap[x_1, car], Heap[x_1, car]): bool)) { + assume state(Heap, Mask); + assume (exists_path($$(Heap, g), x_1, Heap[x_1, car]): bool); + } + } + assume state(Heap, Mask); + assume ((forall n_41: Ref :: + { pending[n_41] } { roots[n_41] } + roots[n_41] == pending[n_41] + ) && (forall n_42: Ref :: + { marked[n_42] } + g[n_42] ==> !marked[n_42] + )) || ((forall n_43: Ref :: + { pending[n_43] } { marked[n_43] } + roots[n_43] ==> marked[n_43] || pending[n_43] + ) && ((forall n_44: Ref :: + { pending[n_44] } + g[n_44] ==> !(marked[n_44] && pending[n_44]) + ) && ((forall n_45: Ref :: + { (exists_spath($$#frame(CombineFrames(FrameFragment($$#condqp1(Heap, g)), FrameFragment($$#condqp2(Heap, g))), g), roots, n_45): bool) } + pending[n_45] || marked[n_45] ==> (exists_spath($$(Heap, g), roots, n_45): bool) + ) && (forall n1_5: Ref, n2_5: Ref :: + { marked[n1_5], marked[n2_5] } + marked[n1_5] && (g[n2_5] && (!marked[n2_5] && !pending[n2_5])) ==> !$$(Heap, g)[(create_edge(n1_5, n2_5): EdgeDomainType)] + )))); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale apply_noExit($$(g), g, marked) -- graph_mark.vpr@243.12--243.42 + assume state(Heap, Mask); + + // -- Check definedness of apply_noExit($$(g), g, marked) + if (*) { + // Exhale precondition of function application + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver n is injective + assert {:msg " Precondition of function $$ might not hold. Quantified resource n.car might not be injective. (graph_mark.vpr@243.25--243.30) [654]"} + (forall n_46: Ref, n_46_1: Ref :: + { neverTriggered41(n_46), neverTriggered41(n_46_1) } + (((n_46 != n_46_1 && g[n_46]) && g[n_46_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> n_46 != n_46_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Precondition of function $$ might not hold. There might be insufficient permission to access n.car (graph_mark.vpr@243.25--243.30) [655]"} + (forall n_46: Ref :: + { Heap[n_46, car] } { QPMask[n_46, car] } { Heap[n_46, car] } + g[n_46] ==> Mask[n_46, car] >= FullPerm + ); + + // -- assumptions for inverse of receiver n + assume (forall n_46: Ref :: + { Heap[n_46, car] } { QPMask[n_46, car] } { Heap[n_46, car] } + g[n_46] && NoPerm < FullPerm ==> qpRange41(n_46) && invRecv41(n_46) == n_46 + ); + assume (forall o_3: Ref :: + { invRecv41(o_3) } + g[invRecv41(o_3)] && (NoPerm < FullPerm && qpRange41(o_3)) ==> invRecv41(o_3) == o_3 + ); + + // -- assume permission updates for field car + assume (forall o_3: Ref :: + { QPMask[o_3, car] } + (g[invRecv41(o_3)] && (NoPerm < FullPerm && qpRange41(o_3)) ==> invRecv41(o_3) == o_3 && QPMask[o_3, car] == Mask[o_3, car] - FullPerm) && (!(g[invRecv41(o_3)] && (NoPerm < FullPerm && qpRange41(o_3))) ==> QPMask[o_3, car] == Mask[o_3, car]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != car ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver n$0 is injective + assert {:msg " Precondition of function $$ might not hold. Quantified resource n$0.cdr might not be injective. (graph_mark.vpr@243.25--243.30) [656]"} + (forall n$0_14: Ref, n$0_14_1: Ref :: + { neverTriggered42(n$0_14), neverTriggered42(n$0_14_1) } + (((n$0_14 != n$0_14_1 && g[n$0_14]) && g[n$0_14_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> n$0_14 != n$0_14_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Precondition of function $$ might not hold. There might be insufficient permission to access n$0.cdr (graph_mark.vpr@243.25--243.30) [657]"} + (forall n$0_14: Ref :: + { Heap[n$0_14, cdr] } { QPMask[n$0_14, cdr] } { Heap[n$0_14, cdr] } + g[n$0_14] ==> Mask[n$0_14, cdr] >= FullPerm + ); + + // -- assumptions for inverse of receiver n$0 + assume (forall n$0_14: Ref :: + { Heap[n$0_14, cdr] } { QPMask[n$0_14, cdr] } { Heap[n$0_14, cdr] } + g[n$0_14] && NoPerm < FullPerm ==> qpRange42(n$0_14) && invRecv42(n$0_14) == n$0_14 + ); + assume (forall o_3: Ref :: + { invRecv42(o_3) } + g[invRecv42(o_3)] && (NoPerm < FullPerm && qpRange42(o_3)) ==> invRecv42(o_3) == o_3 + ); + + // -- assume permission updates for field cdr + assume (forall o_3: Ref :: + { QPMask[o_3, cdr] } + (g[invRecv42(o_3)] && (NoPerm < FullPerm && qpRange42(o_3)) ==> invRecv42(o_3) == o_3 && QPMask[o_3, cdr] == Mask[o_3, cdr] - FullPerm) && (!(g[invRecv42(o_3)] && (NoPerm < FullPerm && qpRange42(o_3))) ==> QPMask[o_3, cdr] == Mask[o_3, cdr]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != cdr ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } + assume (apply_noExit($$(Heap, g), g, marked): bool); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Exhaling postcondition + assert {:msg " Postcondition of mark might not hold. Assertion (roots subset marked) might not hold. (graph_mark.vpr@193.19--193.32) [658]"} + Set#Subset(roots, marked); + assert {:msg " Postcondition of mark might not hold. Assertion (marked subset g) might not hold. (graph_mark.vpr@194.20--194.28) [659]"} + Set#Subset(marked, g); + assert {:msg " Postcondition of mark might not hold. Assertion !((null in g)) might not hold. (graph_mark.vpr@195.13--195.21) [660]"} + !g[null]; + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver n$6 is injective + assert {:msg " Contract might not be well-formed. Quantified resource n$6.car might not be injective. (graph_mark.vpr@195.13--195.21) [661]"} + (forall n$6_2: Ref, n$6_2_1: Ref :: + { neverTriggered11(n$6_2), neverTriggered11(n$6_2_1) } + (((n$6_2 != n$6_2_1 && g[n$6_2]) && g[n$6_2_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> n$6_2 != n$6_2_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Postcondition of mark might not hold. There might be insufficient permission to access n$6.car (graph_mark.vpr@195.13--195.21) [662]"} + (forall n$6_2: Ref :: + { Heap[n$6_2, car] } { QPMask[n$6_2, car] } { Heap[n$6_2, car] } + g[n$6_2] ==> Mask[n$6_2, car] >= FullPerm + ); + + // -- assumptions for inverse of receiver n$6 + assume (forall n$6_2: Ref :: + { Heap[n$6_2, car] } { QPMask[n$6_2, car] } { Heap[n$6_2, car] } + g[n$6_2] && NoPerm < FullPerm ==> qpRange11(n$6_2) && invRecv11(n$6_2) == n$6_2 + ); + assume (forall o_3: Ref :: + { invRecv11(o_3) } + g[invRecv11(o_3)] && (NoPerm < FullPerm && qpRange11(o_3)) ==> invRecv11(o_3) == o_3 + ); + + // -- assume permission updates for field car + assume (forall o_3: Ref :: + { QPMask[o_3, car] } + (g[invRecv11(o_3)] && (NoPerm < FullPerm && qpRange11(o_3)) ==> invRecv11(o_3) == o_3 && QPMask[o_3, car] == Mask[o_3, car] - FullPerm) && (!(g[invRecv11(o_3)] && (NoPerm < FullPerm && qpRange11(o_3))) ==> QPMask[o_3, car] == Mask[o_3, car]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != car ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver n$7 is injective + assert {:msg " Contract might not be well-formed. Quantified resource n$7.cdr might not be injective. (graph_mark.vpr@195.13--195.21) [663]"} + (forall n$7_2: Ref, n$7_2_1: Ref :: + { neverTriggered12(n$7_2), neverTriggered12(n$7_2_1) } + (((n$7_2 != n$7_2_1 && g[n$7_2]) && g[n$7_2_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> n$7_2 != n$7_2_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Postcondition of mark might not hold. There might be insufficient permission to access n$7.cdr (graph_mark.vpr@195.13--195.21) [664]"} + (forall n$7_2: Ref :: + { Heap[n$7_2, cdr] } { QPMask[n$7_2, cdr] } { Heap[n$7_2, cdr] } + g[n$7_2] ==> Mask[n$7_2, cdr] >= FullPerm + ); + + // -- assumptions for inverse of receiver n$7 + assume (forall n$7_2: Ref :: + { Heap[n$7_2, cdr] } { QPMask[n$7_2, cdr] } { Heap[n$7_2, cdr] } + g[n$7_2] && NoPerm < FullPerm ==> qpRange12(n$7_2) && invRecv12(n$7_2) == n$7_2 + ); + assume (forall o_3: Ref :: + { invRecv12(o_3) } + g[invRecv12(o_3)] && (NoPerm < FullPerm && qpRange12(o_3)) ==> invRecv12(o_3) == o_3 + ); + + // -- assume permission updates for field cdr + assume (forall o_3: Ref :: + { QPMask[o_3, cdr] } + (g[invRecv12(o_3)] && (NoPerm < FullPerm && qpRange12(o_3)) ==> invRecv12(o_3) == o_3 && QPMask[o_3, cdr] == Mask[o_3, cdr] - FullPerm) && (!(g[invRecv12(o_3)] && (NoPerm < FullPerm && qpRange12(o_3))) ==> QPMask[o_3, cdr] == Mask[o_3, cdr]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != cdr ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + if (*) { + if (g[n$4_2]) { + assert {:msg " Postcondition of mark might not hold. Assertion (n$4.car in g) might not hold. (graph_mark.vpr@195.13--195.21) [665]"} + g[Heap[n$4_2, car]]; + } + assume false; + } + assume (forall n$4_3_1: Ref :: + { g[Heap[n$4_3_1, car]] } { g[n$4_3_1], Heap[n$4_3_1, car] } + g[n$4_3_1] ==> g[Heap[n$4_3_1, car]] + ); + if (*) { + if (g[n$5_2]) { + assert {:msg " Postcondition of mark might not hold. Assertion (n$5.cdr in g) might not hold. (graph_mark.vpr@195.13--195.21) [666]"} + g[Heap[n$5_2, cdr]]; + } + assume false; + } + assume (forall n$5_3_1: Ref :: + { g[Heap[n$5_3_1, cdr]] } { g[n$5_3_1], Heap[n$5_3_1, cdr] } + g[n$5_3_1] ==> g[Heap[n$5_3_1, cdr]] + ); + if (*) { + if (g[v_4_1]) { + if (marked[v_4_1]) { + assert {:msg " Postcondition of mark might not hold. Assertion exists_spath($$(g), roots, v) might not hold. (graph_mark.vpr@196.13--196.130) [667]"} + (exists_spath($$(Heap, g), roots, v_4_1): bool); + } + } + assume false; + } + assume (forall v_5_1: Ref :: + { marked[v_5_1] } { (exists_spath($$#frame(CombineFrames(FrameFragment($$#condqp1(Heap, g)), FrameFragment($$#condqp2(Heap, g))), g), roots, v_5_1): bool) } + g[v_5_1] ==> marked[v_5_1] ==> (exists_spath($$(Heap, g), roots, v_5_1): bool) + ); + if (*) { + if (g[v_6]) { + if ((exists_spath($$(Heap, g), roots, v_6): bool)) { + assert {:msg " Postcondition of mark might not hold. Assertion (v in marked) might not hold. (graph_mark.vpr@197.13--197.130) [668]"} + marked[v_6]; + } + } + assume false; + } + assume (forall v_7_1: Ref :: + { marked[v_7_1] } { (exists_spath($$#frame(CombineFrames(FrameFragment($$#condqp1(Heap, g)), FrameFragment($$#condqp2(Heap, g))), g), roots, v_7_1): bool) } + g[v_7_1] ==> (exists_spath($$(Heap, g), roots, v_7_1): bool) ==> marked[v_7_1] + ); + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; +} diff --git a/Test/monomorphize/viper/linked-list-predicates.bpl b/Test/monomorphize/viper/linked-list-predicates.bpl new file mode 100644 index 000000000..c5b2f7fa9 --- /dev/null +++ b/Test/monomorphize/viper/linked-list-predicates.bpl @@ -0,0 +1,5199 @@ +// RUN: %parallel-boogie /monomorphize /noVerify "%s" > "%t" + +// ================================================== +// Preamble of State module. +// ================================================== + +function state(Heap: HeapType, Mask: MaskType): bool; + +// ================================================== +// Preamble of Heap module. +// ================================================== + +type Ref; +var Heap: HeapType; +const null: Ref; +type Field A B; +type NormalField; +type HeapType = [Ref, Field A B]B; +const unique $allocated: Field NormalField bool; +axiom (forall o: Ref, f: (Field NormalField Ref), Heap: HeapType :: + { Heap[o, f] } + Heap[o, $allocated] ==> Heap[Heap[o, f], $allocated] +); +function succHeap(Heap0: HeapType, Heap1: HeapType): bool; +function succHeapTrans(Heap0: HeapType, Heap1: HeapType): bool; +function IdenticalOnKnownLocations(Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType): bool; +function IsPredicateField(f_1: (Field A B)): bool; +function IsWandField(f_1: (Field A B)): bool; +function getPredicateId(f_1: (Field A B)): int; +// Frame all locations with direct permissions +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, o_1: Ref, f_2: (Field A B) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), ExhaleHeap[o_1, f_2] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, o_1, f_2) ==> Heap[o_1, f_2] == ExhaleHeap[o_1, f_2] +); +// Frame all predicate mask locations of predicates with direct permission +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsPredicateField(pm_f), ExhaleHeap[null, PredicateMaskField(pm_f)] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsPredicateField(pm_f) ==> Heap[null, PredicateMaskField(pm_f)] == ExhaleHeap[null, PredicateMaskField(pm_f)] +); +// Frame all locations with known folded permissions +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsPredicateField(pm_f) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsPredicateField(pm_f) ==> (forall o2: Ref, f_2: (Field A B) :: + { ExhaleHeap[o2, f_2] } + Heap[null, PredicateMaskField(pm_f)][o2, f_2] ==> Heap[o2, f_2] == ExhaleHeap[o2, f_2] + ) +); +// Frame all wand mask locations of wands with direct permission +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsWandField(pm_f), ExhaleHeap[null, WandMaskField(pm_f)] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsWandField(pm_f) ==> Heap[null, WandMaskField(pm_f)] == ExhaleHeap[null, WandMaskField(pm_f)] +); +// Frame all locations in the footprint of magic wands +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsWandField(pm_f) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsWandField(pm_f) ==> (forall o2: Ref, f_2: (Field A B) :: + { ExhaleHeap[o2, f_2] } + Heap[null, WandMaskField(pm_f)][o2, f_2] ==> Heap[o2, f_2] == ExhaleHeap[o2, f_2] + ) +); +// All previously-allocated references are still allocated +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, o_1: Ref :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), ExhaleHeap[o_1, $allocated] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> Heap[o_1, $allocated] ==> ExhaleHeap[o_1, $allocated] +); +// Updated Heaps are Successor Heaps +axiom (forall Heap: HeapType, o: Ref, f_3: (Field A B), v: B :: + { Heap[o, f_3:=v] } + succHeap(Heap, Heap[o, f_3:=v]) +); +// IdenticalOnKnownLocations Heaps are Successor Heaps +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> succHeap(Heap, ExhaleHeap) +); +// Successor Heaps are Transitive Successor Heaps +axiom (forall Heap0: HeapType, Heap1: HeapType :: + { succHeap(Heap0, Heap1) } + succHeap(Heap0, Heap1) ==> succHeapTrans(Heap0, Heap1) +); +// Transitivity of Transitive Successor Heaps +axiom (forall Heap0: HeapType, Heap1: HeapType, Heap2: HeapType :: + { succHeapTrans(Heap0, Heap1), succHeap(Heap1, Heap2) } + succHeapTrans(Heap0, Heap1) && succHeap(Heap1, Heap2) ==> succHeapTrans(Heap0, Heap2) +); + +// ================================================== +// Preamble of Permission module. +// ================================================== + +type Perm = real; +type MaskType = [Ref, Field A B]Perm; +var Mask: MaskType; +const ZeroMask: MaskType; +axiom (forall o_2: Ref, f_4: (Field A B) :: + { ZeroMask[o_2, f_4] } + ZeroMask[o_2, f_4] == NoPerm +); +type PMaskType = [Ref, Field A B]bool; +const ZeroPMask: PMaskType; +axiom (forall o_2: Ref, f_4: (Field A B) :: + { ZeroPMask[o_2, f_4] } + !ZeroPMask[o_2, f_4] +); +function PredicateMaskField(f_5: (Field A FrameType)): Field A PMaskType; +function WandMaskField(f_5: (Field A FrameType)): Field A PMaskType; +const NoPerm: Perm; +axiom NoPerm == 0.000000000; +const FullPerm: Perm; +axiom FullPerm == 1.000000000; +function Perm(a: real, b: real): Perm; +function GoodMask(Mask: MaskType): bool; +axiom (forall Heap: HeapType, Mask: MaskType :: + { state(Heap, Mask) } + state(Heap, Mask) ==> GoodMask(Mask) +); +axiom (forall Mask: MaskType, o_2: Ref, f_4: (Field A B) :: + { GoodMask(Mask), Mask[o_2, f_4] } + GoodMask(Mask) ==> Mask[o_2, f_4] >= NoPerm && ((GoodMask(Mask) && !IsPredicateField(f_4)) && !IsWandField(f_4) ==> Mask[o_2, f_4] <= FullPerm) +); +function HasDirectPerm(Mask: MaskType, o_2: Ref, f_4: (Field A B)): bool; +axiom (forall Mask: MaskType, o_2: Ref, f_4: (Field A B) :: + { HasDirectPerm(Mask, o_2, f_4) } + HasDirectPerm(Mask, o_2, f_4) <==> Mask[o_2, f_4] > NoPerm +); +function sumMask(ResultMask: MaskType, SummandMask1: MaskType, SummandMask2: MaskType): bool; +axiom (forall ResultMask: MaskType, SummandMask1: MaskType, SummandMask2: MaskType, o_2: Ref, f_4: (Field A B) :: + { sumMask(ResultMask, SummandMask1, SummandMask2), ResultMask[o_2, f_4] } { sumMask(ResultMask, SummandMask1, SummandMask2), SummandMask1[o_2, f_4] } { sumMask(ResultMask, SummandMask1, SummandMask2), SummandMask2[o_2, f_4] } + sumMask(ResultMask, SummandMask1, SummandMask2) ==> ResultMask[o_2, f_4] == SummandMask1[o_2, f_4] + SummandMask2[o_2, f_4] +); + +// ================================================== +// Preamble of Function and predicate module. +// ================================================== + +// Function heights (higher height means its body is available earlier): +// - height 4: contentNodes +// - height 3: lengthNodes +// - height 2: content +// - height 1: length +// - height 0: peek +const AssumeFunctionsAbove: int; +// Declarations for function framing +type FrameType; +const EmptyFrame: FrameType; +function FrameFragment(t: T): FrameType; +function ConditionalFrame(p: Perm, f_6: FrameType): FrameType; +function dummyFunction(t: T): bool; +function CombineFrames(a_1: FrameType, b_1: FrameType): FrameType; +// ================================================== +// Definition of conditional frame fragments +// ================================================== + +axiom (forall p: Perm, f_6: FrameType :: + { ConditionalFrame(p, f_6) } + ConditionalFrame(p, f_6) == (if p > 0.000000000 then f_6 else EmptyFrame) +); +// Function for recording enclosure of one predicate instance in another +function InsidePredicate(p: (Field A FrameType), v_1: FrameType, q: (Field B FrameType), w: FrameType): bool; +// Transitivity of InsidePredicate +axiom (forall p: (Field A FrameType), v_1: FrameType, q: (Field B FrameType), w: FrameType, r: (Field C FrameType), u: FrameType :: + { InsidePredicate(p, v_1, q, w), InsidePredicate(q, w, r, u) } + InsidePredicate(p, v_1, q, w) && InsidePredicate(q, w, r, u) ==> InsidePredicate(p, v_1, r, u) +); +// Knowledge that two identical instances of the same predicate cannot be inside each other +axiom (forall p: (Field A FrameType), v_1: FrameType, w: FrameType :: + { InsidePredicate(p, v_1, p, w) } + !InsidePredicate(p, v_1, p, w) +); + +// ================================================== +// Preamble of Sequence module. +// ================================================== + + // diff 0 implemented (no difference) + // diff 1 implemented (fixes test5 in sequences.sil) + // diff 2 implemented (fixes m01 and m03 in quantifiedpermissions/issues/issue_0064) + // diff 3 implemented (no difference) + // diff 4 implemented (no difference) + // diff 5 implemented (fixes colourings0 in sequence-incompletenesses test case) + // diff 6 implemented (no difference) + // diff 7 implemented + // diff 8 implemented (allows for contains triggering, without destroying performance of e.g. functions/linkedlists test case) + // diff 11 implemented + // diff 13 implemented, for now (may reduce completeness, but there's a known matching loop when the first drop amount is 0); another option would be to add !=0 as an explicit condition + // diff 14 implemented: eliminate index over take/drop for trivial cases (to avoid matching loops when e.g. s[i..] == s is known) + // diff 16 implemented: remove general cases of equality-learning between take/drop/append subsequences; only allow when take/drop are at top level (this affects linkedlists test case) +// START BASICS +type Seq T; + +function Seq#Length(Seq T): int; +axiom (forall s: Seq T :: { Seq#Length(s) } 0 <= Seq#Length(s)); + +function Seq#Empty(): Seq T; +axiom (forall :: Seq#Length(Seq#Empty(): Seq T) == 0); +axiom (forall s: Seq T :: { Seq#Length(s) } Seq#Length(s) == 0 ==> s == Seq#Empty()); + +function Seq#Singleton(T): Seq T; +//axiom (forall t: T :: { Seq#Length(Seq#Singleton(t)) } Seq#Length(Seq#Singleton(t)) == 1);// (diff 2 (old)) +axiom (forall t: T :: { Seq#Singleton(t) } Seq#Length(Seq#Singleton(t)) == 1);// (diff 2: changed trigger) + +function Seq#Append(Seq T, Seq T): Seq T; +axiom (forall s0: Seq T, s1: Seq T :: { Seq#Length(Seq#Append(s0,s1)) } +s0 != Seq#Empty() && s1 != Seq#Empty() ==> //diff 11: consider removing constraints + Seq#Length(Seq#Append(s0,s1)) == Seq#Length(s0) + Seq#Length(s1)); + +//axiom (forall s: Seq T :: { Seq#Append(Seq#Empty(),s) } Seq#Append(Seq#Empty(),s) == s); // (diff 11: switched to double-quantified version) +//axiom (forall s: Seq T :: { Seq#Append(s,Seq#Empty()) } Seq#Append(s,Seq#Empty()) == s); // (diff 11: switched to double-quantified version) +axiom (forall s0: Seq T, s1: Seq T :: { Seq#Append(s0,s1) } (s0 == Seq#Empty() ==> Seq#Append(s0,s1) == s1) && (s1 == Seq#Empty() ==> Seq#Append(s0,s1) == s0)); // diff 11: switched to double-quantified version + +function Seq#Index(Seq T, int): T; +//axiom (forall t: T :: { Seq#Index(Seq#Singleton(t), 0) } Seq#Index(Seq#Singleton(t), 0) == t); // (diff 2 (old)) +axiom (forall t: T :: { Seq#Singleton(t) } Seq#Index(Seq#Singleton(t), 0) == t); // (diff 2: changed trigger) + +// END BASICS + +// START INDEX-APPEND-UPDATE + +// extra addition function used to force equalities into the e-graph +function Seq#Add(int, int) : int; +axiom (forall i: int, j: int :: {Seq#Add(i,j)} Seq#Add(i,j) == i + j); +function Seq#Sub(int, int) : int; +axiom (forall i: int, j: int :: {Seq#Sub(i,j)} Seq#Sub(i,j) == i - j); + +// (diff 3 (old)) +//axiom (forall s0: Seq T, s1: Seq T, n: int :: { Seq#Index(Seq#Append(s0,s1), n) } // {:weight 25} // AS: dropped weight +// s0 != Seq#Empty() && s1 != Seq#Empty() ==> +// ((n < Seq#Length(s0) ==> Seq#Index(Seq#Append(s0,s1), n) == Seq#Index(s0, n)) && +// (Seq#Length(s0) <= n ==> Seq#Index(Seq#Append(s0,s1), n) == Seq#Index(s1, n - Seq#Length(s0))))); + +// (diff 3: split axiom, added constraints, replace arithmetic) // diff 11: consider removing constraints +axiom (forall s0: Seq T, s1: Seq T, n: int :: { Seq#Index(Seq#Append(s0,s1), n) } { Seq#Index(s0, n), Seq#Append(s0,s1) } // AS: added alternative trigger + (s0 != Seq#Empty() && s1 != Seq#Empty() && 0 <= n && n < Seq#Length(s0) ==> Seq#Index(Seq#Append(s0,s1), n) == Seq#Index(s0, n))); +axiom (forall s0: Seq T, s1: Seq T, n: int :: { Seq#Index(Seq#Append(s0,s1), n) } // term below breaks loops + s0 != Seq#Empty() && s1 != Seq#Empty() && Seq#Length(s0) <= n && n < Seq#Length(Seq#Append(s0,s1)) ==> Seq#Add(Seq#Sub(n,Seq#Length(s0)),Seq#Length(s0)) == n && Seq#Index(Seq#Append(s0,s1), n) == Seq#Index(s1, Seq#Sub(n,Seq#Length(s0)))); +// AS: added "reverse triggering" versions of the axioms +axiom (forall s0: Seq T, s1: Seq T, m: int :: { Seq#Index(s1, m), Seq#Append(s0,s1)} // m == n-|s0|, n == m + |s0| + s0 != Seq#Empty() && s1 != Seq#Empty() && 0 <= m && m < Seq#Length(s1) ==> Seq#Sub(Seq#Add(m,Seq#Length(s0)),Seq#Length(s0)) == m && Seq#Index(Seq#Append(s0,s1), Seq#Add(m,Seq#Length(s0))) == Seq#Index(s1, m)); + +function Seq#Update(Seq T, int, T): Seq T; +axiom (forall s: Seq T, i: int, v: T :: { Seq#Length(Seq#Update(s,i,v)) } {Seq#Length(s),Seq#Update(s,i,v)} // (diff 4: added trigger) + 0 <= i && i < Seq#Length(s) ==> Seq#Length(Seq#Update(s,i,v)) == Seq#Length(s)); +axiom (forall s: Seq T, i: int, v: T, n: int :: { Seq#Index(Seq#Update(s,i,v),n) } { Seq#Index(s,n), Seq#Update(s,i,v) } // (diff 4: added trigger) + 0 <= n && n < Seq#Length(s) ==> + (i == n ==> Seq#Index(Seq#Update(s,i,v),n) == v) && + (i != n ==> Seq#Index(Seq#Update(s,i,v),n) == Seq#Index(s,n))); + +// END INDEX-APPEND-UPDATE + +// START TAKE/DROP + +function Seq#Take(s: Seq T, howMany: int): Seq T; +// AS: added triggers +axiom (forall s: Seq T, n: int :: { Seq#Length(Seq#Take(s,n)) } { Seq#Take(s,n), Seq#Length(s)} // (diff 7: add trigger) + (0 <= n ==> + (n <= Seq#Length(s) ==> Seq#Length(Seq#Take(s,n)) == n) && + (Seq#Length(s) < n ==> Seq#Length(Seq#Take(s,n)) == Seq#Length(s))) + && + (n < 0 ==> Seq#Length(Seq#Take(s,n)) == 0)); // (diff 7: added case for n < 0) + +// ** AS: 2nd of 3 axioms which get instantiated very often in certain problems involving take/drop/append +axiom (forall s: Seq T, n: int, j: int :: { Seq#Index(Seq#Take(s,n), j) } {Seq#Index(s,j), Seq#Take(s,n)} // (diff 0: (was already done)) : add trigger // {:weight 25} // AS: dropped weight + 0 <= j && j < n && j < Seq#Length(s) ==> + Seq#Index(Seq#Take(s,n), j) == Seq#Index(s, j)); + +function Seq#Drop(s: Seq T, howMany: int): Seq T; +axiom (forall s: Seq T, n: int :: { Seq#Length(Seq#Drop(s,n)) } {Seq#Length(s), Seq#Drop(s,n)} // (diff 5: added trigger, exchange arithmetic) + (0 <= n ==> + (n <= Seq#Length(s) ==> Seq#Length(Seq#Drop(s,n)) == Seq#Length(s) - n) && + (Seq#Length(s) < n ==> Seq#Length(Seq#Drop(s,n)) == 0)) + && + (n < 0 ==> Seq#Length(Seq#Drop(s,n)) == Seq#Length(s)) // (diff 7: added cases for n < 0) + ); + +// ** AS: 3rd of 3 axioms which get instantiated very often in certain problems involving take/drop/append +// diff 5 (old) +//axiom (forall s: Seq T, n: int, j: int :: { Seq#Index(Seq#Drop(s,n), j) } // {:weight 25} // AS: dropped weight +// 0 <= n && 0 <= j && j < Seq#Length(s)-n ==> +// Seq#Index(Seq#Drop(s,n), j) == Seq#Index(s, j+n)); +// +// diff already added // diff -1: try removing this axiom and checking effect +//axiom (forall s: Seq T, n: int, k: int :: { Seq#Drop(s,n), Seq#Index(s,k) } // AS: alternative triggering for above axiom +// 0 <= n && n <= k && k < Seq#Length(s) ==> +// Seq#Index(Seq#Drop(s,n), k-n) == Seq#Index(s, k)); + +// diff 5: split axiom, added triggering case, exhanged arithmetic + +axiom (forall s: Seq T, n: int, j: int :: { Seq#Index(Seq#Drop(s,n), j) } // {:weight 25} // AS: dropped weight + 0 < n && 0 <= j && j < Seq#Length(s)-n ==> // diff 14: change 0 <= n to 0 < n + Seq#Sub(Seq#Add(j,n),n) == j && Seq#Index(Seq#Drop(s,n), j) == Seq#Index(s, Seq#Add(j,n))); + +axiom (forall s: Seq T, n: int, i: int :: { Seq#Drop(s,n), Seq#Index(s,i) } + 0 < n && n <= i && i < Seq#Length(s) ==> // diff 14: change 0 <= n to 0 < n + Seq#Add(Seq#Sub(i,n),n) == i && Seq#Index(Seq#Drop(s,n), Seq#Sub(i,n)) == Seq#Index(s, i)); // i = j + n, j = i - n + +// (diff 6a: add axioms for the 0 > n case) +//axiom (forall s: Seq T, n: int, j: int :: { Seq#Index(Seq#Drop(s,n), j) } // {:weight 25} // AS: dropped weight +// n <= 0 && 0 <= j && j < Seq#Length(s) ==> // diff 14: change n < 0 to n <= 0 +// Seq#Index(Seq#Drop(s,n), j) == Seq#Index(s, j)); + +// (diff 6a: add axioms for the 0 > n case) +//axiom (forall s: Seq T, n: int, i: int :: { Seq#Drop(s,n), Seq#Index(s,i) } +// n <= 0 && 0 <= i && i < Seq#Length(s) ==> // diff 14: change n < 0 to n <= 0 +// Seq#Index(Seq#Drop(s,n), i) == Seq#Index(s, i)); // i = j + n, j = i - n + +// ** AS: We dropped the weak trigger on this axiom. One option is to strengthen the triggers: +//axiom (forall s, t: Seq T :: +// // { Seq#Append(s, t) } +// {Seq#Take(Seq#Append(s, t), Seq#Length(s))}{Seq#Drop(Seq#Append(s, t), Seq#Length(s))} +// Seq#Take(Seq#Append(s, t), Seq#Length(s)) == s && +// Seq#Drop(Seq#Append(s, t), Seq#Length(s)) == t); + +// ** AS: another option is to split the axiom (for some reason, this seems in some cases to perform slightly less well (but this could be random): +//axiom (forall s, t: Seq T :: +// { Seq#Take(Seq#Append(s, t), Seq#Length(s)) } +// Seq#Take(Seq#Append(s, t), Seq#Length(s)) == s); + +//axiom (forall s, t: Seq T :: +// { Seq#Drop(Seq#Append(s, t), Seq#Length(s)) } +// Seq#Drop(Seq#Append(s, t), Seq#Length(s)) == t); + +// (diff 6b: remove these?) +/* Removed: at present, Carbon doesn't generate Seq#Update (but desugars via take/drop/append) +// Commutability of Take and Drop with Update. +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Take(Seq#Update(s, i, v), n) } +// 0 <= i && i < n && n < Seq#Length(s) ==> Seq#Take(Seq#Update(s, i, v), n) == Seq#Update(Seq#Take(s, n), i, v) ); + 0 <= i && i < n && i < Seq#Length(s) ==> Seq#Take(Seq#Update(s, i, v), n) == Seq#Update(Seq#Take(s, n), i, v) ); +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Take(Seq#Update(s, i, v), n) } + n <= i && i < Seq#Length(s) ==> Seq#Take(Seq#Update(s, i, v), n) == Seq#Take(s, n)); +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Drop(Seq#Update(s, i, v), n) } +// 0 <= n && n <= i && i < Seq#Length(s) ==> Seq#Drop(Seq#Update(s, i, v), n) == Seq#Update(Seq#Drop(s, n), i-n, v) ); + 0 <= i && n <=i && i < Seq#Length(s) ==> Seq#Drop(Seq#Update(s, i, v), n) == Seq#Update(Seq#Drop(s, n), i-n, v) ); +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Drop(Seq#Update(s, i, v), n) } +// 0 <= i && i < n && n < Seq#Length(s) ==> Seq#Drop(Seq#Update(s, i, v), n) == Seq#Drop(s, n)); + 0 <= i && i < n && i < Seq#Length(s) ==> Seq#Drop(Seq#Update(s, i, v), n) == Seq#Drop(s, n)); +*/ + +axiom (forall s: Seq T, t: Seq T, n:int :: + { Seq#Take(Seq#Append(s,t),n) } //{Seq#Append(s,t), Seq#Take(s,n)} // diff 16: temporarily dropped general case of these + 0 < n && n <= Seq#Length(s) ==> Seq#Take(Seq#Append(s,t),n) == Seq#Take(s,n)); + +axiom (forall s: Seq T, t: Seq T, n:int :: + { Seq#Take(Seq#Append(s,t),n) } + n > 0 && n > Seq#Length(s) ==> Seq#Add(Seq#Sub(n,Seq#Length(s)),Seq#Length(s)) == n && Seq#Take(Seq#Append(s,t),n) == Seq#Append(s,Seq#Take(t,Seq#Sub(n,Seq#Length(s))))); + +// diff 16: temporarily dropped general case of these +//axiom (forall s: Seq T, t: Seq T, m:int :: +// { Seq#Append(s,Seq#Take(t,m)) } //{Seq#Append(s,t), Seq#Take(t,m)} // diff 16: temporarily dropped general case of these // reverse triggering version of above: m = n - |s|, n = m + |s| +// m > 0 ==> Seq#Sub(Seq#Add(m,Seq#Length(s)),Seq#Length(s)) == m && Seq#Take(Seq#Append(s,t),Seq#Add(m,Seq#Length(s))) == Seq#Append(s,Seq#Take(t,m))); + +axiom (forall s: Seq T, t: Seq T, n:int :: + { Seq#Drop(Seq#Append(s,t),n) } //{Seq#Append(s,t), Seq#Drop(s,n)} // diff 16: temporarily dropped general case of these + 0 Seq#Drop(Seq#Append(s,t),n) == Seq#Append(Seq#Drop(s,n),t)); + +axiom (forall s: Seq T, t: Seq T, n:int :: + { Seq#Drop(Seq#Append(s,t),n) } + n > 0 && n > Seq#Length(s) ==> Seq#Add(Seq#Sub(n,Seq#Length(s)),Seq#Length(s)) == n && Seq#Drop(Seq#Append(s,t),n) == Seq#Drop(t,Seq#Sub(n,Seq#Length(s)))); + +// diff 16: temporarily dropped general case of these +//axiom (forall s: Seq T, t: Seq T, m:int :: +// { Seq#Append(s,t),Seq#Drop(t,m) } // reverse triggering version of above: m = n - |s|, n = m + |s| +// m > 0 ==> Seq#Sub(Seq#Add(m,Seq#Length(s)),Seq#Length(s)) == m && Seq#Drop(Seq#Append(s,t),Seq#Add(m,Seq#Length(s))) == Seq#Drop(t,m)); + +// Additional axioms about common things +axiom (forall s: Seq T, n: int :: { Seq#Drop(s, n) } // ** NEW + n <= 0 ==> Seq#Drop(s, n) == s); // (diff 1: try changing n==0 to n<=0 (should be ok)) +axiom (forall s: Seq T, n: int :: { Seq#Take(s, n) } // ** NEW + n <= 0 ==> Seq#Take(s, n) == Seq#Empty()); // (diff 1: try changing n==0 to n<=0 (should be ok)) +// diff 13: remove this? +//axiom (forall s: Seq T, m, n: int :: { Seq#Drop(Seq#Drop(s, m), n) } // ** NEW - AS: could have bad triggering behaviour? +// 0 <= m && 0 <= n && m+n <= Seq#Length(s) ==> +// Seq#Sub(Seq#Add(m,n),n) == m && Seq#Drop(Seq#Drop(s, m), n) == Seq#Drop(s, Seq#Add(m,n))); + +// END TAKE/DROP + +// START CONTAINS +// diff 8: skolemisation (old) +function Seq#Contains(Seq T, T): bool; +function Seq#ContainsTrigger(Seq T, T): bool; // usages of Contains inside quantifier triggers are replaced with this +function Seq#Skolem(Seq T, T) : int; // skolem function for Seq#Contains // (diff 8: added) +axiom (forall s: Seq T, x: T :: { Seq#Contains(s,x) } + Seq#Contains(s,x) ==> + (0 <= Seq#Skolem(s,x) && Seq#Skolem(s,x) < Seq#Length(s) && Seq#Index(s,Seq#Skolem(s,x)) == x)); // (diff 8: skolem function) +axiom (forall s: Seq T, x: T, i:int :: { Seq#Contains(s,x), Seq#Index(s,i) } // only trigger if interested in the Contains term + (0 <= i && i < Seq#Length(s) && Seq#Index(s,i) == x ==> Seq#Contains(s,x))); +axiom (forall s: Seq T, i:int :: { Seq#Index(s,i) } + (0 <= i && i < Seq#Length(s) ==> Seq#ContainsTrigger(s,Seq#Index(s,i)))); +// ** AS: made one change here - changed type of x from ref to T +/*axiom (forall x: T :: + { Seq#Contains(Seq#Empty(), x) } + !Seq#Contains(Seq#Empty(), x)); +axiom (forall s0: Seq T, s1: Seq T, x: T :: + { Seq#Contains(Seq#Append(s0, s1), x) } + Seq#Contains(Seq#Append(s0, s1), x) <==> + Seq#Contains(s0, x) || Seq#Contains(s1, x)); + +axiom (forall s: Seq T, n: int, x: T :: + { Seq#Contains(Seq#Take(s, n), x) } + Seq#Contains(Seq#Take(s, n), x) <==> + (exists i: int :: { Seq#Index(s, i) } + 0 <= i && i < n && i < Seq#Length(s) && Seq#Index(s, i) == x)); +axiom (forall s: Seq T, n: int, x: T :: + { Seq#Contains(Seq#Drop(s, n), x) } + Seq#Contains(Seq#Drop(s, n), x) <==> + (exists i: int :: { Seq#Index(s, i) } + 0 <= n && n <= i && i < Seq#Length(s) && Seq#Index(s, i) == x)); +*/ +// diff 8: skolemisation (new) +/* +function Seq#Skolem(Seq T, T) : int; // skolem function for Seq#Contains +function Seq#SkolemContainsDrop(Seq T, int, T) : int; // skolem function for Seq#Contains over drop +function Seq#SkolemContainsTake(Seq T, int, T) : int; // skolem function for Seq#Contains over take + +function Seq#Contains(Seq T, T): bool; +axiom (forall s: Seq T, x: T :: { Seq#Contains(s,x) } + Seq#Contains(s,x) ==> s != Seq#Empty() && Seq#Length(s) > 0 && 0 <= Seq#Skolem(s,x) && + Seq#Skolem(s,x) < Seq#Length(s) && Seq#Index(s,Seq#Skolem(s,x)) == x); + +// AS: note: this is an unusual axiom, but is basically the original +// Consider writing a version without the (precise) first trigger? Also see later versions +axiom (forall s: Seq T, x: T, i:int :: { Seq#Contains(s,x), Seq#Index(s,i) } + 0 <= i && i < Seq#Length(s) && Seq#Index(s,i) == x ==> Seq#Contains(s,x)); + +// ** AS: made one change here - changed type of x from ref to T +axiom (forall x: T :: + { Seq#Contains(Seq#Empty(), x) } + !Seq#Contains(Seq#Empty(), x)); + +// AS: Consider dropping this axiom? +axiom (forall s0: Seq T, s1: Seq T, x: T :: + { Seq#Contains(Seq#Append(s0, s1), x) } { Seq#Contains(s0,x), Seq#Append(s0,s1)} { Seq#Contains(s1,x), Seq#Append(s0,s1)} // AS: added triggers + Seq#Contains(Seq#Append(s0, s1), x) <==> + Seq#Contains(s0, x) || Seq#Contains(s1, x)); + +// AS: split axioms +axiom (forall s: Seq T, n: int, x: T :: + { Seq#Contains(Seq#Take(s, n), x) } + Seq#Contains(Seq#Take(s, n), x) ==> + (Seq#Take(s, n) != Seq#Empty() && Seq#Length(Seq#Take(s, n)) > 0 && + 0 <= Seq#SkolemContainsTake(s, n, x) && Seq#SkolemContainsTake(s, n, x) < n && + Seq#SkolemContainsTake(s, n, x) < Seq#Length(s) && + Seq#Index(s, Seq#SkolemContainsTake(s, n, x)) == x)); + +axiom (forall s: Seq T, n: int, x: T, i:int :: + { Seq#Contains(Seq#Take(s, n), x), Seq#Index(s, i) } + 0 <= i && i < n && i < Seq#Length(s) && Seq#Index(s, i) == x ==> + Seq#Contains(Seq#Take(s, n), x)); + +// AS: split axioms +axiom (forall s: Seq T, n: int, x: T :: + { Seq#Contains(Seq#Drop(s, n), x) } + Seq#Contains(Seq#Drop(s, n), x) ==> + ( 0 <= Seq#SkolemContainsDrop(s, n, x) && n <= Seq#SkolemContainsDrop(s, n, x) && + Seq#SkolemContainsDrop(s, n, x) < Seq#Length(s) && + Seq#Index(s, Seq#SkolemContainsDrop(s, n, x)) == x)); + +axiom (forall s: Seq T, n: int, x: T, i:int :: + { Seq#Contains(Seq#Drop(s, n), x), Seq#Index(s, i) } + 0 <= n && n <= i && i < Seq#Length(s) && Seq#Index(s, i) == x ==> + Seq#Contains(Seq#Drop(s, n), x)); +*/ + +// END CONTAINS + +// START EQUALS + +// diff 9 : skolemise equals (old) +function Seq#Equal(Seq T, Seq T): bool; +/*axiom (forall s0: Seq T, s1: Seq T :: { Seq#Equal(s0,s1) } + Seq#Equal(s0,s1) <==> + Seq#Length(s0) == Seq#Length(s1) && + (forall j: int :: { Seq#Index(s0,j) } { Seq#Index(s1,j) } + 0 <= j && j < Seq#Length(s0) ==> Seq#Index(s0,j) == Seq#Index(s1,j))); + +axiom (forall a: Seq T, b: Seq T :: { Seq#Equal(a,b) } // extensionality axiom for sequences + Seq#Equal(a,b) ==> a == b); +*/ +// diff 9: skolemise equals (new) +// AS: split axiom +axiom (forall s0: Seq T, s1: Seq T :: { Seq#Equal(s0,s1) } + Seq#Equal(s0,s1) ==> + Seq#Length(s0) == Seq#Length(s1) && + (forall j: int :: { Seq#Index(s0,j) } { Seq#Index(s1,j) } + 0 <= j && j < Seq#Length(s0) ==> Seq#Index(s0,j) == Seq#Index(s1,j))); + +function Seq#SkolemDiff(Seq T, Seq T) : int; // skolem function for Seq#Equals + +axiom (forall s0: Seq T, s1: Seq T :: { Seq#Equal(s0,s1) } + (s0==s1 && Seq#Equal(s0,s1)) || (s0!=s1 && !Seq#Equal(s0,s1) && Seq#Length(s0) != Seq#Length(s1)) || + (s0 != s1 && !Seq#Equal(s0,s1) && Seq#Length(s0) == Seq#Length(s1) && Seq#SkolemDiff(s0,s1) == Seq#SkolemDiff(s1,s0) && 0 <= Seq#SkolemDiff(s0,s1) && Seq#SkolemDiff(s0,s1) < Seq#Length(s0) && + Seq#Index(s0,Seq#SkolemDiff(s0,s1)) != Seq#Index(s1,Seq#SkolemDiff(s0,s1)))); + +axiom (forall a: Seq T, b: Seq T :: { Seq#Equal(a,b) } // extensionality axiom for sequences + Seq#Equal(a,b) ==> a == b); + + +// END EQUALS + + +// START EXTRAS + +// extra stuff not in current Dafny Prelude + +// diff 10: variant of trigger (maybe drop these?) +// old: +axiom (forall x, y: T :: + { Seq#Contains(Seq#Singleton(x),y) } + Seq#Contains(Seq#Singleton(x),y) <==> x==y); +// new: +/*axiom (forall x, y: T :: + { Seq#Contains(Seq#Singleton(x),y) } + Seq#Contains(Seq#Singleton(x),y) ==> x==y); + +axiom (forall x: T :: + { Seq#Singleton(x) } + Seq#Contains(Seq#Singleton(x),x)); +*/ + +function Seq#Range(min: int, max: int) returns (Seq int); +axiom (forall min: int, max: int :: { Seq#Length(Seq#Range(min, max)) } (min < max ==> Seq#Length(Seq#Range(min, max)) == max-min) && (max <= min ==> Seq#Length(Seq#Range(min, max)) == 0)); +axiom (forall min: int, max: int, j: int :: { Seq#Index(Seq#Range(min, max), j) } 0<=j && j Seq#Index(Seq#Range(min, max), j) == min + j); + +axiom (forall min: int, max: int, v: int :: {Seq#Contains(Seq#Range(min, max),v)} + (Seq#Contains(Seq#Range(min, max),v) <==> min <= v && v < max)); + +// END EXTRAS + + +// ================================================== +// Translation of all fields +// ================================================== + +const unique data: Field NormalField int; +axiom !IsPredicateField(data); +axiom !IsWandField(data); +const unique next: Field NormalField Ref; +axiom !IsPredicateField(next); +axiom !IsWandField(next); +const unique head: Field NormalField Ref; +axiom !IsPredicateField(head); +axiom !IsWandField(head); +const unique held: Field NormalField int; +axiom !IsPredicateField(held); +axiom !IsWandField(held); +const unique changed: Field NormalField bool; +axiom !IsPredicateField(changed); +axiom !IsWandField(changed); + +// ================================================== +// Translation of function contentNodes +// ================================================== + +// Uninterpreted function definitions +function contentNodes(Heap: HeapType, this: Ref, end: Ref): Seq int; +function contentNodes'(Heap: HeapType, this: Ref, end: Ref): Seq int; +axiom (forall Heap: HeapType, this: Ref, end: Ref :: + { contentNodes(Heap, this, end) } + contentNodes(Heap, this, end) == contentNodes'(Heap, this, end) && dummyFunction(contentNodes#triggerStateless(this, end)) +); +axiom (forall Heap: HeapType, this: Ref, end: Ref :: + { contentNodes'(Heap, this, end) } + dummyFunction(contentNodes#triggerStateless(this, end)) +); + +// Definitional axiom +axiom (forall Heap: HeapType, Mask: MaskType, this: Ref, end: Ref :: + { state(Heap, Mask), contentNodes(Heap, this, end) } { state(Heap, Mask), contentNodes#triggerStateless(this, end), lseg#trigger(Heap, lseg(this, end)) } + state(Heap, Mask) && AssumeFunctionsAbove < 4 ==> contentNodes(Heap, this, end) == (if this == end then (Seq#Empty(): Seq int) else Seq#Append(Seq#Singleton(Heap[this, data]), contentNodes'(Heap, Heap[this, next], end))) +); + +// Framing axioms +function contentNodes#frame(frame: FrameType, this: Ref, end: Ref): Seq int; +axiom (forall Heap: HeapType, Mask: MaskType, this: Ref, end: Ref :: + { state(Heap, Mask), contentNodes'(Heap, this, end) } { state(Heap, Mask), contentNodes#triggerStateless(this, end), lseg#trigger(Heap, lseg(this, end)) } + state(Heap, Mask) ==> contentNodes'(Heap, this, end) == contentNodes#frame(Heap[null, lseg(this, end)], this, end) +); + +// Postcondition axioms +axiom (forall Heap: HeapType, Mask: MaskType, this: Ref, end: Ref :: + { state(Heap, Mask), contentNodes'(Heap, this, end) } + state(Heap, Mask) && (AssumeFunctionsAbove < 4 || contentNodes#trigger(Heap[null, lseg(this, end)], this, end)) ==> this == end ==> Seq#Equal(contentNodes'(Heap, this, end), (Seq#Empty(): Seq int)) +); +axiom (forall Heap: HeapType, Mask: MaskType, this: Ref, end: Ref :: + { state(Heap, Mask), contentNodes'(Heap, this, end) } + state(Heap, Mask) && (AssumeFunctionsAbove < 4 || contentNodes#trigger(Heap[null, lseg(this, end)], this, end)) ==> this != end ==> 0 < Seq#Length(contentNodes'(Heap, this, end)) && Seq#Index(contentNodes'(Heap, this, end), 0) == Heap[this, data] +); +axiom (forall Heap: HeapType, Mask: MaskType, this: Ref, end: Ref :: + { state(Heap, Mask), contentNodes'(Heap, this, end) } + state(Heap, Mask) && (AssumeFunctionsAbove < 4 || contentNodes#trigger(Heap[null, lseg(this, end)], this, end)) ==> (forall i: int, j: int :: + { Seq#Index(contentNodes'(Heap, this, end), i), Seq#Index(contentNodes'(Heap, this, end), j) } + 0 <= i && (i < j && j < Seq#Length(contentNodes'(Heap, this, end))) ==> Seq#Index(contentNodes'(Heap, this, end), i) <= Seq#Index(contentNodes'(Heap, this, end), j) + ) +); + +// Trigger function (controlling recursive postconditions) +function contentNodes#trigger(frame: FrameType, this: Ref, end: Ref): bool; + +// State-independent trigger function +function contentNodes#triggerStateless(this: Ref, end: Ref): Seq int; + +// Check contract well-formedness and postcondition +procedure contentNodes#definedness(this: Ref, end: Ref) returns (Result: (Seq int)) + modifies Heap, Mask; +{ + var perm: Perm; + var UnfoldingHeap: HeapType; + var UnfoldingMask: MaskType; + var Unfolding1Heap: HeapType; + var Unfolding1Mask: MaskType; + var newPMask: PMaskType; + var ExhaleHeap: HeapType; + var i_1: int; + var j_1: int; + var i_2: int; + var j_2: int; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume Heap[this, $allocated]; + assume Heap[end, $allocated]; + assume AssumeFunctionsAbove == 4; + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Inhaling precondition (with checking) + perm := FullPerm; + Mask[null, lseg(this, end)] := Mask[null, lseg(this, end)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of function body + + // -- Check definedness of (this == end ? Seq[Int]() : (unfolding acc(lseg(this, end), write) in Seq(this.data) ++ contentNodes(this.next, end))) + if (this == end) { + } else { + UnfoldingHeap := Heap; + UnfoldingMask := Mask; + assume lseg#trigger(UnfoldingHeap, lseg(this, end)); + assume UnfoldingHeap[null, lseg(this, end)] == FrameFragment((if this != end then CombineFrames(FrameFragment(UnfoldingHeap[this, data]), CombineFrames(FrameFragment(UnfoldingHeap[this, next]), UnfoldingHeap[null, lseg(UnfoldingHeap[this, next], end)])) else EmptyFrame)); + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Function might not be well-formed. There might be insufficient permission to access lseg(this, end) (linked-list-predicates.vpr@18.1--29.2) [1001]"} + perm <= UnfoldingMask[null, lseg(this, end)]; + } + UnfoldingMask[null, lseg(this, end)] := UnfoldingMask[null, lseg(this, end)] - perm; + if (this != end) { + perm := FullPerm; + assume this != null; + UnfoldingMask[this, data] := UnfoldingMask[this, data] + perm; + assume state(UnfoldingHeap, UnfoldingMask); + perm := FullPerm; + assume this != null; + UnfoldingMask[this, next] := UnfoldingMask[this, next] + perm; + assume state(UnfoldingHeap, UnfoldingMask); + perm := FullPerm; + UnfoldingMask[null, lseg(UnfoldingHeap[this, next], end)] := UnfoldingMask[null, lseg(UnfoldingHeap[this, next], end)] + perm; + + // -- Extra unfolding of predicate + assume InsidePredicate(lseg(this, end), UnfoldingHeap[null, lseg(this, end)], lseg(UnfoldingHeap[this, next], end), UnfoldingHeap[null, lseg(UnfoldingHeap[this, next], end)]); + assume state(UnfoldingHeap, UnfoldingMask); + + // -- Execute unfolding (for extra information) + Unfolding1Heap := UnfoldingHeap; + Unfolding1Mask := UnfoldingMask; + assume lseg#trigger(Unfolding1Heap, lseg(Unfolding1Heap[this, next], end)); + assume Unfolding1Heap[null, lseg(Unfolding1Heap[this, next], end)] == FrameFragment((if Unfolding1Heap[this, next] != end then CombineFrames(FrameFragment(Unfolding1Heap[Unfolding1Heap[this, next], data]), CombineFrames(FrameFragment(Unfolding1Heap[Unfolding1Heap[this, next], next]), Unfolding1Heap[null, lseg(Unfolding1Heap[Unfolding1Heap[this, next], next], end)])) else EmptyFrame)); + perm := FullPerm; + Unfolding1Mask[null, lseg(Unfolding1Heap[this, next], end)] := Unfolding1Mask[null, lseg(Unfolding1Heap[this, next], end)] - perm; + if (Unfolding1Heap[this, next] != end) { + perm := FullPerm; + assume Unfolding1Heap[this, next] != null; + Unfolding1Mask[Unfolding1Heap[this, next], data] := Unfolding1Mask[Unfolding1Heap[this, next], data] + perm; + assume state(Unfolding1Heap, Unfolding1Mask); + perm := FullPerm; + assume Unfolding1Heap[this, next] != null; + Unfolding1Mask[Unfolding1Heap[this, next], next] := Unfolding1Mask[Unfolding1Heap[this, next], next] + perm; + assume state(Unfolding1Heap, Unfolding1Mask); + perm := FullPerm; + Unfolding1Mask[null, lseg(Unfolding1Heap[Unfolding1Heap[this, next], next], end)] := Unfolding1Mask[null, lseg(Unfolding1Heap[Unfolding1Heap[this, next], next], end)] + perm; + + // -- Extra unfolding of predicate + assume InsidePredicate(lseg(Unfolding1Heap[this, next], end), Unfolding1Heap[null, lseg(Unfolding1Heap[this, next], end)], lseg(Unfolding1Heap[Unfolding1Heap[this, next], next], end), Unfolding1Heap[null, lseg(Unfolding1Heap[Unfolding1Heap[this, next], next], end)]); + assume state(Unfolding1Heap, Unfolding1Mask); + assume Unfolding1Heap[Unfolding1Heap[this, next], next] != end ==> Unfolding1Heap[Unfolding1Heap[this, next], data] <= Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[this, next], next], data]; + + // -- Free assumptions (inhale module) + if (Unfolding1Heap[Unfolding1Heap[this, next], next] != end) { + Unfolding1Heap[null, lseg#sm(Unfolding1Heap[Unfolding1Heap[this, next], next], end)][Unfolding1Heap[Unfolding1Heap[this, next], next], data] := true; + Unfolding1Heap[null, lseg#sm(Unfolding1Heap[Unfolding1Heap[this, next], next], end)][Unfolding1Heap[Unfolding1Heap[this, next], next], next] := true; + havoc newPMask; + assume (forall o_3: Ref, f_7: (Field A B) :: + { newPMask[o_3, f_7] } + Unfolding1Heap[null, lseg#sm(Unfolding1Heap[Unfolding1Heap[this, next], next], end)][o_3, f_7] || Unfolding1Heap[null, lseg#sm(Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[this, next], next], next], end)][o_3, f_7] ==> newPMask[o_3, f_7] + ); + Unfolding1Heap[null, lseg#sm(Unfolding1Heap[Unfolding1Heap[this, next], next], end)] := newPMask; + } + assume state(Unfolding1Heap, Unfolding1Mask); + } + assume state(Unfolding1Heap, Unfolding1Mask); + assume UnfoldingHeap[this, next] != end ==> UnfoldingHeap[this, data] <= UnfoldingHeap[UnfoldingHeap[this, next], data]; + + // -- Free assumptions (inhale module) + if (UnfoldingHeap[this, next] != end) { + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[this, next], end)][UnfoldingHeap[this, next], data] := true; + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[this, next], end)][UnfoldingHeap[this, next], next] := true; + havoc newPMask; + assume (forall o_4: Ref, f_8: (Field A B) :: + { newPMask[o_4, f_8] } + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[this, next], end)][o_4, f_8] || UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[this, next], next], end)][o_4, f_8] ==> newPMask[o_4, f_8] + ); + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[this, next], end)] := newPMask; + } + assume state(UnfoldingHeap, UnfoldingMask); + } + assume state(UnfoldingHeap, UnfoldingMask); + assert {:msg " Function might not be well-formed. There might be insufficient permission to access this.data (linked-list-predicates.vpr@18.1--29.2) [1002]"} + HasDirectPerm(UnfoldingMask, this, data); + assert {:msg " Function might not be well-formed. There might be insufficient permission to access this.next (linked-list-predicates.vpr@18.1--29.2) [1003]"} + HasDirectPerm(UnfoldingMask, this, next); + if (*) { + // Exhale precondition of function application + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Precondition of function contentNodes might not hold. There might be insufficient permission to access lseg(this.next, end) (linked-list-predicates.vpr@27.39--27.67) [1004]"} + perm <= UnfoldingMask[null, lseg(UnfoldingHeap[this, next], end)]; + } + UnfoldingMask[null, lseg(UnfoldingHeap[this, next], end)] := UnfoldingMask[null, lseg(UnfoldingHeap[this, next], end)] - perm; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(UnfoldingHeap, ExhaleHeap, UnfoldingMask); + UnfoldingHeap := ExhaleHeap; + // Stop execution + assume false; + } else { + // Enable postcondition for recursive call + assume contentNodes#trigger(UnfoldingHeap[null, lseg(UnfoldingHeap[this, next], end)], UnfoldingHeap[this, next], end); + } + + // -- Free assumptions (exp module) + if (this != end) { + Heap[null, lseg#sm(this, end)][this, data] := true; + Heap[null, lseg#sm(this, end)][this, next] := true; + havoc newPMask; + assume (forall o_5: Ref, f_9: (Field A B) :: + { newPMask[o_5, f_9] } + Heap[null, lseg#sm(this, end)][o_5, f_9] || Heap[null, lseg#sm(Heap[this, next], end)][o_5, f_9] ==> newPMask[o_5, f_9] + ); + Heap[null, lseg#sm(this, end)] := newPMask; + } + assume state(Heap, Mask); + } + + // -- Translate function body + Result := (if this == end then (Seq#Empty(): Seq int) else Seq#Append(Seq#Singleton(Heap[this, data]), contentNodes(Heap, Heap[this, next], end))); + + // -- Exhaling postcondition (with checking) + if (this == end) { + assert {:msg " Postcondition of contentNodes might not hold. Assertion result == Seq[Int]() might not hold. (linked-list-predicates.vpr@20.12--20.48) [1005]"} + Seq#Equal(Result, (Seq#Empty(): Seq int)); + } + if (this != end) { + assert {:msg " Postcondition of contentNodes might not hold. Assertion 0 < |result| might not hold. (linked-list-predicates.vpr@21.12--22.87) [1006]"} + 0 < Seq#Length(Result); + + // -- Check definedness of result[0] == (unfolding acc(lseg(this, end), write) in this.data) + assert {:msg " Contract might not be well-formed. Index result[0] into result might exceed sequence length. (linked-list-predicates.vpr@21.12--22.87) [1007]"} + 0 < Seq#Length(Result); + UnfoldingHeap := Heap; + UnfoldingMask := Mask; + assume lseg#trigger(UnfoldingHeap, lseg(this, end)); + assume UnfoldingHeap[null, lseg(this, end)] == FrameFragment((if this != end then CombineFrames(FrameFragment(UnfoldingHeap[this, data]), CombineFrames(FrameFragment(UnfoldingHeap[this, next]), UnfoldingHeap[null, lseg(UnfoldingHeap[this, next], end)])) else EmptyFrame)); + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access lseg(this, end) (linked-list-predicates.vpr@21.12--22.87) [1008]"} + perm <= UnfoldingMask[null, lseg(this, end)]; + } + UnfoldingMask[null, lseg(this, end)] := UnfoldingMask[null, lseg(this, end)] - perm; + if (this != end) { + perm := FullPerm; + assume this != null; + UnfoldingMask[this, data] := UnfoldingMask[this, data] + perm; + assume state(UnfoldingHeap, UnfoldingMask); + perm := FullPerm; + assume this != null; + UnfoldingMask[this, next] := UnfoldingMask[this, next] + perm; + assume state(UnfoldingHeap, UnfoldingMask); + perm := FullPerm; + UnfoldingMask[null, lseg(UnfoldingHeap[this, next], end)] := UnfoldingMask[null, lseg(UnfoldingHeap[this, next], end)] + perm; + + // -- Extra unfolding of predicate + assume InsidePredicate(lseg(this, end), UnfoldingHeap[null, lseg(this, end)], lseg(UnfoldingHeap[this, next], end), UnfoldingHeap[null, lseg(UnfoldingHeap[this, next], end)]); + assume state(UnfoldingHeap, UnfoldingMask); + + // -- Execute unfolding (for extra information) + Unfolding1Heap := UnfoldingHeap; + Unfolding1Mask := UnfoldingMask; + assume lseg#trigger(Unfolding1Heap, lseg(Unfolding1Heap[this, next], end)); + assume Unfolding1Heap[null, lseg(Unfolding1Heap[this, next], end)] == FrameFragment((if Unfolding1Heap[this, next] != end then CombineFrames(FrameFragment(Unfolding1Heap[Unfolding1Heap[this, next], data]), CombineFrames(FrameFragment(Unfolding1Heap[Unfolding1Heap[this, next], next]), Unfolding1Heap[null, lseg(Unfolding1Heap[Unfolding1Heap[this, next], next], end)])) else EmptyFrame)); + perm := FullPerm; + Unfolding1Mask[null, lseg(Unfolding1Heap[this, next], end)] := Unfolding1Mask[null, lseg(Unfolding1Heap[this, next], end)] - perm; + if (Unfolding1Heap[this, next] != end) { + perm := FullPerm; + assume Unfolding1Heap[this, next] != null; + Unfolding1Mask[Unfolding1Heap[this, next], data] := Unfolding1Mask[Unfolding1Heap[this, next], data] + perm; + assume state(Unfolding1Heap, Unfolding1Mask); + perm := FullPerm; + assume Unfolding1Heap[this, next] != null; + Unfolding1Mask[Unfolding1Heap[this, next], next] := Unfolding1Mask[Unfolding1Heap[this, next], next] + perm; + assume state(Unfolding1Heap, Unfolding1Mask); + perm := FullPerm; + Unfolding1Mask[null, lseg(Unfolding1Heap[Unfolding1Heap[this, next], next], end)] := Unfolding1Mask[null, lseg(Unfolding1Heap[Unfolding1Heap[this, next], next], end)] + perm; + + // -- Extra unfolding of predicate + assume InsidePredicate(lseg(Unfolding1Heap[this, next], end), Unfolding1Heap[null, lseg(Unfolding1Heap[this, next], end)], lseg(Unfolding1Heap[Unfolding1Heap[this, next], next], end), Unfolding1Heap[null, lseg(Unfolding1Heap[Unfolding1Heap[this, next], next], end)]); + assume state(Unfolding1Heap, Unfolding1Mask); + assume Unfolding1Heap[Unfolding1Heap[this, next], next] != end ==> Unfolding1Heap[Unfolding1Heap[this, next], data] <= Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[this, next], next], data]; + + // -- Free assumptions (inhale module) + if (Unfolding1Heap[Unfolding1Heap[this, next], next] != end) { + Unfolding1Heap[null, lseg#sm(Unfolding1Heap[Unfolding1Heap[this, next], next], end)][Unfolding1Heap[Unfolding1Heap[this, next], next], data] := true; + Unfolding1Heap[null, lseg#sm(Unfolding1Heap[Unfolding1Heap[this, next], next], end)][Unfolding1Heap[Unfolding1Heap[this, next], next], next] := true; + havoc newPMask; + assume (forall o_6: Ref, f_10: (Field A B) :: + { newPMask[o_6, f_10] } + Unfolding1Heap[null, lseg#sm(Unfolding1Heap[Unfolding1Heap[this, next], next], end)][o_6, f_10] || Unfolding1Heap[null, lseg#sm(Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[this, next], next], next], end)][o_6, f_10] ==> newPMask[o_6, f_10] + ); + Unfolding1Heap[null, lseg#sm(Unfolding1Heap[Unfolding1Heap[this, next], next], end)] := newPMask; + } + assume state(Unfolding1Heap, Unfolding1Mask); + } + assume state(Unfolding1Heap, Unfolding1Mask); + assume UnfoldingHeap[this, next] != end ==> UnfoldingHeap[this, data] <= UnfoldingHeap[UnfoldingHeap[this, next], data]; + + // -- Free assumptions (inhale module) + if (UnfoldingHeap[this, next] != end) { + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[this, next], end)][UnfoldingHeap[this, next], data] := true; + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[this, next], end)][UnfoldingHeap[this, next], next] := true; + havoc newPMask; + assume (forall o_7: Ref, f_11: (Field A B) :: + { newPMask[o_7, f_11] } + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[this, next], end)][o_7, f_11] || UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[this, next], next], end)][o_7, f_11] ==> newPMask[o_7, f_11] + ); + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[this, next], end)] := newPMask; + } + assume state(UnfoldingHeap, UnfoldingMask); + } + assume state(UnfoldingHeap, UnfoldingMask); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access this.data (linked-list-predicates.vpr@21.12--22.87) [1009]"} + HasDirectPerm(UnfoldingMask, this, data); + + // -- Free assumptions (exp module) + if (this != end) { + Heap[null, lseg#sm(this, end)][this, data] := true; + Heap[null, lseg#sm(this, end)][this, next] := true; + havoc newPMask; + assume (forall o_8: Ref, f_12: (Field A B) :: + { newPMask[o_8, f_12] } + Heap[null, lseg#sm(this, end)][o_8, f_12] || Heap[null, lseg#sm(Heap[this, next], end)][o_8, f_12] ==> newPMask[o_8, f_12] + ); + Heap[null, lseg#sm(this, end)] := newPMask; + } + assume state(Heap, Mask); + + // -- Free assumptions (exp module) + if (this != end) { + Heap[null, lseg#sm(this, end)][this, data] := true; + Heap[null, lseg#sm(this, end)][this, next] := true; + havoc newPMask; + assume (forall o_9: Ref, f_13: (Field A B) :: + { newPMask[o_9, f_13] } + Heap[null, lseg#sm(this, end)][o_9, f_13] || Heap[null, lseg#sm(Heap[this, next], end)][o_9, f_13] ==> newPMask[o_9, f_13] + ); + Heap[null, lseg#sm(this, end)] := newPMask; + } + assume state(Heap, Mask); + assert {:msg " Postcondition of contentNodes might not hold. Assertion result[0] == (unfolding acc(lseg(this, end), write) in this.data) might not hold. (linked-list-predicates.vpr@21.12--22.87) [1010]"} + Seq#Index(Result, 0) == Heap[this, data]; + + // -- Free assumptions (exhale module) + if (this != end) { + Heap[null, lseg#sm(this, end)][this, data] := true; + Heap[null, lseg#sm(this, end)][this, next] := true; + havoc newPMask; + assume (forall o_10: Ref, f_14: (Field A B) :: + { newPMask[o_10, f_14] } + Heap[null, lseg#sm(this, end)][o_10, f_14] || Heap[null, lseg#sm(Heap[this, next], end)][o_10, f_14] ==> newPMask[o_10, f_14] + ); + Heap[null, lseg#sm(this, end)] := newPMask; + } + assume state(Heap, Mask); + } + + // -- Check definedness of (forall i: Int, j: Int :: { result[i], result[j] } 0 <= i && (i < j && j < |result|) ==> result[i] <= result[j]) + if (*) { + if (0 <= i_1 && (i_1 < j_1 && j_1 < Seq#Length(Result))) { + assert {:msg " Contract might not be well-formed. Index result[i] into result might be negative. (linked-list-predicates.vpr@23.12--23.95) [1011]"} + i_1 >= 0; + assert {:msg " Contract might not be well-formed. Index result[i] into result might exceed sequence length. (linked-list-predicates.vpr@23.12--23.95) [1012]"} + i_1 < Seq#Length(Result); + assert {:msg " Contract might not be well-formed. Index result[j] into result might be negative. (linked-list-predicates.vpr@23.12--23.95) [1013]"} + j_1 >= 0; + assert {:msg " Contract might not be well-formed. Index result[j] into result might exceed sequence length. (linked-list-predicates.vpr@23.12--23.95) [1014]"} + j_1 < Seq#Length(Result); + } + assume false; + } + if (*) { + if (0 <= i_2 && (i_2 < j_2 && j_2 < Seq#Length(Result))) { + assert {:msg " Postcondition of contentNodes might not hold. Assertion result[i] <= result[j] might not hold. (linked-list-predicates.vpr@23.12--23.95) [1015]"} + Seq#Index(Result, i_2) <= Seq#Index(Result, j_2); + } + assume false; + } + assume (forall i_3_1: int, j_3_1: int :: + { Seq#Index(Result, i_3_1), Seq#Index(Result, j_3_1) } + 0 <= i_3_1 && (i_3_1 < j_3_1 && j_3_1 < Seq#Length(Result)) ==> Seq#Index(Result, i_3_1) <= Seq#Index(Result, j_3_1) + ); +} + +// ================================================== +// Translation of function lengthNodes +// ================================================== + +// Uninterpreted function definitions +function lengthNodes(Heap: HeapType, this: Ref, end: Ref): int; +function lengthNodes'(Heap: HeapType, this: Ref, end: Ref): int; +axiom (forall Heap: HeapType, this: Ref, end: Ref :: + { lengthNodes(Heap, this, end) } + lengthNodes(Heap, this, end) == lengthNodes'(Heap, this, end) && dummyFunction(lengthNodes#triggerStateless(this, end)) +); +axiom (forall Heap: HeapType, this: Ref, end: Ref :: + { lengthNodes'(Heap, this, end) } + dummyFunction(lengthNodes#triggerStateless(this, end)) +); + +// Definitional axiom +axiom (forall Heap: HeapType, Mask: MaskType, this: Ref, end: Ref :: + { state(Heap, Mask), lengthNodes(Heap, this, end) } { state(Heap, Mask), lengthNodes#triggerStateless(this, end), lseg#trigger(Heap, lseg(this, end)) } + state(Heap, Mask) && AssumeFunctionsAbove < 3 ==> lengthNodes(Heap, this, end) == (if this == end then 0 else 1 + lengthNodes'(Heap, Heap[this, next], end)) +); + +// Framing axioms +function lengthNodes#frame(frame: FrameType, this: Ref, end: Ref): int; +axiom (forall Heap: HeapType, Mask: MaskType, this: Ref, end: Ref :: + { state(Heap, Mask), lengthNodes'(Heap, this, end) } { state(Heap, Mask), lengthNodes#triggerStateless(this, end), lseg#trigger(Heap, lseg(this, end)) } + state(Heap, Mask) ==> lengthNodes'(Heap, this, end) == lengthNodes#frame(Heap[null, lseg(this, end)], this, end) +); + +// Postcondition axioms +axiom (forall Heap: HeapType, Mask: MaskType, this: Ref, end: Ref :: + { state(Heap, Mask), lengthNodes'(Heap, this, end) } + state(Heap, Mask) && (AssumeFunctionsAbove < 3 || lengthNodes#trigger(Heap[null, lseg(this, end)], this, end)) ==> lengthNodes'(Heap, this, end) == Seq#Length(contentNodes(Heap, this, end)) +); + +// Trigger function (controlling recursive postconditions) +function lengthNodes#trigger(frame: FrameType, this: Ref, end: Ref): bool; + +// State-independent trigger function +function lengthNodes#triggerStateless(this: Ref, end: Ref): int; + +// Check contract well-formedness and postcondition +procedure lengthNodes#definedness(this: Ref, end: Ref) returns (Result: int) + modifies Heap, Mask; +{ + var perm: Perm; + var UnfoldingHeap: HeapType; + var UnfoldingMask: MaskType; + var Unfolding1Heap: HeapType; + var Unfolding1Mask: MaskType; + var newPMask: PMaskType; + var ExhaleHeap: HeapType; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume Heap[this, $allocated]; + assume Heap[end, $allocated]; + assume AssumeFunctionsAbove == 3; + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Inhaling precondition (with checking) + perm := FullPerm; + Mask[null, lseg(this, end)] := Mask[null, lseg(this, end)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of function body + + // -- Check definedness of (unfolding acc(lseg(this, end), write) in (this == end ? 0 : 1 + lengthNodes(this.next, end))) + UnfoldingHeap := Heap; + UnfoldingMask := Mask; + assume lseg#trigger(UnfoldingHeap, lseg(this, end)); + assume UnfoldingHeap[null, lseg(this, end)] == FrameFragment((if this != end then CombineFrames(FrameFragment(UnfoldingHeap[this, data]), CombineFrames(FrameFragment(UnfoldingHeap[this, next]), UnfoldingHeap[null, lseg(UnfoldingHeap[this, next], end)])) else EmptyFrame)); + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Function might not be well-formed. There might be insufficient permission to access lseg(this, end) (linked-list-predicates.vpr@32.1--39.2) [1016]"} + perm <= UnfoldingMask[null, lseg(this, end)]; + } + UnfoldingMask[null, lseg(this, end)] := UnfoldingMask[null, lseg(this, end)] - perm; + if (this != end) { + perm := FullPerm; + assume this != null; + UnfoldingMask[this, data] := UnfoldingMask[this, data] + perm; + assume state(UnfoldingHeap, UnfoldingMask); + perm := FullPerm; + assume this != null; + UnfoldingMask[this, next] := UnfoldingMask[this, next] + perm; + assume state(UnfoldingHeap, UnfoldingMask); + perm := FullPerm; + UnfoldingMask[null, lseg(UnfoldingHeap[this, next], end)] := UnfoldingMask[null, lseg(UnfoldingHeap[this, next], end)] + perm; + + // -- Extra unfolding of predicate + assume InsidePredicate(lseg(this, end), UnfoldingHeap[null, lseg(this, end)], lseg(UnfoldingHeap[this, next], end), UnfoldingHeap[null, lseg(UnfoldingHeap[this, next], end)]); + assume state(UnfoldingHeap, UnfoldingMask); + + // -- Execute unfolding (for extra information) + Unfolding1Heap := UnfoldingHeap; + Unfolding1Mask := UnfoldingMask; + assume lseg#trigger(Unfolding1Heap, lseg(Unfolding1Heap[this, next], end)); + assume Unfolding1Heap[null, lseg(Unfolding1Heap[this, next], end)] == FrameFragment((if Unfolding1Heap[this, next] != end then CombineFrames(FrameFragment(Unfolding1Heap[Unfolding1Heap[this, next], data]), CombineFrames(FrameFragment(Unfolding1Heap[Unfolding1Heap[this, next], next]), Unfolding1Heap[null, lseg(Unfolding1Heap[Unfolding1Heap[this, next], next], end)])) else EmptyFrame)); + perm := FullPerm; + Unfolding1Mask[null, lseg(Unfolding1Heap[this, next], end)] := Unfolding1Mask[null, lseg(Unfolding1Heap[this, next], end)] - perm; + if (Unfolding1Heap[this, next] != end) { + perm := FullPerm; + assume Unfolding1Heap[this, next] != null; + Unfolding1Mask[Unfolding1Heap[this, next], data] := Unfolding1Mask[Unfolding1Heap[this, next], data] + perm; + assume state(Unfolding1Heap, Unfolding1Mask); + perm := FullPerm; + assume Unfolding1Heap[this, next] != null; + Unfolding1Mask[Unfolding1Heap[this, next], next] := Unfolding1Mask[Unfolding1Heap[this, next], next] + perm; + assume state(Unfolding1Heap, Unfolding1Mask); + perm := FullPerm; + Unfolding1Mask[null, lseg(Unfolding1Heap[Unfolding1Heap[this, next], next], end)] := Unfolding1Mask[null, lseg(Unfolding1Heap[Unfolding1Heap[this, next], next], end)] + perm; + + // -- Extra unfolding of predicate + assume InsidePredicate(lseg(Unfolding1Heap[this, next], end), Unfolding1Heap[null, lseg(Unfolding1Heap[this, next], end)], lseg(Unfolding1Heap[Unfolding1Heap[this, next], next], end), Unfolding1Heap[null, lseg(Unfolding1Heap[Unfolding1Heap[this, next], next], end)]); + assume state(Unfolding1Heap, Unfolding1Mask); + assume Unfolding1Heap[Unfolding1Heap[this, next], next] != end ==> Unfolding1Heap[Unfolding1Heap[this, next], data] <= Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[this, next], next], data]; + + // -- Free assumptions (inhale module) + if (Unfolding1Heap[Unfolding1Heap[this, next], next] != end) { + Unfolding1Heap[null, lseg#sm(Unfolding1Heap[Unfolding1Heap[this, next], next], end)][Unfolding1Heap[Unfolding1Heap[this, next], next], data] := true; + Unfolding1Heap[null, lseg#sm(Unfolding1Heap[Unfolding1Heap[this, next], next], end)][Unfolding1Heap[Unfolding1Heap[this, next], next], next] := true; + havoc newPMask; + assume (forall o_11: Ref, f_15: (Field A B) :: + { newPMask[o_11, f_15] } + Unfolding1Heap[null, lseg#sm(Unfolding1Heap[Unfolding1Heap[this, next], next], end)][o_11, f_15] || Unfolding1Heap[null, lseg#sm(Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[this, next], next], next], end)][o_11, f_15] ==> newPMask[o_11, f_15] + ); + Unfolding1Heap[null, lseg#sm(Unfolding1Heap[Unfolding1Heap[this, next], next], end)] := newPMask; + } + assume state(Unfolding1Heap, Unfolding1Mask); + } + assume state(Unfolding1Heap, Unfolding1Mask); + assume UnfoldingHeap[this, next] != end ==> UnfoldingHeap[this, data] <= UnfoldingHeap[UnfoldingHeap[this, next], data]; + + // -- Free assumptions (inhale module) + if (UnfoldingHeap[this, next] != end) { + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[this, next], end)][UnfoldingHeap[this, next], data] := true; + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[this, next], end)][UnfoldingHeap[this, next], next] := true; + havoc newPMask; + assume (forall o_12: Ref, f_16: (Field A B) :: + { newPMask[o_12, f_16] } + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[this, next], end)][o_12, f_16] || UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[this, next], next], end)][o_12, f_16] ==> newPMask[o_12, f_16] + ); + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[this, next], end)] := newPMask; + } + assume state(UnfoldingHeap, UnfoldingMask); + } + assume state(UnfoldingHeap, UnfoldingMask); + if (this == end) { + } else { + assert {:msg " Function might not be well-formed. There might be insufficient permission to access this.next (linked-list-predicates.vpr@32.1--39.2) [1017]"} + HasDirectPerm(UnfoldingMask, this, next); + if (*) { + // Exhale precondition of function application + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Precondition of function lengthNodes might not hold. There might be insufficient permission to access lseg(this.next, end) (linked-list-predicates.vpr@38.21--38.48) [1018]"} + perm <= UnfoldingMask[null, lseg(UnfoldingHeap[this, next], end)]; + } + UnfoldingMask[null, lseg(UnfoldingHeap[this, next], end)] := UnfoldingMask[null, lseg(UnfoldingHeap[this, next], end)] - perm; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(UnfoldingHeap, ExhaleHeap, UnfoldingMask); + UnfoldingHeap := ExhaleHeap; + // Stop execution + assume false; + } else { + // Enable postcondition for recursive call + assume lengthNodes#trigger(UnfoldingHeap[null, lseg(UnfoldingHeap[this, next], end)], UnfoldingHeap[this, next], end); + } + } + + // -- Free assumptions (exp module) + if (this != end) { + Heap[null, lseg#sm(this, end)][this, data] := true; + Heap[null, lseg#sm(this, end)][this, next] := true; + havoc newPMask; + assume (forall o_13: Ref, f_17: (Field A B) :: + { newPMask[o_13, f_17] } + Heap[null, lseg#sm(this, end)][o_13, f_17] || Heap[null, lseg#sm(Heap[this, next], end)][o_13, f_17] ==> newPMask[o_13, f_17] + ); + Heap[null, lseg#sm(this, end)] := newPMask; + } + assume state(Heap, Mask); + + // -- Translate function body + Result := (if this == end then 0 else 1 + lengthNodes(Heap, Heap[this, next], end)); + + // -- Exhaling postcondition (with checking) + + // -- Check definedness of result == |contentNodes(this, end)| + if (*) { + // Exhale precondition of function application + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Precondition of function contentNodes might not hold. There might be insufficient permission to access lseg(this, end) (linked-list-predicates.vpr@34.23--34.46) [1019]"} + perm <= Mask[null, lseg(this, end)]; + } + Mask[null, lseg(this, end)] := Mask[null, lseg(this, end)] - perm; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } + assert {:msg " Postcondition of lengthNodes might not hold. Assertion result == |contentNodes(this, end)| might not hold. (linked-list-predicates.vpr@34.12--34.47) [1020]"} + Result == Seq#Length(contentNodes(Heap, this, end)); +} + +// ================================================== +// Translation of function content +// ================================================== + +// Uninterpreted function definitions +function content(Heap: HeapType, this: Ref): Seq int; +function content'(Heap: HeapType, this: Ref): Seq int; +axiom (forall Heap: HeapType, this: Ref :: + { content(Heap, this) } + content(Heap, this) == content'(Heap, this) && dummyFunction(content#triggerStateless(this)) +); +axiom (forall Heap: HeapType, this: Ref :: + { content'(Heap, this) } + dummyFunction(content#triggerStateless(this)) +); + +// Definitional axiom +axiom (forall Heap: HeapType, Mask: MaskType, this: Ref :: + { state(Heap, Mask), content(Heap, this) } { state(Heap, Mask), content#triggerStateless(this), List#trigger(Heap, List(this)) } + state(Heap, Mask) && AssumeFunctionsAbove < 2 ==> content(Heap, this) == contentNodes(Heap, Heap[this, head], null) +); + +// Framing axioms +function content#frame(frame: FrameType, this: Ref): Seq int; +axiom (forall Heap: HeapType, Mask: MaskType, this: Ref :: + { state(Heap, Mask), content'(Heap, this) } { state(Heap, Mask), content#triggerStateless(this), List#trigger(Heap, List(this)) } + state(Heap, Mask) ==> content'(Heap, this) == content#frame(Heap[null, List(this)], this) +); + +// Postcondition axioms +axiom (forall Heap: HeapType, Mask: MaskType, this: Ref :: + { state(Heap, Mask), content'(Heap, this) } + state(Heap, Mask) && (AssumeFunctionsAbove < 2 || content#trigger(Heap[null, List(this)], this)) ==> (forall i: int, j: int :: + { Seq#Index(content'(Heap, this), i), Seq#Index(content'(Heap, this), j) } + 0 <= i && (i < j && j < Seq#Length(content'(Heap, this))) ==> Seq#Index(content'(Heap, this), i) <= Seq#Index(content'(Heap, this), j) + ) +); + +// Trigger function (controlling recursive postconditions) +function content#trigger(frame: FrameType, this: Ref): bool; + +// State-independent trigger function +function content#triggerStateless(this: Ref): Seq int; + +// Check contract well-formedness and postcondition +procedure content#definedness(this: Ref) returns (Result: (Seq int)) + modifies Heap, Mask; +{ + var perm: Perm; + var UnfoldingHeap: HeapType; + var UnfoldingMask: MaskType; + var ExhaleHeap: HeapType; + var newPMask: PMaskType; + var i_3: int; + var j_3: int; + var i_2: int; + var j_2: int; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume Heap[this, $allocated]; + assume AssumeFunctionsAbove == 2; + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Inhaling precondition (with checking) + perm := FullPerm; + Mask[null, List(this)] := Mask[null, List(this)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of function body + + // -- Check definedness of (unfolding acc(List(this), write) in contentNodes(this.head, null)) + UnfoldingHeap := Heap; + UnfoldingMask := Mask; + assume List#trigger(UnfoldingHeap, List(this)); + assume UnfoldingHeap[null, List(this)] == CombineFrames(FrameFragment(UnfoldingHeap[this, head]), UnfoldingHeap[null, lseg(UnfoldingHeap[this, head], null)]); + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Function might not be well-formed. There might be insufficient permission to access List(this) (linked-list-predicates.vpr@53.1--58.2) [1021]"} + perm <= UnfoldingMask[null, List(this)]; + } + UnfoldingMask[null, List(this)] := UnfoldingMask[null, List(this)] - perm; + perm := FullPerm; + assume this != null; + UnfoldingMask[this, head] := UnfoldingMask[this, head] + perm; + assume state(UnfoldingHeap, UnfoldingMask); + perm := FullPerm; + UnfoldingMask[null, lseg(UnfoldingHeap[this, head], null)] := UnfoldingMask[null, lseg(UnfoldingHeap[this, head], null)] + perm; + + // -- Extra unfolding of predicate + assume InsidePredicate(List(this), UnfoldingHeap[null, List(this)], lseg(UnfoldingHeap[this, head], null), UnfoldingHeap[null, lseg(UnfoldingHeap[this, head], null)]); + assume state(UnfoldingHeap, UnfoldingMask); + assume state(UnfoldingHeap, UnfoldingMask); + assert {:msg " Function might not be well-formed. There might be insufficient permission to access this.head (linked-list-predicates.vpr@53.1--58.2) [1022]"} + HasDirectPerm(UnfoldingMask, this, head); + if (*) { + // Exhale precondition of function application + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Precondition of function contentNodes might not hold. There might be insufficient permission to access lseg(this.head, null) (linked-list-predicates.vpr@57.32--57.61) [1023]"} + perm <= UnfoldingMask[null, lseg(UnfoldingHeap[this, head], null)]; + } + UnfoldingMask[null, lseg(UnfoldingHeap[this, head], null)] := UnfoldingMask[null, lseg(UnfoldingHeap[this, head], null)] - perm; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(UnfoldingHeap, ExhaleHeap, UnfoldingMask); + UnfoldingHeap := ExhaleHeap; + // Stop execution + assume false; + } + + // -- Free assumptions (exp module) + Heap[null, List#sm(this)][this, head] := true; + havoc newPMask; + assume (forall o_14: Ref, f_18: (Field A B) :: + { newPMask[o_14, f_18] } + Heap[null, List#sm(this)][o_14, f_18] || Heap[null, lseg#sm(Heap[this, head], null)][o_14, f_18] ==> newPMask[o_14, f_18] + ); + Heap[null, List#sm(this)] := newPMask; + assume state(Heap, Mask); + + // -- Translate function body + Result := contentNodes(Heap, Heap[this, head], null); + + // -- Exhaling postcondition (with checking) + + // -- Check definedness of (forall i: Int, j: Int :: { result[i], result[j] } 0 <= i && (i < j && j < |result|) ==> result[i] <= result[j]) + if (*) { + if (0 <= i_3 && (i_3 < j_3 && j_3 < Seq#Length(Result))) { + assert {:msg " Contract might not be well-formed. Index result[i] into result might be negative. (linked-list-predicates.vpr@55.12--55.95) [1024]"} + i_3 >= 0; + assert {:msg " Contract might not be well-formed. Index result[i] into result might exceed sequence length. (linked-list-predicates.vpr@55.12--55.95) [1025]"} + i_3 < Seq#Length(Result); + assert {:msg " Contract might not be well-formed. Index result[j] into result might be negative. (linked-list-predicates.vpr@55.12--55.95) [1026]"} + j_3 >= 0; + assert {:msg " Contract might not be well-formed. Index result[j] into result might exceed sequence length. (linked-list-predicates.vpr@55.12--55.95) [1027]"} + j_3 < Seq#Length(Result); + } + assume false; + } + if (*) { + if (0 <= i_2 && (i_2 < j_2 && j_2 < Seq#Length(Result))) { + assert {:msg " Postcondition of content might not hold. Assertion result[i] <= result[j] might not hold. (linked-list-predicates.vpr@55.12--55.95) [1028]"} + Seq#Index(Result, i_2) <= Seq#Index(Result, j_2); + } + assume false; + } + assume (forall i_3_1: int, j_3_1: int :: + { Seq#Index(Result, i_3_1), Seq#Index(Result, j_3_1) } + 0 <= i_3_1 && (i_3_1 < j_3_1 && j_3_1 < Seq#Length(Result)) ==> Seq#Index(Result, i_3_1) <= Seq#Index(Result, j_3_1) + ); +} + +// ================================================== +// Translation of function length +// ================================================== + +// Uninterpreted function definitions +function length(Heap: HeapType, this: Ref): int; +function length'(Heap: HeapType, this: Ref): int; +axiom (forall Heap: HeapType, this: Ref :: + { length(Heap, this) } + length(Heap, this) == length'(Heap, this) && dummyFunction(length#triggerStateless(this)) +); +axiom (forall Heap: HeapType, this: Ref :: + { length'(Heap, this) } + dummyFunction(length#triggerStateless(this)) +); + +// Definitional axiom +axiom (forall Heap: HeapType, Mask: MaskType, this: Ref :: + { state(Heap, Mask), length(Heap, this) } { state(Heap, Mask), length#triggerStateless(this), List#trigger(Heap, List(this)) } + state(Heap, Mask) && AssumeFunctionsAbove < 1 ==> length(Heap, this) == lengthNodes(Heap, Heap[this, head], null) +); + +// Framing axioms +function length#frame(frame: FrameType, this: Ref): int; +axiom (forall Heap: HeapType, Mask: MaskType, this: Ref :: + { state(Heap, Mask), length'(Heap, this) } { state(Heap, Mask), length#triggerStateless(this), List#trigger(Heap, List(this)) } + state(Heap, Mask) ==> length'(Heap, this) == length#frame(Heap[null, List(this)], this) +); + +// Postcondition axioms +axiom (forall Heap: HeapType, Mask: MaskType, this: Ref :: + { state(Heap, Mask), length'(Heap, this) } + state(Heap, Mask) && (AssumeFunctionsAbove < 1 || length#trigger(Heap[null, List(this)], this)) ==> length'(Heap, this) == Seq#Length(content(Heap, this)) +); + +// Trigger function (controlling recursive postconditions) +function length#trigger(frame: FrameType, this: Ref): bool; + +// State-independent trigger function +function length#triggerStateless(this: Ref): int; + +// Check contract well-formedness and postcondition +procedure length#definedness(this: Ref) returns (Result: int) + modifies Heap, Mask; +{ + var perm: Perm; + var UnfoldingHeap: HeapType; + var UnfoldingMask: MaskType; + var ExhaleHeap: HeapType; + var newPMask: PMaskType; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume Heap[this, $allocated]; + assume AssumeFunctionsAbove == 1; + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Inhaling precondition (with checking) + perm := FullPerm; + Mask[null, List(this)] := Mask[null, List(this)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of function body + + // -- Check definedness of (unfolding acc(List(this), write) in lengthNodes(this.head, null)) + UnfoldingHeap := Heap; + UnfoldingMask := Mask; + assume List#trigger(UnfoldingHeap, List(this)); + assume UnfoldingHeap[null, List(this)] == CombineFrames(FrameFragment(UnfoldingHeap[this, head]), UnfoldingHeap[null, lseg(UnfoldingHeap[this, head], null)]); + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Function might not be well-formed. There might be insufficient permission to access List(this) (linked-list-predicates.vpr@60.1--65.2) [1029]"} + perm <= UnfoldingMask[null, List(this)]; + } + UnfoldingMask[null, List(this)] := UnfoldingMask[null, List(this)] - perm; + perm := FullPerm; + assume this != null; + UnfoldingMask[this, head] := UnfoldingMask[this, head] + perm; + assume state(UnfoldingHeap, UnfoldingMask); + perm := FullPerm; + UnfoldingMask[null, lseg(UnfoldingHeap[this, head], null)] := UnfoldingMask[null, lseg(UnfoldingHeap[this, head], null)] + perm; + + // -- Extra unfolding of predicate + assume InsidePredicate(List(this), UnfoldingHeap[null, List(this)], lseg(UnfoldingHeap[this, head], null), UnfoldingHeap[null, lseg(UnfoldingHeap[this, head], null)]); + assume state(UnfoldingHeap, UnfoldingMask); + assume state(UnfoldingHeap, UnfoldingMask); + assert {:msg " Function might not be well-formed. There might be insufficient permission to access this.head (linked-list-predicates.vpr@60.1--65.2) [1030]"} + HasDirectPerm(UnfoldingMask, this, head); + if (*) { + // Exhale precondition of function application + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Precondition of function lengthNodes might not hold. There might be insufficient permission to access lseg(this.head, null) (linked-list-predicates.vpr@64.32--64.60) [1031]"} + perm <= UnfoldingMask[null, lseg(UnfoldingHeap[this, head], null)]; + } + UnfoldingMask[null, lseg(UnfoldingHeap[this, head], null)] := UnfoldingMask[null, lseg(UnfoldingHeap[this, head], null)] - perm; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(UnfoldingHeap, ExhaleHeap, UnfoldingMask); + UnfoldingHeap := ExhaleHeap; + // Stop execution + assume false; + } + + // -- Free assumptions (exp module) + Heap[null, List#sm(this)][this, head] := true; + havoc newPMask; + assume (forall o_15: Ref, f_19: (Field A B) :: + { newPMask[o_15, f_19] } + Heap[null, List#sm(this)][o_15, f_19] || Heap[null, lseg#sm(Heap[this, head], null)][o_15, f_19] ==> newPMask[o_15, f_19] + ); + Heap[null, List#sm(this)] := newPMask; + assume state(Heap, Mask); + + // -- Translate function body + Result := lengthNodes(Heap, Heap[this, head], null); + + // -- Exhaling postcondition (with checking) + + // -- Check definedness of result == |content(this)| + if (*) { + // Exhale precondition of function application + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Precondition of function content might not hold. There might be insufficient permission to access List(this) (linked-list-predicates.vpr@62.22--62.35) [1032]"} + perm <= Mask[null, List(this)]; + } + Mask[null, List(this)] := Mask[null, List(this)] - perm; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } + assert {:msg " Postcondition of length might not hold. Assertion result == |content(this)| might not hold. (linked-list-predicates.vpr@62.11--62.36) [1033]"} + Result == Seq#Length(content(Heap, this)); +} + +// ================================================== +// Translation of function peek +// ================================================== + +// Uninterpreted function definitions +function peek(Heap: HeapType, this: Ref): int; +function peek'(Heap: HeapType, this: Ref): int; +axiom (forall Heap: HeapType, this: Ref :: + { peek(Heap, this) } + peek(Heap, this) == peek'(Heap, this) && dummyFunction(peek#triggerStateless(this)) +); +axiom (forall Heap: HeapType, this: Ref :: + { peek'(Heap, this) } + dummyFunction(peek#triggerStateless(this)) +); + +// Definitional axiom +axiom (forall Heap: HeapType, Mask: MaskType, this: Ref :: + { state(Heap, Mask), peek(Heap, this) } { state(Heap, Mask), peek#triggerStateless(this), List#trigger(Heap, List(this)) } + state(Heap, Mask) && AssumeFunctionsAbove < 0 ==> 0 < length(Heap, this) ==> peek(Heap, this) == Heap[Heap[this, head], data] +); + +// Framing axioms +function peek#frame(frame: FrameType, this: Ref): int; +axiom (forall Heap: HeapType, Mask: MaskType, this: Ref :: + { state(Heap, Mask), peek'(Heap, this) } + state(Heap, Mask) ==> peek'(Heap, this) == peek#frame(Heap[null, List(this)], this) +); + +// Postcondition axioms +axiom (forall Heap: HeapType, Mask: MaskType, this: Ref :: + { state(Heap, Mask), peek'(Heap, this) } + state(Heap, Mask) && (AssumeFunctionsAbove < 0 || peek#trigger(Heap[null, List(this)], this)) ==> 0 < length(Heap, this) ==> peek'(Heap, this) == Seq#Index(content(Heap, this), 0) +); + +// Trigger function (controlling recursive postconditions) +function peek#trigger(frame: FrameType, this: Ref): bool; + +// State-independent trigger function +function peek#triggerStateless(this: Ref): int; + +// Check contract well-formedness and postcondition +procedure peek#definedness(this: Ref) returns (Result: int) + modifies Heap, Mask; +{ + var perm: Perm; + var ExhaleHeap: HeapType; + var UnfoldingHeap: HeapType; + var UnfoldingMask: MaskType; + var Unfolding1Heap: HeapType; + var Unfolding1Mask: MaskType; + var Unfolding2Heap: HeapType; + var Unfolding2Mask: MaskType; + var newPMask: PMaskType; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume Heap[this, $allocated]; + assume AssumeFunctionsAbove == 0; + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Inhaling precondition (with checking) + perm := FullPerm; + Mask[null, List(this)] := Mask[null, List(this)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of 0 < length(this) + if (*) { + // Exhale precondition of function application + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Precondition of function length might not hold. There might be insufficient permission to access List(this) (linked-list-predicates.vpr@69.16--69.28) [1034]"} + perm <= Mask[null, List(this)]; + } + Mask[null, List(this)] := Mask[null, List(this)] - perm; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } + assume 0 < length(Heap, this); + assume state(Heap, Mask); + + // -- Check definedness of function body + + // -- Check definedness of (unfolding acc(List(this), write) in (unfolding acc(lseg(this.head, null), write) in this.head.data)) + UnfoldingHeap := Heap; + UnfoldingMask := Mask; + assume List#trigger(UnfoldingHeap, List(this)); + assume UnfoldingHeap[null, List(this)] == CombineFrames(FrameFragment(UnfoldingHeap[this, head]), UnfoldingHeap[null, lseg(UnfoldingHeap[this, head], null)]); + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Function might not be well-formed. There might be insufficient permission to access List(this) (linked-list-predicates.vpr@67.1--73.2) [1035]"} + perm <= UnfoldingMask[null, List(this)]; + } + UnfoldingMask[null, List(this)] := UnfoldingMask[null, List(this)] - perm; + perm := FullPerm; + assume this != null; + UnfoldingMask[this, head] := UnfoldingMask[this, head] + perm; + assume state(UnfoldingHeap, UnfoldingMask); + perm := FullPerm; + UnfoldingMask[null, lseg(UnfoldingHeap[this, head], null)] := UnfoldingMask[null, lseg(UnfoldingHeap[this, head], null)] + perm; + + // -- Extra unfolding of predicate + assume InsidePredicate(List(this), UnfoldingHeap[null, List(this)], lseg(UnfoldingHeap[this, head], null), UnfoldingHeap[null, lseg(UnfoldingHeap[this, head], null)]); + assume state(UnfoldingHeap, UnfoldingMask); + assume state(UnfoldingHeap, UnfoldingMask); + Unfolding1Heap := UnfoldingHeap; + Unfolding1Mask := UnfoldingMask; + assume lseg#trigger(Unfolding1Heap, lseg(Unfolding1Heap[this, head], null)); + assume Unfolding1Heap[null, lseg(Unfolding1Heap[this, head], null)] == FrameFragment((if Unfolding1Heap[this, head] != null then CombineFrames(FrameFragment(Unfolding1Heap[Unfolding1Heap[this, head], data]), CombineFrames(FrameFragment(Unfolding1Heap[Unfolding1Heap[this, head], next]), Unfolding1Heap[null, lseg(Unfolding1Heap[Unfolding1Heap[this, head], next], null)])) else EmptyFrame)); + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Function might not be well-formed. There might be insufficient permission to access lseg(this.head, null) (linked-list-predicates.vpr@67.1--73.2) [1036]"} + perm <= Unfolding1Mask[null, lseg(Unfolding1Heap[this, head], null)]; + } + Unfolding1Mask[null, lseg(Unfolding1Heap[this, head], null)] := Unfolding1Mask[null, lseg(Unfolding1Heap[this, head], null)] - perm; + if (Unfolding1Heap[this, head] != null) { + perm := FullPerm; + assume Unfolding1Heap[this, head] != null; + Unfolding1Mask[Unfolding1Heap[this, head], data] := Unfolding1Mask[Unfolding1Heap[this, head], data] + perm; + assume state(Unfolding1Heap, Unfolding1Mask); + perm := FullPerm; + assume Unfolding1Heap[this, head] != null; + Unfolding1Mask[Unfolding1Heap[this, head], next] := Unfolding1Mask[Unfolding1Heap[this, head], next] + perm; + assume state(Unfolding1Heap, Unfolding1Mask); + perm := FullPerm; + Unfolding1Mask[null, lseg(Unfolding1Heap[Unfolding1Heap[this, head], next], null)] := Unfolding1Mask[null, lseg(Unfolding1Heap[Unfolding1Heap[this, head], next], null)] + perm; + + // -- Extra unfolding of predicate + assume InsidePredicate(lseg(Unfolding1Heap[this, head], null), Unfolding1Heap[null, lseg(Unfolding1Heap[this, head], null)], lseg(Unfolding1Heap[Unfolding1Heap[this, head], next], null), Unfolding1Heap[null, lseg(Unfolding1Heap[Unfolding1Heap[this, head], next], null)]); + assume state(Unfolding1Heap, Unfolding1Mask); + + // -- Execute unfolding (for extra information) + Unfolding2Heap := Unfolding1Heap; + Unfolding2Mask := Unfolding1Mask; + assume lseg#trigger(Unfolding2Heap, lseg(Unfolding2Heap[Unfolding2Heap[this, head], next], null)); + assume Unfolding2Heap[null, lseg(Unfolding2Heap[Unfolding2Heap[this, head], next], null)] == FrameFragment((if Unfolding2Heap[Unfolding2Heap[this, head], next] != null then CombineFrames(FrameFragment(Unfolding2Heap[Unfolding2Heap[Unfolding2Heap[this, head], next], data]), CombineFrames(FrameFragment(Unfolding2Heap[Unfolding2Heap[Unfolding2Heap[this, head], next], next]), Unfolding2Heap[null, lseg(Unfolding2Heap[Unfolding2Heap[Unfolding2Heap[this, head], next], next], null)])) else EmptyFrame)); + perm := FullPerm; + Unfolding2Mask[null, lseg(Unfolding2Heap[Unfolding2Heap[this, head], next], null)] := Unfolding2Mask[null, lseg(Unfolding2Heap[Unfolding2Heap[this, head], next], null)] - perm; + if (Unfolding2Heap[Unfolding2Heap[this, head], next] != null) { + perm := FullPerm; + assume Unfolding2Heap[Unfolding2Heap[this, head], next] != null; + Unfolding2Mask[Unfolding2Heap[Unfolding2Heap[this, head], next], data] := Unfolding2Mask[Unfolding2Heap[Unfolding2Heap[this, head], next], data] + perm; + assume state(Unfolding2Heap, Unfolding2Mask); + perm := FullPerm; + assume Unfolding2Heap[Unfolding2Heap[this, head], next] != null; + Unfolding2Mask[Unfolding2Heap[Unfolding2Heap[this, head], next], next] := Unfolding2Mask[Unfolding2Heap[Unfolding2Heap[this, head], next], next] + perm; + assume state(Unfolding2Heap, Unfolding2Mask); + perm := FullPerm; + Unfolding2Mask[null, lseg(Unfolding2Heap[Unfolding2Heap[Unfolding2Heap[this, head], next], next], null)] := Unfolding2Mask[null, lseg(Unfolding2Heap[Unfolding2Heap[Unfolding2Heap[this, head], next], next], null)] + perm; + + // -- Extra unfolding of predicate + assume InsidePredicate(lseg(Unfolding2Heap[Unfolding2Heap[this, head], next], null), Unfolding2Heap[null, lseg(Unfolding2Heap[Unfolding2Heap[this, head], next], null)], lseg(Unfolding2Heap[Unfolding2Heap[Unfolding2Heap[this, head], next], next], null), Unfolding2Heap[null, lseg(Unfolding2Heap[Unfolding2Heap[Unfolding2Heap[this, head], next], next], null)]); + assume state(Unfolding2Heap, Unfolding2Mask); + assume Unfolding2Heap[Unfolding2Heap[Unfolding2Heap[this, head], next], next] != null ==> Unfolding2Heap[Unfolding2Heap[Unfolding2Heap[this, head], next], data] <= Unfolding2Heap[Unfolding2Heap[Unfolding2Heap[Unfolding2Heap[this, head], next], next], data]; + + // -- Free assumptions (inhale module) + if (Unfolding2Heap[Unfolding2Heap[Unfolding2Heap[this, head], next], next] != null) { + Unfolding2Heap[null, lseg#sm(Unfolding2Heap[Unfolding2Heap[Unfolding2Heap[this, head], next], next], null)][Unfolding2Heap[Unfolding2Heap[Unfolding2Heap[this, head], next], next], data] := true; + Unfolding2Heap[null, lseg#sm(Unfolding2Heap[Unfolding2Heap[Unfolding2Heap[this, head], next], next], null)][Unfolding2Heap[Unfolding2Heap[Unfolding2Heap[this, head], next], next], next] := true; + havoc newPMask; + assume (forall o_16: Ref, f_20: (Field A B) :: + { newPMask[o_16, f_20] } + Unfolding2Heap[null, lseg#sm(Unfolding2Heap[Unfolding2Heap[Unfolding2Heap[this, head], next], next], null)][o_16, f_20] || Unfolding2Heap[null, lseg#sm(Unfolding2Heap[Unfolding2Heap[Unfolding2Heap[Unfolding2Heap[this, head], next], next], next], null)][o_16, f_20] ==> newPMask[o_16, f_20] + ); + Unfolding2Heap[null, lseg#sm(Unfolding2Heap[Unfolding2Heap[Unfolding2Heap[this, head], next], next], null)] := newPMask; + } + assume state(Unfolding2Heap, Unfolding2Mask); + } + assume state(Unfolding2Heap, Unfolding2Mask); + assume Unfolding1Heap[Unfolding1Heap[this, head], next] != null ==> Unfolding1Heap[Unfolding1Heap[this, head], data] <= Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[this, head], next], data]; + + // -- Free assumptions (inhale module) + if (Unfolding1Heap[Unfolding1Heap[this, head], next] != null) { + Unfolding1Heap[null, lseg#sm(Unfolding1Heap[Unfolding1Heap[this, head], next], null)][Unfolding1Heap[Unfolding1Heap[this, head], next], data] := true; + Unfolding1Heap[null, lseg#sm(Unfolding1Heap[Unfolding1Heap[this, head], next], null)][Unfolding1Heap[Unfolding1Heap[this, head], next], next] := true; + havoc newPMask; + assume (forall o_17: Ref, f_21: (Field A B) :: + { newPMask[o_17, f_21] } + Unfolding1Heap[null, lseg#sm(Unfolding1Heap[Unfolding1Heap[this, head], next], null)][o_17, f_21] || Unfolding1Heap[null, lseg#sm(Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[this, head], next], next], null)][o_17, f_21] ==> newPMask[o_17, f_21] + ); + Unfolding1Heap[null, lseg#sm(Unfolding1Heap[Unfolding1Heap[this, head], next], null)] := newPMask; + } + assume state(Unfolding1Heap, Unfolding1Mask); + } + assume state(Unfolding1Heap, Unfolding1Mask); + assert {:msg " Function might not be well-formed. There might be insufficient permission to access this.head (linked-list-predicates.vpr@67.1--73.2) [1037]"} + HasDirectPerm(Unfolding1Mask, this, head); + assert {:msg " Function might not be well-formed. There might be insufficient permission to access this.head.data (linked-list-predicates.vpr@67.1--73.2) [1038]"} + HasDirectPerm(Unfolding1Mask, Unfolding1Heap[this, head], data); + assert {:msg " Function might not be well-formed. There might be insufficient permission to access this.head (linked-list-predicates.vpr@67.1--73.2) [1039]"} + HasDirectPerm(Unfolding1Mask, this, head); + + // -- Free assumptions (exp module) + if (UnfoldingHeap[this, head] != null) { + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[this, head], null)][UnfoldingHeap[this, head], data] := true; + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[this, head], null)][UnfoldingHeap[this, head], next] := true; + havoc newPMask; + assume (forall o_18: Ref, f_22: (Field A B) :: + { newPMask[o_18, f_22] } + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[this, head], null)][o_18, f_22] || UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[this, head], next], null)][o_18, f_22] ==> newPMask[o_18, f_22] + ); + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[this, head], null)] := newPMask; + } + assume state(UnfoldingHeap, UnfoldingMask); + + // -- Free assumptions (exp module) + Heap[null, List#sm(this)][this, head] := true; + havoc newPMask; + assume (forall o_19: Ref, f_23: (Field A B) :: + { newPMask[o_19, f_23] } + Heap[null, List#sm(this)][o_19, f_23] || Heap[null, lseg#sm(Heap[this, head], null)][o_19, f_23] ==> newPMask[o_19, f_23] + ); + Heap[null, List#sm(this)] := newPMask; + assume state(Heap, Mask); + if (Heap[this, head] != null) { + Heap[null, lseg#sm(Heap[this, head], null)][Heap[this, head], data] := true; + Heap[null, lseg#sm(Heap[this, head], null)][Heap[this, head], next] := true; + havoc newPMask; + assume (forall o_20: Ref, f_24: (Field A B) :: + { newPMask[o_20, f_24] } + Heap[null, lseg#sm(Heap[this, head], null)][o_20, f_24] || Heap[null, lseg#sm(Heap[Heap[this, head], next], null)][o_20, f_24] ==> newPMask[o_20, f_24] + ); + Heap[null, lseg#sm(Heap[this, head], null)] := newPMask; + } + assume state(Heap, Mask); + + // -- Translate function body + Result := Heap[Heap[this, head], data]; + + // -- Exhaling postcondition (with checking) + + // -- Check definedness of result == content(this)[0] + if (*) { + // Exhale precondition of function application + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Precondition of function content might not hold. There might be insufficient permission to access List(this) (linked-list-predicates.vpr@70.21--70.34) [1040]"} + perm <= Mask[null, List(this)]; + } + Mask[null, List(this)] := Mask[null, List(this)] - perm; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } + assert {:msg " Contract might not be well-formed. Index content(this)[0] into content(this) might exceed sequence length. (linked-list-predicates.vpr@70.11--70.37) [1041]"} + 0 < Seq#Length(content(Heap, this)); + assert {:msg " Postcondition of peek might not hold. Assertion result == content(this)[0] might not hold. (linked-list-predicates.vpr@70.11--70.37) [1042]"} + Result == Seq#Index(content(Heap, this), 0); +} + +// ================================================== +// Translation of predicate lseg +// ================================================== + +type PredicateType_lseg; +function lseg(this: Ref, end: Ref): Field PredicateType_lseg FrameType; +function lseg#sm(this: Ref, end: Ref): Field PredicateType_lseg PMaskType; +axiom (forall this: Ref, end: Ref :: + { PredicateMaskField(lseg(this, end)) } + PredicateMaskField(lseg(this, end)) == lseg#sm(this, end) +); +axiom (forall this: Ref, end: Ref :: + { lseg(this, end) } + IsPredicateField(lseg(this, end)) +); +axiom (forall this: Ref, end: Ref :: + { lseg(this, end) } + getPredicateId(lseg(this, end)) == 0 +); +function lseg#trigger(Heap: HeapType, pred: (Field A FrameType)): bool; +function lseg#everUsed(pred: (Field A FrameType)): bool; +axiom (forall this: Ref, end: Ref, this2: Ref, end2: Ref :: + { lseg(this, end), lseg(this2, end2) } + lseg(this, end) == lseg(this2, end2) ==> this == this2 && end == end2 +); +axiom (forall this: Ref, end: Ref, this2: Ref, end2: Ref :: + { lseg#sm(this, end), lseg#sm(this2, end2) } + lseg#sm(this, end) == lseg#sm(this2, end2) ==> this == this2 && end == end2 +); + +axiom (forall Heap: HeapType, this: Ref, end: Ref :: + { lseg#trigger(Heap, lseg(this, end)) } + lseg#everUsed(lseg(this, end)) +); + +procedure lseg#definedness(this: Ref, end: Ref) returns () + modifies Heap, Mask; +{ + var perm: Perm; + var UnfoldingHeap: HeapType; + var UnfoldingMask: MaskType; + var Unfolding1Heap: HeapType; + var Unfolding1Mask: MaskType; + var newPMask: PMaskType; + + // -- Check definedness of predicate body of lseg + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == -1; + assume Heap[this, $allocated]; + assume Heap[end, $allocated]; + if (this != end) { + perm := FullPerm; + assume this != null; + Mask[this, data] := Mask[this, data] + perm; + assume state(Heap, Mask); + perm := FullPerm; + assume this != null; + Mask[this, next] := Mask[this, next] + perm; + assume state(Heap, Mask); + + // -- Check definedness of acc(lseg(this.next, end), write) + assert {:msg " Predicate might not be well-formed. There might be insufficient permission to access this.next (linked-list-predicates.vpr@11.1--16.2) [1043]"} + HasDirectPerm(Mask, this, next); + perm := FullPerm; + Mask[null, lseg(Heap[this, next], end)] := Mask[null, lseg(Heap[this, next], end)] + perm; + assume state(Heap, Mask); + + // -- Check definedness of (unfolding acc(lseg(this.next, end), write) in this.next != end ==> this.data <= this.next.data) + UnfoldingHeap := Heap; + UnfoldingMask := Mask; + assume lseg#trigger(UnfoldingHeap, lseg(UnfoldingHeap[this, next], end)); + assume UnfoldingHeap[null, lseg(UnfoldingHeap[this, next], end)] == FrameFragment((if UnfoldingHeap[this, next] != end then CombineFrames(FrameFragment(UnfoldingHeap[UnfoldingHeap[this, next], data]), CombineFrames(FrameFragment(UnfoldingHeap[UnfoldingHeap[this, next], next]), UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[this, next], next], end)])) else EmptyFrame)); + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Predicate might not be well-formed. There might be insufficient permission to access lseg(this.next, end) (linked-list-predicates.vpr@11.1--16.2) [1044]"} + perm <= UnfoldingMask[null, lseg(UnfoldingHeap[this, next], end)]; + } + UnfoldingMask[null, lseg(UnfoldingHeap[this, next], end)] := UnfoldingMask[null, lseg(UnfoldingHeap[this, next], end)] - perm; + if (UnfoldingHeap[this, next] != end) { + perm := FullPerm; + assume UnfoldingHeap[this, next] != null; + UnfoldingMask[UnfoldingHeap[this, next], data] := UnfoldingMask[UnfoldingHeap[this, next], data] + perm; + assume state(UnfoldingHeap, UnfoldingMask); + perm := FullPerm; + assume UnfoldingHeap[this, next] != null; + UnfoldingMask[UnfoldingHeap[this, next], next] := UnfoldingMask[UnfoldingHeap[this, next], next] + perm; + assume state(UnfoldingHeap, UnfoldingMask); + perm := FullPerm; + UnfoldingMask[null, lseg(UnfoldingHeap[UnfoldingHeap[this, next], next], end)] := UnfoldingMask[null, lseg(UnfoldingHeap[UnfoldingHeap[this, next], next], end)] + perm; + + // -- Extra unfolding of predicate + assume InsidePredicate(lseg(UnfoldingHeap[this, next], end), UnfoldingHeap[null, lseg(UnfoldingHeap[this, next], end)], lseg(UnfoldingHeap[UnfoldingHeap[this, next], next], end), UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[this, next], next], end)]); + assume state(UnfoldingHeap, UnfoldingMask); + + // -- Execute unfolding (for extra information) + Unfolding1Heap := UnfoldingHeap; + Unfolding1Mask := UnfoldingMask; + assume lseg#trigger(Unfolding1Heap, lseg(Unfolding1Heap[Unfolding1Heap[this, next], next], end)); + assume Unfolding1Heap[null, lseg(Unfolding1Heap[Unfolding1Heap[this, next], next], end)] == FrameFragment((if Unfolding1Heap[Unfolding1Heap[this, next], next] != end then CombineFrames(FrameFragment(Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[this, next], next], data]), CombineFrames(FrameFragment(Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[this, next], next], next]), Unfolding1Heap[null, lseg(Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[this, next], next], next], end)])) else EmptyFrame)); + perm := FullPerm; + Unfolding1Mask[null, lseg(Unfolding1Heap[Unfolding1Heap[this, next], next], end)] := Unfolding1Mask[null, lseg(Unfolding1Heap[Unfolding1Heap[this, next], next], end)] - perm; + if (Unfolding1Heap[Unfolding1Heap[this, next], next] != end) { + perm := FullPerm; + assume Unfolding1Heap[Unfolding1Heap[this, next], next] != null; + Unfolding1Mask[Unfolding1Heap[Unfolding1Heap[this, next], next], data] := Unfolding1Mask[Unfolding1Heap[Unfolding1Heap[this, next], next], data] + perm; + assume state(Unfolding1Heap, Unfolding1Mask); + perm := FullPerm; + assume Unfolding1Heap[Unfolding1Heap[this, next], next] != null; + Unfolding1Mask[Unfolding1Heap[Unfolding1Heap[this, next], next], next] := Unfolding1Mask[Unfolding1Heap[Unfolding1Heap[this, next], next], next] + perm; + assume state(Unfolding1Heap, Unfolding1Mask); + perm := FullPerm; + Unfolding1Mask[null, lseg(Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[this, next], next], next], end)] := Unfolding1Mask[null, lseg(Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[this, next], next], next], end)] + perm; + + // -- Extra unfolding of predicate + assume InsidePredicate(lseg(Unfolding1Heap[Unfolding1Heap[this, next], next], end), Unfolding1Heap[null, lseg(Unfolding1Heap[Unfolding1Heap[this, next], next], end)], lseg(Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[this, next], next], next], end), Unfolding1Heap[null, lseg(Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[this, next], next], next], end)]); + assume state(Unfolding1Heap, Unfolding1Mask); + assume Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[this, next], next], next] != end ==> Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[this, next], next], data] <= Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[this, next], next], next], data]; + + // -- Free assumptions (inhale module) + if (Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[this, next], next], next] != end) { + Unfolding1Heap[null, lseg#sm(Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[this, next], next], next], end)][Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[this, next], next], next], data] := true; + Unfolding1Heap[null, lseg#sm(Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[this, next], next], next], end)][Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[this, next], next], next], next] := true; + havoc newPMask; + assume (forall o_21: Ref, f_25: (Field A B) :: + { newPMask[o_21, f_25] } + Unfolding1Heap[null, lseg#sm(Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[this, next], next], next], end)][o_21, f_25] || Unfolding1Heap[null, lseg#sm(Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[this, next], next], next], next], end)][o_21, f_25] ==> newPMask[o_21, f_25] + ); + Unfolding1Heap[null, lseg#sm(Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[this, next], next], next], end)] := newPMask; + } + assume state(Unfolding1Heap, Unfolding1Mask); + } + assume state(Unfolding1Heap, Unfolding1Mask); + assume UnfoldingHeap[UnfoldingHeap[this, next], next] != end ==> UnfoldingHeap[UnfoldingHeap[this, next], data] <= UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, next], next], data]; + + // -- Free assumptions (inhale module) + if (UnfoldingHeap[UnfoldingHeap[this, next], next] != end) { + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[this, next], next], end)][UnfoldingHeap[UnfoldingHeap[this, next], next], data] := true; + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[this, next], next], end)][UnfoldingHeap[UnfoldingHeap[this, next], next], next] := true; + havoc newPMask; + assume (forall o_22: Ref, f_26: (Field A B) :: + { newPMask[o_22, f_26] } + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[this, next], next], end)][o_22, f_26] || UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, next], next], next], end)][o_22, f_26] ==> newPMask[o_22, f_26] + ); + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[this, next], next], end)] := newPMask; + } + assume state(UnfoldingHeap, UnfoldingMask); + } + assume state(UnfoldingHeap, UnfoldingMask); + assert {:msg " Predicate might not be well-formed. There might be insufficient permission to access this.next (linked-list-predicates.vpr@11.1--16.2) [1045]"} + HasDirectPerm(UnfoldingMask, this, next); + assert {:msg " Predicate might not be well-formed. There might be insufficient permission to access this.next (linked-list-predicates.vpr@11.1--16.2) [1046]"} + HasDirectPerm(UnfoldingMask, this, next); + if (UnfoldingHeap[this, next] != end) { + assert {:msg " Predicate might not be well-formed. There might be insufficient permission to access this.data (linked-list-predicates.vpr@11.1--16.2) [1047]"} + HasDirectPerm(UnfoldingMask, this, data); + assert {:msg " Predicate might not be well-formed. There might be insufficient permission to access this.next.data (linked-list-predicates.vpr@11.1--16.2) [1048]"} + HasDirectPerm(UnfoldingMask, UnfoldingHeap[this, next], data); + assert {:msg " Predicate might not be well-formed. There might be insufficient permission to access this.next (linked-list-predicates.vpr@11.1--16.2) [1049]"} + HasDirectPerm(UnfoldingMask, this, next); + } + + // -- Free assumptions (exp module) + if (Heap[this, next] != end) { + Heap[null, lseg#sm(Heap[this, next], end)][Heap[this, next], data] := true; + Heap[null, lseg#sm(Heap[this, next], end)][Heap[this, next], next] := true; + havoc newPMask; + assume (forall o_23: Ref, f_27: (Field A B) :: + { newPMask[o_23, f_27] } + Heap[null, lseg#sm(Heap[this, next], end)][o_23, f_27] || Heap[null, lseg#sm(Heap[Heap[this, next], next], end)][o_23, f_27] ==> newPMask[o_23, f_27] + ); + Heap[null, lseg#sm(Heap[this, next], end)] := newPMask; + } + assume state(Heap, Mask); + + // -- Execute unfolding (for extra information) + UnfoldingHeap := Heap; + UnfoldingMask := Mask; + assume lseg#trigger(UnfoldingHeap, lseg(UnfoldingHeap[this, next], end)); + assume UnfoldingHeap[null, lseg(UnfoldingHeap[this, next], end)] == FrameFragment((if UnfoldingHeap[this, next] != end then CombineFrames(FrameFragment(UnfoldingHeap[UnfoldingHeap[this, next], data]), CombineFrames(FrameFragment(UnfoldingHeap[UnfoldingHeap[this, next], next]), UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[this, next], next], end)])) else EmptyFrame)); + perm := FullPerm; + UnfoldingMask[null, lseg(UnfoldingHeap[this, next], end)] := UnfoldingMask[null, lseg(UnfoldingHeap[this, next], end)] - perm; + if (UnfoldingHeap[this, next] != end) { + perm := FullPerm; + assume UnfoldingHeap[this, next] != null; + UnfoldingMask[UnfoldingHeap[this, next], data] := UnfoldingMask[UnfoldingHeap[this, next], data] + perm; + assume state(UnfoldingHeap, UnfoldingMask); + perm := FullPerm; + assume UnfoldingHeap[this, next] != null; + UnfoldingMask[UnfoldingHeap[this, next], next] := UnfoldingMask[UnfoldingHeap[this, next], next] + perm; + assume state(UnfoldingHeap, UnfoldingMask); + perm := FullPerm; + UnfoldingMask[null, lseg(UnfoldingHeap[UnfoldingHeap[this, next], next], end)] := UnfoldingMask[null, lseg(UnfoldingHeap[UnfoldingHeap[this, next], next], end)] + perm; + + // -- Extra unfolding of predicate + assume InsidePredicate(lseg(UnfoldingHeap[this, next], end), UnfoldingHeap[null, lseg(UnfoldingHeap[this, next], end)], lseg(UnfoldingHeap[UnfoldingHeap[this, next], next], end), UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[this, next], next], end)]); + assume state(UnfoldingHeap, UnfoldingMask); + assume UnfoldingHeap[UnfoldingHeap[this, next], next] != end ==> UnfoldingHeap[UnfoldingHeap[this, next], data] <= UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, next], next], data]; + + // -- Free assumptions (inhale module) + if (UnfoldingHeap[UnfoldingHeap[this, next], next] != end) { + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[this, next], next], end)][UnfoldingHeap[UnfoldingHeap[this, next], next], data] := true; + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[this, next], next], end)][UnfoldingHeap[UnfoldingHeap[this, next], next], next] := true; + havoc newPMask; + assume (forall o_24: Ref, f_28: (Field A B) :: + { newPMask[o_24, f_28] } + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[this, next], next], end)][o_24, f_28] || UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, next], next], next], end)][o_24, f_28] ==> newPMask[o_24, f_28] + ); + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[this, next], next], end)] := newPMask; + } + assume state(UnfoldingHeap, UnfoldingMask); + } + assume state(UnfoldingHeap, UnfoldingMask); + assume Heap[this, next] != end ==> Heap[this, data] <= Heap[Heap[this, next], data]; + } + assume state(Heap, Mask); +} + +// ================================================== +// Translation of predicate List +// ================================================== + +type PredicateType_List; +function List(this: Ref): Field PredicateType_List FrameType; +function List#sm(this: Ref): Field PredicateType_List PMaskType; +axiom (forall this: Ref :: + { PredicateMaskField(List(this)) } + PredicateMaskField(List(this)) == List#sm(this) +); +axiom (forall this: Ref :: + { List(this) } + IsPredicateField(List(this)) +); +axiom (forall this: Ref :: + { List(this) } + getPredicateId(List(this)) == 1 +); +function List#trigger(Heap: HeapType, pred: (Field A FrameType)): bool; +function List#everUsed(pred: (Field A FrameType)): bool; +axiom (forall this: Ref, this2: Ref :: + { List(this), List(this2) } + List(this) == List(this2) ==> this == this2 +); +axiom (forall this: Ref, this2: Ref :: + { List#sm(this), List#sm(this2) } + List#sm(this) == List#sm(this2) ==> this == this2 +); + +axiom (forall Heap: HeapType, this: Ref :: + { List#trigger(Heap, List(this)) } + List#everUsed(List(this)) +); + +procedure List#definedness(this: Ref) returns () + modifies Heap, Mask; +{ + var perm: Perm; + + // -- Check definedness of predicate body of List + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == -1; + assume Heap[this, $allocated]; + perm := FullPerm; + assume this != null; + Mask[this, head] := Mask[this, head] + perm; + assume state(Heap, Mask); + + // -- Check definedness of acc(lseg(this.head, null), write) + assert {:msg " Predicate might not be well-formed. There might be insufficient permission to access this.head (linked-list-predicates.vpr@48.1--51.2) [1050]"} + HasDirectPerm(Mask, this, head); + perm := FullPerm; + Mask[null, lseg(Heap[this, head], null)] := Mask[null, lseg(Heap[this, head], null)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); +} + +// ================================================== +// Translation of method create +// ================================================== + +procedure create() returns (this: Ref) + modifies Heap, Mask; +{ + var PostHeap: HeapType; + var PostMask: MaskType; + var perm: Perm; + var ExhaleHeap: HeapType; + var freshObj: Ref; + var UnfoldingHeap: HeapType; + var UnfoldingMask: MaskType; + var newPMask: PMaskType; + var freshVersion: FrameType; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == -1; + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + PostHeap := Heap; + PostMask := Mask; + havoc PostHeap; + PostMask := ZeroMask; + assume state(PostHeap, PostMask); + if (*) { + // Checked inhaling of postcondition to check definedness + perm := FullPerm; + PostMask[null, List(this)] := PostMask[null, List(this)] + perm; + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + + // -- Check definedness of content(this) == Seq[Int]() + if (*) { + // Exhale precondition of function application + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Precondition of function content might not hold. There might be insufficient permission to access List(this) (linked-list-predicates.vpr@77.11--77.24) [1051]"} + perm <= PostMask[null, List(this)]; + } + PostMask[null, List(this)] := PostMask[null, List(this)] - perm; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(PostHeap, ExhaleHeap, PostMask); + PostHeap := ExhaleHeap; + // Stop execution + assume false; + } + assume Seq#Equal(content(PostHeap, this), (Seq#Empty(): Seq int)); + assume state(PostHeap, PostMask); + // Stop execution + assume false; + } + + // -- Translating statement: this := new(data, next, head, held, changed) -- linked-list-predicates.vpr@79.3--79.17 + havoc freshObj; + assume freshObj != null && !Heap[freshObj, $allocated]; + Heap[freshObj, $allocated] := true; + this := freshObj; + Mask[this, data] := Mask[this, data] + FullPerm; + Mask[this, next] := Mask[this, next] + FullPerm; + Mask[this, head] := Mask[this, head] + FullPerm; + Mask[this, held] := Mask[this, held] + FullPerm; + Mask[this, changed] := Mask[this, changed] + FullPerm; + assume state(Heap, Mask); + + // -- Translating statement: this.head := null -- linked-list-predicates.vpr@80.3--80.20 + assert {:msg " Assignment might fail. There might be insufficient permission to access this.head (linked-list-predicates.vpr@80.3--80.20) [1052]"} + FullPerm == Mask[this, head]; + Heap[this, head] := null; + assume state(Heap, Mask); + + // -- Translating statement: fold acc(lseg(this.head, null), write) -- linked-list-predicates.vpr@81.3--81.34 + + // -- Check definedness of acc(lseg(this.head, null), write) + assert {:msg " Folding lseg(this.head, null) might fail. There might be insufficient permission to access this.head (linked-list-predicates.vpr@81.3--81.34) [1053]"} + HasDirectPerm(Mask, this, head); + if (Heap[this, head] != null) { + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Folding lseg(this.head, null) might fail. There might be insufficient permission to access this.head.data (linked-list-predicates.vpr@81.3--81.34) [1055]"} + perm <= Mask[Heap[this, head], data]; + } + Mask[Heap[this, head], data] := Mask[Heap[this, head], data] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Folding lseg(this.head, null) might fail. There might be insufficient permission to access this.head.next (linked-list-predicates.vpr@81.3--81.34) [1057]"} + perm <= Mask[Heap[this, head], next]; + } + Mask[Heap[this, head], next] := Mask[Heap[this, head], next] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Folding lseg(this.head, null) might fail. There might be insufficient permission to access lseg(this.head.next, null) (linked-list-predicates.vpr@81.3--81.34) [1059]"} + perm <= Mask[null, lseg(Heap[Heap[this, head], next], null)]; + } + Mask[null, lseg(Heap[Heap[this, head], next], null)] := Mask[null, lseg(Heap[Heap[this, head], next], null)] - perm; + + // -- Record predicate instance information + assume InsidePredicate(lseg(Heap[this, head], null), Heap[null, lseg(Heap[this, head], null)], lseg(Heap[Heap[this, head], next], null), Heap[null, lseg(Heap[Heap[this, head], next], null)]); + + // -- Execute unfolding (for extra information) + UnfoldingHeap := Heap; + UnfoldingMask := Mask; + assume lseg#trigger(UnfoldingHeap, lseg(UnfoldingHeap[UnfoldingHeap[this, head], next], null)); + assume UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[this, head], next], null)] == FrameFragment((if UnfoldingHeap[UnfoldingHeap[this, head], next] != null then CombineFrames(FrameFragment(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], data]), CombineFrames(FrameFragment(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next]), UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], null)])) else EmptyFrame)); + if (UnfoldingHeap[UnfoldingHeap[this, head], next] != null) { + perm := FullPerm; + assume UnfoldingHeap[UnfoldingHeap[this, head], next] != null; + UnfoldingMask[UnfoldingHeap[UnfoldingHeap[this, head], next], data] := UnfoldingMask[UnfoldingHeap[UnfoldingHeap[this, head], next], data] + perm; + assume state(UnfoldingHeap, UnfoldingMask); + perm := FullPerm; + assume UnfoldingHeap[UnfoldingHeap[this, head], next] != null; + UnfoldingMask[UnfoldingHeap[UnfoldingHeap[this, head], next], next] := UnfoldingMask[UnfoldingHeap[UnfoldingHeap[this, head], next], next] + perm; + assume state(UnfoldingHeap, UnfoldingMask); + perm := FullPerm; + UnfoldingMask[null, lseg(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], null)] := UnfoldingMask[null, lseg(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], null)] + perm; + + // -- Extra unfolding of predicate + assume InsidePredicate(lseg(UnfoldingHeap[UnfoldingHeap[this, head], next], null), UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[this, head], next], null)], lseg(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], null), UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], null)]); + assume state(UnfoldingHeap, UnfoldingMask); + assume UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next] != null ==> UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], data] <= UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], data]; + + // -- Free assumptions (inhale module) + if (UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next] != null) { + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], null)][UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], data] := true; + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], null)][UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], next] := true; + havoc newPMask; + assume (forall o_25: Ref, f_29: (Field A B) :: + { newPMask[o_25, f_29] } + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], null)][o_25, f_29] || UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], next], null)][o_25, f_29] ==> newPMask[o_25, f_29] + ); + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], null)] := newPMask; + } + assume state(UnfoldingHeap, UnfoldingMask); + } + assume state(UnfoldingHeap, UnfoldingMask); + if (UnfoldingHeap[UnfoldingHeap[this, head], next] != null) { + assert {:msg " Folding lseg(this.head, null) might fail. Assertion this.head.data <= this.head.next.data might not hold. (linked-list-predicates.vpr@81.3--81.34) [1060]"} + UnfoldingHeap[UnfoldingHeap[this, head], data] <= UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], data]; + } + } + + // -- Free assumptions (exhale module) + if (Heap[Heap[this, head], next] != null) { + Heap[null, lseg#sm(Heap[Heap[this, head], next], null)][Heap[Heap[this, head], next], data] := true; + Heap[null, lseg#sm(Heap[Heap[this, head], next], null)][Heap[Heap[this, head], next], next] := true; + havoc newPMask; + assume (forall o_26: Ref, f_30: (Field A B) :: + { newPMask[o_26, f_30] } + Heap[null, lseg#sm(Heap[Heap[this, head], next], null)][o_26, f_30] || Heap[null, lseg#sm(Heap[Heap[Heap[this, head], next], next], null)][o_26, f_30] ==> newPMask[o_26, f_30] + ); + Heap[null, lseg#sm(Heap[Heap[this, head], next], null)] := newPMask; + } + assume state(Heap, Mask); + perm := FullPerm; + Mask[null, lseg(Heap[this, head], null)] := Mask[null, lseg(Heap[this, head], null)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume lseg#trigger(Heap, lseg(Heap[this, head], null)); + assume Heap[null, lseg(Heap[this, head], null)] == FrameFragment((if Heap[this, head] != null then CombineFrames(FrameFragment(Heap[Heap[this, head], data]), CombineFrames(FrameFragment(Heap[Heap[this, head], next]), Heap[null, lseg(Heap[Heap[this, head], next], null)])) else EmptyFrame)); + if (!HasDirectPerm(Mask, null, lseg(Heap[this, head], null))) { + Heap[null, lseg#sm(Heap[this, head], null)] := ZeroPMask; + havoc freshVersion; + Heap[null, lseg(Heap[this, head], null)] := freshVersion; + } + if (Heap[this, head] != null) { + Heap[null, lseg#sm(Heap[this, head], null)][Heap[this, head], data] := true; + Heap[null, lseg#sm(Heap[this, head], null)][Heap[this, head], next] := true; + havoc newPMask; + assume (forall o_27: Ref, f_31: (Field A B) :: + { newPMask[o_27, f_31] } + Heap[null, lseg#sm(Heap[this, head], null)][o_27, f_31] || Heap[null, lseg#sm(Heap[Heap[this, head], next], null)][o_27, f_31] ==> newPMask[o_27, f_31] + ); + Heap[null, lseg#sm(Heap[this, head], null)] := newPMask; + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: fold acc(List(this), write) -- linked-list-predicates.vpr@82.3--82.23 + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Folding List(this) might fail. There might be insufficient permission to access this.head (linked-list-predicates.vpr@82.3--82.23) [1063]"} + perm <= Mask[this, head]; + } + Mask[this, head] := Mask[this, head] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Folding List(this) might fail. There might be insufficient permission to access lseg(this.head, null) (linked-list-predicates.vpr@82.3--82.23) [1065]"} + perm <= Mask[null, lseg(Heap[this, head], null)]; + } + Mask[null, lseg(Heap[this, head], null)] := Mask[null, lseg(Heap[this, head], null)] - perm; + + // -- Record predicate instance information + assume InsidePredicate(List(this), Heap[null, List(this)], lseg(Heap[this, head], null), Heap[null, lseg(Heap[this, head], null)]); + perm := FullPerm; + Mask[null, List(this)] := Mask[null, List(this)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume List#trigger(Heap, List(this)); + assume Heap[null, List(this)] == CombineFrames(FrameFragment(Heap[this, head]), Heap[null, lseg(Heap[this, head], null)]); + if (!HasDirectPerm(Mask, null, List(this))) { + Heap[null, List#sm(this)] := ZeroPMask; + havoc freshVersion; + Heap[null, List(this)] := freshVersion; + } + Heap[null, List#sm(this)][this, head] := true; + havoc newPMask; + assume (forall o_28: Ref, f_32: (Field A B) :: + { newPMask[o_28, f_32] } + Heap[null, List#sm(this)][o_28, f_32] || Heap[null, lseg#sm(Heap[this, head], null)][o_28, f_32] ==> newPMask[o_28, f_32] + ); + Heap[null, List#sm(this)] := newPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Exhaling postcondition + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Postcondition of create might not hold. There might be insufficient permission to access List(this) (linked-list-predicates.vpr@76.11--76.26) [1067]"} + perm <= Mask[null, List(this)]; + } + Mask[null, List(this)] := Mask[null, List(this)] - perm; + assert {:msg " Postcondition of create might not hold. Assertion content(this) == Seq[Int]() might not hold. (linked-list-predicates.vpr@77.11--77.38) [1068]"} + Seq#Equal(content(Heap, this), (Seq#Empty(): Seq int)); + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; +} + +// ================================================== +// Translation of method concat +// ================================================== + +procedure vconcat(this: Ref, ptr: Ref, end: Ref) returns () + modifies Heap, Mask; +{ + var perm: Perm; + var ExhaleHeap: HeapType; + var PostHeap: HeapType; + var PostMask: MaskType; + var newVersion: FrameType; + var UnfoldingHeap: HeapType; + var UnfoldingMask: MaskType; + var newPMask: PMaskType; + var PreCallHeap: HeapType; + var PreCallMask: MaskType; + var arg_this: Ref; + var freshVersion: FrameType; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == -1; + + // -- Assumptions about method arguments + assume Heap[this, $allocated]; + assume Heap[ptr, $allocated]; + assume Heap[end, $allocated]; + + // -- Checked inhaling of precondition + perm := FullPerm; + Mask[null, lseg(this, ptr)] := Mask[null, lseg(this, ptr)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + perm := FullPerm; + Mask[null, lseg(ptr, end)] := Mask[null, lseg(ptr, end)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + if (end != null) { + perm := 1 / 2; + assert {:msg " Contract might not be well-formed. Fraction 1 / 2 might be negative. (linked-list-predicates.vpr@88.12--88.46) [1069]"} + perm >= NoPerm; + assume perm > NoPerm ==> end != null; + Mask[end, next] := Mask[end, next] + perm; + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Check definedness of 0 < |contentNodes(this, ptr)| && 0 < |contentNodes(ptr, end)| + if (*) { + // Exhale precondition of function application + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Precondition of function contentNodes might not hold. There might be insufficient permission to access lseg(this, ptr) (linked-list-predicates.vpr@89.17--89.40) [1070]"} + perm <= Mask[null, lseg(this, ptr)]; + } + Mask[null, lseg(this, ptr)] := Mask[null, lseg(this, ptr)] - perm; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } + if (0 < Seq#Length(contentNodes(Heap, this, ptr))) { + if (*) { + // Exhale precondition of function application + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Precondition of function contentNodes might not hold. There might be insufficient permission to access lseg(ptr, end) (linked-list-predicates.vpr@89.50--89.72) [1071]"} + perm <= Mask[null, lseg(ptr, end)]; + } + Mask[null, lseg(ptr, end)] := Mask[null, lseg(ptr, end)] - perm; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } + } + if (0 < Seq#Length(contentNodes(Heap, this, ptr)) && 0 < Seq#Length(contentNodes(Heap, ptr, end))) { + assume state(Heap, Mask); + + // -- Check definedness of contentNodes(this, ptr)[|contentNodes(this, ptr)| - 1] <= contentNodes(ptr, end)[0] + if (*) { + // Exhale precondition of function application + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Precondition of function contentNodes might not hold. There might be insufficient permission to access lseg(this, ptr) (linked-list-predicates.vpr@90.14--90.37) [1072]"} + perm <= Mask[null, lseg(this, ptr)]; + } + Mask[null, lseg(this, ptr)] := Mask[null, lseg(this, ptr)] - perm; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } + if (*) { + // Exhale precondition of function application + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Precondition of function contentNodes might not hold. There might be insufficient permission to access lseg(this, ptr) (linked-list-predicates.vpr@90.39--90.62) [1073]"} + perm <= Mask[null, lseg(this, ptr)]; + } + Mask[null, lseg(this, ptr)] := Mask[null, lseg(this, ptr)] - perm; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } + assert {:msg " Contract might not be well-formed. Index contentNodes(this, ptr)[|contentNodes(this, ptr)| - 1] into contentNodes(this, ptr) might be negative. (linked-list-predicates.vpr@89.12--90.95) [1074]"} + Seq#Length(contentNodes(Heap, this, ptr)) - 1 >= 0; + assert {:msg " Contract might not be well-formed. Index contentNodes(this, ptr)[|contentNodes(this, ptr)| - 1] into contentNodes(this, ptr) might exceed sequence length. (linked-list-predicates.vpr@89.12--90.95) [1075]"} + Seq#Length(contentNodes(Heap, this, ptr)) - 1 < Seq#Length(contentNodes(Heap, this, ptr)); + if (*) { + // Exhale precondition of function application + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Precondition of function contentNodes might not hold. There might be insufficient permission to access lseg(ptr, end) (linked-list-predicates.vpr@90.70--90.92) [1076]"} + perm <= Mask[null, lseg(ptr, end)]; + } + Mask[null, lseg(ptr, end)] := Mask[null, lseg(ptr, end)] - perm; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } + assert {:msg " Contract might not be well-formed. Index contentNodes(ptr, end)[0] into contentNodes(ptr, end) might exceed sequence length. (linked-list-predicates.vpr@89.12--90.95) [1077]"} + 0 < Seq#Length(contentNodes(Heap, ptr, end)); + assume Seq#Index(contentNodes(Heap, this, ptr), Seq#Length(contentNodes(Heap, this, ptr)) - 1) <= Seq#Index(contentNodes(Heap, ptr, end), 0); + } + assume state(Heap, Mask); + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + PostHeap := Heap; + PostMask := Mask; + havoc PostHeap; + PostMask := ZeroMask; + assume state(PostHeap, PostMask); + if (*) { + // Checked inhaling of postcondition to check definedness + perm := FullPerm; + PostMask[null, lseg(this, end)] := PostMask[null, lseg(this, end)] + perm; + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + + // -- Check definedness of contentNodes(this, end) == old(contentNodes(this, ptr) ++ contentNodes(ptr, end)) + if (*) { + // Exhale precondition of function application + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Precondition of function contentNodes might not hold. There might be insufficient permission to access lseg(this, end) (linked-list-predicates.vpr@92.11--92.34) [1078]"} + perm <= PostMask[null, lseg(this, end)]; + } + PostMask[null, lseg(this, end)] := PostMask[null, lseg(this, end)] - perm; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(PostHeap, ExhaleHeap, PostMask); + PostHeap := ExhaleHeap; + // Stop execution + assume false; + } + if (*) { + // Exhale precondition of function application + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Precondition of function contentNodes might not hold. There might be insufficient permission to access lseg(this, ptr) (linked-list-predicates.vpr@92.42--92.65) [1079]"} + perm <= old(Mask)[null, lseg(this, ptr)]; + } + // Finish exhale + // Stop execution + assume false; + } + if (*) { + // Exhale precondition of function application + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Precondition of function contentNodes might not hold. There might be insufficient permission to access lseg(ptr, end) (linked-list-predicates.vpr@92.69--92.91) [1080]"} + perm <= old(Mask)[null, lseg(ptr, end)]; + } + // Finish exhale + // Stop execution + assume false; + } + assume Seq#Equal(contentNodes(PostHeap, this, end), Seq#Append(contentNodes(old(Heap), this, ptr), contentNodes(old(Heap), ptr, end))); + assume state(PostHeap, PostMask); + if (end != null) { + perm := 1 / 2; + assert {:msg " Contract might not be well-formed. Fraction 1 / 2 might be negative. (linked-list-predicates.vpr@93.11--93.45) [1081]"} + perm >= NoPerm; + assume perm > NoPerm ==> end != null; + PostMask[end, next] := PostMask[end, next] + perm; + assume state(PostHeap, PostMask); + } + assume state(PostHeap, PostMask); + // Stop execution + assume false; + } + + // -- Translating statement: if (this != ptr) -- linked-list-predicates.vpr@95.3--100.4 + if (this != ptr) { + + // -- Translating statement: unfold acc(lseg(this, ptr), write) -- linked-list-predicates.vpr@97.5--97.32 + assume lseg#trigger(Heap, lseg(this, ptr)); + assume Heap[null, lseg(this, ptr)] == FrameFragment((if this != ptr then CombineFrames(FrameFragment(Heap[this, data]), CombineFrames(FrameFragment(Heap[this, next]), Heap[null, lseg(Heap[this, next], ptr)])) else EmptyFrame)); + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Unfolding lseg(this, ptr) might fail. There might be insufficient permission to access lseg(this, ptr) (linked-list-predicates.vpr@97.5--97.32) [1083]"} + perm <= Mask[null, lseg(this, ptr)]; + } + Mask[null, lseg(this, ptr)] := Mask[null, lseg(this, ptr)] - perm; + + // -- Update version of predicate + if (!HasDirectPerm(Mask, null, lseg(this, ptr))) { + havoc newVersion; + Heap[null, lseg(this, ptr)] := newVersion; + } + if (this != ptr) { + perm := FullPerm; + assume this != null; + Mask[this, data] := Mask[this, data] + perm; + assume state(Heap, Mask); + perm := FullPerm; + assume this != null; + Mask[this, next] := Mask[this, next] + perm; + assume state(Heap, Mask); + perm := FullPerm; + Mask[null, lseg(Heap[this, next], ptr)] := Mask[null, lseg(Heap[this, next], ptr)] + perm; + + // -- Extra unfolding of predicate + assume InsidePredicate(lseg(this, ptr), Heap[null, lseg(this, ptr)], lseg(Heap[this, next], ptr), Heap[null, lseg(Heap[this, next], ptr)]); + assume state(Heap, Mask); + + // -- Execute unfolding (for extra information) + UnfoldingHeap := Heap; + UnfoldingMask := Mask; + assume lseg#trigger(UnfoldingHeap, lseg(UnfoldingHeap[this, next], ptr)); + assume UnfoldingHeap[null, lseg(UnfoldingHeap[this, next], ptr)] == FrameFragment((if UnfoldingHeap[this, next] != ptr then CombineFrames(FrameFragment(UnfoldingHeap[UnfoldingHeap[this, next], data]), CombineFrames(FrameFragment(UnfoldingHeap[UnfoldingHeap[this, next], next]), UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[this, next], next], ptr)])) else EmptyFrame)); + perm := FullPerm; + UnfoldingMask[null, lseg(UnfoldingHeap[this, next], ptr)] := UnfoldingMask[null, lseg(UnfoldingHeap[this, next], ptr)] - perm; + if (UnfoldingHeap[this, next] != ptr) { + perm := FullPerm; + assume UnfoldingHeap[this, next] != null; + UnfoldingMask[UnfoldingHeap[this, next], data] := UnfoldingMask[UnfoldingHeap[this, next], data] + perm; + assume state(UnfoldingHeap, UnfoldingMask); + perm := FullPerm; + assume UnfoldingHeap[this, next] != null; + UnfoldingMask[UnfoldingHeap[this, next], next] := UnfoldingMask[UnfoldingHeap[this, next], next] + perm; + assume state(UnfoldingHeap, UnfoldingMask); + perm := FullPerm; + UnfoldingMask[null, lseg(UnfoldingHeap[UnfoldingHeap[this, next], next], ptr)] := UnfoldingMask[null, lseg(UnfoldingHeap[UnfoldingHeap[this, next], next], ptr)] + perm; + + // -- Extra unfolding of predicate + assume InsidePredicate(lseg(UnfoldingHeap[this, next], ptr), UnfoldingHeap[null, lseg(UnfoldingHeap[this, next], ptr)], lseg(UnfoldingHeap[UnfoldingHeap[this, next], next], ptr), UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[this, next], next], ptr)]); + assume state(UnfoldingHeap, UnfoldingMask); + assume UnfoldingHeap[UnfoldingHeap[this, next], next] != ptr ==> UnfoldingHeap[UnfoldingHeap[this, next], data] <= UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, next], next], data]; + + // -- Free assumptions (inhale module) + if (UnfoldingHeap[UnfoldingHeap[this, next], next] != ptr) { + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[this, next], next], ptr)][UnfoldingHeap[UnfoldingHeap[this, next], next], data] := true; + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[this, next], next], ptr)][UnfoldingHeap[UnfoldingHeap[this, next], next], next] := true; + havoc newPMask; + assume (forall o_29: Ref, f_33: (Field A B) :: + { newPMask[o_29, f_33] } + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[this, next], next], ptr)][o_29, f_33] || UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, next], next], next], ptr)][o_29, f_33] ==> newPMask[o_29, f_33] + ); + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[this, next], next], ptr)] := newPMask; + } + assume state(UnfoldingHeap, UnfoldingMask); + } + assume state(UnfoldingHeap, UnfoldingMask); + assume Heap[this, next] != ptr ==> Heap[this, data] <= Heap[Heap[this, next], data]; + + // -- Free assumptions (inhale module) + if (Heap[this, next] != ptr) { + Heap[null, lseg#sm(Heap[this, next], ptr)][Heap[this, next], data] := true; + Heap[null, lseg#sm(Heap[this, next], ptr)][Heap[this, next], next] := true; + havoc newPMask; + assume (forall o_30: Ref, f_34: (Field A B) :: + { newPMask[o_30, f_34] } + Heap[null, lseg#sm(Heap[this, next], ptr)][o_30, f_34] || Heap[null, lseg#sm(Heap[Heap[this, next], next], ptr)][o_30, f_34] ==> newPMask[o_30, f_34] + ); + Heap[null, lseg#sm(Heap[this, next], ptr)] := newPMask; + } + assume state(Heap, Mask); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: concat(this.next, ptr, end) -- linked-list-predicates.vpr@98.5--98.32 + PreCallHeap := Heap; + PreCallMask := Mask; + + // -- Check definedness of this.next + assert {:msg " Method call might fail. There might be insufficient permission to access this.next (linked-list-predicates.vpr@98.5--98.32) [1087]"} + HasDirectPerm(Mask, this, next); + arg_this := Heap[this, next]; + + // -- Exhaling precondition + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " The precondition of method concat might not hold. There might be insufficient permission to access lseg(this.next, ptr) (linked-list-predicates.vpr@98.5--98.32) [1088]"} + perm <= Mask[null, lseg(arg_this, ptr)]; + } + Mask[null, lseg(arg_this, ptr)] := Mask[null, lseg(arg_this, ptr)] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " The precondition of method concat might not hold. There might be insufficient permission to access lseg(ptr, end) (linked-list-predicates.vpr@98.5--98.32) [1089]"} + perm <= Mask[null, lseg(ptr, end)]; + } + Mask[null, lseg(ptr, end)] := Mask[null, lseg(ptr, end)] - perm; + if (end != null) { + assert {:msg " The precondition of method concat might not hold. Fraction 1 / 2 might be negative. (linked-list-predicates.vpr@98.5--98.32) [1090]"} + 1 / 2 >= NoPerm; + perm := 1 / 2; + if (perm != NoPerm) { + assert {:msg " The precondition of method concat might not hold. There might be insufficient permission to access end.next (linked-list-predicates.vpr@98.5--98.32) [1091]"} + perm <= Mask[end, next]; + } + Mask[end, next] := Mask[end, next] - perm; + } + if (0 < Seq#Length(contentNodes(Heap, arg_this, ptr)) && 0 < Seq#Length(contentNodes(Heap, ptr, end))) { + assert {:msg " The precondition of method concat might not hold. Assertion contentNodes(this.next, ptr)[|contentNodes(this.next, ptr)| - 1] <= contentNodes(ptr, end)[0] might not hold. (linked-list-predicates.vpr@98.5--98.32) [1092]"} + Seq#Index(contentNodes(Heap, arg_this, ptr), Seq#Length(contentNodes(Heap, arg_this, ptr)) - 1) <= Seq#Index(contentNodes(Heap, ptr, end), 0); + } + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + + // -- Inhaling postcondition + perm := FullPerm; + Mask[null, lseg(arg_this, end)] := Mask[null, lseg(arg_this, end)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume Seq#Equal(contentNodes(Heap, arg_this, end), Seq#Append(contentNodes(old(PreCallHeap), arg_this, ptr), contentNodes(old(PreCallHeap), ptr, end))); + if (end != null) { + perm := 1 / 2; + assert {:msg " Method call might fail. Fraction 1 / 2 might be negative. (linked-list-predicates.vpr@98.5--98.32) [1093]"} + perm >= NoPerm; + assume perm > NoPerm ==> end != null; + Mask[end, next] := Mask[end, next] + perm; + assume state(Heap, Mask); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: fold acc(lseg(this, end), write) -- linked-list-predicates.vpr@99.5--99.30 + if (this != end) { + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Folding lseg(this, end) might fail. There might be insufficient permission to access this.data (linked-list-predicates.vpr@99.5--99.30) [1095]"} + perm <= Mask[this, data]; + } + Mask[this, data] := Mask[this, data] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Folding lseg(this, end) might fail. There might be insufficient permission to access this.next (linked-list-predicates.vpr@99.5--99.30) [1097]"} + perm <= Mask[this, next]; + } + Mask[this, next] := Mask[this, next] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Folding lseg(this, end) might fail. There might be insufficient permission to access lseg(this.next, end) (linked-list-predicates.vpr@99.5--99.30) [1099]"} + perm <= Mask[null, lseg(Heap[this, next], end)]; + } + Mask[null, lseg(Heap[this, next], end)] := Mask[null, lseg(Heap[this, next], end)] - perm; + + // -- Record predicate instance information + assume InsidePredicate(lseg(this, end), Heap[null, lseg(this, end)], lseg(Heap[this, next], end), Heap[null, lseg(Heap[this, next], end)]); + + // -- Execute unfolding (for extra information) + UnfoldingHeap := Heap; + UnfoldingMask := Mask; + assume lseg#trigger(UnfoldingHeap, lseg(UnfoldingHeap[this, next], end)); + assume UnfoldingHeap[null, lseg(UnfoldingHeap[this, next], end)] == FrameFragment((if UnfoldingHeap[this, next] != end then CombineFrames(FrameFragment(UnfoldingHeap[UnfoldingHeap[this, next], data]), CombineFrames(FrameFragment(UnfoldingHeap[UnfoldingHeap[this, next], next]), UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[this, next], next], end)])) else EmptyFrame)); + if (UnfoldingHeap[this, next] != end) { + perm := FullPerm; + assume UnfoldingHeap[this, next] != null; + UnfoldingMask[UnfoldingHeap[this, next], data] := UnfoldingMask[UnfoldingHeap[this, next], data] + perm; + assume state(UnfoldingHeap, UnfoldingMask); + perm := FullPerm; + assume UnfoldingHeap[this, next] != null; + UnfoldingMask[UnfoldingHeap[this, next], next] := UnfoldingMask[UnfoldingHeap[this, next], next] + perm; + assume state(UnfoldingHeap, UnfoldingMask); + perm := FullPerm; + UnfoldingMask[null, lseg(UnfoldingHeap[UnfoldingHeap[this, next], next], end)] := UnfoldingMask[null, lseg(UnfoldingHeap[UnfoldingHeap[this, next], next], end)] + perm; + + // -- Extra unfolding of predicate + assume InsidePredicate(lseg(UnfoldingHeap[this, next], end), UnfoldingHeap[null, lseg(UnfoldingHeap[this, next], end)], lseg(UnfoldingHeap[UnfoldingHeap[this, next], next], end), UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[this, next], next], end)]); + assume state(UnfoldingHeap, UnfoldingMask); + assume UnfoldingHeap[UnfoldingHeap[this, next], next] != end ==> UnfoldingHeap[UnfoldingHeap[this, next], data] <= UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, next], next], data]; + + // -- Free assumptions (inhale module) + if (UnfoldingHeap[UnfoldingHeap[this, next], next] != end) { + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[this, next], next], end)][UnfoldingHeap[UnfoldingHeap[this, next], next], data] := true; + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[this, next], next], end)][UnfoldingHeap[UnfoldingHeap[this, next], next], next] := true; + havoc newPMask; + assume (forall o_31: Ref, f_35: (Field A B) :: + { newPMask[o_31, f_35] } + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[this, next], next], end)][o_31, f_35] || UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, next], next], next], end)][o_31, f_35] ==> newPMask[o_31, f_35] + ); + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[this, next], next], end)] := newPMask; + } + assume state(UnfoldingHeap, UnfoldingMask); + } + assume state(UnfoldingHeap, UnfoldingMask); + if (UnfoldingHeap[this, next] != end) { + assert {:msg " Folding lseg(this, end) might fail. Assertion this.data <= this.next.data might not hold. (linked-list-predicates.vpr@99.5--99.30) [1100]"} + UnfoldingHeap[this, data] <= UnfoldingHeap[UnfoldingHeap[this, next], data]; + } + } + + // -- Free assumptions (exhale module) + if (Heap[this, next] != end) { + Heap[null, lseg#sm(Heap[this, next], end)][Heap[this, next], data] := true; + Heap[null, lseg#sm(Heap[this, next], end)][Heap[this, next], next] := true; + havoc newPMask; + assume (forall o_32: Ref, f_36: (Field A B) :: + { newPMask[o_32, f_36] } + Heap[null, lseg#sm(Heap[this, next], end)][o_32, f_36] || Heap[null, lseg#sm(Heap[Heap[this, next], next], end)][o_32, f_36] ==> newPMask[o_32, f_36] + ); + Heap[null, lseg#sm(Heap[this, next], end)] := newPMask; + } + assume state(Heap, Mask); + perm := FullPerm; + Mask[null, lseg(this, end)] := Mask[null, lseg(this, end)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume lseg#trigger(Heap, lseg(this, end)); + assume Heap[null, lseg(this, end)] == FrameFragment((if this != end then CombineFrames(FrameFragment(Heap[this, data]), CombineFrames(FrameFragment(Heap[this, next]), Heap[null, lseg(Heap[this, next], end)])) else EmptyFrame)); + if (!HasDirectPerm(Mask, null, lseg(this, end))) { + Heap[null, lseg#sm(this, end)] := ZeroPMask; + havoc freshVersion; + Heap[null, lseg(this, end)] := freshVersion; + } + if (this != end) { + Heap[null, lseg#sm(this, end)][this, data] := true; + Heap[null, lseg#sm(this, end)][this, next] := true; + havoc newPMask; + assume (forall o_33: Ref, f_37: (Field A B) :: + { newPMask[o_33, f_37] } + Heap[null, lseg#sm(this, end)][o_33, f_37] || Heap[null, lseg#sm(Heap[this, next], end)][o_33, f_37] ==> newPMask[o_33, f_37] + ); + Heap[null, lseg#sm(this, end)] := newPMask; + } + assume state(Heap, Mask); + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Exhaling postcondition + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Postcondition of concat might not hold. There might be insufficient permission to access lseg(this, end) (linked-list-predicates.vpr@91.12--91.32) [1102]"} + perm <= Mask[null, lseg(this, end)]; + } + Mask[null, lseg(this, end)] := Mask[null, lseg(this, end)] - perm; + assert {:msg " Postcondition of concat might not hold. Assertion contentNodes(this, end) == old(contentNodes(this, ptr) ++ contentNodes(ptr, end)) might not hold. (linked-list-predicates.vpr@92.11--92.92) [1103]"} + Seq#Equal(contentNodes(Heap, this, end), Seq#Append(contentNodes(old(Heap), this, ptr), contentNodes(old(Heap), ptr, end))); + if (end != null) { + assert {:msg " Postcondition of concat might not hold. Fraction 1 / 2 might be negative. (linked-list-predicates.vpr@93.11--93.45) [1104]"} + 1 / 2 >= NoPerm; + perm := 1 / 2; + if (perm != NoPerm) { + assert {:msg " Postcondition of concat might not hold. There might be insufficient permission to access end.next (linked-list-predicates.vpr@93.11--93.45) [1105]"} + perm <= Mask[end, next]; + } + Mask[end, next] := Mask[end, next] - perm; + } + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; +} + +// ================================================== +// Translation of method insert +// ================================================== + +procedure insert(this: Ref, elem: int) returns (index: int) + modifies Heap, Mask; +{ + var perm: Perm; + var PostHeap: HeapType; + var PostMask: MaskType; + var ExhaleHeap: HeapType; + var tmp: Ref; + var newVersion: FrameType; + var UnfoldingHeap: HeapType; + var UnfoldingMask: MaskType; + var newPMask: PMaskType; + var freshObj: Ref; + var freshVersion: FrameType; + var ptr: Ref; + var i: int; + var i_2: int; + var i_4: int; + var i_6: int; + var loopHeap: HeapType; + var loopMask: MaskType; + var Unfolding1Heap: HeapType; + var Unfolding1Mask: MaskType; + var ptrn: Ref; + var PreCallHeap: HeapType; + var PreCallMask: MaskType; + var arg_this: Ref; + var i_10: int; + var i_12: int; + var arg_this_1: Ref; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == -1; + + // -- Assumptions about method arguments + assume Heap[this, $allocated]; + + // -- Checked inhaling of precondition + perm := FullPerm; + Mask[null, List(this)] := Mask[null, List(this)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + PostHeap := Heap; + PostMask := Mask; + havoc PostHeap; + PostMask := ZeroMask; + assume state(PostHeap, PostMask); + if (*) { + // Checked inhaling of postcondition to check definedness + perm := FullPerm; + PostMask[null, List(this)] := PostMask[null, List(this)] + perm; + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + assume 0 <= index; + assume state(PostHeap, PostMask); + + // -- Check definedness of index <= |old(content(this))| + if (*) { + // Exhale precondition of function application + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Precondition of function content might not hold. There might be insufficient permission to access List(this) (linked-list-predicates.vpr@106.39--106.52) [1106]"} + perm <= old(Mask)[null, List(this)]; + } + // Finish exhale + // Stop execution + assume false; + } + assume index <= Seq#Length(content(old(Heap), this)); + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + + // -- Check definedness of content(this) == old(content(this))[0..index] ++ Seq(elem) ++ old(content(this))[index..] + if (*) { + // Exhale precondition of function application + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Precondition of function content might not hold. There might be insufficient permission to access List(this) (linked-list-predicates.vpr@107.11--107.24) [1107]"} + perm <= PostMask[null, List(this)]; + } + PostMask[null, List(this)] := PostMask[null, List(this)] - perm; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(PostHeap, ExhaleHeap, PostMask); + PostHeap := ExhaleHeap; + // Stop execution + assume false; + } + if (*) { + // Exhale precondition of function application + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Precondition of function content might not hold. There might be insufficient permission to access List(this) (linked-list-predicates.vpr@107.32--107.45) [1108]"} + perm <= old(Mask)[null, List(this)]; + } + // Finish exhale + // Stop execution + assume false; + } + if (*) { + // Exhale precondition of function application + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Precondition of function content might not hold. There might be insufficient permission to access List(this) (linked-list-predicates.vpr@107.77--107.90) [1109]"} + perm <= old(Mask)[null, List(this)]; + } + // Finish exhale + // Stop execution + assume false; + } + assume Seq#Equal(content(PostHeap, this), Seq#Append(Seq#Append(Seq#Drop(Seq#Take(content(old(Heap), this), index), 0), Seq#Singleton(elem)), Seq#Drop(content(old(Heap), this), index))); + assume state(PostHeap, PostMask); + // Stop execution + assume false; + } + + // -- Assumptions about local variables + assume Heap[tmp, $allocated]; + + // -- Translating statement: index := 0 -- linked-list-predicates.vpr@110.3--110.13 + index := 0; + assume state(Heap, Mask); + + // -- Translating statement: unfold acc(List(this), write) -- linked-list-predicates.vpr@112.3--112.25 + assume List#trigger(Heap, List(this)); + assume Heap[null, List(this)] == CombineFrames(FrameFragment(Heap[this, head]), Heap[null, lseg(Heap[this, head], null)]); + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Unfolding List(this) might fail. There might be insufficient permission to access List(this) (linked-list-predicates.vpr@112.3--112.25) [1111]"} + perm <= Mask[null, List(this)]; + } + Mask[null, List(this)] := Mask[null, List(this)] - perm; + + // -- Update version of predicate + if (!HasDirectPerm(Mask, null, List(this))) { + havoc newVersion; + Heap[null, List(this)] := newVersion; + } + perm := FullPerm; + assume this != null; + Mask[this, head] := Mask[this, head] + perm; + assume state(Heap, Mask); + perm := FullPerm; + Mask[null, lseg(Heap[this, head], null)] := Mask[null, lseg(Heap[this, head], null)] + perm; + + // -- Extra unfolding of predicate + assume InsidePredicate(List(this), Heap[null, List(this)], lseg(Heap[this, head], null), Heap[null, lseg(Heap[this, head], null)]); + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: if (this.head != null) -- linked-list-predicates.vpr@114.3--116.4 + + // -- Check definedness of this.head != null + assert {:msg " Conditional statement might fail. There might be insufficient permission to access this.head (linked-list-predicates.vpr@114.6--114.23) [1114]"} + HasDirectPerm(Mask, this, head); + if (Heap[this, head] != null) { + + // -- Translating statement: unfold acc(lseg(this.head, null), write) -- linked-list-predicates.vpr@115.5--115.38 + + // -- Check definedness of acc(lseg(this.head, null), write) + assert {:msg " Unfolding lseg(this.head, null) might fail. There might be insufficient permission to access this.head (linked-list-predicates.vpr@115.5--115.38) [1115]"} + HasDirectPerm(Mask, this, head); + assume lseg#trigger(Heap, lseg(Heap[this, head], null)); + assume Heap[null, lseg(Heap[this, head], null)] == FrameFragment((if Heap[this, head] != null then CombineFrames(FrameFragment(Heap[Heap[this, head], data]), CombineFrames(FrameFragment(Heap[Heap[this, head], next]), Heap[null, lseg(Heap[Heap[this, head], next], null)])) else EmptyFrame)); + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Unfolding lseg(this.head, null) might fail. There might be insufficient permission to access lseg(this.head, null) (linked-list-predicates.vpr@115.5--115.38) [1117]"} + perm <= Mask[null, lseg(Heap[this, head], null)]; + } + Mask[null, lseg(Heap[this, head], null)] := Mask[null, lseg(Heap[this, head], null)] - perm; + + // -- Update version of predicate + if (!HasDirectPerm(Mask, null, lseg(Heap[this, head], null))) { + havoc newVersion; + Heap[null, lseg(Heap[this, head], null)] := newVersion; + } + if (Heap[this, head] != null) { + perm := FullPerm; + assume Heap[this, head] != null; + Mask[Heap[this, head], data] := Mask[Heap[this, head], data] + perm; + assume state(Heap, Mask); + perm := FullPerm; + assume Heap[this, head] != null; + Mask[Heap[this, head], next] := Mask[Heap[this, head], next] + perm; + assume state(Heap, Mask); + perm := FullPerm; + Mask[null, lseg(Heap[Heap[this, head], next], null)] := Mask[null, lseg(Heap[Heap[this, head], next], null)] + perm; + + // -- Extra unfolding of predicate + assume InsidePredicate(lseg(Heap[this, head], null), Heap[null, lseg(Heap[this, head], null)], lseg(Heap[Heap[this, head], next], null), Heap[null, lseg(Heap[Heap[this, head], next], null)]); + assume state(Heap, Mask); + + // -- Execute unfolding (for extra information) + UnfoldingHeap := Heap; + UnfoldingMask := Mask; + assume lseg#trigger(UnfoldingHeap, lseg(UnfoldingHeap[UnfoldingHeap[this, head], next], null)); + assume UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[this, head], next], null)] == FrameFragment((if UnfoldingHeap[UnfoldingHeap[this, head], next] != null then CombineFrames(FrameFragment(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], data]), CombineFrames(FrameFragment(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next]), UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], null)])) else EmptyFrame)); + perm := FullPerm; + UnfoldingMask[null, lseg(UnfoldingHeap[UnfoldingHeap[this, head], next], null)] := UnfoldingMask[null, lseg(UnfoldingHeap[UnfoldingHeap[this, head], next], null)] - perm; + if (UnfoldingHeap[UnfoldingHeap[this, head], next] != null) { + perm := FullPerm; + assume UnfoldingHeap[UnfoldingHeap[this, head], next] != null; + UnfoldingMask[UnfoldingHeap[UnfoldingHeap[this, head], next], data] := UnfoldingMask[UnfoldingHeap[UnfoldingHeap[this, head], next], data] + perm; + assume state(UnfoldingHeap, UnfoldingMask); + perm := FullPerm; + assume UnfoldingHeap[UnfoldingHeap[this, head], next] != null; + UnfoldingMask[UnfoldingHeap[UnfoldingHeap[this, head], next], next] := UnfoldingMask[UnfoldingHeap[UnfoldingHeap[this, head], next], next] + perm; + assume state(UnfoldingHeap, UnfoldingMask); + perm := FullPerm; + UnfoldingMask[null, lseg(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], null)] := UnfoldingMask[null, lseg(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], null)] + perm; + + // -- Extra unfolding of predicate + assume InsidePredicate(lseg(UnfoldingHeap[UnfoldingHeap[this, head], next], null), UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[this, head], next], null)], lseg(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], null), UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], null)]); + assume state(UnfoldingHeap, UnfoldingMask); + assume UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next] != null ==> UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], data] <= UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], data]; + + // -- Free assumptions (inhale module) + if (UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next] != null) { + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], null)][UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], data] := true; + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], null)][UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], next] := true; + havoc newPMask; + assume (forall o_34: Ref, f_38: (Field A B) :: + { newPMask[o_34, f_38] } + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], null)][o_34, f_38] || UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], next], null)][o_34, f_38] ==> newPMask[o_34, f_38] + ); + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], null)] := newPMask; + } + assume state(UnfoldingHeap, UnfoldingMask); + } + assume state(UnfoldingHeap, UnfoldingMask); + assume Heap[Heap[this, head], next] != null ==> Heap[Heap[this, head], data] <= Heap[Heap[Heap[this, head], next], data]; + + // -- Free assumptions (inhale module) + if (Heap[Heap[this, head], next] != null) { + Heap[null, lseg#sm(Heap[Heap[this, head], next], null)][Heap[Heap[this, head], next], data] := true; + Heap[null, lseg#sm(Heap[Heap[this, head], next], null)][Heap[Heap[this, head], next], next] := true; + havoc newPMask; + assume (forall o_35: Ref, f_39: (Field A B) :: + { newPMask[o_35, f_39] } + Heap[null, lseg#sm(Heap[Heap[this, head], next], null)][o_35, f_39] || Heap[null, lseg#sm(Heap[Heap[Heap[this, head], next], next], null)][o_35, f_39] ==> newPMask[o_35, f_39] + ); + Heap[null, lseg#sm(Heap[Heap[this, head], next], null)] := newPMask; + } + assume state(Heap, Mask); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Translating statement: if (this.head == null || elem <= this.head.data) -- linked-list-predicates.vpr@118.3--161.4 + + // -- Check definedness of this.head == null || elem <= this.head.data + assert {:msg " Conditional statement might fail. There might be insufficient permission to access this.head (linked-list-predicates.vpr@118.6--118.49) [1121]"} + HasDirectPerm(Mask, this, head); + if (!(Heap[this, head] == null)) { + assert {:msg " Conditional statement might fail. There might be insufficient permission to access this.head.data (linked-list-predicates.vpr@118.6--118.49) [1122]"} + HasDirectPerm(Mask, Heap[this, head], data); + assert {:msg " Conditional statement might fail. There might be insufficient permission to access this.head (linked-list-predicates.vpr@118.6--118.49) [1123]"} + HasDirectPerm(Mask, this, head); + } + if (Heap[this, head] == null || elem <= Heap[Heap[this, head], data]) { + + // -- Translating statement: tmp := new(data, next, head, held, changed) -- linked-list-predicates.vpr@119.5--119.18 + havoc freshObj; + assume freshObj != null && !Heap[freshObj, $allocated]; + Heap[freshObj, $allocated] := true; + tmp := freshObj; + Mask[tmp, data] := Mask[tmp, data] + FullPerm; + Mask[tmp, next] := Mask[tmp, next] + FullPerm; + Mask[tmp, head] := Mask[tmp, head] + FullPerm; + Mask[tmp, held] := Mask[tmp, held] + FullPerm; + Mask[tmp, changed] := Mask[tmp, changed] + FullPerm; + assume state(Heap, Mask); + + // -- Translating statement: tmp.data := elem -- linked-list-predicates.vpr@120.5--120.21 + assert {:msg " Assignment might fail. There might be insufficient permission to access tmp.data (linked-list-predicates.vpr@120.5--120.21) [1124]"} + FullPerm == Mask[tmp, data]; + Heap[tmp, data] := elem; + assume state(Heap, Mask); + + // -- Translating statement: tmp.next := this.head -- linked-list-predicates.vpr@121.5--121.26 + + // -- Check definedness of this.head + assert {:msg " Assignment might fail. There might be insufficient permission to access this.head (linked-list-predicates.vpr@121.5--121.26) [1125]"} + HasDirectPerm(Mask, this, head); + assert {:msg " Assignment might fail. There might be insufficient permission to access tmp.next (linked-list-predicates.vpr@121.5--121.26) [1126]"} + FullPerm == Mask[tmp, next]; + Heap[tmp, next] := Heap[this, head]; + assume state(Heap, Mask); + + // -- Translating statement: fold acc(lseg(this.head, null), write) -- linked-list-predicates.vpr@122.5--122.36 + + // -- Check definedness of acc(lseg(this.head, null), write) + assert {:msg " Folding lseg(this.head, null) might fail. There might be insufficient permission to access this.head (linked-list-predicates.vpr@122.5--122.36) [1127]"} + HasDirectPerm(Mask, this, head); + if (Heap[this, head] != null) { + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Folding lseg(this.head, null) might fail. There might be insufficient permission to access this.head.data (linked-list-predicates.vpr@122.5--122.36) [1129]"} + perm <= Mask[Heap[this, head], data]; + } + Mask[Heap[this, head], data] := Mask[Heap[this, head], data] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Folding lseg(this.head, null) might fail. There might be insufficient permission to access this.head.next (linked-list-predicates.vpr@122.5--122.36) [1131]"} + perm <= Mask[Heap[this, head], next]; + } + Mask[Heap[this, head], next] := Mask[Heap[this, head], next] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Folding lseg(this.head, null) might fail. There might be insufficient permission to access lseg(this.head.next, null) (linked-list-predicates.vpr@122.5--122.36) [1133]"} + perm <= Mask[null, lseg(Heap[Heap[this, head], next], null)]; + } + Mask[null, lseg(Heap[Heap[this, head], next], null)] := Mask[null, lseg(Heap[Heap[this, head], next], null)] - perm; + + // -- Record predicate instance information + assume InsidePredicate(lseg(Heap[this, head], null), Heap[null, lseg(Heap[this, head], null)], lseg(Heap[Heap[this, head], next], null), Heap[null, lseg(Heap[Heap[this, head], next], null)]); + + // -- Execute unfolding (for extra information) + UnfoldingHeap := Heap; + UnfoldingMask := Mask; + assume lseg#trigger(UnfoldingHeap, lseg(UnfoldingHeap[UnfoldingHeap[this, head], next], null)); + assume UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[this, head], next], null)] == FrameFragment((if UnfoldingHeap[UnfoldingHeap[this, head], next] != null then CombineFrames(FrameFragment(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], data]), CombineFrames(FrameFragment(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next]), UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], null)])) else EmptyFrame)); + if (UnfoldingHeap[UnfoldingHeap[this, head], next] != null) { + perm := FullPerm; + assume UnfoldingHeap[UnfoldingHeap[this, head], next] != null; + UnfoldingMask[UnfoldingHeap[UnfoldingHeap[this, head], next], data] := UnfoldingMask[UnfoldingHeap[UnfoldingHeap[this, head], next], data] + perm; + assume state(UnfoldingHeap, UnfoldingMask); + perm := FullPerm; + assume UnfoldingHeap[UnfoldingHeap[this, head], next] != null; + UnfoldingMask[UnfoldingHeap[UnfoldingHeap[this, head], next], next] := UnfoldingMask[UnfoldingHeap[UnfoldingHeap[this, head], next], next] + perm; + assume state(UnfoldingHeap, UnfoldingMask); + perm := FullPerm; + UnfoldingMask[null, lseg(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], null)] := UnfoldingMask[null, lseg(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], null)] + perm; + + // -- Extra unfolding of predicate + assume InsidePredicate(lseg(UnfoldingHeap[UnfoldingHeap[this, head], next], null), UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[this, head], next], null)], lseg(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], null), UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], null)]); + assume state(UnfoldingHeap, UnfoldingMask); + assume UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next] != null ==> UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], data] <= UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], data]; + + // -- Free assumptions (inhale module) + if (UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next] != null) { + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], null)][UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], data] := true; + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], null)][UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], next] := true; + havoc newPMask; + assume (forall o_36: Ref, f_40: (Field A B) :: + { newPMask[o_36, f_40] } + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], null)][o_36, f_40] || UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], next], null)][o_36, f_40] ==> newPMask[o_36, f_40] + ); + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], null)] := newPMask; + } + assume state(UnfoldingHeap, UnfoldingMask); + } + assume state(UnfoldingHeap, UnfoldingMask); + if (UnfoldingHeap[UnfoldingHeap[this, head], next] != null) { + assert {:msg " Folding lseg(this.head, null) might fail. Assertion this.head.data <= this.head.next.data might not hold. (linked-list-predicates.vpr@122.5--122.36) [1134]"} + UnfoldingHeap[UnfoldingHeap[this, head], data] <= UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], data]; + } + } + + // -- Free assumptions (exhale module) + if (Heap[Heap[this, head], next] != null) { + Heap[null, lseg#sm(Heap[Heap[this, head], next], null)][Heap[Heap[this, head], next], data] := true; + Heap[null, lseg#sm(Heap[Heap[this, head], next], null)][Heap[Heap[this, head], next], next] := true; + havoc newPMask; + assume (forall o_37: Ref, f_41: (Field A B) :: + { newPMask[o_37, f_41] } + Heap[null, lseg#sm(Heap[Heap[this, head], next], null)][o_37, f_41] || Heap[null, lseg#sm(Heap[Heap[Heap[this, head], next], next], null)][o_37, f_41] ==> newPMask[o_37, f_41] + ); + Heap[null, lseg#sm(Heap[Heap[this, head], next], null)] := newPMask; + } + assume state(Heap, Mask); + perm := FullPerm; + Mask[null, lseg(Heap[this, head], null)] := Mask[null, lseg(Heap[this, head], null)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume lseg#trigger(Heap, lseg(Heap[this, head], null)); + assume Heap[null, lseg(Heap[this, head], null)] == FrameFragment((if Heap[this, head] != null then CombineFrames(FrameFragment(Heap[Heap[this, head], data]), CombineFrames(FrameFragment(Heap[Heap[this, head], next]), Heap[null, lseg(Heap[Heap[this, head], next], null)])) else EmptyFrame)); + if (!HasDirectPerm(Mask, null, lseg(Heap[this, head], null))) { + Heap[null, lseg#sm(Heap[this, head], null)] := ZeroPMask; + havoc freshVersion; + Heap[null, lseg(Heap[this, head], null)] := freshVersion; + } + if (Heap[this, head] != null) { + Heap[null, lseg#sm(Heap[this, head], null)][Heap[this, head], data] := true; + Heap[null, lseg#sm(Heap[this, head], null)][Heap[this, head], next] := true; + havoc newPMask; + assume (forall o_38: Ref, f_42: (Field A B) :: + { newPMask[o_38, f_42] } + Heap[null, lseg#sm(Heap[this, head], null)][o_38, f_42] || Heap[null, lseg#sm(Heap[Heap[this, head], next], null)][o_38, f_42] ==> newPMask[o_38, f_42] + ); + Heap[null, lseg#sm(Heap[this, head], null)] := newPMask; + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: fold acc(lseg(tmp, null), write) -- linked-list-predicates.vpr@123.5--123.30 + if (tmp != null) { + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Folding lseg(tmp, null) might fail. There might be insufficient permission to access tmp.data (linked-list-predicates.vpr@123.5--123.30) [1137]"} + perm <= Mask[tmp, data]; + } + Mask[tmp, data] := Mask[tmp, data] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Folding lseg(tmp, null) might fail. There might be insufficient permission to access tmp.next (linked-list-predicates.vpr@123.5--123.30) [1139]"} + perm <= Mask[tmp, next]; + } + Mask[tmp, next] := Mask[tmp, next] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Folding lseg(tmp, null) might fail. There might be insufficient permission to access lseg(tmp.next, null) (linked-list-predicates.vpr@123.5--123.30) [1141]"} + perm <= Mask[null, lseg(Heap[tmp, next], null)]; + } + Mask[null, lseg(Heap[tmp, next], null)] := Mask[null, lseg(Heap[tmp, next], null)] - perm; + + // -- Record predicate instance information + assume InsidePredicate(lseg(tmp, null), Heap[null, lseg(tmp, null)], lseg(Heap[tmp, next], null), Heap[null, lseg(Heap[tmp, next], null)]); + + // -- Execute unfolding (for extra information) + UnfoldingHeap := Heap; + UnfoldingMask := Mask; + assume lseg#trigger(UnfoldingHeap, lseg(UnfoldingHeap[tmp, next], null)); + assume UnfoldingHeap[null, lseg(UnfoldingHeap[tmp, next], null)] == FrameFragment((if UnfoldingHeap[tmp, next] != null then CombineFrames(FrameFragment(UnfoldingHeap[UnfoldingHeap[tmp, next], data]), CombineFrames(FrameFragment(UnfoldingHeap[UnfoldingHeap[tmp, next], next]), UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[tmp, next], next], null)])) else EmptyFrame)); + if (UnfoldingHeap[tmp, next] != null) { + perm := FullPerm; + assume UnfoldingHeap[tmp, next] != null; + UnfoldingMask[UnfoldingHeap[tmp, next], data] := UnfoldingMask[UnfoldingHeap[tmp, next], data] + perm; + assume state(UnfoldingHeap, UnfoldingMask); + perm := FullPerm; + assume UnfoldingHeap[tmp, next] != null; + UnfoldingMask[UnfoldingHeap[tmp, next], next] := UnfoldingMask[UnfoldingHeap[tmp, next], next] + perm; + assume state(UnfoldingHeap, UnfoldingMask); + perm := FullPerm; + UnfoldingMask[null, lseg(UnfoldingHeap[UnfoldingHeap[tmp, next], next], null)] := UnfoldingMask[null, lseg(UnfoldingHeap[UnfoldingHeap[tmp, next], next], null)] + perm; + + // -- Extra unfolding of predicate + assume InsidePredicate(lseg(UnfoldingHeap[tmp, next], null), UnfoldingHeap[null, lseg(UnfoldingHeap[tmp, next], null)], lseg(UnfoldingHeap[UnfoldingHeap[tmp, next], next], null), UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[tmp, next], next], null)]); + assume state(UnfoldingHeap, UnfoldingMask); + assume UnfoldingHeap[UnfoldingHeap[tmp, next], next] != null ==> UnfoldingHeap[UnfoldingHeap[tmp, next], data] <= UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[tmp, next], next], data]; + + // -- Free assumptions (inhale module) + if (UnfoldingHeap[UnfoldingHeap[tmp, next], next] != null) { + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[tmp, next], next], null)][UnfoldingHeap[UnfoldingHeap[tmp, next], next], data] := true; + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[tmp, next], next], null)][UnfoldingHeap[UnfoldingHeap[tmp, next], next], next] := true; + havoc newPMask; + assume (forall o_39: Ref, f_43: (Field A B) :: + { newPMask[o_39, f_43] } + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[tmp, next], next], null)][o_39, f_43] || UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[tmp, next], next], next], null)][o_39, f_43] ==> newPMask[o_39, f_43] + ); + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[tmp, next], next], null)] := newPMask; + } + assume state(UnfoldingHeap, UnfoldingMask); + } + assume state(UnfoldingHeap, UnfoldingMask); + if (UnfoldingHeap[tmp, next] != null) { + assert {:msg " Folding lseg(tmp, null) might fail. Assertion tmp.data <= tmp.next.data might not hold. (linked-list-predicates.vpr@123.5--123.30) [1142]"} + UnfoldingHeap[tmp, data] <= UnfoldingHeap[UnfoldingHeap[tmp, next], data]; + } + } + + // -- Free assumptions (exhale module) + if (Heap[tmp, next] != null) { + Heap[null, lseg#sm(Heap[tmp, next], null)][Heap[tmp, next], data] := true; + Heap[null, lseg#sm(Heap[tmp, next], null)][Heap[tmp, next], next] := true; + havoc newPMask; + assume (forall o_40: Ref, f_44: (Field A B) :: + { newPMask[o_40, f_44] } + Heap[null, lseg#sm(Heap[tmp, next], null)][o_40, f_44] || Heap[null, lseg#sm(Heap[Heap[tmp, next], next], null)][o_40, f_44] ==> newPMask[o_40, f_44] + ); + Heap[null, lseg#sm(Heap[tmp, next], null)] := newPMask; + } + assume state(Heap, Mask); + perm := FullPerm; + Mask[null, lseg(tmp, null)] := Mask[null, lseg(tmp, null)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume lseg#trigger(Heap, lseg(tmp, null)); + assume Heap[null, lseg(tmp, null)] == FrameFragment((if tmp != null then CombineFrames(FrameFragment(Heap[tmp, data]), CombineFrames(FrameFragment(Heap[tmp, next]), Heap[null, lseg(Heap[tmp, next], null)])) else EmptyFrame)); + if (!HasDirectPerm(Mask, null, lseg(tmp, null))) { + Heap[null, lseg#sm(tmp, null)] := ZeroPMask; + havoc freshVersion; + Heap[null, lseg(tmp, null)] := freshVersion; + } + if (tmp != null) { + Heap[null, lseg#sm(tmp, null)][tmp, data] := true; + Heap[null, lseg#sm(tmp, null)][tmp, next] := true; + havoc newPMask; + assume (forall o_41: Ref, f_45: (Field A B) :: + { newPMask[o_41, f_45] } + Heap[null, lseg#sm(tmp, null)][o_41, f_45] || Heap[null, lseg#sm(Heap[tmp, next], null)][o_41, f_45] ==> newPMask[o_41, f_45] + ); + Heap[null, lseg#sm(tmp, null)] := newPMask; + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: this.head := tmp -- linked-list-predicates.vpr@124.5--124.21 + assert {:msg " Assignment might fail. There might be insufficient permission to access this.head (linked-list-predicates.vpr@124.5--124.21) [1144]"} + FullPerm == Mask[this, head]; + Heap[this, head] := tmp; + assume state(Heap, Mask); + } else { + + // -- Assumptions about local variables + assume Heap[ptr, $allocated]; + + // -- Translating statement: ptr := this.head -- linked-list-predicates.vpr@126.5--126.30 + + // -- Check definedness of this.head + assert {:msg " Assignment might fail. There might be insufficient permission to access this.head (linked-list-predicates.vpr@126.5--126.30) [1145]"} + HasDirectPerm(Mask, this, head); + ptr := Heap[this, head]; + assume state(Heap, Mask); + + // -- Translating statement: fold acc(lseg(this.head, ptr), write) -- linked-list-predicates.vpr@127.5--127.35 + + // -- Check definedness of acc(lseg(this.head, ptr), write) + assert {:msg " Folding lseg(this.head, ptr) might fail. There might be insufficient permission to access this.head (linked-list-predicates.vpr@127.5--127.35) [1146]"} + HasDirectPerm(Mask, this, head); + if (Heap[this, head] != ptr) { + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Folding lseg(this.head, ptr) might fail. There might be insufficient permission to access this.head.data (linked-list-predicates.vpr@127.5--127.35) [1148]"} + perm <= Mask[Heap[this, head], data]; + } + Mask[Heap[this, head], data] := Mask[Heap[this, head], data] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Folding lseg(this.head, ptr) might fail. There might be insufficient permission to access this.head.next (linked-list-predicates.vpr@127.5--127.35) [1150]"} + perm <= Mask[Heap[this, head], next]; + } + Mask[Heap[this, head], next] := Mask[Heap[this, head], next] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Folding lseg(this.head, ptr) might fail. There might be insufficient permission to access lseg(this.head.next, ptr) (linked-list-predicates.vpr@127.5--127.35) [1152]"} + perm <= Mask[null, lseg(Heap[Heap[this, head], next], ptr)]; + } + Mask[null, lseg(Heap[Heap[this, head], next], ptr)] := Mask[null, lseg(Heap[Heap[this, head], next], ptr)] - perm; + + // -- Record predicate instance information + assume InsidePredicate(lseg(Heap[this, head], ptr), Heap[null, lseg(Heap[this, head], ptr)], lseg(Heap[Heap[this, head], next], ptr), Heap[null, lseg(Heap[Heap[this, head], next], ptr)]); + + // -- Execute unfolding (for extra information) + UnfoldingHeap := Heap; + UnfoldingMask := Mask; + assume lseg#trigger(UnfoldingHeap, lseg(UnfoldingHeap[UnfoldingHeap[this, head], next], ptr)); + assume UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[this, head], next], ptr)] == FrameFragment((if UnfoldingHeap[UnfoldingHeap[this, head], next] != ptr then CombineFrames(FrameFragment(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], data]), CombineFrames(FrameFragment(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next]), UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], ptr)])) else EmptyFrame)); + if (UnfoldingHeap[UnfoldingHeap[this, head], next] != ptr) { + perm := FullPerm; + assume UnfoldingHeap[UnfoldingHeap[this, head], next] != null; + UnfoldingMask[UnfoldingHeap[UnfoldingHeap[this, head], next], data] := UnfoldingMask[UnfoldingHeap[UnfoldingHeap[this, head], next], data] + perm; + assume state(UnfoldingHeap, UnfoldingMask); + perm := FullPerm; + assume UnfoldingHeap[UnfoldingHeap[this, head], next] != null; + UnfoldingMask[UnfoldingHeap[UnfoldingHeap[this, head], next], next] := UnfoldingMask[UnfoldingHeap[UnfoldingHeap[this, head], next], next] + perm; + assume state(UnfoldingHeap, UnfoldingMask); + perm := FullPerm; + UnfoldingMask[null, lseg(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], ptr)] := UnfoldingMask[null, lseg(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], ptr)] + perm; + + // -- Extra unfolding of predicate + assume InsidePredicate(lseg(UnfoldingHeap[UnfoldingHeap[this, head], next], ptr), UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[this, head], next], ptr)], lseg(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], ptr), UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], ptr)]); + assume state(UnfoldingHeap, UnfoldingMask); + assume UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next] != ptr ==> UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], data] <= UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], data]; + + // -- Free assumptions (inhale module) + if (UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next] != ptr) { + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], ptr)][UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], data] := true; + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], ptr)][UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], next] := true; + havoc newPMask; + assume (forall o_42: Ref, f_46: (Field A B) :: + { newPMask[o_42, f_46] } + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], ptr)][o_42, f_46] || UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], next], ptr)][o_42, f_46] ==> newPMask[o_42, f_46] + ); + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], ptr)] := newPMask; + } + assume state(UnfoldingHeap, UnfoldingMask); + } + assume state(UnfoldingHeap, UnfoldingMask); + if (UnfoldingHeap[UnfoldingHeap[this, head], next] != ptr) { + assert {:msg " Folding lseg(this.head, ptr) might fail. Assertion this.head.data <= this.head.next.data might not hold. (linked-list-predicates.vpr@127.5--127.35) [1153]"} + UnfoldingHeap[UnfoldingHeap[this, head], data] <= UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], data]; + } + } + + // -- Free assumptions (exhale module) + if (Heap[Heap[this, head], next] != ptr) { + Heap[null, lseg#sm(Heap[Heap[this, head], next], ptr)][Heap[Heap[this, head], next], data] := true; + Heap[null, lseg#sm(Heap[Heap[this, head], next], ptr)][Heap[Heap[this, head], next], next] := true; + havoc newPMask; + assume (forall o_43: Ref, f_47: (Field A B) :: + { newPMask[o_43, f_47] } + Heap[null, lseg#sm(Heap[Heap[this, head], next], ptr)][o_43, f_47] || Heap[null, lseg#sm(Heap[Heap[Heap[this, head], next], next], ptr)][o_43, f_47] ==> newPMask[o_43, f_47] + ); + Heap[null, lseg#sm(Heap[Heap[this, head], next], ptr)] := newPMask; + } + assume state(Heap, Mask); + perm := FullPerm; + Mask[null, lseg(Heap[this, head], ptr)] := Mask[null, lseg(Heap[this, head], ptr)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume lseg#trigger(Heap, lseg(Heap[this, head], ptr)); + assume Heap[null, lseg(Heap[this, head], ptr)] == FrameFragment((if Heap[this, head] != ptr then CombineFrames(FrameFragment(Heap[Heap[this, head], data]), CombineFrames(FrameFragment(Heap[Heap[this, head], next]), Heap[null, lseg(Heap[Heap[this, head], next], ptr)])) else EmptyFrame)); + if (!HasDirectPerm(Mask, null, lseg(Heap[this, head], ptr))) { + Heap[null, lseg#sm(Heap[this, head], ptr)] := ZeroPMask; + havoc freshVersion; + Heap[null, lseg(Heap[this, head], ptr)] := freshVersion; + } + if (Heap[this, head] != ptr) { + Heap[null, lseg#sm(Heap[this, head], ptr)][Heap[this, head], data] := true; + Heap[null, lseg#sm(Heap[this, head], ptr)][Heap[this, head], next] := true; + havoc newPMask; + assume (forall o_44: Ref, f_48: (Field A B) :: + { newPMask[o_44, f_48] } + Heap[null, lseg#sm(Heap[this, head], ptr)][o_44, f_48] || Heap[null, lseg#sm(Heap[Heap[this, head], next], ptr)][o_44, f_48] ==> newPMask[o_44, f_48] + ); + Heap[null, lseg#sm(Heap[this, head], ptr)] := newPMask; + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: index := index + 1 -- linked-list-predicates.vpr@128.5--128.23 + index := index + 1; + assume state(Heap, Mask); + + // -- Translating statement: while (ptr.next != null && (unfolding acc(lseg(ptr.next, null), write) in ptr.next.data < elem)) -- linked-list-predicates.vpr@130.5--150.6 + + // -- Before loop head + + // -- Exhale loop invariant before loop + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Loop invariant acc(this.head, write) might not hold on entry. There might be insufficient permission to access this.head (linked-list-predicates.vpr@131.17--131.31) [1155]"} + perm <= Mask[this, head]; + } + Mask[this, head] := Mask[this, head] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Loop invariant acc(ptr.next, write) && (acc(ptr.data, write) && ptr.data <= elem) might not hold on entry. There might be insufficient permission to access ptr.next (linked-list-predicates.vpr@132.17--132.67) [1156]"} + perm <= Mask[ptr, next]; + } + Mask[ptr, next] := Mask[ptr, next] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Loop invariant acc(ptr.next, write) && (acc(ptr.data, write) && ptr.data <= elem) might not hold on entry. There might be insufficient permission to access ptr.data (linked-list-predicates.vpr@132.17--132.67) [1157]"} + perm <= Mask[ptr, data]; + } + Mask[ptr, data] := Mask[ptr, data] - perm; + assert {:msg " Loop invariant acc(ptr.next, write) && (acc(ptr.data, write) && ptr.data <= elem) might not hold on entry. Assertion ptr.data <= elem might not hold. (linked-list-predicates.vpr@132.17--132.67) [1158]"} + Heap[ptr, data] <= elem; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Loop invariant acc(lseg(ptr.next, null), write) might not hold on entry. There might be insufficient permission to access lseg(ptr.next, null) (linked-list-predicates.vpr@133.17--133.42) [1159]"} + perm <= Mask[null, lseg(Heap[ptr, next], null)]; + } + Mask[null, lseg(Heap[ptr, next], null)] := Mask[null, lseg(Heap[ptr, next], null)] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Loop invariant acc(lseg(this.head, ptr), write) might not hold on entry. There might be insufficient permission to access lseg(this.head, ptr) (linked-list-predicates.vpr@134.17--134.42) [1160]"} + perm <= Mask[null, lseg(Heap[this, head], ptr)]; + } + Mask[null, lseg(Heap[this, head], ptr)] := Mask[null, lseg(Heap[this, head], ptr)] - perm; + if (*) { + if (0 <= i && i < Seq#Length(contentNodes(Heap, Heap[this, head], ptr))) { + assert {:msg " Loop invariant (forall i: Int :: { contentNodes(this.head, ptr)[i] } 0 <= i && i < |contentNodes(this.head, ptr)| ==> contentNodes(this.head, ptr)[i] <= ptr.data) might not hold on entry. Assertion contentNodes(this.head, ptr)[i] <= ptr.data might not hold. (linked-list-predicates.vpr@135.17--136.62) [1161]"} + Seq#Index(contentNodes(Heap, Heap[this, head], ptr), i) <= Heap[ptr, data]; + } + assume false; + } + assume (forall i_1_1: int :: + { Seq#Index(contentNodes#frame(Heap[null, lseg(Heap[this, head], ptr)], Heap[this, head], ptr), i_1_1) } + 0 <= i_1_1 && i_1_1 < Seq#Length(contentNodes(Heap, Heap[this, head], ptr)) ==> Seq#Index(contentNodes(Heap, Heap[this, head], ptr), i_1_1) <= Heap[ptr, data] + ); + if (*) { + if (0 <= i_2 && i_2 < Seq#Length(contentNodes(Heap, Heap[ptr, next], null))) { + assert {:msg " Loop invariant (forall i: Int :: { contentNodes(ptr.next, null)[i] } 0 <= i && i < |contentNodes(ptr.next, null)| ==> ptr.data <= contentNodes(ptr.next, null)[i]) might not hold on entry. Assertion ptr.data <= contentNodes(ptr.next, null)[i] might not hold. (linked-list-predicates.vpr@137.17--138.62) [1162]"} + Heap[ptr, data] <= Seq#Index(contentNodes(Heap, Heap[ptr, next], null), i_2); + } + assume false; + } + assume (forall i_3_1: int :: + { Seq#Index(contentNodes#frame(Heap[null, lseg(Heap[ptr, next], null)], Heap[ptr, next], null), i_3_1) } + 0 <= i_3_1 && i_3_1 < Seq#Length(contentNodes(Heap, Heap[ptr, next], null)) ==> Heap[ptr, data] <= Seq#Index(contentNodes(Heap, Heap[ptr, next], null), i_3_1) + ); + assert {:msg " Loop invariant index - 1 == |contentNodes(this.head, ptr)| might not hold on entry. Assertion index - 1 == |contentNodes(this.head, ptr)| might not hold. (linked-list-predicates.vpr@139.17--139.58) [1163]"} + index - 1 == Seq#Length(contentNodes(Heap, Heap[this, head], ptr)); + assert {:msg " Loop invariant old(content(this)) == contentNodes(this.head, ptr) ++ Seq(ptr.data) ++ contentNodes(ptr.next, null) might not hold on entry. Assertion old(content(this)) == contentNodes(this.head, ptr) ++ Seq(ptr.data) ++ contentNodes(ptr.next, null) might not hold. (linked-list-predicates.vpr@141.9--141.108) [1164]"} + Seq#Equal(content(old(Heap), this), Seq#Append(Seq#Append(contentNodes(Heap, Heap[this, head], ptr), Seq#Singleton(Heap[ptr, data])), contentNodes(Heap, Heap[ptr, next], null))); + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + + // -- Havoc loop written variables (except locals) + havoc ptr, index; + assume Heap[ptr, $allocated]; + + // -- Check definedness of invariant + if (*) { + perm := FullPerm; + assume this != null; + Mask[this, head] := Mask[this, head] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + perm := FullPerm; + assume ptr != null; + Mask[ptr, next] := Mask[ptr, next] + perm; + assume state(Heap, Mask); + perm := FullPerm; + assume ptr != null; + Mask[ptr, data] := Mask[ptr, data] + perm; + assume state(Heap, Mask); + + // -- Check definedness of ptr.data <= elem + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access ptr.data (linked-list-predicates.vpr@132.17--132.67) [1165]"} + HasDirectPerm(Mask, ptr, data); + assume Heap[ptr, data] <= elem; + assume state(Heap, Mask); + + // -- Check definedness of acc(lseg(ptr.next, null), write) + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access ptr.next (linked-list-predicates.vpr@133.17--133.42) [1166]"} + HasDirectPerm(Mask, ptr, next); + perm := FullPerm; + Mask[null, lseg(Heap[ptr, next], null)] := Mask[null, lseg(Heap[ptr, next], null)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of acc(lseg(this.head, ptr), write) + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access this.head (linked-list-predicates.vpr@134.17--134.42) [1167]"} + HasDirectPerm(Mask, this, head); + perm := FullPerm; + Mask[null, lseg(Heap[this, head], ptr)] := Mask[null, lseg(Heap[this, head], ptr)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of (forall i: Int :: { contentNodes(this.head, ptr)[i] } 0 <= i && i < |contentNodes(this.head, ptr)| ==> contentNodes(this.head, ptr)[i] <= ptr.data) + if (*) { + if (0 <= i_4) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access this.head (linked-list-predicates.vpr@135.17--136.62) [1168]"} + HasDirectPerm(Mask, this, head); + if (*) { + // Exhale precondition of function application + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Precondition of function contentNodes might not hold. There might be insufficient permission to access lseg(this.head, ptr) (linked-list-predicates.vpr@135.49--135.77) [1169]"} + perm <= Mask[null, lseg(Heap[this, head], ptr)]; + } + Mask[null, lseg(Heap[this, head], ptr)] := Mask[null, lseg(Heap[this, head], ptr)] - perm; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } + } + if (0 <= i_4 && i_4 < Seq#Length(contentNodes(Heap, Heap[this, head], ptr))) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access this.head (linked-list-predicates.vpr@135.17--136.62) [1170]"} + HasDirectPerm(Mask, this, head); + if (*) { + // Exhale precondition of function application + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Precondition of function contentNodes might not hold. There might be insufficient permission to access lseg(this.head, ptr) (linked-list-predicates.vpr@136.19--136.47) [1171]"} + perm <= Mask[null, lseg(Heap[this, head], ptr)]; + } + Mask[null, lseg(Heap[this, head], ptr)] := Mask[null, lseg(Heap[this, head], ptr)] - perm; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } + assert {:msg " Contract might not be well-formed. Index contentNodes(this.head, ptr)[i] into contentNodes(this.head, ptr) might be negative. (linked-list-predicates.vpr@135.17--136.62) [1172]"} + i_4 >= 0; + assert {:msg " Contract might not be well-formed. Index contentNodes(this.head, ptr)[i] into contentNodes(this.head, ptr) might exceed sequence length. (linked-list-predicates.vpr@135.17--136.62) [1173]"} + i_4 < Seq#Length(contentNodes(Heap, Heap[this, head], ptr)); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access ptr.data (linked-list-predicates.vpr@135.17--136.62) [1174]"} + HasDirectPerm(Mask, ptr, data); + } + assume false; + } + assume (forall i_5: int :: + { Seq#Index(contentNodes#frame(Heap[null, lseg(Heap[this, head], ptr)], Heap[this, head], ptr), i_5) } + 0 <= i_5 && i_5 < Seq#Length(contentNodes(Heap, Heap[this, head], ptr)) ==> Seq#Index(contentNodes(Heap, Heap[this, head], ptr), i_5) <= Heap[ptr, data] + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of (forall i: Int :: { contentNodes(ptr.next, null)[i] } 0 <= i && i < |contentNodes(ptr.next, null)| ==> ptr.data <= contentNodes(ptr.next, null)[i]) + if (*) { + if (0 <= i_6) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access ptr.next (linked-list-predicates.vpr@137.17--138.62) [1175]"} + HasDirectPerm(Mask, ptr, next); + if (*) { + // Exhale precondition of function application + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Precondition of function contentNodes might not hold. There might be insufficient permission to access lseg(ptr.next, null) (linked-list-predicates.vpr@137.49--137.77) [1176]"} + perm <= Mask[null, lseg(Heap[ptr, next], null)]; + } + Mask[null, lseg(Heap[ptr, next], null)] := Mask[null, lseg(Heap[ptr, next], null)] - perm; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } + } + if (0 <= i_6 && i_6 < Seq#Length(contentNodes(Heap, Heap[ptr, next], null))) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access ptr.data (linked-list-predicates.vpr@137.17--138.62) [1177]"} + HasDirectPerm(Mask, ptr, data); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access ptr.next (linked-list-predicates.vpr@137.17--138.62) [1178]"} + HasDirectPerm(Mask, ptr, next); + if (*) { + // Exhale precondition of function application + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Precondition of function contentNodes might not hold. There might be insufficient permission to access lseg(ptr.next, null) (linked-list-predicates.vpr@138.31--138.59) [1179]"} + perm <= Mask[null, lseg(Heap[ptr, next], null)]; + } + Mask[null, lseg(Heap[ptr, next], null)] := Mask[null, lseg(Heap[ptr, next], null)] - perm; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } + assert {:msg " Contract might not be well-formed. Index contentNodes(ptr.next, null)[i] into contentNodes(ptr.next, null) might be negative. (linked-list-predicates.vpr@137.17--138.62) [1180]"} + i_6 >= 0; + assert {:msg " Contract might not be well-formed. Index contentNodes(ptr.next, null)[i] into contentNodes(ptr.next, null) might exceed sequence length. (linked-list-predicates.vpr@137.17--138.62) [1181]"} + i_6 < Seq#Length(contentNodes(Heap, Heap[ptr, next], null)); + } + assume false; + } + assume (forall i_7: int :: + { Seq#Index(contentNodes#frame(Heap[null, lseg(Heap[ptr, next], null)], Heap[ptr, next], null), i_7) } + 0 <= i_7 && i_7 < Seq#Length(contentNodes(Heap, Heap[ptr, next], null)) ==> Heap[ptr, data] <= Seq#Index(contentNodes(Heap, Heap[ptr, next], null), i_7) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of index - 1 == |contentNodes(this.head, ptr)| + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access this.head (linked-list-predicates.vpr@139.17--139.58) [1182]"} + HasDirectPerm(Mask, this, head); + if (*) { + // Exhale precondition of function application + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Precondition of function contentNodes might not hold. There might be insufficient permission to access lseg(this.head, ptr) (linked-list-predicates.vpr@139.29--139.57) [1183]"} + perm <= Mask[null, lseg(Heap[this, head], ptr)]; + } + Mask[null, lseg(Heap[this, head], ptr)] := Mask[null, lseg(Heap[this, head], ptr)] - perm; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } + assume index - 1 == Seq#Length(contentNodes(Heap, Heap[this, head], ptr)); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of old(content(this)) == contentNodes(this.head, ptr) ++ Seq(ptr.data) ++ contentNodes(ptr.next, null) + if (*) { + // Exhale precondition of function application + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Precondition of function content might not hold. There might be insufficient permission to access List(this) (linked-list-predicates.vpr@141.13--141.26) [1184]"} + perm <= old(Mask)[null, List(this)]; + } + // Finish exhale + // Stop execution + assume false; + } + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access this.head (linked-list-predicates.vpr@141.9--141.108) [1185]"} + HasDirectPerm(Mask, this, head); + if (*) { + // Exhale precondition of function application + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Precondition of function contentNodes might not hold. There might be insufficient permission to access lseg(this.head, ptr) (linked-list-predicates.vpr@141.31--141.59) [1186]"} + perm <= Mask[null, lseg(Heap[this, head], ptr)]; + } + Mask[null, lseg(Heap[this, head], ptr)] := Mask[null, lseg(Heap[this, head], ptr)] - perm; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access ptr.data (linked-list-predicates.vpr@141.9--141.108) [1187]"} + HasDirectPerm(Mask, ptr, data); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access ptr.next (linked-list-predicates.vpr@141.9--141.108) [1188]"} + HasDirectPerm(Mask, ptr, next); + if (*) { + // Exhale precondition of function application + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Precondition of function contentNodes might not hold. There might be insufficient permission to access lseg(ptr.next, null) (linked-list-predicates.vpr@141.80--141.108) [1189]"} + perm <= Mask[null, lseg(Heap[ptr, next], null)]; + } + Mask[null, lseg(Heap[ptr, next], null)] := Mask[null, lseg(Heap[ptr, next], null)] - perm; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } + assume Seq#Equal(content(old(Heap), this), Seq#Append(Seq#Append(contentNodes(Heap, Heap[this, head], ptr), Seq#Singleton(Heap[ptr, data])), contentNodes(Heap, Heap[ptr, next], null))); + assume state(Heap, Mask); + assume false; + } + + // -- Check the loop body + if (*) { + // Reset state + loopHeap := Heap; + loopMask := Mask; + Mask := ZeroMask; + assume state(Heap, Mask); + // Inhale invariant + perm := FullPerm; + assume this != null; + Mask[this, head] := Mask[this, head] + perm; + assume state(Heap, Mask); + perm := FullPerm; + assume ptr != null; + Mask[ptr, next] := Mask[ptr, next] + perm; + assume state(Heap, Mask); + perm := FullPerm; + assume ptr != null; + Mask[ptr, data] := Mask[ptr, data] + perm; + assume state(Heap, Mask); + assume Heap[ptr, data] <= elem; + perm := FullPerm; + Mask[null, lseg(Heap[ptr, next], null)] := Mask[null, lseg(Heap[ptr, next], null)] + perm; + assume state(Heap, Mask); + perm := FullPerm; + Mask[null, lseg(Heap[this, head], ptr)] := Mask[null, lseg(Heap[this, head], ptr)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume (forall i_8: int :: + { Seq#Index(contentNodes#frame(Heap[null, lseg(Heap[this, head], ptr)], Heap[this, head], ptr), i_8) } + 0 <= i_8 && i_8 < Seq#Length(contentNodes(Heap, Heap[this, head], ptr)) ==> Seq#Index(contentNodes(Heap, Heap[this, head], ptr), i_8) <= Heap[ptr, data] + ); + assume state(Heap, Mask); + assume (forall i_9: int :: + { Seq#Index(contentNodes#frame(Heap[null, lseg(Heap[ptr, next], null)], Heap[ptr, next], null), i_9) } + 0 <= i_9 && i_9 < Seq#Length(contentNodes(Heap, Heap[ptr, next], null)) ==> Heap[ptr, data] <= Seq#Index(contentNodes(Heap, Heap[ptr, next], null), i_9) + ); + assume state(Heap, Mask); + assume index - 1 == Seq#Length(contentNodes(Heap, Heap[this, head], ptr)); + assume state(Heap, Mask); + assume Seq#Equal(content(old(Heap), this), Seq#Append(Seq#Append(contentNodes(Heap, Heap[this, head], ptr), Seq#Singleton(Heap[ptr, data])), contentNodes(Heap, Heap[ptr, next], null))); + assume state(Heap, Mask); + // Check and assume guard + + // -- Check definedness of ptr.next != null && (unfolding acc(lseg(ptr.next, null), write) in ptr.next.data < elem) + assert {:msg " While statement might fail. There might be insufficient permission to access ptr.next (linked-list-predicates.vpr@130.11--130.90) [1190]"} + HasDirectPerm(Mask, ptr, next); + if (Heap[ptr, next] != null) { + UnfoldingHeap := Heap; + UnfoldingMask := Mask; + assume lseg#trigger(UnfoldingHeap, lseg(UnfoldingHeap[ptr, next], null)); + assume UnfoldingHeap[null, lseg(UnfoldingHeap[ptr, next], null)] == FrameFragment((if UnfoldingHeap[ptr, next] != null then CombineFrames(FrameFragment(UnfoldingHeap[UnfoldingHeap[ptr, next], data]), CombineFrames(FrameFragment(UnfoldingHeap[UnfoldingHeap[ptr, next], next]), UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[ptr, next], next], null)])) else EmptyFrame)); + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " While statement might fail. There might be insufficient permission to access lseg(ptr.next, null) (linked-list-predicates.vpr@130.11--130.90) [1191]"} + perm <= UnfoldingMask[null, lseg(UnfoldingHeap[ptr, next], null)]; + } + UnfoldingMask[null, lseg(UnfoldingHeap[ptr, next], null)] := UnfoldingMask[null, lseg(UnfoldingHeap[ptr, next], null)] - perm; + if (UnfoldingHeap[ptr, next] != null) { + perm := FullPerm; + assume UnfoldingHeap[ptr, next] != null; + UnfoldingMask[UnfoldingHeap[ptr, next], data] := UnfoldingMask[UnfoldingHeap[ptr, next], data] + perm; + assume state(UnfoldingHeap, UnfoldingMask); + perm := FullPerm; + assume UnfoldingHeap[ptr, next] != null; + UnfoldingMask[UnfoldingHeap[ptr, next], next] := UnfoldingMask[UnfoldingHeap[ptr, next], next] + perm; + assume state(UnfoldingHeap, UnfoldingMask); + perm := FullPerm; + UnfoldingMask[null, lseg(UnfoldingHeap[UnfoldingHeap[ptr, next], next], null)] := UnfoldingMask[null, lseg(UnfoldingHeap[UnfoldingHeap[ptr, next], next], null)] + perm; + + // -- Extra unfolding of predicate + assume InsidePredicate(lseg(UnfoldingHeap[ptr, next], null), UnfoldingHeap[null, lseg(UnfoldingHeap[ptr, next], null)], lseg(UnfoldingHeap[UnfoldingHeap[ptr, next], next], null), UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[ptr, next], next], null)]); + assume state(UnfoldingHeap, UnfoldingMask); + + // -- Execute unfolding (for extra information) + Unfolding1Heap := UnfoldingHeap; + Unfolding1Mask := UnfoldingMask; + assume lseg#trigger(Unfolding1Heap, lseg(Unfolding1Heap[Unfolding1Heap[ptr, next], next], null)); + assume Unfolding1Heap[null, lseg(Unfolding1Heap[Unfolding1Heap[ptr, next], next], null)] == FrameFragment((if Unfolding1Heap[Unfolding1Heap[ptr, next], next] != null then CombineFrames(FrameFragment(Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[ptr, next], next], data]), CombineFrames(FrameFragment(Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[ptr, next], next], next]), Unfolding1Heap[null, lseg(Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[ptr, next], next], next], null)])) else EmptyFrame)); + perm := FullPerm; + Unfolding1Mask[null, lseg(Unfolding1Heap[Unfolding1Heap[ptr, next], next], null)] := Unfolding1Mask[null, lseg(Unfolding1Heap[Unfolding1Heap[ptr, next], next], null)] - perm; + if (Unfolding1Heap[Unfolding1Heap[ptr, next], next] != null) { + perm := FullPerm; + assume Unfolding1Heap[Unfolding1Heap[ptr, next], next] != null; + Unfolding1Mask[Unfolding1Heap[Unfolding1Heap[ptr, next], next], data] := Unfolding1Mask[Unfolding1Heap[Unfolding1Heap[ptr, next], next], data] + perm; + assume state(Unfolding1Heap, Unfolding1Mask); + perm := FullPerm; + assume Unfolding1Heap[Unfolding1Heap[ptr, next], next] != null; + Unfolding1Mask[Unfolding1Heap[Unfolding1Heap[ptr, next], next], next] := Unfolding1Mask[Unfolding1Heap[Unfolding1Heap[ptr, next], next], next] + perm; + assume state(Unfolding1Heap, Unfolding1Mask); + perm := FullPerm; + Unfolding1Mask[null, lseg(Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[ptr, next], next], next], null)] := Unfolding1Mask[null, lseg(Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[ptr, next], next], next], null)] + perm; + + // -- Extra unfolding of predicate + assume InsidePredicate(lseg(Unfolding1Heap[Unfolding1Heap[ptr, next], next], null), Unfolding1Heap[null, lseg(Unfolding1Heap[Unfolding1Heap[ptr, next], next], null)], lseg(Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[ptr, next], next], next], null), Unfolding1Heap[null, lseg(Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[ptr, next], next], next], null)]); + assume state(Unfolding1Heap, Unfolding1Mask); + assume Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[ptr, next], next], next] != null ==> Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[ptr, next], next], data] <= Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[ptr, next], next], next], data]; + + // -- Free assumptions (inhale module) + if (Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[ptr, next], next], next] != null) { + Unfolding1Heap[null, lseg#sm(Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[ptr, next], next], next], null)][Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[ptr, next], next], next], data] := true; + Unfolding1Heap[null, lseg#sm(Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[ptr, next], next], next], null)][Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[ptr, next], next], next], next] := true; + havoc newPMask; + assume (forall o_45: Ref, f_49: (Field A B) :: + { newPMask[o_45, f_49] } + Unfolding1Heap[null, lseg#sm(Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[ptr, next], next], next], null)][o_45, f_49] || Unfolding1Heap[null, lseg#sm(Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[ptr, next], next], next], next], null)][o_45, f_49] ==> newPMask[o_45, f_49] + ); + Unfolding1Heap[null, lseg#sm(Unfolding1Heap[Unfolding1Heap[Unfolding1Heap[ptr, next], next], next], null)] := newPMask; + } + assume state(Unfolding1Heap, Unfolding1Mask); + } + assume state(Unfolding1Heap, Unfolding1Mask); + assume UnfoldingHeap[UnfoldingHeap[ptr, next], next] != null ==> UnfoldingHeap[UnfoldingHeap[ptr, next], data] <= UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptr, next], next], data]; + + // -- Free assumptions (inhale module) + if (UnfoldingHeap[UnfoldingHeap[ptr, next], next] != null) { + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[ptr, next], next], null)][UnfoldingHeap[UnfoldingHeap[ptr, next], next], data] := true; + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[ptr, next], next], null)][UnfoldingHeap[UnfoldingHeap[ptr, next], next], next] := true; + havoc newPMask; + assume (forall o_46: Ref, f_50: (Field A B) :: + { newPMask[o_46, f_50] } + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[ptr, next], next], null)][o_46, f_50] || UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptr, next], next], next], null)][o_46, f_50] ==> newPMask[o_46, f_50] + ); + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[ptr, next], next], null)] := newPMask; + } + assume state(UnfoldingHeap, UnfoldingMask); + } + assume state(UnfoldingHeap, UnfoldingMask); + assert {:msg " While statement might fail. There might be insufficient permission to access ptr.next (linked-list-predicates.vpr@130.11--130.90) [1192]"} + HasDirectPerm(UnfoldingMask, ptr, next); + assert {:msg " While statement might fail. There might be insufficient permission to access ptr.next.data (linked-list-predicates.vpr@130.11--130.90) [1193]"} + HasDirectPerm(UnfoldingMask, UnfoldingHeap[ptr, next], data); + assert {:msg " While statement might fail. There might be insufficient permission to access ptr.next (linked-list-predicates.vpr@130.11--130.90) [1194]"} + HasDirectPerm(UnfoldingMask, ptr, next); + + // -- Free assumptions (exp module) + if (Heap[ptr, next] != null) { + Heap[null, lseg#sm(Heap[ptr, next], null)][Heap[ptr, next], data] := true; + Heap[null, lseg#sm(Heap[ptr, next], null)][Heap[ptr, next], next] := true; + havoc newPMask; + assume (forall o_47: Ref, f_51: (Field A B) :: + { newPMask[o_47, f_51] } + Heap[null, lseg#sm(Heap[ptr, next], null)][o_47, f_51] || Heap[null, lseg#sm(Heap[Heap[ptr, next], next], null)][o_47, f_51] ==> newPMask[o_47, f_51] + ); + Heap[null, lseg#sm(Heap[ptr, next], null)] := newPMask; + } + assume state(Heap, Mask); + } + assume Heap[ptr, next] != null && Heap[Heap[ptr, next], data] < elem; + assume state(Heap, Mask); + + // -- Translate loop body + + // -- Assumptions about local variables + assume Heap[ptrn, $allocated]; + + // -- Translating statement: unfold acc(lseg(ptr.next, null), write) -- linked-list-predicates.vpr@143.7--143.39 + + // -- Check definedness of acc(lseg(ptr.next, null), write) + assert {:msg " Unfolding lseg(ptr.next, null) might fail. There might be insufficient permission to access ptr.next (linked-list-predicates.vpr@143.7--143.39) [1195]"} + HasDirectPerm(Mask, ptr, next); + assume lseg#trigger(Heap, lseg(Heap[ptr, next], null)); + assume Heap[null, lseg(Heap[ptr, next], null)] == FrameFragment((if Heap[ptr, next] != null then CombineFrames(FrameFragment(Heap[Heap[ptr, next], data]), CombineFrames(FrameFragment(Heap[Heap[ptr, next], next]), Heap[null, lseg(Heap[Heap[ptr, next], next], null)])) else EmptyFrame)); + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Unfolding lseg(ptr.next, null) might fail. There might be insufficient permission to access lseg(ptr.next, null) (linked-list-predicates.vpr@143.7--143.39) [1196]"} + perm <= Mask[null, lseg(Heap[ptr, next], null)]; + } + Mask[null, lseg(Heap[ptr, next], null)] := Mask[null, lseg(Heap[ptr, next], null)] - perm; + + // -- Update version of predicate + if (!HasDirectPerm(Mask, null, lseg(Heap[ptr, next], null))) { + havoc newVersion; + Heap[null, lseg(Heap[ptr, next], null)] := newVersion; + } + if (Heap[ptr, next] != null) { + perm := FullPerm; + assume Heap[ptr, next] != null; + Mask[Heap[ptr, next], data] := Mask[Heap[ptr, next], data] + perm; + assume state(Heap, Mask); + perm := FullPerm; + assume Heap[ptr, next] != null; + Mask[Heap[ptr, next], next] := Mask[Heap[ptr, next], next] + perm; + assume state(Heap, Mask); + perm := FullPerm; + Mask[null, lseg(Heap[Heap[ptr, next], next], null)] := Mask[null, lseg(Heap[Heap[ptr, next], next], null)] + perm; + + // -- Extra unfolding of predicate + assume InsidePredicate(lseg(Heap[ptr, next], null), Heap[null, lseg(Heap[ptr, next], null)], lseg(Heap[Heap[ptr, next], next], null), Heap[null, lseg(Heap[Heap[ptr, next], next], null)]); + assume state(Heap, Mask); + + // -- Execute unfolding (for extra information) + UnfoldingHeap := Heap; + UnfoldingMask := Mask; + assume lseg#trigger(UnfoldingHeap, lseg(UnfoldingHeap[UnfoldingHeap[ptr, next], next], null)); + assume UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[ptr, next], next], null)] == FrameFragment((if UnfoldingHeap[UnfoldingHeap[ptr, next], next] != null then CombineFrames(FrameFragment(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptr, next], next], data]), CombineFrames(FrameFragment(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptr, next], next], next]), UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptr, next], next], next], null)])) else EmptyFrame)); + perm := FullPerm; + UnfoldingMask[null, lseg(UnfoldingHeap[UnfoldingHeap[ptr, next], next], null)] := UnfoldingMask[null, lseg(UnfoldingHeap[UnfoldingHeap[ptr, next], next], null)] - perm; + if (UnfoldingHeap[UnfoldingHeap[ptr, next], next] != null) { + perm := FullPerm; + assume UnfoldingHeap[UnfoldingHeap[ptr, next], next] != null; + UnfoldingMask[UnfoldingHeap[UnfoldingHeap[ptr, next], next], data] := UnfoldingMask[UnfoldingHeap[UnfoldingHeap[ptr, next], next], data] + perm; + assume state(UnfoldingHeap, UnfoldingMask); + perm := FullPerm; + assume UnfoldingHeap[UnfoldingHeap[ptr, next], next] != null; + UnfoldingMask[UnfoldingHeap[UnfoldingHeap[ptr, next], next], next] := UnfoldingMask[UnfoldingHeap[UnfoldingHeap[ptr, next], next], next] + perm; + assume state(UnfoldingHeap, UnfoldingMask); + perm := FullPerm; + UnfoldingMask[null, lseg(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptr, next], next], next], null)] := UnfoldingMask[null, lseg(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptr, next], next], next], null)] + perm; + + // -- Extra unfolding of predicate + assume InsidePredicate(lseg(UnfoldingHeap[UnfoldingHeap[ptr, next], next], null), UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[ptr, next], next], null)], lseg(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptr, next], next], next], null), UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptr, next], next], next], null)]); + assume state(UnfoldingHeap, UnfoldingMask); + assume UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptr, next], next], next] != null ==> UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptr, next], next], data] <= UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptr, next], next], next], data]; + + // -- Free assumptions (inhale module) + if (UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptr, next], next], next] != null) { + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptr, next], next], next], null)][UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptr, next], next], next], data] := true; + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptr, next], next], next], null)][UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptr, next], next], next], next] := true; + havoc newPMask; + assume (forall o_48: Ref, f_52: (Field A B) :: + { newPMask[o_48, f_52] } + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptr, next], next], next], null)][o_48, f_52] || UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptr, next], next], next], next], null)][o_48, f_52] ==> newPMask[o_48, f_52] + ); + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptr, next], next], next], null)] := newPMask; + } + assume state(UnfoldingHeap, UnfoldingMask); + } + assume state(UnfoldingHeap, UnfoldingMask); + assume Heap[Heap[ptr, next], next] != null ==> Heap[Heap[ptr, next], data] <= Heap[Heap[Heap[ptr, next], next], data]; + + // -- Free assumptions (inhale module) + if (Heap[Heap[ptr, next], next] != null) { + Heap[null, lseg#sm(Heap[Heap[ptr, next], next], null)][Heap[Heap[ptr, next], next], data] := true; + Heap[null, lseg#sm(Heap[Heap[ptr, next], next], null)][Heap[Heap[ptr, next], next], next] := true; + havoc newPMask; + assume (forall o_49: Ref, f_53: (Field A B) :: + { newPMask[o_49, f_53] } + Heap[null, lseg#sm(Heap[Heap[ptr, next], next], null)][o_49, f_53] || Heap[null, lseg#sm(Heap[Heap[Heap[ptr, next], next], next], null)][o_49, f_53] ==> newPMask[o_49, f_53] + ); + Heap[null, lseg#sm(Heap[Heap[ptr, next], next], null)] := newPMask; + } + assume state(Heap, Mask); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: index := index + 1 -- linked-list-predicates.vpr@144.7--144.25 + index := index + 1; + assume state(Heap, Mask); + + // -- Translating statement: ptrn := ptr.next -- linked-list-predicates.vpr@145.7--145.32 + + // -- Check definedness of ptr.next + assert {:msg " Assignment might fail. There might be insufficient permission to access ptr.next (linked-list-predicates.vpr@145.7--145.32) [1197]"} + HasDirectPerm(Mask, ptr, next); + ptrn := Heap[ptr, next]; + assume state(Heap, Mask); + + // -- Translating statement: fold acc(lseg(ptrn, ptrn), write) -- linked-list-predicates.vpr@146.7--146.33 + if (ptrn != ptrn) { + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Folding lseg(ptrn, ptrn) might fail. There might be insufficient permission to access ptrn.data (linked-list-predicates.vpr@146.7--146.33) [1198]"} + perm <= Mask[ptrn, data]; + } + Mask[ptrn, data] := Mask[ptrn, data] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Folding lseg(ptrn, ptrn) might fail. There might be insufficient permission to access ptrn.next (linked-list-predicates.vpr@146.7--146.33) [1199]"} + perm <= Mask[ptrn, next]; + } + Mask[ptrn, next] := Mask[ptrn, next] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Folding lseg(ptrn, ptrn) might fail. There might be insufficient permission to access lseg(ptrn.next, ptrn) (linked-list-predicates.vpr@146.7--146.33) [1200]"} + perm <= Mask[null, lseg(Heap[ptrn, next], ptrn)]; + } + Mask[null, lseg(Heap[ptrn, next], ptrn)] := Mask[null, lseg(Heap[ptrn, next], ptrn)] - perm; + + // -- Record predicate instance information + assume InsidePredicate(lseg(ptrn, ptrn), Heap[null, lseg(ptrn, ptrn)], lseg(Heap[ptrn, next], ptrn), Heap[null, lseg(Heap[ptrn, next], ptrn)]); + + // -- Execute unfolding (for extra information) + UnfoldingHeap := Heap; + UnfoldingMask := Mask; + assume lseg#trigger(UnfoldingHeap, lseg(UnfoldingHeap[ptrn, next], ptrn)); + assume UnfoldingHeap[null, lseg(UnfoldingHeap[ptrn, next], ptrn)] == FrameFragment((if UnfoldingHeap[ptrn, next] != ptrn then CombineFrames(FrameFragment(UnfoldingHeap[UnfoldingHeap[ptrn, next], data]), CombineFrames(FrameFragment(UnfoldingHeap[UnfoldingHeap[ptrn, next], next]), UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[ptrn, next], next], ptrn)])) else EmptyFrame)); + if (UnfoldingHeap[ptrn, next] != ptrn) { + perm := FullPerm; + assume UnfoldingHeap[ptrn, next] != null; + UnfoldingMask[UnfoldingHeap[ptrn, next], data] := UnfoldingMask[UnfoldingHeap[ptrn, next], data] + perm; + assume state(UnfoldingHeap, UnfoldingMask); + perm := FullPerm; + assume UnfoldingHeap[ptrn, next] != null; + UnfoldingMask[UnfoldingHeap[ptrn, next], next] := UnfoldingMask[UnfoldingHeap[ptrn, next], next] + perm; + assume state(UnfoldingHeap, UnfoldingMask); + perm := FullPerm; + UnfoldingMask[null, lseg(UnfoldingHeap[UnfoldingHeap[ptrn, next], next], ptrn)] := UnfoldingMask[null, lseg(UnfoldingHeap[UnfoldingHeap[ptrn, next], next], ptrn)] + perm; + + // -- Extra unfolding of predicate + assume InsidePredicate(lseg(UnfoldingHeap[ptrn, next], ptrn), UnfoldingHeap[null, lseg(UnfoldingHeap[ptrn, next], ptrn)], lseg(UnfoldingHeap[UnfoldingHeap[ptrn, next], next], ptrn), UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[ptrn, next], next], ptrn)]); + assume state(UnfoldingHeap, UnfoldingMask); + assume UnfoldingHeap[UnfoldingHeap[ptrn, next], next] != ptrn ==> UnfoldingHeap[UnfoldingHeap[ptrn, next], data] <= UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptrn, next], next], data]; + + // -- Free assumptions (inhale module) + if (UnfoldingHeap[UnfoldingHeap[ptrn, next], next] != ptrn) { + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[ptrn, next], next], ptrn)][UnfoldingHeap[UnfoldingHeap[ptrn, next], next], data] := true; + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[ptrn, next], next], ptrn)][UnfoldingHeap[UnfoldingHeap[ptrn, next], next], next] := true; + havoc newPMask; + assume (forall o_50: Ref, f_54: (Field A B) :: + { newPMask[o_50, f_54] } + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[ptrn, next], next], ptrn)][o_50, f_54] || UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptrn, next], next], next], ptrn)][o_50, f_54] ==> newPMask[o_50, f_54] + ); + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[ptrn, next], next], ptrn)] := newPMask; + } + assume state(UnfoldingHeap, UnfoldingMask); + } + assume state(UnfoldingHeap, UnfoldingMask); + if (UnfoldingHeap[ptrn, next] != ptrn) { + assert {:msg " Folding lseg(ptrn, ptrn) might fail. Assertion ptrn.data <= ptrn.next.data might not hold. (linked-list-predicates.vpr@146.7--146.33) [1201]"} + UnfoldingHeap[ptrn, data] <= UnfoldingHeap[UnfoldingHeap[ptrn, next], data]; + } + } + + // -- Free assumptions (exhale module) + if (Heap[ptrn, next] != ptrn) { + Heap[null, lseg#sm(Heap[ptrn, next], ptrn)][Heap[ptrn, next], data] := true; + Heap[null, lseg#sm(Heap[ptrn, next], ptrn)][Heap[ptrn, next], next] := true; + havoc newPMask; + assume (forall o_51: Ref, f_55: (Field A B) :: + { newPMask[o_51, f_55] } + Heap[null, lseg#sm(Heap[ptrn, next], ptrn)][o_51, f_55] || Heap[null, lseg#sm(Heap[Heap[ptrn, next], next], ptrn)][o_51, f_55] ==> newPMask[o_51, f_55] + ); + Heap[null, lseg#sm(Heap[ptrn, next], ptrn)] := newPMask; + } + assume state(Heap, Mask); + perm := FullPerm; + Mask[null, lseg(ptrn, ptrn)] := Mask[null, lseg(ptrn, ptrn)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume lseg#trigger(Heap, lseg(ptrn, ptrn)); + assume Heap[null, lseg(ptrn, ptrn)] == FrameFragment((if ptrn != ptrn then CombineFrames(FrameFragment(Heap[ptrn, data]), CombineFrames(FrameFragment(Heap[ptrn, next]), Heap[null, lseg(Heap[ptrn, next], ptrn)])) else EmptyFrame)); + if (!HasDirectPerm(Mask, null, lseg(ptrn, ptrn))) { + Heap[null, lseg#sm(ptrn, ptrn)] := ZeroPMask; + havoc freshVersion; + Heap[null, lseg(ptrn, ptrn)] := freshVersion; + } + if (ptrn != ptrn) { + Heap[null, lseg#sm(ptrn, ptrn)][ptrn, data] := true; + Heap[null, lseg#sm(ptrn, ptrn)][ptrn, next] := true; + havoc newPMask; + assume (forall o_52: Ref, f_56: (Field A B) :: + { newPMask[o_52, f_56] } + Heap[null, lseg#sm(ptrn, ptrn)][o_52, f_56] || Heap[null, lseg#sm(Heap[ptrn, next], ptrn)][o_52, f_56] ==> newPMask[o_52, f_56] + ); + Heap[null, lseg#sm(ptrn, ptrn)] := newPMask; + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: fold acc(lseg(ptr, ptrn), write) -- linked-list-predicates.vpr@147.7--147.32 + if (ptr != ptrn) { + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Folding lseg(ptr, ptrn) might fail. There might be insufficient permission to access ptr.data (linked-list-predicates.vpr@147.7--147.32) [1202]"} + perm <= Mask[ptr, data]; + } + Mask[ptr, data] := Mask[ptr, data] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Folding lseg(ptr, ptrn) might fail. There might be insufficient permission to access ptr.next (linked-list-predicates.vpr@147.7--147.32) [1203]"} + perm <= Mask[ptr, next]; + } + Mask[ptr, next] := Mask[ptr, next] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Folding lseg(ptr, ptrn) might fail. There might be insufficient permission to access lseg(ptr.next, ptrn) (linked-list-predicates.vpr@147.7--147.32) [1204]"} + perm <= Mask[null, lseg(Heap[ptr, next], ptrn)]; + } + Mask[null, lseg(Heap[ptr, next], ptrn)] := Mask[null, lseg(Heap[ptr, next], ptrn)] - perm; + + // -- Record predicate instance information + assume InsidePredicate(lseg(ptr, ptrn), Heap[null, lseg(ptr, ptrn)], lseg(Heap[ptr, next], ptrn), Heap[null, lseg(Heap[ptr, next], ptrn)]); + + // -- Execute unfolding (for extra information) + UnfoldingHeap := Heap; + UnfoldingMask := Mask; + assume lseg#trigger(UnfoldingHeap, lseg(UnfoldingHeap[ptr, next], ptrn)); + assume UnfoldingHeap[null, lseg(UnfoldingHeap[ptr, next], ptrn)] == FrameFragment((if UnfoldingHeap[ptr, next] != ptrn then CombineFrames(FrameFragment(UnfoldingHeap[UnfoldingHeap[ptr, next], data]), CombineFrames(FrameFragment(UnfoldingHeap[UnfoldingHeap[ptr, next], next]), UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[ptr, next], next], ptrn)])) else EmptyFrame)); + if (UnfoldingHeap[ptr, next] != ptrn) { + perm := FullPerm; + assume UnfoldingHeap[ptr, next] != null; + UnfoldingMask[UnfoldingHeap[ptr, next], data] := UnfoldingMask[UnfoldingHeap[ptr, next], data] + perm; + assume state(UnfoldingHeap, UnfoldingMask); + perm := FullPerm; + assume UnfoldingHeap[ptr, next] != null; + UnfoldingMask[UnfoldingHeap[ptr, next], next] := UnfoldingMask[UnfoldingHeap[ptr, next], next] + perm; + assume state(UnfoldingHeap, UnfoldingMask); + perm := FullPerm; + UnfoldingMask[null, lseg(UnfoldingHeap[UnfoldingHeap[ptr, next], next], ptrn)] := UnfoldingMask[null, lseg(UnfoldingHeap[UnfoldingHeap[ptr, next], next], ptrn)] + perm; + + // -- Extra unfolding of predicate + assume InsidePredicate(lseg(UnfoldingHeap[ptr, next], ptrn), UnfoldingHeap[null, lseg(UnfoldingHeap[ptr, next], ptrn)], lseg(UnfoldingHeap[UnfoldingHeap[ptr, next], next], ptrn), UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[ptr, next], next], ptrn)]); + assume state(UnfoldingHeap, UnfoldingMask); + assume UnfoldingHeap[UnfoldingHeap[ptr, next], next] != ptrn ==> UnfoldingHeap[UnfoldingHeap[ptr, next], data] <= UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptr, next], next], data]; + + // -- Free assumptions (inhale module) + if (UnfoldingHeap[UnfoldingHeap[ptr, next], next] != ptrn) { + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[ptr, next], next], ptrn)][UnfoldingHeap[UnfoldingHeap[ptr, next], next], data] := true; + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[ptr, next], next], ptrn)][UnfoldingHeap[UnfoldingHeap[ptr, next], next], next] := true; + havoc newPMask; + assume (forall o_53: Ref, f_57: (Field A B) :: + { newPMask[o_53, f_57] } + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[ptr, next], next], ptrn)][o_53, f_57] || UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptr, next], next], next], ptrn)][o_53, f_57] ==> newPMask[o_53, f_57] + ); + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[ptr, next], next], ptrn)] := newPMask; + } + assume state(UnfoldingHeap, UnfoldingMask); + } + assume state(UnfoldingHeap, UnfoldingMask); + if (UnfoldingHeap[ptr, next] != ptrn) { + assert {:msg " Folding lseg(ptr, ptrn) might fail. Assertion ptr.data <= ptr.next.data might not hold. (linked-list-predicates.vpr@147.7--147.32) [1205]"} + UnfoldingHeap[ptr, data] <= UnfoldingHeap[UnfoldingHeap[ptr, next], data]; + } + } + + // -- Free assumptions (exhale module) + if (Heap[ptr, next] != ptrn) { + Heap[null, lseg#sm(Heap[ptr, next], ptrn)][Heap[ptr, next], data] := true; + Heap[null, lseg#sm(Heap[ptr, next], ptrn)][Heap[ptr, next], next] := true; + havoc newPMask; + assume (forall o_54: Ref, f_58: (Field A B) :: + { newPMask[o_54, f_58] } + Heap[null, lseg#sm(Heap[ptr, next], ptrn)][o_54, f_58] || Heap[null, lseg#sm(Heap[Heap[ptr, next], next], ptrn)][o_54, f_58] ==> newPMask[o_54, f_58] + ); + Heap[null, lseg#sm(Heap[ptr, next], ptrn)] := newPMask; + } + assume state(Heap, Mask); + perm := FullPerm; + Mask[null, lseg(ptr, ptrn)] := Mask[null, lseg(ptr, ptrn)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume lseg#trigger(Heap, lseg(ptr, ptrn)); + assume Heap[null, lseg(ptr, ptrn)] == FrameFragment((if ptr != ptrn then CombineFrames(FrameFragment(Heap[ptr, data]), CombineFrames(FrameFragment(Heap[ptr, next]), Heap[null, lseg(Heap[ptr, next], ptrn)])) else EmptyFrame)); + if (!HasDirectPerm(Mask, null, lseg(ptr, ptrn))) { + Heap[null, lseg#sm(ptr, ptrn)] := ZeroPMask; + havoc freshVersion; + Heap[null, lseg(ptr, ptrn)] := freshVersion; + } + if (ptr != ptrn) { + Heap[null, lseg#sm(ptr, ptrn)][ptr, data] := true; + Heap[null, lseg#sm(ptr, ptrn)][ptr, next] := true; + havoc newPMask; + assume (forall o_55: Ref, f_59: (Field A B) :: + { newPMask[o_55, f_59] } + Heap[null, lseg#sm(ptr, ptrn)][o_55, f_59] || Heap[null, lseg#sm(Heap[ptr, next], ptrn)][o_55, f_59] ==> newPMask[o_55, f_59] + ); + Heap[null, lseg#sm(ptr, ptrn)] := newPMask; + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: concat(this.head, ptr, ptrn) -- linked-list-predicates.vpr@148.7--148.35 + PreCallHeap := Heap; + PreCallMask := Mask; + + // -- Check definedness of this.head + assert {:msg " Method call might fail. There might be insufficient permission to access this.head (linked-list-predicates.vpr@148.7--148.35) [1206]"} + HasDirectPerm(Mask, this, head); + arg_this := Heap[this, head]; + + // -- Exhaling precondition + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " The precondition of method concat might not hold. There might be insufficient permission to access lseg(this.head, ptr) (linked-list-predicates.vpr@148.7--148.35) [1207]"} + perm <= Mask[null, lseg(arg_this, ptr)]; + } + Mask[null, lseg(arg_this, ptr)] := Mask[null, lseg(arg_this, ptr)] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " The precondition of method concat might not hold. There might be insufficient permission to access lseg(ptr, ptrn) (linked-list-predicates.vpr@148.7--148.35) [1208]"} + perm <= Mask[null, lseg(ptr, ptrn)]; + } + Mask[null, lseg(ptr, ptrn)] := Mask[null, lseg(ptr, ptrn)] - perm; + if (ptrn != null) { + assert {:msg " The precondition of method concat might not hold. Fraction 1 / 2 might be negative. (linked-list-predicates.vpr@148.7--148.35) [1209]"} + 1 / 2 >= NoPerm; + perm := 1 / 2; + if (perm != NoPerm) { + assert {:msg " The precondition of method concat might not hold. There might be insufficient permission to access ptrn.next (linked-list-predicates.vpr@148.7--148.35) [1210]"} + perm <= Mask[ptrn, next]; + } + Mask[ptrn, next] := Mask[ptrn, next] - perm; + } + if (0 < Seq#Length(contentNodes(Heap, arg_this, ptr)) && 0 < Seq#Length(contentNodes(Heap, ptr, ptrn))) { + assert {:msg " The precondition of method concat might not hold. Assertion contentNodes(this.head, ptr)[|contentNodes(this.head, ptr)| - 1] <= contentNodes(ptr, ptrn)[0] might not hold. (linked-list-predicates.vpr@148.7--148.35) [1211]"} + Seq#Index(contentNodes(Heap, arg_this, ptr), Seq#Length(contentNodes(Heap, arg_this, ptr)) - 1) <= Seq#Index(contentNodes(Heap, ptr, ptrn), 0); + } + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + + // -- Inhaling postcondition + perm := FullPerm; + Mask[null, lseg(arg_this, ptrn)] := Mask[null, lseg(arg_this, ptrn)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume Seq#Equal(contentNodes(Heap, arg_this, ptrn), Seq#Append(contentNodes(old(PreCallHeap), arg_this, ptr), contentNodes(old(PreCallHeap), ptr, ptrn))); + if (ptrn != null) { + perm := 1 / 2; + assert {:msg " Method call might fail. Fraction 1 / 2 might be negative. (linked-list-predicates.vpr@148.7--148.35) [1212]"} + perm >= NoPerm; + assume perm > NoPerm ==> ptrn != null; + Mask[ptrn, next] := Mask[ptrn, next] + perm; + assume state(Heap, Mask); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: ptr := ptrn -- linked-list-predicates.vpr@149.7--149.18 + ptr := ptrn; + assume state(Heap, Mask); + // Exhale invariant + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Loop invariant acc(this.head, write) might not be preserved. There might be insufficient permission to access this.head (linked-list-predicates.vpr@131.17--131.31) [1213]"} + perm <= Mask[this, head]; + } + Mask[this, head] := Mask[this, head] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Loop invariant acc(ptr.next, write) && (acc(ptr.data, write) && ptr.data <= elem) might not be preserved. There might be insufficient permission to access ptr.next (linked-list-predicates.vpr@132.17--132.67) [1214]"} + perm <= Mask[ptr, next]; + } + Mask[ptr, next] := Mask[ptr, next] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Loop invariant acc(ptr.next, write) && (acc(ptr.data, write) && ptr.data <= elem) might not be preserved. There might be insufficient permission to access ptr.data (linked-list-predicates.vpr@132.17--132.67) [1215]"} + perm <= Mask[ptr, data]; + } + Mask[ptr, data] := Mask[ptr, data] - perm; + assert {:msg " Loop invariant acc(ptr.next, write) && (acc(ptr.data, write) && ptr.data <= elem) might not be preserved. Assertion ptr.data <= elem might not hold. (linked-list-predicates.vpr@132.17--132.67) [1216]"} + Heap[ptr, data] <= elem; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Loop invariant acc(lseg(ptr.next, null), write) might not be preserved. There might be insufficient permission to access lseg(ptr.next, null) (linked-list-predicates.vpr@133.17--133.42) [1217]"} + perm <= Mask[null, lseg(Heap[ptr, next], null)]; + } + Mask[null, lseg(Heap[ptr, next], null)] := Mask[null, lseg(Heap[ptr, next], null)] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Loop invariant acc(lseg(this.head, ptr), write) might not be preserved. There might be insufficient permission to access lseg(this.head, ptr) (linked-list-predicates.vpr@134.17--134.42) [1218]"} + perm <= Mask[null, lseg(Heap[this, head], ptr)]; + } + Mask[null, lseg(Heap[this, head], ptr)] := Mask[null, lseg(Heap[this, head], ptr)] - perm; + if (*) { + if (0 <= i_10 && i_10 < Seq#Length(contentNodes(Heap, Heap[this, head], ptr))) { + assert {:msg " Loop invariant (forall i: Int :: { contentNodes(this.head, ptr)[i] } 0 <= i && i < |contentNodes(this.head, ptr)| ==> contentNodes(this.head, ptr)[i] <= ptr.data) might not be preserved. Assertion contentNodes(this.head, ptr)[i] <= ptr.data might not hold. (linked-list-predicates.vpr@135.17--136.62) [1219]"} + Seq#Index(contentNodes(Heap, Heap[this, head], ptr), i_10) <= Heap[ptr, data]; + } + assume false; + } + assume (forall i_11_1: int :: + { Seq#Index(contentNodes#frame(Heap[null, lseg(Heap[this, head], ptr)], Heap[this, head], ptr), i_11_1) } + 0 <= i_11_1 && i_11_1 < Seq#Length(contentNodes(Heap, Heap[this, head], ptr)) ==> Seq#Index(contentNodes(Heap, Heap[this, head], ptr), i_11_1) <= Heap[ptr, data] + ); + if (*) { + if (0 <= i_12 && i_12 < Seq#Length(contentNodes(Heap, Heap[ptr, next], null))) { + assert {:msg " Loop invariant (forall i: Int :: { contentNodes(ptr.next, null)[i] } 0 <= i && i < |contentNodes(ptr.next, null)| ==> ptr.data <= contentNodes(ptr.next, null)[i]) might not be preserved. Assertion ptr.data <= contentNodes(ptr.next, null)[i] might not hold. (linked-list-predicates.vpr@137.17--138.62) [1220]"} + Heap[ptr, data] <= Seq#Index(contentNodes(Heap, Heap[ptr, next], null), i_12); + } + assume false; + } + assume (forall i_13_1: int :: + { Seq#Index(contentNodes#frame(Heap[null, lseg(Heap[ptr, next], null)], Heap[ptr, next], null), i_13_1) } + 0 <= i_13_1 && i_13_1 < Seq#Length(contentNodes(Heap, Heap[ptr, next], null)) ==> Heap[ptr, data] <= Seq#Index(contentNodes(Heap, Heap[ptr, next], null), i_13_1) + ); + assert {:msg " Loop invariant index - 1 == |contentNodes(this.head, ptr)| might not be preserved. Assertion index - 1 == |contentNodes(this.head, ptr)| might not hold. (linked-list-predicates.vpr@139.17--139.58) [1221]"} + index - 1 == Seq#Length(contentNodes(Heap, Heap[this, head], ptr)); + assert {:msg " Loop invariant old(content(this)) == contentNodes(this.head, ptr) ++ Seq(ptr.data) ++ contentNodes(ptr.next, null) might not be preserved. Assertion old(content(this)) == contentNodes(this.head, ptr) ++ Seq(ptr.data) ++ contentNodes(ptr.next, null) might not hold. (linked-list-predicates.vpr@141.9--141.108) [1222]"} + Seq#Equal(content(old(Heap), this), Seq#Append(Seq#Append(contentNodes(Heap, Heap[this, head], ptr), Seq#Singleton(Heap[ptr, data])), contentNodes(Heap, Heap[ptr, next], null))); + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Terminate execution + assume false; + } + + // -- Inhale loop invariant after loop, and assume guard + assume !(Heap[ptr, next] != null && Heap[Heap[ptr, next], data] < elem); + assume state(Heap, Mask); + perm := FullPerm; + assume this != null; + Mask[this, head] := Mask[this, head] + perm; + assume state(Heap, Mask); + perm := FullPerm; + assume ptr != null; + Mask[ptr, next] := Mask[ptr, next] + perm; + assume state(Heap, Mask); + perm := FullPerm; + assume ptr != null; + Mask[ptr, data] := Mask[ptr, data] + perm; + assume state(Heap, Mask); + assume Heap[ptr, data] <= elem; + perm := FullPerm; + Mask[null, lseg(Heap[ptr, next], null)] := Mask[null, lseg(Heap[ptr, next], null)] + perm; + assume state(Heap, Mask); + perm := FullPerm; + Mask[null, lseg(Heap[this, head], ptr)] := Mask[null, lseg(Heap[this, head], ptr)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume (forall i_14: int :: + { Seq#Index(contentNodes#frame(Heap[null, lseg(Heap[this, head], ptr)], Heap[this, head], ptr), i_14) } + 0 <= i_14 && i_14 < Seq#Length(contentNodes(Heap, Heap[this, head], ptr)) ==> Seq#Index(contentNodes(Heap, Heap[this, head], ptr), i_14) <= Heap[ptr, data] + ); + assume state(Heap, Mask); + assume (forall i_15: int :: + { Seq#Index(contentNodes#frame(Heap[null, lseg(Heap[ptr, next], null)], Heap[ptr, next], null), i_15) } + 0 <= i_15 && i_15 < Seq#Length(contentNodes(Heap, Heap[ptr, next], null)) ==> Heap[ptr, data] <= Seq#Index(contentNodes(Heap, Heap[ptr, next], null), i_15) + ); + assume state(Heap, Mask); + assume index - 1 == Seq#Length(contentNodes(Heap, Heap[this, head], ptr)); + assume state(Heap, Mask); + assume Seq#Equal(content(old(Heap), this), Seq#Append(Seq#Append(contentNodes(Heap, Heap[this, head], ptr), Seq#Singleton(Heap[ptr, data])), contentNodes(Heap, Heap[ptr, next], null))); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: tmp := new(data, next, head, held, changed) -- linked-list-predicates.vpr@152.5--152.18 + havoc freshObj; + assume freshObj != null && !Heap[freshObj, $allocated]; + Heap[freshObj, $allocated] := true; + tmp := freshObj; + Mask[tmp, data] := Mask[tmp, data] + FullPerm; + Mask[tmp, next] := Mask[tmp, next] + FullPerm; + Mask[tmp, head] := Mask[tmp, head] + FullPerm; + Mask[tmp, held] := Mask[tmp, held] + FullPerm; + Mask[tmp, changed] := Mask[tmp, changed] + FullPerm; + assume state(Heap, Mask); + + // -- Translating statement: tmp.data := elem -- linked-list-predicates.vpr@153.5--153.21 + assert {:msg " Assignment might fail. There might be insufficient permission to access tmp.data (linked-list-predicates.vpr@153.5--153.21) [1223]"} + FullPerm == Mask[tmp, data]; + Heap[tmp, data] := elem; + assume state(Heap, Mask); + + // -- Translating statement: tmp.next := ptr.next -- linked-list-predicates.vpr@154.5--154.25 + + // -- Check definedness of ptr.next + assert {:msg " Assignment might fail. There might be insufficient permission to access ptr.next (linked-list-predicates.vpr@154.5--154.25) [1224]"} + HasDirectPerm(Mask, ptr, next); + assert {:msg " Assignment might fail. There might be insufficient permission to access tmp.next (linked-list-predicates.vpr@154.5--154.25) [1225]"} + FullPerm == Mask[tmp, next]; + Heap[tmp, next] := Heap[ptr, next]; + assume state(Heap, Mask); + + // -- Translating statement: ptr.next := tmp -- linked-list-predicates.vpr@155.5--155.20 + assert {:msg " Assignment might fail. There might be insufficient permission to access ptr.next (linked-list-predicates.vpr@155.5--155.20) [1226]"} + FullPerm == Mask[ptr, next]; + Heap[ptr, next] := tmp; + assume state(Heap, Mask); + + // -- Translating statement: fold acc(lseg(ptr.next, null), write) -- linked-list-predicates.vpr@156.5--156.35 + + // -- Check definedness of acc(lseg(ptr.next, null), write) + assert {:msg " Folding lseg(ptr.next, null) might fail. There might be insufficient permission to access ptr.next (linked-list-predicates.vpr@156.5--156.35) [1227]"} + HasDirectPerm(Mask, ptr, next); + if (Heap[ptr, next] != null) { + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Folding lseg(ptr.next, null) might fail. There might be insufficient permission to access ptr.next.data (linked-list-predicates.vpr@156.5--156.35) [1229]"} + perm <= Mask[Heap[ptr, next], data]; + } + Mask[Heap[ptr, next], data] := Mask[Heap[ptr, next], data] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Folding lseg(ptr.next, null) might fail. There might be insufficient permission to access ptr.next.next (linked-list-predicates.vpr@156.5--156.35) [1231]"} + perm <= Mask[Heap[ptr, next], next]; + } + Mask[Heap[ptr, next], next] := Mask[Heap[ptr, next], next] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Folding lseg(ptr.next, null) might fail. There might be insufficient permission to access lseg(ptr.next.next, null) (linked-list-predicates.vpr@156.5--156.35) [1233]"} + perm <= Mask[null, lseg(Heap[Heap[ptr, next], next], null)]; + } + Mask[null, lseg(Heap[Heap[ptr, next], next], null)] := Mask[null, lseg(Heap[Heap[ptr, next], next], null)] - perm; + + // -- Record predicate instance information + assume InsidePredicate(lseg(Heap[ptr, next], null), Heap[null, lseg(Heap[ptr, next], null)], lseg(Heap[Heap[ptr, next], next], null), Heap[null, lseg(Heap[Heap[ptr, next], next], null)]); + + // -- Execute unfolding (for extra information) + UnfoldingHeap := Heap; + UnfoldingMask := Mask; + assume lseg#trigger(UnfoldingHeap, lseg(UnfoldingHeap[UnfoldingHeap[ptr, next], next], null)); + assume UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[ptr, next], next], null)] == FrameFragment((if UnfoldingHeap[UnfoldingHeap[ptr, next], next] != null then CombineFrames(FrameFragment(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptr, next], next], data]), CombineFrames(FrameFragment(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptr, next], next], next]), UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptr, next], next], next], null)])) else EmptyFrame)); + if (UnfoldingHeap[UnfoldingHeap[ptr, next], next] != null) { + perm := FullPerm; + assume UnfoldingHeap[UnfoldingHeap[ptr, next], next] != null; + UnfoldingMask[UnfoldingHeap[UnfoldingHeap[ptr, next], next], data] := UnfoldingMask[UnfoldingHeap[UnfoldingHeap[ptr, next], next], data] + perm; + assume state(UnfoldingHeap, UnfoldingMask); + perm := FullPerm; + assume UnfoldingHeap[UnfoldingHeap[ptr, next], next] != null; + UnfoldingMask[UnfoldingHeap[UnfoldingHeap[ptr, next], next], next] := UnfoldingMask[UnfoldingHeap[UnfoldingHeap[ptr, next], next], next] + perm; + assume state(UnfoldingHeap, UnfoldingMask); + perm := FullPerm; + UnfoldingMask[null, lseg(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptr, next], next], next], null)] := UnfoldingMask[null, lseg(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptr, next], next], next], null)] + perm; + + // -- Extra unfolding of predicate + assume InsidePredicate(lseg(UnfoldingHeap[UnfoldingHeap[ptr, next], next], null), UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[ptr, next], next], null)], lseg(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptr, next], next], next], null), UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptr, next], next], next], null)]); + assume state(UnfoldingHeap, UnfoldingMask); + assume UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptr, next], next], next] != null ==> UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptr, next], next], data] <= UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptr, next], next], next], data]; + + // -- Free assumptions (inhale module) + if (UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptr, next], next], next] != null) { + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptr, next], next], next], null)][UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptr, next], next], next], data] := true; + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptr, next], next], next], null)][UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptr, next], next], next], next] := true; + havoc newPMask; + assume (forall o_56: Ref, f_60: (Field A B) :: + { newPMask[o_56, f_60] } + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptr, next], next], next], null)][o_56, f_60] || UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptr, next], next], next], next], null)][o_56, f_60] ==> newPMask[o_56, f_60] + ); + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptr, next], next], next], null)] := newPMask; + } + assume state(UnfoldingHeap, UnfoldingMask); + } + assume state(UnfoldingHeap, UnfoldingMask); + if (UnfoldingHeap[UnfoldingHeap[ptr, next], next] != null) { + assert {:msg " Folding lseg(ptr.next, null) might fail. Assertion ptr.next.data <= ptr.next.next.data might not hold. (linked-list-predicates.vpr@156.5--156.35) [1234]"} + UnfoldingHeap[UnfoldingHeap[ptr, next], data] <= UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptr, next], next], data]; + } + } + + // -- Free assumptions (exhale module) + if (Heap[Heap[ptr, next], next] != null) { + Heap[null, lseg#sm(Heap[Heap[ptr, next], next], null)][Heap[Heap[ptr, next], next], data] := true; + Heap[null, lseg#sm(Heap[Heap[ptr, next], next], null)][Heap[Heap[ptr, next], next], next] := true; + havoc newPMask; + assume (forall o_57: Ref, f_61: (Field A B) :: + { newPMask[o_57, f_61] } + Heap[null, lseg#sm(Heap[Heap[ptr, next], next], null)][o_57, f_61] || Heap[null, lseg#sm(Heap[Heap[Heap[ptr, next], next], next], null)][o_57, f_61] ==> newPMask[o_57, f_61] + ); + Heap[null, lseg#sm(Heap[Heap[ptr, next], next], null)] := newPMask; + } + assume state(Heap, Mask); + perm := FullPerm; + Mask[null, lseg(Heap[ptr, next], null)] := Mask[null, lseg(Heap[ptr, next], null)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume lseg#trigger(Heap, lseg(Heap[ptr, next], null)); + assume Heap[null, lseg(Heap[ptr, next], null)] == FrameFragment((if Heap[ptr, next] != null then CombineFrames(FrameFragment(Heap[Heap[ptr, next], data]), CombineFrames(FrameFragment(Heap[Heap[ptr, next], next]), Heap[null, lseg(Heap[Heap[ptr, next], next], null)])) else EmptyFrame)); + if (!HasDirectPerm(Mask, null, lseg(Heap[ptr, next], null))) { + Heap[null, lseg#sm(Heap[ptr, next], null)] := ZeroPMask; + havoc freshVersion; + Heap[null, lseg(Heap[ptr, next], null)] := freshVersion; + } + if (Heap[ptr, next] != null) { + Heap[null, lseg#sm(Heap[ptr, next], null)][Heap[ptr, next], data] := true; + Heap[null, lseg#sm(Heap[ptr, next], null)][Heap[ptr, next], next] := true; + havoc newPMask; + assume (forall o_58: Ref, f_62: (Field A B) :: + { newPMask[o_58, f_62] } + Heap[null, lseg#sm(Heap[ptr, next], null)][o_58, f_62] || Heap[null, lseg#sm(Heap[Heap[ptr, next], next], null)][o_58, f_62] ==> newPMask[o_58, f_62] + ); + Heap[null, lseg#sm(Heap[ptr, next], null)] := newPMask; + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: fold acc(lseg(ptr, null), write) -- linked-list-predicates.vpr@159.5--159.30 + if (ptr != null) { + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Folding lseg(ptr, null) might fail. There might be insufficient permission to access ptr.data (linked-list-predicates.vpr@159.5--159.30) [1237]"} + perm <= Mask[ptr, data]; + } + Mask[ptr, data] := Mask[ptr, data] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Folding lseg(ptr, null) might fail. There might be insufficient permission to access ptr.next (linked-list-predicates.vpr@159.5--159.30) [1239]"} + perm <= Mask[ptr, next]; + } + Mask[ptr, next] := Mask[ptr, next] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Folding lseg(ptr, null) might fail. There might be insufficient permission to access lseg(ptr.next, null) (linked-list-predicates.vpr@159.5--159.30) [1241]"} + perm <= Mask[null, lseg(Heap[ptr, next], null)]; + } + Mask[null, lseg(Heap[ptr, next], null)] := Mask[null, lseg(Heap[ptr, next], null)] - perm; + + // -- Record predicate instance information + assume InsidePredicate(lseg(ptr, null), Heap[null, lseg(ptr, null)], lseg(Heap[ptr, next], null), Heap[null, lseg(Heap[ptr, next], null)]); + + // -- Execute unfolding (for extra information) + UnfoldingHeap := Heap; + UnfoldingMask := Mask; + assume lseg#trigger(UnfoldingHeap, lseg(UnfoldingHeap[ptr, next], null)); + assume UnfoldingHeap[null, lseg(UnfoldingHeap[ptr, next], null)] == FrameFragment((if UnfoldingHeap[ptr, next] != null then CombineFrames(FrameFragment(UnfoldingHeap[UnfoldingHeap[ptr, next], data]), CombineFrames(FrameFragment(UnfoldingHeap[UnfoldingHeap[ptr, next], next]), UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[ptr, next], next], null)])) else EmptyFrame)); + if (UnfoldingHeap[ptr, next] != null) { + perm := FullPerm; + assume UnfoldingHeap[ptr, next] != null; + UnfoldingMask[UnfoldingHeap[ptr, next], data] := UnfoldingMask[UnfoldingHeap[ptr, next], data] + perm; + assume state(UnfoldingHeap, UnfoldingMask); + perm := FullPerm; + assume UnfoldingHeap[ptr, next] != null; + UnfoldingMask[UnfoldingHeap[ptr, next], next] := UnfoldingMask[UnfoldingHeap[ptr, next], next] + perm; + assume state(UnfoldingHeap, UnfoldingMask); + perm := FullPerm; + UnfoldingMask[null, lseg(UnfoldingHeap[UnfoldingHeap[ptr, next], next], null)] := UnfoldingMask[null, lseg(UnfoldingHeap[UnfoldingHeap[ptr, next], next], null)] + perm; + + // -- Extra unfolding of predicate + assume InsidePredicate(lseg(UnfoldingHeap[ptr, next], null), UnfoldingHeap[null, lseg(UnfoldingHeap[ptr, next], null)], lseg(UnfoldingHeap[UnfoldingHeap[ptr, next], next], null), UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[ptr, next], next], null)]); + assume state(UnfoldingHeap, UnfoldingMask); + assume UnfoldingHeap[UnfoldingHeap[ptr, next], next] != null ==> UnfoldingHeap[UnfoldingHeap[ptr, next], data] <= UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptr, next], next], data]; + + // -- Free assumptions (inhale module) + if (UnfoldingHeap[UnfoldingHeap[ptr, next], next] != null) { + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[ptr, next], next], null)][UnfoldingHeap[UnfoldingHeap[ptr, next], next], data] := true; + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[ptr, next], next], null)][UnfoldingHeap[UnfoldingHeap[ptr, next], next], next] := true; + havoc newPMask; + assume (forall o_59: Ref, f_63: (Field A B) :: + { newPMask[o_59, f_63] } + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[ptr, next], next], null)][o_59, f_63] || UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[ptr, next], next], next], null)][o_59, f_63] ==> newPMask[o_59, f_63] + ); + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[ptr, next], next], null)] := newPMask; + } + assume state(UnfoldingHeap, UnfoldingMask); + } + assume state(UnfoldingHeap, UnfoldingMask); + if (UnfoldingHeap[ptr, next] != null) { + assert {:msg " Folding lseg(ptr, null) might fail. Assertion ptr.data <= ptr.next.data might not hold. (linked-list-predicates.vpr@159.5--159.30) [1242]"} + UnfoldingHeap[ptr, data] <= UnfoldingHeap[UnfoldingHeap[ptr, next], data]; + } + } + + // -- Free assumptions (exhale module) + if (Heap[ptr, next] != null) { + Heap[null, lseg#sm(Heap[ptr, next], null)][Heap[ptr, next], data] := true; + Heap[null, lseg#sm(Heap[ptr, next], null)][Heap[ptr, next], next] := true; + havoc newPMask; + assume (forall o_60: Ref, f_64: (Field A B) :: + { newPMask[o_60, f_64] } + Heap[null, lseg#sm(Heap[ptr, next], null)][o_60, f_64] || Heap[null, lseg#sm(Heap[Heap[ptr, next], next], null)][o_60, f_64] ==> newPMask[o_60, f_64] + ); + Heap[null, lseg#sm(Heap[ptr, next], null)] := newPMask; + } + assume state(Heap, Mask); + perm := FullPerm; + Mask[null, lseg(ptr, null)] := Mask[null, lseg(ptr, null)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume lseg#trigger(Heap, lseg(ptr, null)); + assume Heap[null, lseg(ptr, null)] == FrameFragment((if ptr != null then CombineFrames(FrameFragment(Heap[ptr, data]), CombineFrames(FrameFragment(Heap[ptr, next]), Heap[null, lseg(Heap[ptr, next], null)])) else EmptyFrame)); + if (!HasDirectPerm(Mask, null, lseg(ptr, null))) { + Heap[null, lseg#sm(ptr, null)] := ZeroPMask; + havoc freshVersion; + Heap[null, lseg(ptr, null)] := freshVersion; + } + if (ptr != null) { + Heap[null, lseg#sm(ptr, null)][ptr, data] := true; + Heap[null, lseg#sm(ptr, null)][ptr, next] := true; + havoc newPMask; + assume (forall o_61: Ref, f_65: (Field A B) :: + { newPMask[o_61, f_65] } + Heap[null, lseg#sm(ptr, null)][o_61, f_65] || Heap[null, lseg#sm(Heap[ptr, next], null)][o_61, f_65] ==> newPMask[o_61, f_65] + ); + Heap[null, lseg#sm(ptr, null)] := newPMask; + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: concat(this.head, ptr, null) -- linked-list-predicates.vpr@160.5--160.33 + PreCallHeap := Heap; + PreCallMask := Mask; + + // -- Check definedness of this.head + assert {:msg " Method call might fail. There might be insufficient permission to access this.head (linked-list-predicates.vpr@160.5--160.33) [1244]"} + HasDirectPerm(Mask, this, head); + arg_this_1 := Heap[this, head]; + + // -- Exhaling precondition + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " The precondition of method concat might not hold. There might be insufficient permission to access lseg(this.head, ptr) (linked-list-predicates.vpr@160.5--160.33) [1245]"} + perm <= Mask[null, lseg(arg_this_1, ptr)]; + } + Mask[null, lseg(arg_this_1, ptr)] := Mask[null, lseg(arg_this_1, ptr)] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " The precondition of method concat might not hold. There might be insufficient permission to access lseg(ptr, null) (linked-list-predicates.vpr@160.5--160.33) [1246]"} + perm <= Mask[null, lseg(ptr, null)]; + } + Mask[null, lseg(ptr, null)] := Mask[null, lseg(ptr, null)] - perm; + if (null != null) { + assert {:msg " The precondition of method concat might not hold. Fraction 1 / 2 might be negative. (linked-list-predicates.vpr@160.5--160.33) [1247]"} + 1 / 2 >= NoPerm; + perm := 1 / 2; + if (perm != NoPerm) { + assert {:msg " The precondition of method concat might not hold. There might be insufficient permission to access null.next (linked-list-predicates.vpr@160.5--160.33) [1248]"} + perm <= Mask[null, next]; + } + Mask[null, next] := Mask[null, next] - perm; + } + if (0 < Seq#Length(contentNodes(Heap, arg_this_1, ptr)) && 0 < Seq#Length(contentNodes(Heap, ptr, null))) { + assert {:msg " The precondition of method concat might not hold. Assertion contentNodes(this.head, ptr)[|contentNodes(this.head, ptr)| - 1] <= contentNodes(ptr, null)[0] might not hold. (linked-list-predicates.vpr@160.5--160.33) [1249]"} + Seq#Index(contentNodes(Heap, arg_this_1, ptr), Seq#Length(contentNodes(Heap, arg_this_1, ptr)) - 1) <= Seq#Index(contentNodes(Heap, ptr, null), 0); + } + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + + // -- Inhaling postcondition + perm := FullPerm; + Mask[null, lseg(arg_this_1, null)] := Mask[null, lseg(arg_this_1, null)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume Seq#Equal(contentNodes(Heap, arg_this_1, null), Seq#Append(contentNodes(old(PreCallHeap), arg_this_1, ptr), contentNodes(old(PreCallHeap), ptr, null))); + if (null != null) { + perm := 1 / 2; + assert {:msg " Method call might fail. Fraction 1 / 2 might be negative. (linked-list-predicates.vpr@160.5--160.33) [1250]"} + perm >= NoPerm; + assume perm > NoPerm ==> null != null; + Mask[null, next] := Mask[null, next] + perm; + assume state(Heap, Mask); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Translating statement: fold acc(List(this), write) -- linked-list-predicates.vpr@163.3--163.23 + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Folding List(this) might fail. There might be insufficient permission to access this.head (linked-list-predicates.vpr@163.3--163.23) [1252]"} + perm <= Mask[this, head]; + } + Mask[this, head] := Mask[this, head] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Folding List(this) might fail. There might be insufficient permission to access lseg(this.head, null) (linked-list-predicates.vpr@163.3--163.23) [1254]"} + perm <= Mask[null, lseg(Heap[this, head], null)]; + } + Mask[null, lseg(Heap[this, head], null)] := Mask[null, lseg(Heap[this, head], null)] - perm; + + // -- Record predicate instance information + assume InsidePredicate(List(this), Heap[null, List(this)], lseg(Heap[this, head], null), Heap[null, lseg(Heap[this, head], null)]); + perm := FullPerm; + Mask[null, List(this)] := Mask[null, List(this)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume List#trigger(Heap, List(this)); + assume Heap[null, List(this)] == CombineFrames(FrameFragment(Heap[this, head]), Heap[null, lseg(Heap[this, head], null)]); + if (!HasDirectPerm(Mask, null, List(this))) { + Heap[null, List#sm(this)] := ZeroPMask; + havoc freshVersion; + Heap[null, List(this)] := freshVersion; + } + Heap[null, List#sm(this)][this, head] := true; + havoc newPMask; + assume (forall o_62: Ref, f_66: (Field A B) :: + { newPMask[o_62, f_66] } + Heap[null, List#sm(this)][o_62, f_66] || Heap[null, lseg#sm(Heap[this, head], null)][o_62, f_66] ==> newPMask[o_62, f_66] + ); + Heap[null, List#sm(this)] := newPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Exhaling postcondition + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Postcondition of insert might not hold. There might be insufficient permission to access List(this) (linked-list-predicates.vpr@105.11--105.26) [1256]"} + perm <= Mask[null, List(this)]; + } + Mask[null, List(this)] := Mask[null, List(this)] - perm; + assert {:msg " Postcondition of insert might not hold. Assertion 0 <= index might not hold. (linked-list-predicates.vpr@106.11--106.54) [1257]"} + 0 <= index; + assert {:msg " Postcondition of insert might not hold. Assertion index <= |old(content(this))| might not hold. (linked-list-predicates.vpr@106.11--106.54) [1258]"} + index <= Seq#Length(content(old(Heap), this)); + assert {:msg " Postcondition of insert might not hold. Assertion content(this) == old(content(this))[0..index] ++ Seq(elem) ++ old(content(this))[index..] might not hold. (linked-list-predicates.vpr@107.11--107.100) [1259]"} + Seq#Equal(content(Heap, this), Seq#Append(Seq#Append(Seq#Drop(Seq#Take(content(old(Heap), this), index), 0), Seq#Singleton(elem)), Seq#Drop(content(old(Heap), this), index))); + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; +} + +// ================================================== +// Translation of method dequeue +// ================================================== + +procedure dequeue(this: Ref) returns (res: int) + modifies Heap, Mask; +{ + var perm: Perm; + var ExhaleHeap: HeapType; + var PostHeap: HeapType; + var PostMask: MaskType; + var newVersion: FrameType; + var UnfoldingHeap: HeapType; + var UnfoldingMask: MaskType; + var newPMask: PMaskType; + var freshVersion: FrameType; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == -1; + + // -- Assumptions about method arguments + assume Heap[this, $allocated]; + + // -- Checked inhaling of precondition + perm := FullPerm; + Mask[null, List(this)] := Mask[null, List(this)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of 0 < length(this) + if (*) { + // Exhale precondition of function application + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Precondition of function length might not hold. There might be insufficient permission to access List(this) (linked-list-predicates.vpr@168.16--168.28) [1260]"} + perm <= Mask[null, List(this)]; + } + Mask[null, List(this)] := Mask[null, List(this)] - perm; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } + assume 0 < length(Heap, this); + assume state(Heap, Mask); + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + PostHeap := Heap; + PostMask := Mask; + havoc PostHeap; + PostMask := ZeroMask; + assume state(PostHeap, PostMask); + if (*) { + // Checked inhaling of postcondition to check definedness + perm := FullPerm; + PostMask[null, List(this)] := PostMask[null, List(this)] + perm; + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + + // -- Check definedness of res == old(content(this)[0]) + if (*) { + // Exhale precondition of function application + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Precondition of function content might not hold. There might be insufficient permission to access List(this) (linked-list-predicates.vpr@170.22--170.35) [1261]"} + perm <= old(Mask)[null, List(this)]; + } + // Finish exhale + // Stop execution + assume false; + } + assert {:msg " Contract might not be well-formed. Index content(this)[0] into content(this) might exceed sequence length. (linked-list-predicates.vpr@170.11--170.39) [1262]"} + 0 < Seq#Length(content(old(Heap), this)); + assume res == Seq#Index(content(old(Heap), this), 0); + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + + // -- Check definedness of content(this) == old(content(this)[1..]) + if (*) { + // Exhale precondition of function application + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Precondition of function content might not hold. There might be insufficient permission to access List(this) (linked-list-predicates.vpr@171.11--171.24) [1263]"} + perm <= PostMask[null, List(this)]; + } + PostMask[null, List(this)] := PostMask[null, List(this)] - perm; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(PostHeap, ExhaleHeap, PostMask); + PostHeap := ExhaleHeap; + // Stop execution + assume false; + } + if (*) { + // Exhale precondition of function application + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Precondition of function content might not hold. There might be insufficient permission to access List(this) (linked-list-predicates.vpr@171.32--171.45) [1264]"} + perm <= old(Mask)[null, List(this)]; + } + // Finish exhale + // Stop execution + assume false; + } + assume Seq#Equal(content(PostHeap, this), Seq#Drop(content(old(Heap), this), 1)); + assume state(PostHeap, PostMask); + // Stop execution + assume false; + } + + // -- Translating statement: unfold acc(List(this), write) -- linked-list-predicates.vpr@173.3--173.25 + assume List#trigger(Heap, List(this)); + assume Heap[null, List(this)] == CombineFrames(FrameFragment(Heap[this, head]), Heap[null, lseg(Heap[this, head], null)]); + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Unfolding List(this) might fail. There might be insufficient permission to access List(this) (linked-list-predicates.vpr@173.3--173.25) [1266]"} + perm <= Mask[null, List(this)]; + } + Mask[null, List(this)] := Mask[null, List(this)] - perm; + + // -- Update version of predicate + if (!HasDirectPerm(Mask, null, List(this))) { + havoc newVersion; + Heap[null, List(this)] := newVersion; + } + perm := FullPerm; + assume this != null; + Mask[this, head] := Mask[this, head] + perm; + assume state(Heap, Mask); + perm := FullPerm; + Mask[null, lseg(Heap[this, head], null)] := Mask[null, lseg(Heap[this, head], null)] + perm; + + // -- Extra unfolding of predicate + assume InsidePredicate(List(this), Heap[null, List(this)], lseg(Heap[this, head], null), Heap[null, lseg(Heap[this, head], null)]); + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: unfold acc(lseg(this.head, null), write) -- linked-list-predicates.vpr@174.3--174.36 + + // -- Check definedness of acc(lseg(this.head, null), write) + assert {:msg " Unfolding lseg(this.head, null) might fail. There might be insufficient permission to access this.head (linked-list-predicates.vpr@174.3--174.36) [1269]"} + HasDirectPerm(Mask, this, head); + assume lseg#trigger(Heap, lseg(Heap[this, head], null)); + assume Heap[null, lseg(Heap[this, head], null)] == FrameFragment((if Heap[this, head] != null then CombineFrames(FrameFragment(Heap[Heap[this, head], data]), CombineFrames(FrameFragment(Heap[Heap[this, head], next]), Heap[null, lseg(Heap[Heap[this, head], next], null)])) else EmptyFrame)); + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Unfolding lseg(this.head, null) might fail. There might be insufficient permission to access lseg(this.head, null) (linked-list-predicates.vpr@174.3--174.36) [1271]"} + perm <= Mask[null, lseg(Heap[this, head], null)]; + } + Mask[null, lseg(Heap[this, head], null)] := Mask[null, lseg(Heap[this, head], null)] - perm; + + // -- Update version of predicate + if (!HasDirectPerm(Mask, null, lseg(Heap[this, head], null))) { + havoc newVersion; + Heap[null, lseg(Heap[this, head], null)] := newVersion; + } + if (Heap[this, head] != null) { + perm := FullPerm; + assume Heap[this, head] != null; + Mask[Heap[this, head], data] := Mask[Heap[this, head], data] + perm; + assume state(Heap, Mask); + perm := FullPerm; + assume Heap[this, head] != null; + Mask[Heap[this, head], next] := Mask[Heap[this, head], next] + perm; + assume state(Heap, Mask); + perm := FullPerm; + Mask[null, lseg(Heap[Heap[this, head], next], null)] := Mask[null, lseg(Heap[Heap[this, head], next], null)] + perm; + + // -- Extra unfolding of predicate + assume InsidePredicate(lseg(Heap[this, head], null), Heap[null, lseg(Heap[this, head], null)], lseg(Heap[Heap[this, head], next], null), Heap[null, lseg(Heap[Heap[this, head], next], null)]); + assume state(Heap, Mask); + + // -- Execute unfolding (for extra information) + UnfoldingHeap := Heap; + UnfoldingMask := Mask; + assume lseg#trigger(UnfoldingHeap, lseg(UnfoldingHeap[UnfoldingHeap[this, head], next], null)); + assume UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[this, head], next], null)] == FrameFragment((if UnfoldingHeap[UnfoldingHeap[this, head], next] != null then CombineFrames(FrameFragment(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], data]), CombineFrames(FrameFragment(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next]), UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], null)])) else EmptyFrame)); + perm := FullPerm; + UnfoldingMask[null, lseg(UnfoldingHeap[UnfoldingHeap[this, head], next], null)] := UnfoldingMask[null, lseg(UnfoldingHeap[UnfoldingHeap[this, head], next], null)] - perm; + if (UnfoldingHeap[UnfoldingHeap[this, head], next] != null) { + perm := FullPerm; + assume UnfoldingHeap[UnfoldingHeap[this, head], next] != null; + UnfoldingMask[UnfoldingHeap[UnfoldingHeap[this, head], next], data] := UnfoldingMask[UnfoldingHeap[UnfoldingHeap[this, head], next], data] + perm; + assume state(UnfoldingHeap, UnfoldingMask); + perm := FullPerm; + assume UnfoldingHeap[UnfoldingHeap[this, head], next] != null; + UnfoldingMask[UnfoldingHeap[UnfoldingHeap[this, head], next], next] := UnfoldingMask[UnfoldingHeap[UnfoldingHeap[this, head], next], next] + perm; + assume state(UnfoldingHeap, UnfoldingMask); + perm := FullPerm; + UnfoldingMask[null, lseg(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], null)] := UnfoldingMask[null, lseg(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], null)] + perm; + + // -- Extra unfolding of predicate + assume InsidePredicate(lseg(UnfoldingHeap[UnfoldingHeap[this, head], next], null), UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[this, head], next], null)], lseg(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], null), UnfoldingHeap[null, lseg(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], null)]); + assume state(UnfoldingHeap, UnfoldingMask); + assume UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next] != null ==> UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], data] <= UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], data]; + + // -- Free assumptions (inhale module) + if (UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next] != null) { + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], null)][UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], data] := true; + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], null)][UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], next] := true; + havoc newPMask; + assume (forall o_63: Ref, f_67: (Field A B) :: + { newPMask[o_63, f_67] } + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], null)][o_63, f_67] || UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], next], null)][o_63, f_67] ==> newPMask[o_63, f_67] + ); + UnfoldingHeap[null, lseg#sm(UnfoldingHeap[UnfoldingHeap[UnfoldingHeap[this, head], next], next], null)] := newPMask; + } + assume state(UnfoldingHeap, UnfoldingMask); + } + assume state(UnfoldingHeap, UnfoldingMask); + assume Heap[Heap[this, head], next] != null ==> Heap[Heap[this, head], data] <= Heap[Heap[Heap[this, head], next], data]; + + // -- Free assumptions (inhale module) + if (Heap[Heap[this, head], next] != null) { + Heap[null, lseg#sm(Heap[Heap[this, head], next], null)][Heap[Heap[this, head], next], data] := true; + Heap[null, lseg#sm(Heap[Heap[this, head], next], null)][Heap[Heap[this, head], next], next] := true; + havoc newPMask; + assume (forall o_64: Ref, f_68: (Field A B) :: + { newPMask[o_64, f_68] } + Heap[null, lseg#sm(Heap[Heap[this, head], next], null)][o_64, f_68] || Heap[null, lseg#sm(Heap[Heap[Heap[this, head], next], next], null)][o_64, f_68] ==> newPMask[o_64, f_68] + ); + Heap[null, lseg#sm(Heap[Heap[this, head], next], null)] := newPMask; + } + assume state(Heap, Mask); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: res := this.head.data -- linked-list-predicates.vpr@175.3--175.24 + + // -- Check definedness of this.head.data + assert {:msg " Assignment might fail. There might be insufficient permission to access this.head.data (linked-list-predicates.vpr@175.3--175.24) [1275]"} + HasDirectPerm(Mask, Heap[this, head], data); + assert {:msg " Assignment might fail. There might be insufficient permission to access this.head (linked-list-predicates.vpr@175.3--175.24) [1276]"} + HasDirectPerm(Mask, this, head); + res := Heap[Heap[this, head], data]; + assume state(Heap, Mask); + + // -- Translating statement: this.head := this.head.next -- linked-list-predicates.vpr@176.3--176.30 + + // -- Check definedness of this.head.next + assert {:msg " Assignment might fail. There might be insufficient permission to access this.head.next (linked-list-predicates.vpr@176.3--176.30) [1277]"} + HasDirectPerm(Mask, Heap[this, head], next); + assert {:msg " Assignment might fail. There might be insufficient permission to access this.head (linked-list-predicates.vpr@176.3--176.30) [1278]"} + HasDirectPerm(Mask, this, head); + assert {:msg " Assignment might fail. There might be insufficient permission to access this.head (linked-list-predicates.vpr@176.3--176.30) [1279]"} + FullPerm == Mask[this, head]; + Heap[this, head] := Heap[Heap[this, head], next]; + assume state(Heap, Mask); + + // -- Translating statement: fold acc(List(this), write) -- linked-list-predicates.vpr@177.3--177.23 + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Folding List(this) might fail. There might be insufficient permission to access this.head (linked-list-predicates.vpr@177.3--177.23) [1281]"} + perm <= Mask[this, head]; + } + Mask[this, head] := Mask[this, head] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Folding List(this) might fail. There might be insufficient permission to access lseg(this.head, null) (linked-list-predicates.vpr@177.3--177.23) [1283]"} + perm <= Mask[null, lseg(Heap[this, head], null)]; + } + Mask[null, lseg(Heap[this, head], null)] := Mask[null, lseg(Heap[this, head], null)] - perm; + + // -- Record predicate instance information + assume InsidePredicate(List(this), Heap[null, List(this)], lseg(Heap[this, head], null), Heap[null, lseg(Heap[this, head], null)]); + perm := FullPerm; + Mask[null, List(this)] := Mask[null, List(this)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume List#trigger(Heap, List(this)); + assume Heap[null, List(this)] == CombineFrames(FrameFragment(Heap[this, head]), Heap[null, lseg(Heap[this, head], null)]); + if (!HasDirectPerm(Mask, null, List(this))) { + Heap[null, List#sm(this)] := ZeroPMask; + havoc freshVersion; + Heap[null, List(this)] := freshVersion; + } + Heap[null, List#sm(this)][this, head] := true; + havoc newPMask; + assume (forall o_65: Ref, f_69: (Field A B) :: + { newPMask[o_65, f_69] } + Heap[null, List#sm(this)][o_65, f_69] || Heap[null, lseg#sm(Heap[this, head], null)][o_65, f_69] ==> newPMask[o_65, f_69] + ); + Heap[null, List#sm(this)] := newPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Exhaling postcondition + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Postcondition of dequeue might not hold. There might be insufficient permission to access List(this) (linked-list-predicates.vpr@169.11--169.26) [1285]"} + perm <= Mask[null, List(this)]; + } + Mask[null, List(this)] := Mask[null, List(this)] - perm; + assert {:msg " Postcondition of dequeue might not hold. Assertion res == old(content(this)[0]) might not hold. (linked-list-predicates.vpr@170.11--170.39) [1286]"} + res == Seq#Index(content(old(Heap), this), 0); + assert {:msg " Postcondition of dequeue might not hold. Assertion content(this) == old(content(this)[1..]) might not hold. (linked-list-predicates.vpr@171.11--171.51) [1287]"} + Seq#Equal(content(Heap, this), Seq#Drop(content(old(Heap), this), 1)); + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; +} + +// ================================================== +// Translation of method test +// ================================================== + +procedure test(lock: Ref) returns () + modifies Heap, Mask; +{ + var acq_lblGuard: bool; + var PostHeap: HeapType; + var PostMask: MaskType; + var r_1: Ref; + var perm: Perm; + var LabelacqMask: MaskType; + var LabelacqHeap: HeapType; + var ExhaleHeap: HeapType; + var PreCallHeap: HeapType; + var PreCallMask: MaskType; + var r1: int; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == -1; + acq_lblGuard := false; + + // -- Assumptions about method arguments + assume Heap[lock, $allocated]; + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + PostHeap := Heap; + PostMask := Mask; + havoc PostHeap; + PostMask := ZeroMask; + assume state(PostHeap, PostMask); + if (*) { + // Checked inhaling of postcondition to check definedness + + // -- Do welldefinedness check of the inhale part. + if (*) { + assume state(PostHeap, PostMask); + assume false; + } + + // -- Normally inhale the exhale part. + + // -- Check definedness of (forperm r: Ref [r.held] :: false) + if (*) { + if (HasDirectPerm(PostMask, r_1, held)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access r.held (linked-list-predicates.vpr@195.11--195.51) [1288]"} + HasDirectPerm(PostMask, r_1, held); + } + assume false; + } + assume (forall r_1_1: Ref :: + { PostMask[r_1_1, held] } + HasDirectPerm(PostMask, r_1_1, held) ==> false + ); + assume state(PostHeap, PostMask); + // Stop execution + assume false; + } + + // -- Translating statement: inhale acc(List(lock), write) && + // (acc(lock.held, write) && acc(lock.changed, write)) -- linked-list-predicates.vpr@198.3--198.64 + perm := FullPerm; + Mask[null, List(lock)] := Mask[null, List(lock)] + perm; + assume state(Heap, Mask); + perm := FullPerm; + assume lock != null; + Mask[lock, held] := Mask[lock, held] + perm; + assume state(Heap, Mask); + perm := FullPerm; + assume lock != null; + Mask[lock, changed] := Mask[lock, changed] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: label acq -- linked-list-predicates.vpr@199.1--199.10 + acq: + LabelacqMask := Mask; + LabelacqHeap := Heap; + acq_lblGuard := true; + assume state(Heap, Mask); + + // -- Translating statement: if (2 <= length(lock)) -- linked-list-predicates.vpr@201.3--208.4 + + // -- Check definedness of 2 <= length(lock) + if (*) { + // Exhale precondition of function application + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Precondition of function length might not hold. There might be insufficient permission to access List(lock) (linked-list-predicates.vpr@201.11--201.23) [1292]"} + perm <= Mask[null, List(lock)]; + } + Mask[null, List(lock)] := Mask[null, List(lock)] - perm; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } + if (2 <= length(Heap, lock)) { + + // -- Translating statement: r1 := dequeue(lock) -- linked-list-predicates.vpr@203.5--203.24 + PreCallHeap := Heap; + PreCallMask := Mask; + havoc r1; + + // -- Exhaling precondition + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " The precondition of method dequeue might not hold. There might be insufficient permission to access List(lock) (linked-list-predicates.vpr@203.5--203.24) [1293]"} + perm <= Mask[null, List(lock)]; + } + Mask[null, List(lock)] := Mask[null, List(lock)] - perm; + assert {:msg " The precondition of method dequeue might not hold. Assertion 0 < length(lock) might not hold. (linked-list-predicates.vpr@203.5--203.24) [1294]"} + 0 < length(Heap, lock); + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + + // -- Inhaling postcondition + perm := FullPerm; + Mask[null, List(lock)] := Mask[null, List(lock)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume r1 == Seq#Index(content(old(PreCallHeap), lock), 0); + assume state(Heap, Mask); + assume Seq#Equal(content(Heap, lock), Seq#Drop(content(old(PreCallHeap), lock), 1)); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: assert r1 <= peek(lock) -- linked-list-predicates.vpr@205.5--205.28 + + // -- Check definedness of r1 <= peek(lock) + if (*) { + // Exhale precondition of function application + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Precondition of function peek might not hold. There might be insufficient permission to access List(lock) (linked-list-predicates.vpr@205.18--205.28) [1295]"} + perm <= Mask[null, List(lock)]; + } + Mask[null, List(lock)] := Mask[null, List(lock)] - perm; + assert {:msg " Precondition of function peek might not hold. Assertion 0 < length(lock) might not hold. (linked-list-predicates.vpr@205.18--205.28) [1296]"} + 0 < length(Heap, lock); + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } + assert {:msg " Assert might fail. Assertion r1 <= peek(lock) might not hold. (linked-list-predicates.vpr@205.12--205.28) [1297]"} + r1 <= peek(Heap, lock); + assume state(Heap, Mask); + + // -- Translating statement: lock.changed := true -- linked-list-predicates.vpr@207.5--207.25 + assert {:msg " Assignment might fail. There might be insufficient permission to access lock.changed (linked-list-predicates.vpr@207.5--207.25) [1298]"} + FullPerm == Mask[lock, changed]; + Heap[lock, changed] := true; + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Translating statement: exhale acc(List(lock), write) && + // (acc(lock.held, write) && + // (acc(lock.changed, write) && + // (old[acq](content(lock)) == content(lock) || lock.changed))) -- linked-list-predicates.vpr@211.3--212.71 + + // -- Check definedness of acc(List(lock), write) && (acc(lock.held, write) && (acc(lock.changed, write) && (old[acq](content(lock)) == content(lock) || lock.changed))) + assert {:msg " Exhale might fail. Did not reach labelled state acq required to evaluate old[acq](content(lock)). (linked-list-predicates.vpr@211.13--212.71) [1299]"} + acq_lblGuard; + if (*) { + // Exhale precondition of function application + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Precondition of function content might not hold. There might be insufficient permission to access List(lock) (linked-list-predicates.vpr@212.23--212.36) [1300]"} + perm <= LabelacqMask[null, List(lock)]; + } + LabelacqMask[null, List(lock)] := LabelacqMask[null, List(lock)] - perm; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(LabelacqHeap, ExhaleHeap, LabelacqMask); + LabelacqHeap := ExhaleHeap; + // Stop execution + assume false; + } + if (*) { + // Exhale precondition of function application + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Precondition of function content might not hold. There might be insufficient permission to access List(lock) (linked-list-predicates.vpr@212.41--212.54) [1301]"} + perm <= Mask[null, List(lock)]; + } + Mask[null, List(lock)] := Mask[null, List(lock)] - perm; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } + if (!Seq#Equal(content(LabelacqHeap, lock), content(Heap, lock))) { + assert {:msg " Exhale might fail. There might be insufficient permission to access lock.changed (linked-list-predicates.vpr@211.13--212.71) [1302]"} + HasDirectPerm(Mask, lock, changed); + } + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Exhale might fail. There might be insufficient permission to access List(lock) (linked-list-predicates.vpr@211.13--212.71) [1304]"} + perm <= Mask[null, List(lock)]; + } + Mask[null, List(lock)] := Mask[null, List(lock)] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Exhale might fail. There might be insufficient permission to access lock.held (linked-list-predicates.vpr@211.13--212.71) [1306]"} + perm <= Mask[lock, held]; + } + Mask[lock, held] := Mask[lock, held] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Exhale might fail. There might be insufficient permission to access lock.changed (linked-list-predicates.vpr@211.13--212.71) [1308]"} + perm <= Mask[lock, changed]; + } + Mask[lock, changed] := Mask[lock, changed] - perm; + assert {:msg " Exhale might fail. Assertion old[acq](content(lock)) == content(lock) || lock.changed might not hold. (linked-list-predicates.vpr@211.13--212.71) [1309]"} + Seq#Equal(content(LabelacqHeap, lock), content(Heap, lock)) || Heap[lock, changed]; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + assume state(Heap, Mask); + + // -- Exhaling postcondition + assert {:msg " Postcondition of test might not hold. Assertion (forperm r: Ref [r.held] :: false) might not hold. (linked-list-predicates.vpr@195.11--195.51) [1310]"} + (forall r_2: Ref :: + { Mask[r_2, held] } + HasDirectPerm(Mask, r_2, held) ==> false + ); +} diff --git a/Test/monomorphize/viper/list_insert_noseq.bpl b/Test/monomorphize/viper/list_insert_noseq.bpl new file mode 100644 index 000000000..180fd0c5f --- /dev/null +++ b/Test/monomorphize/viper/list_insert_noseq.bpl @@ -0,0 +1,1643 @@ +// RUN: %parallel-boogie /monomorphize /noVerify "%s" > "%t" + +// ================================================== +// Preamble of State module. +// ================================================== + +function state(Heap: HeapType, Mask: MaskType): bool; + +// ================================================== +// Preamble of Heap module. +// ================================================== + +type Ref; +var Heap: HeapType; +const null: Ref; +type Field A B; +type NormalField; +type HeapType = [Ref, Field A B]B; +const unique $allocated: Field NormalField bool; +axiom (forall o: Ref, f: (Field NormalField Ref), Heap: HeapType :: + { Heap[o, f] } + Heap[o, $allocated] ==> Heap[Heap[o, f], $allocated] +); +function succHeap(Heap0: HeapType, Heap1: HeapType): bool; +function succHeapTrans(Heap0: HeapType, Heap1: HeapType): bool; +function IdenticalOnKnownLocations(Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType): bool; +function IsPredicateField(f_1: (Field A B)): bool; +function IsWandField(f_1: (Field A B)): bool; +function getPredicateId(f_1: (Field A B)): int; +// Frame all locations with direct permissions +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, o_1: Ref, f_2: (Field A B) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), ExhaleHeap[o_1, f_2] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, o_1, f_2) ==> Heap[o_1, f_2] == ExhaleHeap[o_1, f_2] +); +// Frame all predicate mask locations of predicates with direct permission +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsPredicateField(pm_f), ExhaleHeap[null, PredicateMaskField(pm_f)] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsPredicateField(pm_f) ==> Heap[null, PredicateMaskField(pm_f)] == ExhaleHeap[null, PredicateMaskField(pm_f)] +); +// Frame all locations with known folded permissions +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsPredicateField(pm_f) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsPredicateField(pm_f) ==> (forall o2: Ref, f_2: (Field A B) :: + { ExhaleHeap[o2, f_2] } + Heap[null, PredicateMaskField(pm_f)][o2, f_2] ==> Heap[o2, f_2] == ExhaleHeap[o2, f_2] + ) +); +// Frame all wand mask locations of wands with direct permission +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsWandField(pm_f), ExhaleHeap[null, WandMaskField(pm_f)] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsWandField(pm_f) ==> Heap[null, WandMaskField(pm_f)] == ExhaleHeap[null, WandMaskField(pm_f)] +); +// Frame all locations in the footprint of magic wands +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsWandField(pm_f) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsWandField(pm_f) ==> (forall o2: Ref, f_2: (Field A B) :: + { ExhaleHeap[o2, f_2] } + Heap[null, WandMaskField(pm_f)][o2, f_2] ==> Heap[o2, f_2] == ExhaleHeap[o2, f_2] + ) +); +// All previously-allocated references are still allocated +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, o_1: Ref :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), ExhaleHeap[o_1, $allocated] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> Heap[o_1, $allocated] ==> ExhaleHeap[o_1, $allocated] +); +// Updated Heaps are Successor Heaps +axiom (forall Heap: HeapType, o: Ref, f_3: (Field A B), v: B :: + { Heap[o, f_3:=v] } + succHeap(Heap, Heap[o, f_3:=v]) +); +// IdenticalOnKnownLocations Heaps are Successor Heaps +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> succHeap(Heap, ExhaleHeap) +); +// Successor Heaps are Transitive Successor Heaps +axiom (forall Heap0: HeapType, Heap1: HeapType :: + { succHeap(Heap0, Heap1) } + succHeap(Heap0, Heap1) ==> succHeapTrans(Heap0, Heap1) +); +// Transitivity of Transitive Successor Heaps +axiom (forall Heap0: HeapType, Heap1: HeapType, Heap2: HeapType :: + { succHeapTrans(Heap0, Heap1), succHeap(Heap1, Heap2) } + succHeapTrans(Heap0, Heap1) && succHeap(Heap1, Heap2) ==> succHeapTrans(Heap0, Heap2) +); + +// ================================================== +// Preamble of Permission module. +// ================================================== + +type Perm = real; +type MaskType = [Ref, Field A B]Perm; +var Mask: MaskType; +const ZeroMask: MaskType; +axiom (forall o_2: Ref, f_4: (Field A B) :: + { ZeroMask[o_2, f_4] } + ZeroMask[o_2, f_4] == NoPerm +); +type PMaskType = [Ref, Field A B]bool; +const ZeroPMask: PMaskType; +axiom (forall o_2: Ref, f_4: (Field A B) :: + { ZeroPMask[o_2, f_4] } + !ZeroPMask[o_2, f_4] +); +function PredicateMaskField(f_5: (Field A FrameType)): Field A PMaskType; +function WandMaskField(f_5: (Field A FrameType)): Field A PMaskType; +const NoPerm: Perm; +axiom NoPerm == 0.000000000; +const FullPerm: Perm; +axiom FullPerm == 1.000000000; +function Perm(a: real, b: real): Perm; +function GoodMask(Mask: MaskType): bool; +axiom (forall Heap: HeapType, Mask: MaskType :: + { state(Heap, Mask) } + state(Heap, Mask) ==> GoodMask(Mask) +); +axiom (forall Mask: MaskType, o_2: Ref, f_4: (Field A B) :: + { GoodMask(Mask), Mask[o_2, f_4] } + GoodMask(Mask) ==> Mask[o_2, f_4] >= NoPerm && ((GoodMask(Mask) && !IsPredicateField(f_4)) && !IsWandField(f_4) ==> Mask[o_2, f_4] <= FullPerm) +); +function HasDirectPerm(Mask: MaskType, o_2: Ref, f_4: (Field A B)): bool; +axiom (forall Mask: MaskType, o_2: Ref, f_4: (Field A B) :: + { HasDirectPerm(Mask, o_2, f_4) } + HasDirectPerm(Mask, o_2, f_4) <==> Mask[o_2, f_4] > NoPerm +); +function sumMask(ResultMask: MaskType, SummandMask1: MaskType, SummandMask2: MaskType): bool; +axiom (forall ResultMask: MaskType, SummandMask1: MaskType, SummandMask2: MaskType, o_2: Ref, f_4: (Field A B) :: + { sumMask(ResultMask, SummandMask1, SummandMask2), ResultMask[o_2, f_4] } { sumMask(ResultMask, SummandMask1, SummandMask2), SummandMask1[o_2, f_4] } { sumMask(ResultMask, SummandMask1, SummandMask2), SummandMask2[o_2, f_4] } + sumMask(ResultMask, SummandMask1, SummandMask2) ==> ResultMask[o_2, f_4] == SummandMask1[o_2, f_4] + SummandMask2[o_2, f_4] +); + +// ================================================== +// Preamble of Function and predicate module. +// ================================================== + +// Function heights (higher height means its body is available earlier): +// - height 0: head +const AssumeFunctionsAbove: int; +// Declarations for function framing +type FrameType; +const EmptyFrame: FrameType; +function FrameFragment(t: T): FrameType; +function ConditionalFrame(p: Perm, f_6: FrameType): FrameType; +function dummyFunction(t: T): bool; +function CombineFrames(a_1: FrameType, b_1: FrameType): FrameType; +// ================================================== +// Definition of conditional frame fragments +// ================================================== + +axiom (forall p: Perm, f_6: FrameType :: + { ConditionalFrame(p, f_6) } + ConditionalFrame(p, f_6) == (if p > 0.000000000 then f_6 else EmptyFrame) +); +// Function for recording enclosure of one predicate instance in another +function InsidePredicate(p: (Field A FrameType), v_1: FrameType, q: (Field B FrameType), w: FrameType): bool; +// Transitivity of InsidePredicate +axiom (forall p: (Field A FrameType), v_1: FrameType, q: (Field B FrameType), w: FrameType, r: (Field C FrameType), u: FrameType :: + { InsidePredicate(p, v_1, q, w), InsidePredicate(q, w, r, u) } + InsidePredicate(p, v_1, q, w) && InsidePredicate(q, w, r, u) ==> InsidePredicate(p, v_1, r, u) +); +// Knowledge that two identical instances of the same predicate cannot be inside each other +axiom (forall p: (Field A FrameType), v_1: FrameType, w: FrameType :: + { InsidePredicate(p, v_1, p, w) } + !InsidePredicate(p, v_1, p, w) +); + +// ================================================== +// Preamble of Wand Module. +// ================================================== + +type WandType_wand; +function wand(arg1: Ref, arg2: Perm, arg3: Ref, arg4: Perm): Field WandType_wand int; +function wand#sm(arg1: Ref, arg2: Perm, arg3: Ref, arg4: Perm): Field WandType_wand PMaskType; +function wand#ft(arg1: Ref, arg2: Perm, arg3: Ref, arg4: Perm): Field WandType_wand FrameType; +axiom (forall arg1: Ref, arg2: Perm, arg3: Ref, arg4: Perm :: + { wand(arg1, arg2, arg3, arg4) } + IsWandField(wand(arg1, arg2, arg3, arg4)) +); +axiom (forall arg1: Ref, arg2: Perm, arg3: Ref, arg4: Perm :: + { wand#ft(arg1, arg2, arg3, arg4) } + IsWandField(wand#ft(arg1, arg2, arg3, arg4)) +); +axiom (forall arg1: Ref, arg2: Perm, arg3: Ref, arg4: Perm :: + { wand(arg1, arg2, arg3, arg4) } + !IsPredicateField(wand(arg1, arg2, arg3, arg4)) +); +axiom (forall arg1: Ref, arg2: Perm, arg3: Ref, arg4: Perm :: + { wand#ft(arg1, arg2, arg3, arg4) } + !IsPredicateField(wand#ft(arg1, arg2, arg3, arg4)) +); +axiom (forall arg1: Ref, arg2: Perm, arg3: Ref, arg4: Perm :: + { WandMaskField(wand#ft(arg1, arg2, arg3, arg4)) } + wand#sm(arg1, arg2, arg3, arg4) == WandMaskField(wand#ft(arg1, arg2, arg3, arg4)) +); + +// ================================================== +// Translation of all fields +// ================================================== + +const unique val: Field NormalField int; +axiom !IsPredicateField(val); +axiom !IsWandField(val); +const unique next: Field NormalField Ref; +axiom !IsPredicateField(next); +axiom !IsWandField(next); + +// ================================================== +// Translation of function head +// ================================================== + +// Uninterpreted function definitions +function head(Heap: HeapType, xs: Ref): int; +function head'(Heap: HeapType, xs: Ref): int; +axiom (forall Heap: HeapType, xs: Ref :: + { head(Heap, xs) } + head(Heap, xs) == head'(Heap, xs) && dummyFunction(head#triggerStateless(xs)) +); +axiom (forall Heap: HeapType, xs: Ref :: + { head'(Heap, xs) } + dummyFunction(head#triggerStateless(xs)) +); + +// Definitional axiom +axiom (forall Heap: HeapType, Mask: MaskType, xs: Ref :: + { state(Heap, Mask), head(Heap, xs) } { state(Heap, Mask), head#triggerStateless(xs), List#trigger(Heap, List(xs)) } + state(Heap, Mask) && AssumeFunctionsAbove < 0 ==> head(Heap, xs) == Heap[xs, val] +); + +// Framing axioms +function head#frame(frame: FrameType, xs: Ref): int; +axiom (forall Heap: HeapType, Mask: MaskType, xs: Ref :: + { state(Heap, Mask), head'(Heap, xs) } + state(Heap, Mask) ==> head'(Heap, xs) == head#frame(Heap[null, List(xs)], xs) +); + +// Trigger function (controlling recursive postconditions) +function head#trigger(frame: FrameType, xs: Ref): bool; + +// State-independent trigger function +function head#triggerStateless(xs: Ref): int; + +// Check contract well-formedness and postcondition +procedure head#definedness(xs: Ref) returns (Result: int) + modifies Heap, Mask; +{ + var perm: Perm; + var UnfoldingHeap: HeapType; + var UnfoldingMask: MaskType; + var newPMask: PMaskType; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume Heap[xs, $allocated]; + assume AssumeFunctionsAbove == 0; + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Inhaling precondition (with checking) + perm := FullPerm; + Mask[null, List(xs)] := Mask[null, List(xs)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of function body + + // -- Check definedness of (unfolding acc(List(xs), write) in xs.val) + UnfoldingHeap := Heap; + UnfoldingMask := Mask; + assume List#trigger(UnfoldingHeap, List(xs)); + assume UnfoldingHeap[null, List(xs)] == CombineFrames(FrameFragment(UnfoldingHeap[xs, val]), CombineFrames(FrameFragment(UnfoldingHeap[xs, next]), FrameFragment((if UnfoldingHeap[xs, next] != null then UnfoldingHeap[null, List(UnfoldingHeap[xs, next])] else EmptyFrame)))); + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Function might not be well-formed. There might be insufficient permission to access List(xs) (list_insert_noseq.vpr@24.1--26.33) [236]"} + perm <= UnfoldingMask[null, List(xs)]; + } + UnfoldingMask[null, List(xs)] := UnfoldingMask[null, List(xs)] - perm; + perm := FullPerm; + assume xs != null; + UnfoldingMask[xs, val] := UnfoldingMask[xs, val] + perm; + assume state(UnfoldingHeap, UnfoldingMask); + perm := FullPerm; + assume xs != null; + UnfoldingMask[xs, next] := UnfoldingMask[xs, next] + perm; + assume state(UnfoldingHeap, UnfoldingMask); + if (UnfoldingHeap[xs, next] != null) { + perm := FullPerm; + UnfoldingMask[null, List(UnfoldingHeap[xs, next])] := UnfoldingMask[null, List(UnfoldingHeap[xs, next])] + perm; + + // -- Extra unfolding of predicate + assume InsidePredicate(List(xs), UnfoldingHeap[null, List(xs)], List(UnfoldingHeap[xs, next]), UnfoldingHeap[null, List(UnfoldingHeap[xs, next])]); + assume state(UnfoldingHeap, UnfoldingMask); + } + assume state(UnfoldingHeap, UnfoldingMask); + assert {:msg " Function might not be well-formed. There might be insufficient permission to access xs.val (list_insert_noseq.vpr@24.1--26.33) [237]"} + HasDirectPerm(UnfoldingMask, xs, val); + + // -- Free assumptions (exp module) + Heap[null, List#sm(xs)][xs, val] := true; + Heap[null, List#sm(xs)][xs, next] := true; + if (Heap[xs, next] != null) { + havoc newPMask; + assume (forall o_3: Ref, f_7: (Field A B) :: + { newPMask[o_3, f_7] } + Heap[null, List#sm(xs)][o_3, f_7] || Heap[null, List#sm(Heap[xs, next])][o_3, f_7] ==> newPMask[o_3, f_7] + ); + Heap[null, List#sm(xs)] := newPMask; + } + assume state(Heap, Mask); + + // -- Translate function body + Result := Heap[xs, val]; +} + +// ================================================== +// Translation of predicate List +// ================================================== + +type PredicateType_List; +function List(xs: Ref): Field PredicateType_List FrameType; +function List#sm(xs: Ref): Field PredicateType_List PMaskType; +axiom (forall xs: Ref :: + { PredicateMaskField(List(xs)) } + PredicateMaskField(List(xs)) == List#sm(xs) +); +axiom (forall xs: Ref :: + { List(xs) } + IsPredicateField(List(xs)) +); +axiom (forall xs: Ref :: + { List(xs) } + getPredicateId(List(xs)) == 0 +); +function List#trigger(Heap: HeapType, pred: (Field A FrameType)): bool; +function List#everUsed(pred: (Field A FrameType)): bool; +axiom (forall xs: Ref, xs2: Ref :: + { List(xs), List(xs2) } + List(xs) == List(xs2) ==> xs == xs2 +); +axiom (forall xs: Ref, xs2: Ref :: + { List#sm(xs), List#sm(xs2) } + List#sm(xs) == List#sm(xs2) ==> xs == xs2 +); + +axiom (forall Heap: HeapType, xs: Ref :: + { List#trigger(Heap, List(xs)) } + List#everUsed(List(xs)) +); + +procedure List#definedness(xs: Ref) returns () + modifies Heap, Mask; +{ + var perm: Perm; + + // -- Check definedness of predicate body of List + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == -1; + assume Heap[xs, $allocated]; + perm := FullPerm; + assume xs != null; + Mask[xs, val] := Mask[xs, val] + perm; + assume state(Heap, Mask); + perm := FullPerm; + assume xs != null; + Mask[xs, next] := Mask[xs, next] + perm; + assume state(Heap, Mask); + + // -- Check definedness of xs.next != null + assert {:msg " Predicate might not be well-formed. There might be insufficient permission to access xs.next (list_insert_noseq.vpr@14.1--16.2) [238]"} + HasDirectPerm(Mask, xs, next); + if (Heap[xs, next] != null) { + + // -- Check definedness of acc(List(xs.next), write) + assert {:msg " Predicate might not be well-formed. There might be insufficient permission to access xs.next (list_insert_noseq.vpr@14.1--16.2) [239]"} + HasDirectPerm(Mask, xs, next); + perm := FullPerm; + Mask[null, List(Heap[xs, next])] := Mask[null, List(Heap[xs, next])] + perm; + assume state(Heap, Mask); + } + assume state(Heap, Mask); +} + +// ================================================== +// Translation of method insert +// ================================================== + +procedure insert(xs: Ref, x: int) returns (i: int) + modifies Heap, Mask; +{ + var perm: Perm; + var ExhaleHeap: HeapType; + var PostHeap: HeapType; + var PostMask: MaskType; + var crt: Ref; + var nxt: Ref; + var node: Ref; + var newVersion: FrameType; + var Ops_1Heap: HeapType; + var Ops_1Mask: MaskType; + var b_1_1: bool; + var UsedHeap: HeapType; + var UsedMask: MaskType; + var b_2: bool; + var Labellhs1Mask: MaskType; + var Labellhs1Heap: HeapType; + var boolCur: bool; + var Used_1Heap: HeapType; + var Used_1Mask: MaskType; + var b_2_1: bool; + var arg: Ref; + var neededTransfer: Perm; + var initNeededTransfer: Perm; + var accVar2: bool; + var maskTransfer: Perm; + var takeTransfer: Perm; + var TempMask: MaskType; + var newPMask: PMaskType; + var b_3: bool; + var ResultHeap: HeapType; + var ResultMask: MaskType; + var WandDefLHSHeap: HeapType; + var WandDefLHSMask: MaskType; + var Labellhs3Mask: MaskType; + var Labellhs3Heap: HeapType; + var WandDefRHSHeap: HeapType; + var WandDefRHSMask: MaskType; + var loopHeap: HeapType; + var loopMask: MaskType; + var oldCrt: Ref; + var prev: Ref; + var Ops_3Heap: HeapType; + var Ops_3Mask: MaskType; + var b_5: bool; + var Used_2Heap: HeapType; + var Used_2Mask: MaskType; + var b_4: bool; + var Labellhs4Mask: MaskType; + var Labellhs4Heap: HeapType; + var boolCur_1: bool; + var Used_3Heap: HeapType; + var Used_3Mask: MaskType; + var b_6: bool; + var rcvLocal: Ref; + var b_7: bool; + var Result_1Heap: HeapType; + var Result_1Mask: MaskType; + var b_8: bool; + var Result_2Heap: HeapType; + var Result_2Mask: MaskType; + var arg_1: Ref; + var b_9: bool; + var Result_3Heap: HeapType; + var Result_3Mask: MaskType; + var b_10: bool; + var Result_4Heap: HeapType; + var Result_4Mask: MaskType; + var freshVersion: FrameType; + var Used_4Heap: HeapType; + var Used_4Mask: MaskType; + var b_11: bool; + var Labellhs7Mask: MaskType; + var Labellhs7Heap: HeapType; + var b_12: bool; + var Result_5Heap: HeapType; + var Result_5Mask: MaskType; + var Used_5Heap: HeapType; + var Used_5Mask: MaskType; + var b_13: bool; + var arg_2: Ref; + var b_14: bool; + var Result_6Heap: HeapType; + var Result_6Mask: MaskType; + var Used_6Heap: HeapType; + var Used_6Mask: MaskType; + var b_15: bool; + var arg_3: Ref; + var b_16: bool; + var Result_7Heap: HeapType; + var Result_7Mask: MaskType; + var freshObj: Ref; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == -1; + + // -- Assumptions about method arguments + assume Heap[xs, $allocated]; + + // -- Checked inhaling of precondition + perm := FullPerm; + Mask[null, List(xs)] := Mask[null, List(xs)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of head(xs) < x + if (*) { + // Exhale precondition of function application + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Precondition of function head might not hold. There might be insufficient permission to access List(xs) (list_insert_noseq.vpr@33.12--33.20) [240]"} + perm <= Mask[null, List(xs)]; + } + Mask[null, List(xs)] := Mask[null, List(xs)] - perm; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } + assume head(Heap, xs) < x; + assume state(Heap, Mask); + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + PostHeap := Heap; + PostMask := Mask; + havoc PostHeap; + PostMask := ZeroMask; + assume state(PostHeap, PostMask); + if (*) { + // Checked inhaling of postcondition to check definedness + perm := FullPerm; + PostMask[null, List(xs)] := PostMask[null, List(xs)] + perm; + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + // Stop execution + assume false; + } + + // -- Assumptions about local variables + assume Heap[crt, $allocated]; + assume Heap[nxt, $allocated]; + assume Heap[node, $allocated]; + + // -- Translating statement: i := 0 -- list_insert_noseq.vpr@39.3--39.9 + i := 0; + assume state(Heap, Mask); + + // -- Translating statement: unfold acc(List(xs), write) -- list_insert_noseq.vpr@44.3--44.18 + assume List#trigger(Heap, List(xs)); + assume Heap[null, List(xs)] == CombineFrames(FrameFragment(Heap[xs, val]), CombineFrames(FrameFragment(Heap[xs, next]), FrameFragment((if Heap[xs, next] != null then Heap[null, List(Heap[xs, next])] else EmptyFrame)))); + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Unfolding List(xs) might fail. There might be insufficient permission to access List(xs) (list_insert_noseq.vpr@44.3--44.18) [242]"} + perm <= Mask[null, List(xs)]; + } + Mask[null, List(xs)] := Mask[null, List(xs)] - perm; + + // -- Update version of predicate + if (!HasDirectPerm(Mask, null, List(xs))) { + havoc newVersion; + Heap[null, List(xs)] := newVersion; + } + perm := FullPerm; + assume xs != null; + Mask[xs, val] := Mask[xs, val] + perm; + assume state(Heap, Mask); + perm := FullPerm; + assume xs != null; + Mask[xs, next] := Mask[xs, next] + perm; + assume state(Heap, Mask); + if (Heap[xs, next] != null) { + perm := FullPerm; + Mask[null, List(Heap[xs, next])] := Mask[null, List(Heap[xs, next])] + perm; + + // -- Extra unfolding of predicate + assume InsidePredicate(List(xs), Heap[null, List(xs)], List(Heap[xs, next]), Heap[null, List(Heap[xs, next])]); + assume state(Heap, Mask); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: crt := xs -- list_insert_noseq.vpr@45.3--45.12 + crt := xs; + assume state(Heap, Mask); + + // -- Translating statement: nxt := xs.next -- list_insert_noseq.vpr@46.3--46.17 + + // -- Check definedness of xs.next + assert {:msg " Assignment might fail. There might be insufficient permission to access xs.next (list_insert_noseq.vpr@46.3--46.17) [246]"} + HasDirectPerm(Mask, xs, next); + nxt := Heap[xs, next]; + assume state(Heap, Mask); + + // -- Translating statement: package acc(List(crt), write) --* acc(List(xs), write) { + // + // } -- list_insert_noseq.vpr@48.3--48.18 + havoc Ops_1Heap; + Ops_1Mask := ZeroMask; + b_1_1 := b_1_1 && state(Ops_1Heap, Ops_1Mask); + havoc UsedHeap; + UsedMask := ZeroMask; + b_2 := b_2 && state(UsedHeap, UsedMask); + // Inhaling left hand side of current wand into hypothetical state + if (b_1_1) { + perm := FullPerm; + b_1_1 := b_1_1; + Ops_1Mask[null, List(crt)] := Ops_1Mask[null, List(crt)] + perm; + b_1_1 := b_1_1 && state(Ops_1Heap, Ops_1Mask); + } + b_1_1 := b_1_1 && state(Ops_1Heap, Ops_1Mask); + + // -- Translating statement: label lhs1 -- list_insert_noseq.vpr@48.11--48.18 + lhs1: + Labellhs1Mask := Ops_1Mask; + Labellhs1Heap := Ops_1Heap; + b_1_1 := b_1_1 && state(Ops_1Heap, Ops_1Mask); + boolCur := true; + // Translating exec of non-ghost operationacc(List(xs), write) + havoc Used_1Heap; + Used_1Mask := ZeroMask; + b_2_1 := b_2_1 && state(Used_1Heap, Used_1Mask); + + // -- Transfer of acc(List(xs), write) + arg := xs; + neededTransfer := FullPerm; + initNeededTransfer := Used_1Mask[null, List(arg)] + neededTransfer; + assert {:msg " Packaging wand might fail. Fraction acc(List(xs), write) might be negative. (list_insert_noseq.vpr@48.3--48.18) [247]"} + neededTransfer >= 0.000000000; + + // -- transfer code for top state of stack + // accumulate constraints which need to be satisfied for transfer to occur + accVar2 := true; + // actual code for the transfer from current state on stack + if ((((b_1_1 && b_1_1) && b_2_1) && accVar2) && neededTransfer > 0.000000000) { + maskTransfer := Ops_1Mask[null, List(arg)]; + if (neededTransfer <= maskTransfer) { + takeTransfer := neededTransfer; + } else { + takeTransfer := maskTransfer; + } + if (takeTransfer > 0.000000000) { + neededTransfer := neededTransfer - takeTransfer; + Used_1Mask[null, List(arg)] := Used_1Mask[null, List(arg)] + takeTransfer; + b_2_1 := b_2_1 && state(Used_1Heap, Used_1Mask); + TempMask := ZeroMask; + TempMask[null, List(arg)] := FullPerm; + b_2_1 := b_2_1 && IdenticalOnKnownLocations(Ops_1Heap, Used_1Heap, TempMask); + Ops_1Mask[null, List(arg)] := Ops_1Mask[null, List(arg)] - takeTransfer; + } + } + + // -- transfer code for top state of stack + // accumulate constraints which need to be satisfied for transfer to occur + accVar2 := true; + // actual code for the transfer from current state on stack + if ((((b_1_1 && b_1_1) && b_2_1) && accVar2) && neededTransfer > 0.000000000) { + maskTransfer := Mask[null, List(arg)]; + if (neededTransfer <= maskTransfer) { + takeTransfer := neededTransfer; + } else { + takeTransfer := maskTransfer; + } + if (takeTransfer > 0.000000000) { + neededTransfer := neededTransfer - takeTransfer; + Used_1Mask[null, List(arg)] := Used_1Mask[null, List(arg)] + takeTransfer; + b_2_1 := b_2_1 && state(Used_1Heap, Used_1Mask); + TempMask := ZeroMask; + TempMask[null, List(arg)] := FullPerm; + b_2_1 := b_2_1 && IdenticalOnKnownLocations(Heap, Used_1Heap, TempMask); + Mask[null, List(arg)] := Mask[null, List(arg)] - takeTransfer; + havoc newPMask; + assume (forall o_4: Ref, f_8: (Field A B) :: + { newPMask[o_4, f_8] } + Heap[null, wand#sm(crt, FullPerm, xs, FullPerm)][o_4, f_8] || Heap[null, List#sm(xs)][o_4, f_8] ==> newPMask[o_4, f_8] + ); + Heap[null, wand#sm(crt, FullPerm, xs, FullPerm)] := newPMask; + } + } + assert {:msg " Packaging wand might fail. There might be insufficient permission to access List(xs) (list_insert_noseq.vpr@48.3--48.18) [248]"} + (b_1_1 && b_1_1) && b_2_1 ==> neededTransfer == 0.000000000 && Used_1Mask[null, List(arg)] == initNeededTransfer; + + // -- Creating state which is the sum of the two previously built up states + b_3 := b_1_1 && b_2_1; + b_3 := b_3 && state(ResultHeap, ResultMask); + b_3 := b_3 && sumMask(ResultMask, Ops_1Mask, Used_1Mask); + b_3 := (b_3 && IdenticalOnKnownLocations(Ops_1Heap, ResultHeap, Ops_1Mask)) && IdenticalOnKnownLocations(Used_1Heap, ResultHeap, Used_1Mask); + b_3 := b_3 && state(ResultHeap, ResultMask); + b_1_1 := b_1_1 && b_3; + Mask[null, wand(crt, FullPerm, xs, FullPerm)] := Mask[null, wand(crt, FullPerm, xs, FullPerm)] + FullPerm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: while (nxt != null && head(nxt) < x) -- list_insert_noseq.vpr@54.3--77.4 + + // -- Before loop head + + // -- Exhale loop invariant before loop + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Loop invariant acc(crt.val, write) && acc(crt.next, write) might not hold on entry. There might be insufficient permission to access crt.val (list_insert_noseq.vpr@57.15--57.44) [249]"} + perm <= Mask[crt, val]; + } + Mask[crt, val] := Mask[crt, val] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Loop invariant acc(crt.val, write) && acc(crt.next, write) might not hold on entry. There might be insufficient permission to access crt.next (list_insert_noseq.vpr@57.15--57.44) [250]"} + perm <= Mask[crt, next]; + } + Mask[crt, next] := Mask[crt, next] - perm; + assert {:msg " Loop invariant nxt == crt.next might not hold on entry. Assertion nxt == crt.next might not hold. (list_insert_noseq.vpr@58.15--58.30) [251]"} + nxt == Heap[crt, next]; + if (nxt != null) { + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Loop invariant nxt != null ==> acc(List(nxt), write) might not hold on entry. There might be insufficient permission to access List(nxt) (list_insert_noseq.vpr@60.15--60.47) [252]"} + perm <= Mask[null, List(nxt)]; + } + Mask[null, List(nxt)] := Mask[null, List(nxt)] - perm; + } + // permLe + assert {:msg " Loop invariant acc(List(crt), write) --* acc(List(xs), write) might not hold on entry. Magic wand instance not found. (list_insert_noseq.vpr@61.15--61.22) [253]"} + FullPerm <= Mask[null, wand(crt, FullPerm, xs, FullPerm)]; + Mask[null, wand(crt, FullPerm, xs, FullPerm)] := Mask[null, wand(crt, FullPerm, xs, FullPerm)] - FullPerm; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + + // -- Havoc loop written variables (except locals) + havoc i, nxt, crt; + assume Heap[nxt, $allocated]; + assume Heap[crt, $allocated]; + + // -- Check definedness of invariant + if (*) { + perm := FullPerm; + assume crt != null; + Mask[crt, val] := Mask[crt, val] + perm; + assume state(Heap, Mask); + perm := FullPerm; + assume crt != null; + Mask[crt, next] := Mask[crt, next] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of nxt == crt.next + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access crt.next (list_insert_noseq.vpr@58.15--58.30) [254]"} + HasDirectPerm(Mask, crt, next); + assume nxt == Heap[crt, next]; + assume state(Heap, Mask); + if (nxt != null) { + perm := FullPerm; + Mask[null, List(nxt)] := Mask[null, List(nxt)] + perm; + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Check definedness of acc(List(crt), write) --* acc(List(xs), write) + if (*) { + havoc WandDefLHSHeap; + WandDefLHSMask := ZeroMask; + perm := FullPerm; + WandDefLHSMask[null, List(crt)] := WandDefLHSMask[null, List(crt)] + perm; + assume state(WandDefLHSHeap, WandDefLHSMask); + assume state(WandDefLHSHeap, WandDefLHSMask); + + // -- Translating statement: label lhs3 -- list_insert_noseq.vpr@61.15--61.22 + lhs3: + Labellhs3Mask := WandDefLHSMask; + Labellhs3Heap := WandDefLHSHeap; + assume state(WandDefLHSHeap, WandDefLHSMask); + havoc WandDefRHSHeap; + WandDefRHSMask := ZeroMask; + perm := FullPerm; + WandDefRHSMask[null, List(xs)] := WandDefRHSMask[null, List(xs)] + perm; + assume state(WandDefRHSHeap, WandDefRHSMask); + assume state(WandDefRHSHeap, WandDefRHSMask); + assume false; + } + Mask[null, wand(crt, FullPerm, xs, FullPerm)] := Mask[null, wand(crt, FullPerm, xs, FullPerm)] + FullPerm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume false; + } + + // -- Check the loop body + if (*) { + // Reset state + loopHeap := Heap; + loopMask := Mask; + Mask := ZeroMask; + assume state(Heap, Mask); + // Inhale invariant + perm := FullPerm; + assume crt != null; + Mask[crt, val] := Mask[crt, val] + perm; + assume state(Heap, Mask); + perm := FullPerm; + assume crt != null; + Mask[crt, next] := Mask[crt, next] + perm; + assume state(Heap, Mask); + assume nxt == Heap[crt, next]; + if (nxt != null) { + perm := FullPerm; + Mask[null, List(nxt)] := Mask[null, List(nxt)] + perm; + assume state(Heap, Mask); + } + Mask[null, wand(crt, FullPerm, xs, FullPerm)] := Mask[null, wand(crt, FullPerm, xs, FullPerm)] + FullPerm; + assume state(Heap, Mask); + assume state(Heap, Mask); + // Check and assume guard + + // -- Check definedness of nxt != null && head(nxt) < x + if (nxt != null) { + if (*) { + // Exhale precondition of function application + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Precondition of function head might not hold. There might be insufficient permission to access List(nxt) (list_insert_noseq.vpr@54.25--54.34) [255]"} + perm <= Mask[null, List(nxt)]; + } + Mask[null, List(nxt)] := Mask[null, List(nxt)] - perm; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } + } + assume nxt != null && head(Heap, nxt) < x; + assume state(Heap, Mask); + + // -- Translate loop body + + // -- Assumptions about local variables + assume Heap[oldCrt, $allocated]; + assume Heap[prev, $allocated]; + + // -- Translating statement: oldCrt := crt -- list_insert_noseq.vpr@65.5--65.27 + oldCrt := crt; + assume state(Heap, Mask); + + // -- Translating statement: prev := crt -- list_insert_noseq.vpr@66.5--66.25 + prev := crt; + assume state(Heap, Mask); + + // -- Translating statement: unfold acc(List(nxt), write) -- list_insert_noseq.vpr@68.5--68.21 + assume List#trigger(Heap, List(nxt)); + assume Heap[null, List(nxt)] == CombineFrames(FrameFragment(Heap[nxt, val]), CombineFrames(FrameFragment(Heap[nxt, next]), FrameFragment((if Heap[nxt, next] != null then Heap[null, List(Heap[nxt, next])] else EmptyFrame)))); + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Unfolding List(nxt) might fail. There might be insufficient permission to access List(nxt) (list_insert_noseq.vpr@68.5--68.21) [256]"} + perm <= Mask[null, List(nxt)]; + } + Mask[null, List(nxt)] := Mask[null, List(nxt)] - perm; + + // -- Update version of predicate + if (!HasDirectPerm(Mask, null, List(nxt))) { + havoc newVersion; + Heap[null, List(nxt)] := newVersion; + } + perm := FullPerm; + assume nxt != null; + Mask[nxt, val] := Mask[nxt, val] + perm; + assume state(Heap, Mask); + perm := FullPerm; + assume nxt != null; + Mask[nxt, next] := Mask[nxt, next] + perm; + assume state(Heap, Mask); + if (Heap[nxt, next] != null) { + perm := FullPerm; + Mask[null, List(Heap[nxt, next])] := Mask[null, List(Heap[nxt, next])] + perm; + + // -- Extra unfolding of predicate + assume InsidePredicate(List(nxt), Heap[null, List(nxt)], List(Heap[nxt, next]), Heap[null, List(Heap[nxt, next])]); + assume state(Heap, Mask); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: crt := nxt -- list_insert_noseq.vpr@69.5--69.15 + crt := nxt; + assume state(Heap, Mask); + + // -- Translating statement: nxt := nxt.next -- list_insert_noseq.vpr@70.5--70.20 + + // -- Check definedness of nxt.next + assert {:msg " Assignment might fail. There might be insufficient permission to access nxt.next (list_insert_noseq.vpr@70.5--70.20) [257]"} + HasDirectPerm(Mask, nxt, next); + nxt := Heap[nxt, next]; + assume state(Heap, Mask); + + // -- Translating statement: i := i + 1 -- list_insert_noseq.vpr@71.5--71.15 + i := i + 1; + assume state(Heap, Mask); + + // -- Translating statement: package acc(List(crt), write) --* acc(List(xs), write) { + // fold acc(List(prev), write) + // apply acc(List(oldCrt), write) --* acc(List(xs), write) + // } -- list_insert_noseq.vpr@73.5--76.6 + havoc Ops_3Heap; + Ops_3Mask := ZeroMask; + b_5 := b_5 && state(Ops_3Heap, Ops_3Mask); + havoc Used_2Heap; + Used_2Mask := ZeroMask; + b_4 := b_4 && state(Used_2Heap, Used_2Mask); + // Inhaling left hand side of current wand into hypothetical state + if (b_5) { + perm := FullPerm; + b_5 := b_5; + Ops_3Mask[null, List(crt)] := Ops_3Mask[null, List(crt)] + perm; + b_5 := b_5 && state(Ops_3Heap, Ops_3Mask); + } + b_5 := b_5 && state(Ops_3Heap, Ops_3Mask); + + // -- Translating statement: label lhs4 -- list_insert_noseq.vpr@73.13--73.22 + lhs4: + Labellhs4Mask := Ops_3Mask; + Labellhs4Heap := Ops_3Heap; + b_5 := b_5 && state(Ops_3Heap, Ops_3Mask); + boolCur_1 := true; + if (b_5) { + + // -- Translating statement: fold acc(List(prev), write) -- list_insert_noseq.vpr@74.9--74.24 + havoc Used_3Heap; + Used_3Mask := ZeroMask; + b_6 := b_6 && state(Used_3Heap, Used_3Mask); + + // -- Transfer of acc(prev.val, write) + rcvLocal := prev; + neededTransfer := FullPerm; + initNeededTransfer := Used_3Mask[rcvLocal, val] + neededTransfer; + assert {:msg " Folding List(prev) might fail. Fraction acc(prev.val, write) might be negative. (list_insert_noseq.vpr@74.9--74.24) [258]"} + neededTransfer >= 0.000000000; + + // -- transfer code for top state of stack + // accumulate constraints which need to be satisfied for transfer to occur + accVar2 := true; + // actual code for the transfer from current state on stack + if (((b_5 && b_6) && accVar2) && neededTransfer > 0.000000000) { + maskTransfer := Ops_3Mask[rcvLocal, val]; + if (neededTransfer <= maskTransfer) { + takeTransfer := neededTransfer; + } else { + takeTransfer := maskTransfer; + } + if (takeTransfer > 0.000000000) { + neededTransfer := neededTransfer - takeTransfer; + Used_3Mask[rcvLocal, val] := Used_3Mask[rcvLocal, val] + takeTransfer; + b_6 := b_6 && state(Used_3Heap, Used_3Mask); + b_6 := b_6 && Ops_3Heap[rcvLocal, val] == Used_3Heap[rcvLocal, val]; + Ops_3Mask[rcvLocal, val] := Ops_3Mask[rcvLocal, val] - takeTransfer; + } + } + + // -- transfer code for top state of stack + // accumulate constraints which need to be satisfied for transfer to occur + accVar2 := true; + // actual code for the transfer from current state on stack + if (((b_5 && b_6) && accVar2) && neededTransfer > 0.000000000) { + maskTransfer := Mask[rcvLocal, val]; + if (neededTransfer <= maskTransfer) { + takeTransfer := neededTransfer; + } else { + takeTransfer := maskTransfer; + } + if (takeTransfer > 0.000000000) { + neededTransfer := neededTransfer - takeTransfer; + Used_3Mask[rcvLocal, val] := Used_3Mask[rcvLocal, val] + takeTransfer; + b_6 := b_6 && state(Used_3Heap, Used_3Mask); + b_6 := b_6 && Heap[rcvLocal, val] == Used_3Heap[rcvLocal, val]; + Mask[rcvLocal, val] := Mask[rcvLocal, val] - takeTransfer; + Heap[null, wand#sm(crt, FullPerm, xs, FullPerm)][prev, val] := true; + } + } + assert {:msg " Folding List(prev) might fail. There might be insufficient permission to access prev.val (list_insert_noseq.vpr@74.9--74.24) [259]"} + b_5 && b_6 ==> neededTransfer == 0.000000000 && Used_3Mask[rcvLocal, val] == initNeededTransfer; + + // -- Creating state which is the sum of the two previously built up states + b_7 := b_5 && b_6; + b_7 := b_7 && state(Result_1Heap, Result_1Mask); + b_7 := b_7 && sumMask(Result_1Mask, Ops_3Mask, Used_3Mask); + b_7 := (b_7 && IdenticalOnKnownLocations(Ops_3Heap, Result_1Heap, Ops_3Mask)) && IdenticalOnKnownLocations(Used_3Heap, Result_1Heap, Used_3Mask); + b_7 := b_7 && state(Result_1Heap, Result_1Mask); + b_5 := b_5 && b_7; + b_5 := b_5 && b_6; + b_5 := b_5 && Used_3Heap == Ops_3Heap; + + // -- Transfer of acc(prev.next, write) + rcvLocal := prev; + neededTransfer := FullPerm; + initNeededTransfer := Used_3Mask[rcvLocal, next] + neededTransfer; + assert {:msg " Folding List(prev) might fail. Fraction acc(prev.next, write) might be negative. (list_insert_noseq.vpr@74.9--74.24) [260]"} + neededTransfer >= 0.000000000; + + // -- transfer code for top state of stack + // accumulate constraints which need to be satisfied for transfer to occur + accVar2 := true; + // actual code for the transfer from current state on stack + if (((b_5 && b_6) && accVar2) && neededTransfer > 0.000000000) { + maskTransfer := Ops_3Mask[rcvLocal, next]; + if (neededTransfer <= maskTransfer) { + takeTransfer := neededTransfer; + } else { + takeTransfer := maskTransfer; + } + if (takeTransfer > 0.000000000) { + neededTransfer := neededTransfer - takeTransfer; + Used_3Mask[rcvLocal, next] := Used_3Mask[rcvLocal, next] + takeTransfer; + b_6 := b_6 && state(Used_3Heap, Used_3Mask); + b_6 := b_6 && Ops_3Heap[rcvLocal, next] == Used_3Heap[rcvLocal, next]; + Ops_3Mask[rcvLocal, next] := Ops_3Mask[rcvLocal, next] - takeTransfer; + } + } + + // -- transfer code for top state of stack + // accumulate constraints which need to be satisfied for transfer to occur + accVar2 := true; + // actual code for the transfer from current state on stack + if (((b_5 && b_6) && accVar2) && neededTransfer > 0.000000000) { + maskTransfer := Mask[rcvLocal, next]; + if (neededTransfer <= maskTransfer) { + takeTransfer := neededTransfer; + } else { + takeTransfer := maskTransfer; + } + if (takeTransfer > 0.000000000) { + neededTransfer := neededTransfer - takeTransfer; + Used_3Mask[rcvLocal, next] := Used_3Mask[rcvLocal, next] + takeTransfer; + b_6 := b_6 && state(Used_3Heap, Used_3Mask); + b_6 := b_6 && Heap[rcvLocal, next] == Used_3Heap[rcvLocal, next]; + Mask[rcvLocal, next] := Mask[rcvLocal, next] - takeTransfer; + Heap[null, wand#sm(crt, FullPerm, xs, FullPerm)][prev, next] := true; + } + } + assert {:msg " Folding List(prev) might fail. There might be insufficient permission to access prev.next (list_insert_noseq.vpr@74.9--74.24) [261]"} + b_5 && b_6 ==> neededTransfer == 0.000000000 && Used_3Mask[rcvLocal, next] == initNeededTransfer; + + // -- Creating state which is the sum of the two previously built up states + b_8 := b_5 && b_6; + b_8 := b_8 && state(Result_2Heap, Result_2Mask); + b_8 := b_8 && sumMask(Result_2Mask, Ops_3Mask, Used_3Mask); + b_8 := (b_8 && IdenticalOnKnownLocations(Ops_3Heap, Result_2Heap, Ops_3Mask)) && IdenticalOnKnownLocations(Used_3Heap, Result_2Heap, Used_3Mask); + b_8 := b_8 && state(Result_2Heap, Result_2Mask); + b_5 := b_5 && b_8; + b_5 := b_5 && b_6; + b_5 := b_5 && Used_3Heap == Ops_3Heap; + if (b_5 ==> Result_2Heap[prev, next] != null) { + + // -- Transfer of acc(List(prev.next), write) + + // -- checking if access predicate defined in used state + if (b_5 && b_6) { + if (b_5) { + + // -- Check definedness of acc(List(prev.next), write) + assert {:msg " Folding List(prev) might fail. There might be insufficient permission to access prev.next (list_insert_noseq.vpr@74.9--74.24) [262]"} + HasDirectPerm(Result_2Mask, prev, next); + } + } + arg_1 := Result_2Heap[prev, next]; + neededTransfer := FullPerm; + initNeededTransfer := Used_3Mask[null, List(arg_1)] + neededTransfer; + assert {:msg " Folding List(prev) might fail. Fraction acc(List(prev.next), write) might be negative. (list_insert_noseq.vpr@74.9--74.24) [263]"} + neededTransfer >= 0.000000000; + + // -- transfer code for top state of stack + // accumulate constraints which need to be satisfied for transfer to occur + accVar2 := true; + // actual code for the transfer from current state on stack + if (((b_5 && b_6) && accVar2) && neededTransfer > 0.000000000) { + maskTransfer := Ops_3Mask[null, List(arg_1)]; + if (neededTransfer <= maskTransfer) { + takeTransfer := neededTransfer; + } else { + takeTransfer := maskTransfer; + } + if (takeTransfer > 0.000000000) { + neededTransfer := neededTransfer - takeTransfer; + Used_3Mask[null, List(arg_1)] := Used_3Mask[null, List(arg_1)] + takeTransfer; + b_6 := b_6 && state(Used_3Heap, Used_3Mask); + TempMask := ZeroMask; + TempMask[null, List(arg_1)] := FullPerm; + b_6 := b_6 && IdenticalOnKnownLocations(Ops_3Heap, Used_3Heap, TempMask); + Ops_3Mask[null, List(arg_1)] := Ops_3Mask[null, List(arg_1)] - takeTransfer; + } + } + + // -- transfer code for top state of stack + // accumulate constraints which need to be satisfied for transfer to occur + accVar2 := true; + // actual code for the transfer from current state on stack + if (((b_5 && b_6) && accVar2) && neededTransfer > 0.000000000) { + maskTransfer := Mask[null, List(arg_1)]; + if (neededTransfer <= maskTransfer) { + takeTransfer := neededTransfer; + } else { + takeTransfer := maskTransfer; + } + if (takeTransfer > 0.000000000) { + neededTransfer := neededTransfer - takeTransfer; + Used_3Mask[null, List(arg_1)] := Used_3Mask[null, List(arg_1)] + takeTransfer; + b_6 := b_6 && state(Used_3Heap, Used_3Mask); + TempMask := ZeroMask; + TempMask[null, List(arg_1)] := FullPerm; + b_6 := b_6 && IdenticalOnKnownLocations(Heap, Used_3Heap, TempMask); + Mask[null, List(arg_1)] := Mask[null, List(arg_1)] - takeTransfer; + havoc newPMask; + assume (forall o_5: Ref, f_9: (Field A B) :: + { newPMask[o_5, f_9] } + Heap[null, wand#sm(crt, FullPerm, xs, FullPerm)][o_5, f_9] || Heap[null, List#sm(Heap[prev, next])][o_5, f_9] ==> newPMask[o_5, f_9] + ); + Heap[null, wand#sm(crt, FullPerm, xs, FullPerm)] := newPMask; + } + } + assert {:msg " Folding List(prev) might fail. There might be insufficient permission to access List(prev.next) (list_insert_noseq.vpr@74.9--74.24) [264]"} + b_5 && b_6 ==> neededTransfer == 0.000000000 && Used_3Mask[null, List(arg_1)] == initNeededTransfer; + + // -- Creating state which is the sum of the two previously built up states + b_9 := b_5 && b_6; + b_9 := b_9 && state(Result_3Heap, Result_3Mask); + b_9 := b_9 && sumMask(Result_3Mask, Ops_3Mask, Used_3Mask); + b_9 := (b_9 && IdenticalOnKnownLocations(Ops_3Heap, Result_3Heap, Ops_3Mask)) && IdenticalOnKnownLocations(Used_3Heap, Result_3Heap, Used_3Mask); + b_9 := b_9 && state(Result_3Heap, Result_3Mask); + b_5 := b_5 && b_9; + b_5 := b_5 && b_6; + b_5 := b_5 && Used_3Heap == Ops_3Heap; + } + + // -- Creating state which is the sum of the two previously built up states + b_10 := b_5 && b_6; + b_10 := b_10 && state(Result_4Heap, Result_4Mask); + b_10 := b_10 && sumMask(Result_4Mask, Ops_3Mask, Used_3Mask); + b_10 := (b_10 && IdenticalOnKnownLocations(Ops_3Heap, Result_4Heap, Ops_3Mask)) && IdenticalOnKnownLocations(Used_3Heap, Result_4Heap, Used_3Mask); + b_10 := b_10 && state(Result_4Heap, Result_4Mask); + b_5 := b_5 && b_10; + perm := FullPerm; + b_5 := b_5; + Ops_3Mask[null, List(prev)] := Ops_3Mask[null, List(prev)] + perm; + b_5 := b_5 && state(Ops_3Heap, Ops_3Mask); + b_5 := b_5 && state(Ops_3Heap, Ops_3Mask); + assume List#trigger(Ops_3Heap, List(prev)); + assume Ops_3Heap[null, List(prev)] == CombineFrames(FrameFragment(Ops_3Heap[prev, val]), CombineFrames(FrameFragment(Ops_3Heap[prev, next]), FrameFragment((if Ops_3Heap[prev, next] != null then Ops_3Heap[null, List(Ops_3Heap[prev, next])] else EmptyFrame)))); + if (!HasDirectPerm(Ops_3Mask, null, List(prev))) { + Ops_3Heap[null, List#sm(prev)] := ZeroPMask; + havoc freshVersion; + Ops_3Heap[null, List(prev)] := freshVersion; + } + Ops_3Heap[null, List#sm(prev)][prev, val] := true; + Ops_3Heap[null, List#sm(prev)][prev, next] := true; + if (Ops_3Heap[prev, next] != null) { + havoc newPMask; + assume (forall o_6: Ref, f_10: (Field A B) :: + { newPMask[o_6, f_10] } + Ops_3Heap[null, List#sm(prev)][o_6, f_10] || Ops_3Heap[null, List#sm(Ops_3Heap[prev, next])][o_6, f_10] ==> newPMask[o_6, f_10] + ); + Ops_3Heap[null, List#sm(prev)] := newPMask; + } + assume state(Ops_3Heap, Ops_3Mask); + b_5 := b_5 && state(Ops_3Heap, Ops_3Mask); + } + if (b_5) { + + // -- Translating statement: apply acc(List(oldCrt), write) --* acc(List(xs), write) -- list_insert_noseq.vpr@75.9--75.50 + + // -- check if wand is held and remove an instance + havoc Used_4Heap; + Used_4Mask := ZeroMask; + b_11 := b_11 && state(Used_4Heap, Used_4Mask); + + // -- Transfer of acc(List(oldCrt), write) --* acc(List(xs), write) + + // -- checking if access predicate defined in used state + if (b_5 && b_11) { + if (b_5) { + + // -- Check definedness of acc(List(oldCrt), write) --* acc(List(xs), write) + if (*) { + havoc WandDefLHSHeap; + WandDefLHSMask := ZeroMask; + perm := FullPerm; + WandDefLHSMask[null, List(oldCrt)] := WandDefLHSMask[null, List(oldCrt)] + perm; + assume state(WandDefLHSHeap, WandDefLHSMask); + assume state(WandDefLHSHeap, WandDefLHSMask); + + // -- Translating statement: label lhs7 -- list_insert_noseq.vpr@75.15--75.50 + lhs7: + Labellhs7Mask := WandDefLHSMask; + Labellhs7Heap := WandDefLHSHeap; + assume state(WandDefLHSHeap, WandDefLHSMask); + havoc WandDefRHSHeap; + WandDefRHSMask := ZeroMask; + perm := FullPerm; + WandDefRHSMask[null, List(xs)] := WandDefRHSMask[null, List(xs)] + perm; + assume state(WandDefRHSHeap, WandDefRHSMask); + assume state(WandDefRHSHeap, WandDefRHSMask); + assume false; + } + } + } + neededTransfer := 1.000000000; + initNeededTransfer := Used_4Mask[null, wand(oldCrt, FullPerm, xs, FullPerm)] + neededTransfer; + assert {:msg " Applying wand might fail. Fraction acc(List(oldCrt), write) --* acc(List(xs), write) might be negative. (list_insert_noseq.vpr@75.9--75.50) [265]"} + neededTransfer >= 0.000000000; + + // -- transfer code for top state of stack + // accumulate constraints which need to be satisfied for transfer to occur + accVar2 := true; + // actual code for the transfer from current state on stack + if (((b_5 && b_11) && accVar2) && neededTransfer > 0.000000000) { + maskTransfer := Ops_3Mask[null, wand(oldCrt, FullPerm, xs, FullPerm)]; + if (neededTransfer <= maskTransfer) { + takeTransfer := neededTransfer; + } else { + takeTransfer := maskTransfer; + } + if (takeTransfer > 0.000000000) { + neededTransfer := neededTransfer - takeTransfer; + Used_4Mask[null, wand(oldCrt, FullPerm, xs, FullPerm)] := Used_4Mask[null, wand(oldCrt, FullPerm, xs, FullPerm)] + takeTransfer; + b_11 := b_11 && state(Used_4Heap, Used_4Mask); + Ops_3Mask[null, wand(oldCrt, FullPerm, xs, FullPerm)] := Ops_3Mask[null, wand(oldCrt, FullPerm, xs, FullPerm)] - takeTransfer; + } + } + + // -- transfer code for top state of stack + // accumulate constraints which need to be satisfied for transfer to occur + accVar2 := true; + // actual code for the transfer from current state on stack + if (((b_5 && b_11) && accVar2) && neededTransfer > 0.000000000) { + maskTransfer := Mask[null, wand(oldCrt, FullPerm, xs, FullPerm)]; + if (neededTransfer <= maskTransfer) { + takeTransfer := neededTransfer; + } else { + takeTransfer := maskTransfer; + } + if (takeTransfer > 0.000000000) { + neededTransfer := neededTransfer - takeTransfer; + Used_4Mask[null, wand(oldCrt, FullPerm, xs, FullPerm)] := Used_4Mask[null, wand(oldCrt, FullPerm, xs, FullPerm)] + takeTransfer; + b_11 := b_11 && state(Used_4Heap, Used_4Mask); + Mask[null, wand(oldCrt, FullPerm, xs, FullPerm)] := Mask[null, wand(oldCrt, FullPerm, xs, FullPerm)] - takeTransfer; + } + } + assert {:msg " Applying wand might fail. Magic wand instance not found. (list_insert_noseq.vpr@75.9--75.50) [266]"} + b_5 && b_11 ==> neededTransfer == 0.000000000 && Used_4Mask[null, wand(oldCrt, FullPerm, xs, FullPerm)] == initNeededTransfer; + + // -- Creating state which is the sum of the two previously built up states + b_12 := b_5 && b_11; + b_12 := b_12 && state(Result_5Heap, Result_5Mask); + b_12 := b_12 && sumMask(Result_5Mask, Ops_3Mask, Used_4Mask); + b_12 := (b_12 && IdenticalOnKnownLocations(Ops_3Heap, Result_5Heap, Ops_3Mask)) && IdenticalOnKnownLocations(Used_4Heap, Result_5Heap, Used_4Mask); + b_12 := b_12 && state(Result_5Heap, Result_5Mask); + b_5 := b_5 && b_12; + b_5 := b_5 && b_11; + b_5 := b_5 && Used_4Heap == Ops_3Heap; + b_5 := b_5 && state(Ops_3Heap, Ops_3Mask); + + // -- check if LHS holds and remove permissions + havoc Used_5Heap; + Used_5Mask := ZeroMask; + b_13 := b_13 && state(Used_5Heap, Used_5Mask); + + // -- Transfer of acc(List(oldCrt), write) + arg_2 := oldCrt; + neededTransfer := FullPerm; + initNeededTransfer := Used_5Mask[null, List(arg_2)] + neededTransfer; + assert {:msg " Applying wand might fail. Fraction acc(List(oldCrt), write) might be negative. (list_insert_noseq.vpr@75.9--75.50) [267]"} + neededTransfer >= 0.000000000; + + // -- transfer code for top state of stack + // accumulate constraints which need to be satisfied for transfer to occur + accVar2 := true; + // actual code for the transfer from current state on stack + if (((b_5 && b_13) && accVar2) && neededTransfer > 0.000000000) { + maskTransfer := Ops_3Mask[null, List(arg_2)]; + if (neededTransfer <= maskTransfer) { + takeTransfer := neededTransfer; + } else { + takeTransfer := maskTransfer; + } + if (takeTransfer > 0.000000000) { + neededTransfer := neededTransfer - takeTransfer; + Used_5Mask[null, List(arg_2)] := Used_5Mask[null, List(arg_2)] + takeTransfer; + b_13 := b_13 && state(Used_5Heap, Used_5Mask); + TempMask := ZeroMask; + TempMask[null, List(arg_2)] := FullPerm; + b_13 := b_13 && IdenticalOnKnownLocations(Ops_3Heap, Used_5Heap, TempMask); + Ops_3Mask[null, List(arg_2)] := Ops_3Mask[null, List(arg_2)] - takeTransfer; + } + } + + // -- transfer code for top state of stack + // accumulate constraints which need to be satisfied for transfer to occur + accVar2 := true; + // actual code for the transfer from current state on stack + if (((b_5 && b_13) && accVar2) && neededTransfer > 0.000000000) { + maskTransfer := Mask[null, List(arg_2)]; + if (neededTransfer <= maskTransfer) { + takeTransfer := neededTransfer; + } else { + takeTransfer := maskTransfer; + } + if (takeTransfer > 0.000000000) { + neededTransfer := neededTransfer - takeTransfer; + Used_5Mask[null, List(arg_2)] := Used_5Mask[null, List(arg_2)] + takeTransfer; + b_13 := b_13 && state(Used_5Heap, Used_5Mask); + TempMask := ZeroMask; + TempMask[null, List(arg_2)] := FullPerm; + b_13 := b_13 && IdenticalOnKnownLocations(Heap, Used_5Heap, TempMask); + Mask[null, List(arg_2)] := Mask[null, List(arg_2)] - takeTransfer; + havoc newPMask; + assume (forall o_7: Ref, f_11: (Field A B) :: + { newPMask[o_7, f_11] } + Heap[null, wand#sm(crt, FullPerm, xs, FullPerm)][o_7, f_11] || Heap[null, List#sm(oldCrt)][o_7, f_11] ==> newPMask[o_7, f_11] + ); + Heap[null, wand#sm(crt, FullPerm, xs, FullPerm)] := newPMask; + } + } + assert {:msg " Applying wand might fail. There might be insufficient permission to access List(oldCrt) (list_insert_noseq.vpr@75.9--75.50) [268]"} + b_5 && b_13 ==> neededTransfer == 0.000000000 && Used_5Mask[null, List(arg_2)] == initNeededTransfer; + + // -- Creating state which is the sum of the two previously built up states + b_14 := b_5 && b_13; + b_14 := b_14 && state(Result_6Heap, Result_6Mask); + b_14 := b_14 && sumMask(Result_6Mask, Ops_3Mask, Used_5Mask); + b_14 := (b_14 && IdenticalOnKnownLocations(Ops_3Heap, Result_6Heap, Ops_3Mask)) && IdenticalOnKnownLocations(Used_5Heap, Result_6Heap, Used_5Mask); + b_14 := b_14 && state(Result_6Heap, Result_6Mask); + b_5 := b_5 && b_14; + b_5 := b_5 && b_13; + b_5 := b_5 && Used_5Heap == Ops_3Heap; + b_5 := b_5 && state(Ops_3Heap, Ops_3Mask); + + // -- inhale the RHS of the wand + perm := FullPerm; + b_5 := b_5; + Ops_3Mask[null, List(xs)] := Ops_3Mask[null, List(xs)] + perm; + b_5 := b_5 && state(Ops_3Heap, Ops_3Mask); + b_5 := b_5 && state(Ops_3Heap, Ops_3Mask); + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Ops_3Heap, ExhaleHeap, Ops_3Mask); + Ops_3Heap := ExhaleHeap; + b_5 := b_5 && state(Ops_3Heap, Ops_3Mask); + b_5 := b_5 && state(Ops_3Heap, Ops_3Mask); + } + // Translating exec of non-ghost operationacc(List(xs), write) + havoc Used_6Heap; + Used_6Mask := ZeroMask; + b_15 := b_15 && state(Used_6Heap, Used_6Mask); + + // -- Transfer of acc(List(xs), write) + arg_3 := xs; + neededTransfer := FullPerm; + initNeededTransfer := Used_6Mask[null, List(arg_3)] + neededTransfer; + assert {:msg " Packaging wand might fail. Fraction acc(List(xs), write) might be negative. (list_insert_noseq.vpr@73.5--76.6) [269]"} + neededTransfer >= 0.000000000; + + // -- transfer code for top state of stack + // accumulate constraints which need to be satisfied for transfer to occur + accVar2 := true; + // actual code for the transfer from current state on stack + if ((((b_5 && b_5) && b_15) && accVar2) && neededTransfer > 0.000000000) { + maskTransfer := Ops_3Mask[null, List(arg_3)]; + if (neededTransfer <= maskTransfer) { + takeTransfer := neededTransfer; + } else { + takeTransfer := maskTransfer; + } + if (takeTransfer > 0.000000000) { + neededTransfer := neededTransfer - takeTransfer; + Used_6Mask[null, List(arg_3)] := Used_6Mask[null, List(arg_3)] + takeTransfer; + b_15 := b_15 && state(Used_6Heap, Used_6Mask); + TempMask := ZeroMask; + TempMask[null, List(arg_3)] := FullPerm; + b_15 := b_15 && IdenticalOnKnownLocations(Ops_3Heap, Used_6Heap, TempMask); + Ops_3Mask[null, List(arg_3)] := Ops_3Mask[null, List(arg_3)] - takeTransfer; + } + } + + // -- transfer code for top state of stack + // accumulate constraints which need to be satisfied for transfer to occur + accVar2 := true; + // actual code for the transfer from current state on stack + if ((((b_5 && b_5) && b_15) && accVar2) && neededTransfer > 0.000000000) { + maskTransfer := Mask[null, List(arg_3)]; + if (neededTransfer <= maskTransfer) { + takeTransfer := neededTransfer; + } else { + takeTransfer := maskTransfer; + } + if (takeTransfer > 0.000000000) { + neededTransfer := neededTransfer - takeTransfer; + Used_6Mask[null, List(arg_3)] := Used_6Mask[null, List(arg_3)] + takeTransfer; + b_15 := b_15 && state(Used_6Heap, Used_6Mask); + TempMask := ZeroMask; + TempMask[null, List(arg_3)] := FullPerm; + b_15 := b_15 && IdenticalOnKnownLocations(Heap, Used_6Heap, TempMask); + Mask[null, List(arg_3)] := Mask[null, List(arg_3)] - takeTransfer; + havoc newPMask; + assume (forall o_8: Ref, f_12: (Field A B) :: + { newPMask[o_8, f_12] } + Heap[null, wand#sm(crt, FullPerm, xs, FullPerm)][o_8, f_12] || Heap[null, List#sm(xs)][o_8, f_12] ==> newPMask[o_8, f_12] + ); + Heap[null, wand#sm(crt, FullPerm, xs, FullPerm)] := newPMask; + } + } + assert {:msg " Packaging wand might fail. There might be insufficient permission to access List(xs) (list_insert_noseq.vpr@73.5--76.6) [270]"} + (b_5 && b_5) && b_15 ==> neededTransfer == 0.000000000 && Used_6Mask[null, List(arg_3)] == initNeededTransfer; + + // -- Creating state which is the sum of the two previously built up states + b_16 := b_5 && b_15; + b_16 := b_16 && state(Result_7Heap, Result_7Mask); + b_16 := b_16 && sumMask(Result_7Mask, Ops_3Mask, Used_6Mask); + b_16 := (b_16 && IdenticalOnKnownLocations(Ops_3Heap, Result_7Heap, Ops_3Mask)) && IdenticalOnKnownLocations(Used_6Heap, Result_7Heap, Used_6Mask); + b_16 := b_16 && state(Result_7Heap, Result_7Mask); + b_5 := b_5 && b_16; + Mask[null, wand(crt, FullPerm, xs, FullPerm)] := Mask[null, wand(crt, FullPerm, xs, FullPerm)] + FullPerm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + // Exhale invariant + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Loop invariant acc(crt.val, write) && acc(crt.next, write) might not be preserved. There might be insufficient permission to access crt.val (list_insert_noseq.vpr@57.15--57.44) [271]"} + perm <= Mask[crt, val]; + } + Mask[crt, val] := Mask[crt, val] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Loop invariant acc(crt.val, write) && acc(crt.next, write) might not be preserved. There might be insufficient permission to access crt.next (list_insert_noseq.vpr@57.15--57.44) [272]"} + perm <= Mask[crt, next]; + } + Mask[crt, next] := Mask[crt, next] - perm; + assert {:msg " Loop invariant nxt == crt.next might not be preserved. Assertion nxt == crt.next might not hold. (list_insert_noseq.vpr@58.15--58.30) [273]"} + nxt == Heap[crt, next]; + if (nxt != null) { + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Loop invariant nxt != null ==> acc(List(nxt), write) might not be preserved. There might be insufficient permission to access List(nxt) (list_insert_noseq.vpr@60.15--60.47) [274]"} + perm <= Mask[null, List(nxt)]; + } + Mask[null, List(nxt)] := Mask[null, List(nxt)] - perm; + } + // permLe + assert {:msg " Loop invariant acc(List(crt), write) --* acc(List(xs), write) might not be preserved. Magic wand instance not found. (list_insert_noseq.vpr@61.15--61.22) [275]"} + FullPerm <= Mask[null, wand(crt, FullPerm, xs, FullPerm)]; + Mask[null, wand(crt, FullPerm, xs, FullPerm)] := Mask[null, wand(crt, FullPerm, xs, FullPerm)] - FullPerm; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Terminate execution + assume false; + } + + // -- Inhale loop invariant after loop, and assume guard + assume !(nxt != null && head(Heap, nxt) < x); + assume state(Heap, Mask); + perm := FullPerm; + assume crt != null; + Mask[crt, val] := Mask[crt, val] + perm; + assume state(Heap, Mask); + perm := FullPerm; + assume crt != null; + Mask[crt, next] := Mask[crt, next] + perm; + assume state(Heap, Mask); + assume nxt == Heap[crt, next]; + if (nxt != null) { + perm := FullPerm; + Mask[null, List(nxt)] := Mask[null, List(nxt)] + perm; + assume state(Heap, Mask); + } + Mask[null, wand(crt, FullPerm, xs, FullPerm)] := Mask[null, wand(crt, FullPerm, xs, FullPerm)] + FullPerm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: node := new(val, next) -- list_insert_noseq.vpr@81.3--81.7 + havoc freshObj; + assume freshObj != null && !Heap[freshObj, $allocated]; + Heap[freshObj, $allocated] := true; + node := freshObj; + Mask[node, val] := Mask[node, val] + FullPerm; + Mask[node, next] := Mask[node, next] + FullPerm; + assume state(Heap, Mask); + + // -- Translating statement: node.val := x -- list_insert_noseq.vpr@82.3--82.16 + assert {:msg " Assignment might fail. There might be insufficient permission to access node.val (list_insert_noseq.vpr@82.3--82.16) [276]"} + FullPerm == Mask[node, val]; + Heap[node, val] := x; + assume state(Heap, Mask); + + // -- Translating statement: node.next := nxt -- list_insert_noseq.vpr@83.3--83.19 + assert {:msg " Assignment might fail. There might be insufficient permission to access node.next (list_insert_noseq.vpr@83.3--83.19) [277]"} + FullPerm == Mask[node, next]; + Heap[node, next] := nxt; + assume state(Heap, Mask); + + // -- Translating statement: fold acc(List(node), write) -- list_insert_noseq.vpr@84.3--84.18 + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Folding List(node) might fail. There might be insufficient permission to access node.val (list_insert_noseq.vpr@84.3--84.18) [279]"} + perm <= Mask[node, val]; + } + Mask[node, val] := Mask[node, val] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Folding List(node) might fail. There might be insufficient permission to access node.next (list_insert_noseq.vpr@84.3--84.18) [281]"} + perm <= Mask[node, next]; + } + Mask[node, next] := Mask[node, next] - perm; + if (Heap[node, next] != null) { + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Folding List(node) might fail. There might be insufficient permission to access List(node.next) (list_insert_noseq.vpr@84.3--84.18) [283]"} + perm <= Mask[null, List(Heap[node, next])]; + } + Mask[null, List(Heap[node, next])] := Mask[null, List(Heap[node, next])] - perm; + + // -- Record predicate instance information + assume InsidePredicate(List(node), Heap[null, List(node)], List(Heap[node, next]), Heap[null, List(Heap[node, next])]); + } + perm := FullPerm; + Mask[null, List(node)] := Mask[null, List(node)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume List#trigger(Heap, List(node)); + assume Heap[null, List(node)] == CombineFrames(FrameFragment(Heap[node, val]), CombineFrames(FrameFragment(Heap[node, next]), FrameFragment((if Heap[node, next] != null then Heap[null, List(Heap[node, next])] else EmptyFrame)))); + if (!HasDirectPerm(Mask, null, List(node))) { + Heap[null, List#sm(node)] := ZeroPMask; + havoc freshVersion; + Heap[null, List(node)] := freshVersion; + } + Heap[null, List#sm(node)][node, val] := true; + Heap[null, List#sm(node)][node, next] := true; + if (Heap[node, next] != null) { + havoc newPMask; + assume (forall o_9: Ref, f_13: (Field A B) :: + { newPMask[o_9, f_13] } + Heap[null, List#sm(node)][o_9, f_13] || Heap[null, List#sm(Heap[node, next])][o_9, f_13] ==> newPMask[o_9, f_13] + ); + Heap[null, List#sm(node)] := newPMask; + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: crt.next := node -- list_insert_noseq.vpr@89.3--89.19 + assert {:msg " Assignment might fail. There might be insufficient permission to access crt.next (list_insert_noseq.vpr@89.3--89.19) [285]"} + FullPerm == Mask[crt, next]; + Heap[crt, next] := node; + assume state(Heap, Mask); + + // -- Translating statement: fold acc(List(crt), write) -- list_insert_noseq.vpr@90.3--90.17 + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Folding List(crt) might fail. There might be insufficient permission to access crt.val (list_insert_noseq.vpr@90.3--90.17) [287]"} + perm <= Mask[crt, val]; + } + Mask[crt, val] := Mask[crt, val] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Folding List(crt) might fail. There might be insufficient permission to access crt.next (list_insert_noseq.vpr@90.3--90.17) [289]"} + perm <= Mask[crt, next]; + } + Mask[crt, next] := Mask[crt, next] - perm; + if (Heap[crt, next] != null) { + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Folding List(crt) might fail. There might be insufficient permission to access List(crt.next) (list_insert_noseq.vpr@90.3--90.17) [291]"} + perm <= Mask[null, List(Heap[crt, next])]; + } + Mask[null, List(Heap[crt, next])] := Mask[null, List(Heap[crt, next])] - perm; + + // -- Record predicate instance information + assume InsidePredicate(List(crt), Heap[null, List(crt)], List(Heap[crt, next]), Heap[null, List(Heap[crt, next])]); + } + perm := FullPerm; + Mask[null, List(crt)] := Mask[null, List(crt)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume List#trigger(Heap, List(crt)); + assume Heap[null, List(crt)] == CombineFrames(FrameFragment(Heap[crt, val]), CombineFrames(FrameFragment(Heap[crt, next]), FrameFragment((if Heap[crt, next] != null then Heap[null, List(Heap[crt, next])] else EmptyFrame)))); + if (!HasDirectPerm(Mask, null, List(crt))) { + Heap[null, List#sm(crt)] := ZeroPMask; + havoc freshVersion; + Heap[null, List(crt)] := freshVersion; + } + Heap[null, List#sm(crt)][crt, val] := true; + Heap[null, List#sm(crt)][crt, next] := true; + if (Heap[crt, next] != null) { + havoc newPMask; + assume (forall o_10: Ref, f_14: (Field A B) :: + { newPMask[o_10, f_14] } + Heap[null, List#sm(crt)][o_10, f_14] || Heap[null, List#sm(Heap[crt, next])][o_10, f_14] ==> newPMask[o_10, f_14] + ); + Heap[null, List#sm(crt)] := newPMask; + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: apply acc(List(crt), write) --* acc(List(xs), write) -- list_insert_noseq.vpr@95.3--95.16 + + // -- check if wand is held and remove an instance + // permLe + assert {:msg " Applying wand might fail. Magic wand instance not found. (list_insert_noseq.vpr@95.3--95.16) [293]"} + FullPerm <= Mask[null, wand(crt, FullPerm, xs, FullPerm)]; + Mask[null, wand(crt, FullPerm, xs, FullPerm)] := Mask[null, wand(crt, FullPerm, xs, FullPerm)] - FullPerm; + assume state(Heap, Mask); + + // -- check if LHS holds and remove permissions + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Applying wand might fail. There might be insufficient permission to access List(crt) (list_insert_noseq.vpr@95.3--95.16) [295]"} + perm <= Mask[null, List(crt)]; + } + Mask[null, List(crt)] := Mask[null, List(crt)] - perm; + assume state(Heap, Mask); + + // -- inhale the RHS of the wand + perm := FullPerm; + Mask[null, List(xs)] := Mask[null, List(xs)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Exhaling postcondition + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Postcondition of insert might not hold. There might be insufficient permission to access List(xs) (list_insert_noseq.vpr@34.11--34.24) [297]"} + perm <= Mask[null, List(xs)]; + } + Mask[null, List(xs)] := Mask[null, List(xs)] - perm; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; +} diff --git a/Test/monomorphize/viper/longest-common-prefix.bpl b/Test/monomorphize/viper/longest-common-prefix.bpl new file mode 100644 index 000000000..ee5132b01 --- /dev/null +++ b/Test/monomorphize/viper/longest-common-prefix.bpl @@ -0,0 +1,786 @@ +// RUN: %parallel-boogie /monomorphize /noVerify "%s" > "%t" + +// ================================================== +// Preamble of State module. +// ================================================== + +function state(Heap: HeapType, Mask: MaskType): bool; + +// ================================================== +// Preamble of Heap module. +// ================================================== + +type Ref; +var Heap: HeapType; +const null: Ref; +type Field A B; +type NormalField; +type HeapType = [Ref, Field A B]B; +const unique $allocated: Field NormalField bool; +axiom (forall o: Ref, f: (Field NormalField Ref), Heap: HeapType :: + { Heap[o, f] } + Heap[o, $allocated] ==> Heap[Heap[o, f], $allocated] +); +function succHeap(Heap0: HeapType, Heap1: HeapType): bool; +function succHeapTrans(Heap0: HeapType, Heap1: HeapType): bool; +function IdenticalOnKnownLocations(Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType): bool; +function IsPredicateField(f_1: (Field A B)): bool; +function IsWandField(f_1: (Field A B)): bool; +function getPredicateId(f_1: (Field A B)): int; +// Frame all locations with direct permissions +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, o_1: Ref, f_2: (Field A B) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), ExhaleHeap[o_1, f_2] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, o_1, f_2) ==> Heap[o_1, f_2] == ExhaleHeap[o_1, f_2] +); +// Frame all predicate mask locations of predicates with direct permission +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsPredicateField(pm_f), ExhaleHeap[null, PredicateMaskField(pm_f)] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsPredicateField(pm_f) ==> Heap[null, PredicateMaskField(pm_f)] == ExhaleHeap[null, PredicateMaskField(pm_f)] +); +// Frame all locations with known folded permissions +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsPredicateField(pm_f) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsPredicateField(pm_f) ==> (forall o2: Ref, f_2: (Field A B) :: + { ExhaleHeap[o2, f_2] } + Heap[null, PredicateMaskField(pm_f)][o2, f_2] ==> Heap[o2, f_2] == ExhaleHeap[o2, f_2] + ) +); +// Frame all wand mask locations of wands with direct permission +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsWandField(pm_f), ExhaleHeap[null, WandMaskField(pm_f)] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsWandField(pm_f) ==> Heap[null, WandMaskField(pm_f)] == ExhaleHeap[null, WandMaskField(pm_f)] +); +// Frame all locations in the footprint of magic wands +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsWandField(pm_f) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsWandField(pm_f) ==> (forall o2: Ref, f_2: (Field A B) :: + { ExhaleHeap[o2, f_2] } + Heap[null, WandMaskField(pm_f)][o2, f_2] ==> Heap[o2, f_2] == ExhaleHeap[o2, f_2] + ) +); +// All previously-allocated references are still allocated +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, o_1: Ref :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), ExhaleHeap[o_1, $allocated] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> Heap[o_1, $allocated] ==> ExhaleHeap[o_1, $allocated] +); +// Updated Heaps are Successor Heaps +axiom (forall Heap: HeapType, o: Ref, f_3: (Field A B), v: B :: + { Heap[o, f_3:=v] } + succHeap(Heap, Heap[o, f_3:=v]) +); +// IdenticalOnKnownLocations Heaps are Successor Heaps +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> succHeap(Heap, ExhaleHeap) +); +// Successor Heaps are Transitive Successor Heaps +axiom (forall Heap0: HeapType, Heap1: HeapType :: + { succHeap(Heap0, Heap1) } + succHeap(Heap0, Heap1) ==> succHeapTrans(Heap0, Heap1) +); +// Transitivity of Transitive Successor Heaps +axiom (forall Heap0: HeapType, Heap1: HeapType, Heap2: HeapType :: + { succHeapTrans(Heap0, Heap1), succHeap(Heap1, Heap2) } + succHeapTrans(Heap0, Heap1) && succHeap(Heap1, Heap2) ==> succHeapTrans(Heap0, Heap2) +); + +// ================================================== +// Preamble of Permission module. +// ================================================== + +type Perm = real; +type MaskType = [Ref, Field A B]Perm; +var Mask: MaskType; +const ZeroMask: MaskType; +axiom (forall o_2: Ref, f_4: (Field A B) :: + { ZeroMask[o_2, f_4] } + ZeroMask[o_2, f_4] == NoPerm +); +type PMaskType = [Ref, Field A B]bool; +const ZeroPMask: PMaskType; +axiom (forall o_2: Ref, f_4: (Field A B) :: + { ZeroPMask[o_2, f_4] } + !ZeroPMask[o_2, f_4] +); +function PredicateMaskField(f_5: (Field A FrameType)): Field A PMaskType; +function WandMaskField(f_5: (Field A FrameType)): Field A PMaskType; +const NoPerm: Perm; +axiom NoPerm == 0.000000000; +const FullPerm: Perm; +axiom FullPerm == 1.000000000; +function Perm(a: real, b: real): Perm; +function GoodMask(Mask: MaskType): bool; +axiom (forall Heap: HeapType, Mask: MaskType :: + { state(Heap, Mask) } + state(Heap, Mask) ==> GoodMask(Mask) +); +axiom (forall Mask: MaskType, o_2: Ref, f_4: (Field A B) :: + { GoodMask(Mask), Mask[o_2, f_4] } + GoodMask(Mask) ==> Mask[o_2, f_4] >= NoPerm && ((GoodMask(Mask) && !IsPredicateField(f_4)) && !IsWandField(f_4) ==> Mask[o_2, f_4] <= FullPerm) +); +function HasDirectPerm(Mask: MaskType, o_2: Ref, f_4: (Field A B)): bool; +axiom (forall Mask: MaskType, o_2: Ref, f_4: (Field A B) :: + { HasDirectPerm(Mask, o_2, f_4) } + HasDirectPerm(Mask, o_2, f_4) <==> Mask[o_2, f_4] > NoPerm +); +function sumMask(ResultMask: MaskType, SummandMask1: MaskType, SummandMask2: MaskType): bool; +axiom (forall ResultMask: MaskType, SummandMask1: MaskType, SummandMask2: MaskType, o_2: Ref, f_4: (Field A B) :: + { sumMask(ResultMask, SummandMask1, SummandMask2), ResultMask[o_2, f_4] } { sumMask(ResultMask, SummandMask1, SummandMask2), SummandMask1[o_2, f_4] } { sumMask(ResultMask, SummandMask1, SummandMask2), SummandMask2[o_2, f_4] } + sumMask(ResultMask, SummandMask1, SummandMask2) ==> ResultMask[o_2, f_4] == SummandMask1[o_2, f_4] + SummandMask2[o_2, f_4] +); +// ================================================== +// Function for trigger used in checks which are never triggered +// ================================================== + +function neverTriggered1(k$0_1: int): bool; +function neverTriggered2(k$1_1: int): bool; +function neverTriggered3(k$1_2: int): bool; +function neverTriggered4(k$2: int): bool; +function neverTriggered5(k$2_2: int): bool; +function neverTriggered6(k$2_3: int): bool; +function neverTriggered7(k$2_4: int): bool; +function neverTriggered8(k$2_5: int): bool; +// ================================================== +// Functions used as inverse of receiver expressions in quantified permissions during inhale and exhale +// ================================================== + +function invRecv1(recv: Ref): int; +function invRecv2(recv: Ref): int; +function invRecv3(recv: Ref): int; +function invRecv4(recv: Ref): int; +function invRecv5(recv: Ref): int; +function invRecv6(recv: Ref): int; +function invRecv7(recv: Ref): int; +function invRecv8(recv: Ref): int; +// ================================================== +// Functions used to represent the range of the projection of each QP instance onto its receiver expressions for quantified permissions during inhale and exhale +// ================================================== + +function qpRange1(recv: Ref): bool; +function qpRange2(recv: Ref): bool; +function qpRange3(recv: Ref): bool; +function qpRange4(recv: Ref): bool; +function qpRange5(recv: Ref): bool; +function qpRange6(recv: Ref): bool; +function qpRange7(recv: Ref): bool; +function qpRange8(recv: Ref): bool; + +// ================================================== +// Preamble of Function and predicate module. +// ================================================== + +// Declarations for function framing +type FrameType; +const EmptyFrame: FrameType; +function FrameFragment(t: T): FrameType; +function ConditionalFrame(p: Perm, f_6: FrameType): FrameType; +function dummyFunction(t: T): bool; +function CombineFrames(a_1: FrameType, b_1: FrameType): FrameType; +// ================================================== +// Definition of conditional frame fragments +// ================================================== + +axiom (forall p: Perm, f_6: FrameType :: + { ConditionalFrame(p, f_6) } + ConditionalFrame(p, f_6) == (if p > 0.000000000 then f_6 else EmptyFrame) +); +// Function for recording enclosure of one predicate instance in another +function InsidePredicate(p: (Field A FrameType), v_1: FrameType, q: (Field B FrameType), w: FrameType): bool; +// Transitivity of InsidePredicate +axiom (forall p: (Field A FrameType), v_1: FrameType, q: (Field B FrameType), w: FrameType, r: (Field C FrameType), u: FrameType :: + { InsidePredicate(p, v_1, q, w), InsidePredicate(q, w, r, u) } + InsidePredicate(p, v_1, q, w) && InsidePredicate(q, w, r, u) ==> InsidePredicate(p, v_1, r, u) +); +// Knowledge that two identical instances of the same predicate cannot be inside each other +axiom (forall p: (Field A FrameType), v_1: FrameType, w: FrameType :: + { InsidePredicate(p, v_1, p, w) } + !InsidePredicate(p, v_1, p, w) +); + +// ================================================== +// Translation of domain IArray +// ================================================== + +// The type for domain IArray +type IArrayDomainType; + +// Translation of domain function loc +function loc(a_2: IArrayDomainType, i: int): Ref; + +// Translation of domain function len +function len(a_2: IArrayDomainType): int; + +// Translation of domain function first +function first(r_1: Ref): IArrayDomainType; + +// Translation of domain function second +function second(r_1: Ref): int; + +// Translation of domain axiom all_diff +axiom (forall a_3: IArrayDomainType, i_1: int :: + { (loc(a_3, i_1): Ref) } + (first((loc(a_3, i_1): Ref)): IArrayDomainType) == a_3 && (second((loc(a_3, i_1): Ref)): int) == i_1 +); + +// Translation of domain axiom length_nonneg +axiom (forall a_3: IArrayDomainType :: + { (len(a_3): int) } + (len(a_3): int) >= 0 +); + +// ================================================== +// Translation of all fields +// ================================================== + +const unique val: Field NormalField int; +axiom !IsPredicateField(val); +axiom !IsWandField(val); + +// ================================================== +// Translation of method lcp +// ================================================== + +procedure lcp(a_3: IArrayDomainType, x: int, y: int) returns (n: int) + modifies Heap, Mask; +{ + var QPMask: MaskType; + var PostHeap: HeapType; + var PostMask: MaskType; + var k: int; + var k_4: int; + var ExhaleHeap: HeapType; + var k_2: int; + var loopHeap: HeapType; + var loopMask: MaskType; + var k_9: int; + var k_2_1: int; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + + // -- Checked inhaling of precondition + + // -- Check definedness of (forall k$0: Int :: { loc(a, k$0) } 0 <= k$0 && k$0 < len(a) ==> acc(loc(a, k$0).val, write)) + if (*) { + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource loc(a, k$0).val might not be injective. (longest-common-prefix.vpr@16.12--16.21) [105]"} + (forall k$0_1: int, k$0_1_1: int :: + + (((k$0_1 != k$0_1_1 && (0 <= k$0_1 && k$0_1 < (len(a_3): int))) && (0 <= k$0_1_1 && k$0_1_1 < (len(a_3): int))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, k$0_1): Ref) != (loc(a_3, k$0_1_1): Ref) + ); + + // -- Define Inverse Function + assume (forall k$0_1: int :: + { (loc(a_3, k$0_1): Ref) } { (loc(a_3, k$0_1): Ref) } + (0 <= k$0_1 && k$0_1 < (len(a_3): int)) && NoPerm < FullPerm ==> qpRange1((loc(a_3, k$0_1): Ref)) && invRecv1((loc(a_3, k$0_1): Ref)) == k$0_1 + ); + assume (forall o_3: Ref :: + { invRecv1(o_3) } + ((0 <= invRecv1(o_3) && invRecv1(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange1(o_3) ==> (loc(a_3, invRecv1(o_3)): Ref) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall k$0_1: int :: + { (loc(a_3, k$0_1): Ref) } { (loc(a_3, k$0_1): Ref) } + 0 <= k$0_1 && k$0_1 < (len(a_3): int) ==> (loc(a_3, k$0_1): Ref) != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + (((0 <= invRecv1(o_3) && invRecv1(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange1(o_3) ==> (NoPerm < FullPerm ==> (loc(a_3, invRecv1(o_3)): Ref) == o_3) && QPMask[o_3, val] == Mask[o_3, val] + FullPerm) && (!(((0 <= invRecv1(o_3) && invRecv1(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange1(o_3)) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume 0 <= x; + assume 0 <= y; + assume x < (len(a_3): int); + assume y < (len(a_3): int); + assume state(Heap, Mask); + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + PostHeap := Heap; + PostMask := Mask; + havoc PostHeap; + PostMask := ZeroMask; + assume state(PostHeap, PostMask); + if (*) { + // Checked inhaling of postcondition to check definedness + + // -- Check definedness of (forall k$1: Int :: { loc(a, k$1) } 0 <= k$1 && k$1 < len(a) ==> acc(loc(a, k$1).val, write)) + if (*) { + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource loc(a, k$1).val might not be injective. (longest-common-prefix.vpr@18.12--18.21) [106]"} + (forall k$1_1: int, k$1_1_1: int :: + + (((k$1_1 != k$1_1_1 && (0 <= k$1_1 && k$1_1 < (len(a_3): int))) && (0 <= k$1_1_1 && k$1_1_1 < (len(a_3): int))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, k$1_1): Ref) != (loc(a_3, k$1_1_1): Ref) + ); + + // -- Define Inverse Function + assume (forall k$1_1: int :: + { (loc(a_3, k$1_1): Ref) } { (loc(a_3, k$1_1): Ref) } + (0 <= k$1_1 && k$1_1 < (len(a_3): int)) && NoPerm < FullPerm ==> qpRange2((loc(a_3, k$1_1): Ref)) && invRecv2((loc(a_3, k$1_1): Ref)) == k$1_1 + ); + assume (forall o_3: Ref :: + { invRecv2(o_3) } + ((0 <= invRecv2(o_3) && invRecv2(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange2(o_3) ==> (loc(a_3, invRecv2(o_3)): Ref) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall k$1_1: int :: + { (loc(a_3, k$1_1): Ref) } { (loc(a_3, k$1_1): Ref) } + 0 <= k$1_1 && k$1_1 < (len(a_3): int) ==> (loc(a_3, k$1_1): Ref) != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + (((0 <= invRecv2(o_3) && invRecv2(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange2(o_3) ==> (NoPerm < FullPerm ==> (loc(a_3, invRecv2(o_3)): Ref) == o_3) && QPMask[o_3, val] == PostMask[o_3, val] + FullPerm) && (!(((0 <= invRecv2(o_3) && invRecv2(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange2(o_3)) ==> QPMask[o_3, val] == PostMask[o_3, val]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { PostMask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != val ==> PostMask[o_3, f_5] == QPMask[o_3, f_5] + ); + PostMask := QPMask; + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + assume 0 <= n; + assume x + n <= (len(a_3): int); + assume y + n <= (len(a_3): int); + assume state(PostHeap, PostMask); + + // -- Check definedness of (forall k: Int :: { loc(a, k) } x <= k && k < x + n ==> loc(a, k).val == loc(a, y + k - x).val) + if (*) { + if (x <= k && k < x + n) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access loc(a, k).val (longest-common-prefix.vpr@20.12--20.91) [107]"} + HasDirectPerm(PostMask, (loc(a_3, k): Ref), val); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access loc(a, y + k - x).val (longest-common-prefix.vpr@20.12--20.91) [108]"} + HasDirectPerm(PostMask, (loc(a_3, y + k - x): Ref), val); + } + assume false; + } + assume (forall k_1: int :: + { (loc(a_3, k_1): Ref) } + x <= k_1 && k_1 < x + n ==> PostHeap[(loc(a_3, k_1): Ref), val] == PostHeap[(loc(a_3, y + k_1 - x): Ref), val] + ); + assume state(PostHeap, PostMask); + if (x + n < (len(a_3): int) && y + n < (len(a_3): int)) { + + // -- Check definedness of loc(a, x + n).val != loc(a, y + n).val + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access loc(a, x + n).val (longest-common-prefix.vpr@26.12--26.87) [109]"} + HasDirectPerm(PostMask, (loc(a_3, x + n): Ref), val); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access loc(a, y + n).val (longest-common-prefix.vpr@26.12--26.87) [110]"} + HasDirectPerm(PostMask, (loc(a_3, y + n): Ref), val); + assume PostHeap[(loc(a_3, x + n): Ref), val] != PostHeap[(loc(a_3, y + n): Ref), val]; + } + assume state(PostHeap, PostMask); + // Stop execution + assume false; + } + + // -- Translating statement: n := 0 -- longest-common-prefix.vpr@28.4--28.10 + n := 0; + assume state(Heap, Mask); + + // -- Translating statement: while (x + n < len(a) && (y + n < len(a) && loc(a, x + n).val == loc(a, y + n).val)) -- longest-common-prefix.vpr@29.4--36.5 + + // -- Before loop head + + // -- Exhale loop invariant before loop + assert {:msg " Loop invariant n >= 0 might not hold on entry. Assertion n >= 0 might not hold. (longest-common-prefix.vpr@30.16--30.22) [111]"} + n >= 0; + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver loc(a, k$2) is injective + assert {:msg " Loop invariant (forall k$2: Int :: { loc(a, k$2) } 0 <= k$2 && k$2 < len(a) ==> acc(loc(a, k$2).val, write)) might not hold on entry. Quantified resource loc(a, k$2).val might not be injective. (longest-common-prefix.vpr@31.16--31.25) [112]"} + (forall k$2: int, k$2_1: int :: + { neverTriggered4(k$2), neverTriggered4(k$2_1) } + (((k$2 != k$2_1 && (0 <= k$2 && k$2 < (len(a_3): int))) && (0 <= k$2_1 && k$2_1 < (len(a_3): int))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, k$2): Ref) != (loc(a_3, k$2_1): Ref) + ); + + // -- check if sufficient permission is held + assert {:msg " Loop invariant (forall k$2: Int :: { loc(a, k$2) } 0 <= k$2 && k$2 < len(a) ==> acc(loc(a, k$2).val, write)) might not hold on entry. There might be insufficient permission to access loc(a, k$2).val (longest-common-prefix.vpr@31.16--31.25) [113]"} + (forall k$2: int :: + { (loc(a_3, k$2): Ref) } { (loc(a_3, k$2): Ref) } + 0 <= k$2 && k$2 < (len(a_3): int) ==> Mask[(loc(a_3, k$2): Ref), val] >= FullPerm + ); + + // -- assumptions for inverse of receiver loc(a, k$2) + assume (forall k$2: int :: + { (loc(a_3, k$2): Ref) } { (loc(a_3, k$2): Ref) } + (0 <= k$2 && k$2 < (len(a_3): int)) && NoPerm < FullPerm ==> qpRange4((loc(a_3, k$2): Ref)) && invRecv4((loc(a_3, k$2): Ref)) == k$2 + ); + assume (forall o_3: Ref :: + { invRecv4(o_3) } + (0 <= invRecv4(o_3) && invRecv4(o_3) < (len(a_3): int)) && (NoPerm < FullPerm && qpRange4(o_3)) ==> (loc(a_3, invRecv4(o_3)): Ref) == o_3 + ); + + // -- assume permission updates for field val + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + ((0 <= invRecv4(o_3) && invRecv4(o_3) < (len(a_3): int)) && (NoPerm < FullPerm && qpRange4(o_3)) ==> (loc(a_3, invRecv4(o_3)): Ref) == o_3 && QPMask[o_3, val] == Mask[o_3, val] - FullPerm) && (!((0 <= invRecv4(o_3) && invRecv4(o_3) < (len(a_3): int)) && (NoPerm < FullPerm && qpRange4(o_3))) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assert {:msg " Loop invariant x + n <= len(a) && y + n <= len(a) might not hold on entry. Assertion x + n <= len(a) might not hold. (longest-common-prefix.vpr@32.16--32.50) [114]"} + x + n <= (len(a_3): int); + assert {:msg " Loop invariant x + n <= len(a) && y + n <= len(a) might not hold on entry. Assertion y + n <= len(a) might not hold. (longest-common-prefix.vpr@32.16--32.50) [115]"} + y + n <= (len(a_3): int); + if (*) { + if (x <= k_4 && k_4 < x + n) { + assert {:msg " Loop invariant (forall k: Int :: { loc(a, k) } x <= k && k < x + n ==> loc(a, k).val == loc(a, y + k - x).val) might not hold on entry. Assertion loc(a, k).val == loc(a, y + k - x).val might not hold. (longest-common-prefix.vpr@33.16--33.95) [116]"} + Heap[(loc(a_3, k_4): Ref), val] == Heap[(loc(a_3, y + k_4 - x): Ref), val]; + } + assume false; + } + assume (forall k_5_1: int :: + { (loc(a_3, k_5_1): Ref) } + x <= k_5_1 && k_5_1 < x + n ==> Heap[(loc(a_3, k_5_1): Ref), val] == Heap[(loc(a_3, y + k_5_1 - x): Ref), val] + ); + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + + // -- Havoc loop written variables (except locals) + havoc n; + + // -- Check definedness of invariant + if (*) { + assume n >= 0; + assume state(Heap, Mask); + + // -- Check definedness of (forall k$2: Int :: { loc(a, k$2) } 0 <= k$2 && k$2 < len(a) ==> acc(loc(a, k$2).val, write)) + if (*) { + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource loc(a, k$2).val might not be injective. (longest-common-prefix.vpr@31.16--31.25) [117]"} + (forall k$2_2: int, k$2_2_1: int :: + + (((k$2_2 != k$2_2_1 && (0 <= k$2_2 && k$2_2 < (len(a_3): int))) && (0 <= k$2_2_1 && k$2_2_1 < (len(a_3): int))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, k$2_2): Ref) != (loc(a_3, k$2_2_1): Ref) + ); + + // -- Define Inverse Function + assume (forall k$2_2: int :: + { (loc(a_3, k$2_2): Ref) } { (loc(a_3, k$2_2): Ref) } + (0 <= k$2_2 && k$2_2 < (len(a_3): int)) && NoPerm < FullPerm ==> qpRange5((loc(a_3, k$2_2): Ref)) && invRecv5((loc(a_3, k$2_2): Ref)) == k$2_2 + ); + assume (forall o_3: Ref :: + { invRecv5(o_3) } + ((0 <= invRecv5(o_3) && invRecv5(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange5(o_3) ==> (loc(a_3, invRecv5(o_3)): Ref) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall k$2_2: int :: + { (loc(a_3, k$2_2): Ref) } { (loc(a_3, k$2_2): Ref) } + 0 <= k$2_2 && k$2_2 < (len(a_3): int) ==> (loc(a_3, k$2_2): Ref) != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + (((0 <= invRecv5(o_3) && invRecv5(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange5(o_3) ==> (NoPerm < FullPerm ==> (loc(a_3, invRecv5(o_3)): Ref) == o_3) && QPMask[o_3, val] == Mask[o_3, val] + FullPerm) && (!(((0 <= invRecv5(o_3) && invRecv5(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange5(o_3)) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume x + n <= (len(a_3): int); + assume y + n <= (len(a_3): int); + assume state(Heap, Mask); + + // -- Check definedness of (forall k: Int :: { loc(a, k) } x <= k && k < x + n ==> loc(a, k).val == loc(a, y + k - x).val) + if (*) { + if (x <= k_2 && k_2 < x + n) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access loc(a, k).val (longest-common-prefix.vpr@33.16--33.95) [118]"} + HasDirectPerm(Mask, (loc(a_3, k_2): Ref), val); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access loc(a, y + k - x).val (longest-common-prefix.vpr@33.16--33.95) [119]"} + HasDirectPerm(Mask, (loc(a_3, y + k_2 - x): Ref), val); + } + assume false; + } + assume (forall k_7: int :: + { (loc(a_3, k_7): Ref) } + x <= k_7 && k_7 < x + n ==> Heap[(loc(a_3, k_7): Ref), val] == Heap[(loc(a_3, y + k_7 - x): Ref), val] + ); + assume state(Heap, Mask); + assume false; + } + + // -- Check the loop body + if (*) { + // Reset state + loopHeap := Heap; + loopMask := Mask; + Mask := ZeroMask; + assume state(Heap, Mask); + // Inhale invariant + assume n >= 0; + havoc QPMask; + assert {:msg " While statement might fail. Quantified resource loc(a, k$2).val might not be injective. (longest-common-prefix.vpr@31.16--31.25) [120]"} + (forall k$2_3: int, k$2_3_1: int :: + + (((k$2_3 != k$2_3_1 && (0 <= k$2_3 && k$2_3 < (len(a_3): int))) && (0 <= k$2_3_1 && k$2_3_1 < (len(a_3): int))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, k$2_3): Ref) != (loc(a_3, k$2_3_1): Ref) + ); + + // -- Define Inverse Function + assume (forall k$2_3: int :: + { (loc(a_3, k$2_3): Ref) } { (loc(a_3, k$2_3): Ref) } + (0 <= k$2_3 && k$2_3 < (len(a_3): int)) && NoPerm < FullPerm ==> qpRange6((loc(a_3, k$2_3): Ref)) && invRecv6((loc(a_3, k$2_3): Ref)) == k$2_3 + ); + assume (forall o_3: Ref :: + { invRecv6(o_3) } + ((0 <= invRecv6(o_3) && invRecv6(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange6(o_3) ==> (loc(a_3, invRecv6(o_3)): Ref) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall k$2_3: int :: + { (loc(a_3, k$2_3): Ref) } { (loc(a_3, k$2_3): Ref) } + 0 <= k$2_3 && k$2_3 < (len(a_3): int) ==> (loc(a_3, k$2_3): Ref) != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + (((0 <= invRecv6(o_3) && invRecv6(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange6(o_3) ==> (NoPerm < FullPerm ==> (loc(a_3, invRecv6(o_3)): Ref) == o_3) && QPMask[o_3, val] == Mask[o_3, val] + FullPerm) && (!(((0 <= invRecv6(o_3) && invRecv6(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange6(o_3)) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume x + n <= (len(a_3): int); + assume y + n <= (len(a_3): int); + assume (forall k_8: int :: + { (loc(a_3, k_8): Ref) } + x <= k_8 && k_8 < x + n ==> Heap[(loc(a_3, k_8): Ref), val] == Heap[(loc(a_3, y + k_8 - x): Ref), val] + ); + assume state(Heap, Mask); + // Check and assume guard + + // -- Check definedness of x + n < len(a) && (y + n < len(a) && loc(a, x + n).val == loc(a, y + n).val) + if (x + n < (len(a_3): int)) { + if (y + n < (len(a_3): int)) { + assert {:msg " While statement might fail. There might be insufficient permission to access loc(a, x + n).val (longest-common-prefix.vpr@29.11--29.86) [121]"} + HasDirectPerm(Mask, (loc(a_3, x + n): Ref), val); + assert {:msg " While statement might fail. There might be insufficient permission to access loc(a, y + n).val (longest-common-prefix.vpr@29.11--29.86) [122]"} + HasDirectPerm(Mask, (loc(a_3, y + n): Ref), val); + } + } + assume x + n < (len(a_3): int) && (y + n < (len(a_3): int) && Heap[(loc(a_3, x + n): Ref), val] == Heap[(loc(a_3, y + n): Ref), val]); + assume state(Heap, Mask); + + // -- Translate loop body + + // -- Translating statement: n := n + 1 -- longest-common-prefix.vpr@35.6--35.16 + n := n + 1; + assume state(Heap, Mask); + // Exhale invariant + assert {:msg " Loop invariant n >= 0 might not be preserved. Assertion n >= 0 might not hold. (longest-common-prefix.vpr@30.16--30.22) [123]"} + n >= 0; + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver loc(a, k$2) is injective + assert {:msg " Loop invariant (forall k$2: Int :: { loc(a, k$2) } 0 <= k$2 && k$2 < len(a) ==> acc(loc(a, k$2).val, write)) might not be preserved. Quantified resource loc(a, k$2).val might not be injective. (longest-common-prefix.vpr@31.16--31.25) [124]"} + (forall k$2_4: int, k$2_4_1: int :: + { neverTriggered7(k$2_4), neverTriggered7(k$2_4_1) } + (((k$2_4 != k$2_4_1 && (0 <= k$2_4 && k$2_4 < (len(a_3): int))) && (0 <= k$2_4_1 && k$2_4_1 < (len(a_3): int))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, k$2_4): Ref) != (loc(a_3, k$2_4_1): Ref) + ); + + // -- check if sufficient permission is held + assert {:msg " Loop invariant (forall k$2: Int :: { loc(a, k$2) } 0 <= k$2 && k$2 < len(a) ==> acc(loc(a, k$2).val, write)) might not be preserved. There might be insufficient permission to access loc(a, k$2).val (longest-common-prefix.vpr@31.16--31.25) [125]"} + (forall k$2_4: int :: + { (loc(a_3, k$2_4): Ref) } { (loc(a_3, k$2_4): Ref) } + 0 <= k$2_4 && k$2_4 < (len(a_3): int) ==> Mask[(loc(a_3, k$2_4): Ref), val] >= FullPerm + ); + + // -- assumptions for inverse of receiver loc(a, k$2) + assume (forall k$2_4: int :: + { (loc(a_3, k$2_4): Ref) } { (loc(a_3, k$2_4): Ref) } + (0 <= k$2_4 && k$2_4 < (len(a_3): int)) && NoPerm < FullPerm ==> qpRange7((loc(a_3, k$2_4): Ref)) && invRecv7((loc(a_3, k$2_4): Ref)) == k$2_4 + ); + assume (forall o_3: Ref :: + { invRecv7(o_3) } + (0 <= invRecv7(o_3) && invRecv7(o_3) < (len(a_3): int)) && (NoPerm < FullPerm && qpRange7(o_3)) ==> (loc(a_3, invRecv7(o_3)): Ref) == o_3 + ); + + // -- assume permission updates for field val + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + ((0 <= invRecv7(o_3) && invRecv7(o_3) < (len(a_3): int)) && (NoPerm < FullPerm && qpRange7(o_3)) ==> (loc(a_3, invRecv7(o_3)): Ref) == o_3 && QPMask[o_3, val] == Mask[o_3, val] - FullPerm) && (!((0 <= invRecv7(o_3) && invRecv7(o_3) < (len(a_3): int)) && (NoPerm < FullPerm && qpRange7(o_3))) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assert {:msg " Loop invariant x + n <= len(a) && y + n <= len(a) might not be preserved. Assertion x + n <= len(a) might not hold. (longest-common-prefix.vpr@32.16--32.50) [126]"} + x + n <= (len(a_3): int); + assert {:msg " Loop invariant x + n <= len(a) && y + n <= len(a) might not be preserved. Assertion y + n <= len(a) might not hold. (longest-common-prefix.vpr@32.16--32.50) [127]"} + y + n <= (len(a_3): int); + if (*) { + if (x <= k_9 && k_9 < x + n) { + assert {:msg " Loop invariant (forall k: Int :: { loc(a, k) } x <= k && k < x + n ==> loc(a, k).val == loc(a, y + k - x).val) might not be preserved. Assertion loc(a, k).val == loc(a, y + k - x).val might not hold. (longest-common-prefix.vpr@33.16--33.95) [128]"} + Heap[(loc(a_3, k_9): Ref), val] == Heap[(loc(a_3, y + k_9 - x): Ref), val]; + } + assume false; + } + assume (forall k_10_1: int :: + { (loc(a_3, k_10_1): Ref) } + x <= k_10_1 && k_10_1 < x + n ==> Heap[(loc(a_3, k_10_1): Ref), val] == Heap[(loc(a_3, y + k_10_1 - x): Ref), val] + ); + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Terminate execution + assume false; + } + + // -- Inhale loop invariant after loop, and assume guard + assume !(x + n < (len(a_3): int) && (y + n < (len(a_3): int) && Heap[(loc(a_3, x + n): Ref), val] == Heap[(loc(a_3, y + n): Ref), val])); + assume state(Heap, Mask); + assume n >= 0; + havoc QPMask; + assert {:msg " While statement might fail. Quantified resource loc(a, k$2).val might not be injective. (longest-common-prefix.vpr@31.16--31.25) [129]"} + (forall k$2_5: int, k$2_5_1: int :: + + (((k$2_5 != k$2_5_1 && (0 <= k$2_5 && k$2_5 < (len(a_3): int))) && (0 <= k$2_5_1 && k$2_5_1 < (len(a_3): int))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, k$2_5): Ref) != (loc(a_3, k$2_5_1): Ref) + ); + + // -- Define Inverse Function + assume (forall k$2_5: int :: + { (loc(a_3, k$2_5): Ref) } { (loc(a_3, k$2_5): Ref) } + (0 <= k$2_5 && k$2_5 < (len(a_3): int)) && NoPerm < FullPerm ==> qpRange8((loc(a_3, k$2_5): Ref)) && invRecv8((loc(a_3, k$2_5): Ref)) == k$2_5 + ); + assume (forall o_3: Ref :: + { invRecv8(o_3) } + ((0 <= invRecv8(o_3) && invRecv8(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange8(o_3) ==> (loc(a_3, invRecv8(o_3)): Ref) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall k$2_5: int :: + { (loc(a_3, k$2_5): Ref) } { (loc(a_3, k$2_5): Ref) } + 0 <= k$2_5 && k$2_5 < (len(a_3): int) ==> (loc(a_3, k$2_5): Ref) != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + (((0 <= invRecv8(o_3) && invRecv8(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange8(o_3) ==> (NoPerm < FullPerm ==> (loc(a_3, invRecv8(o_3)): Ref) == o_3) && QPMask[o_3, val] == Mask[o_3, val] + FullPerm) && (!(((0 <= invRecv8(o_3) && invRecv8(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange8(o_3)) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume x + n <= (len(a_3): int); + assume y + n <= (len(a_3): int); + assume (forall k_11: int :: + { (loc(a_3, k_11): Ref) } + x <= k_11 && k_11 < x + n ==> Heap[(loc(a_3, k_11): Ref), val] == Heap[(loc(a_3, y + k_11 - x): Ref), val] + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Exhaling postcondition + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver loc(a, k$1) is injective + assert {:msg " Contract might not be well-formed. Quantified resource loc(a, k$1).val might not be injective. (longest-common-prefix.vpr@18.12--18.21) [130]"} + (forall k$1_2: int, k$1_2_1: int :: + { neverTriggered3(k$1_2), neverTriggered3(k$1_2_1) } + (((k$1_2 != k$1_2_1 && (0 <= k$1_2 && k$1_2 < (len(a_3): int))) && (0 <= k$1_2_1 && k$1_2_1 < (len(a_3): int))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, k$1_2): Ref) != (loc(a_3, k$1_2_1): Ref) + ); + + // -- check if sufficient permission is held + assert {:msg " Postcondition of lcp might not hold. There might be insufficient permission to access loc(a, k$1).val (longest-common-prefix.vpr@18.12--18.21) [131]"} + (forall k$1_2: int :: + { (loc(a_3, k$1_2): Ref) } { (loc(a_3, k$1_2): Ref) } + 0 <= k$1_2 && k$1_2 < (len(a_3): int) ==> Mask[(loc(a_3, k$1_2): Ref), val] >= FullPerm + ); + + // -- assumptions for inverse of receiver loc(a, k$1) + assume (forall k$1_2: int :: + { (loc(a_3, k$1_2): Ref) } { (loc(a_3, k$1_2): Ref) } + (0 <= k$1_2 && k$1_2 < (len(a_3): int)) && NoPerm < FullPerm ==> qpRange3((loc(a_3, k$1_2): Ref)) && invRecv3((loc(a_3, k$1_2): Ref)) == k$1_2 + ); + assume (forall o_3: Ref :: + { invRecv3(o_3) } + (0 <= invRecv3(o_3) && invRecv3(o_3) < (len(a_3): int)) && (NoPerm < FullPerm && qpRange3(o_3)) ==> (loc(a_3, invRecv3(o_3)): Ref) == o_3 + ); + + // -- assume permission updates for field val + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + ((0 <= invRecv3(o_3) && invRecv3(o_3) < (len(a_3): int)) && (NoPerm < FullPerm && qpRange3(o_3)) ==> (loc(a_3, invRecv3(o_3)): Ref) == o_3 && QPMask[o_3, val] == Mask[o_3, val] - FullPerm) && (!((0 <= invRecv3(o_3) && invRecv3(o_3) < (len(a_3): int)) && (NoPerm < FullPerm && qpRange3(o_3))) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assert {:msg " Postcondition of lcp might not hold. Assertion 0 <= n might not hold. (longest-common-prefix.vpr@19.12--19.56) [132]"} + 0 <= n; + assert {:msg " Postcondition of lcp might not hold. Assertion x + n <= len(a) might not hold. (longest-common-prefix.vpr@19.12--19.56) [133]"} + x + n <= (len(a_3): int); + assert {:msg " Postcondition of lcp might not hold. Assertion y + n <= len(a) might not hold. (longest-common-prefix.vpr@19.12--19.56) [134]"} + y + n <= (len(a_3): int); + if (*) { + if (x <= k_2_1 && k_2_1 < x + n) { + assert {:msg " Postcondition of lcp might not hold. Assertion loc(a, k).val == loc(a, y + k - x).val might not hold. (longest-common-prefix.vpr@20.12--20.91) [135]"} + Heap[(loc(a_3, k_2_1): Ref), val] == Heap[(loc(a_3, y + k_2_1 - x): Ref), val]; + } + assume false; + } + assume (forall k_3_1: int :: + { (loc(a_3, k_3_1): Ref) } + x <= k_3_1 && k_3_1 < x + n ==> Heap[(loc(a_3, k_3_1): Ref), val] == Heap[(loc(a_3, y + k_3_1 - x): Ref), val] + ); + if (x + n < (len(a_3): int) && y + n < (len(a_3): int)) { + assert {:msg " Postcondition of lcp might not hold. Assertion loc(a, x + n).val != loc(a, y + n).val might not hold. (longest-common-prefix.vpr@26.12--26.87) [136]"} + Heap[(loc(a_3, x + n): Ref), val] != Heap[(loc(a_3, y + n): Ref), val]; + } + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; +} diff --git a/Test/monomorphize/viper/max-array-elimination.bpl b/Test/monomorphize/viper/max-array-elimination.bpl new file mode 100644 index 000000000..ff86385f5 --- /dev/null +++ b/Test/monomorphize/viper/max-array-elimination.bpl @@ -0,0 +1,1125 @@ +// RUN: %parallel-boogie /monomorphize /noVerify "%s" > "%t" + +// ================================================== +// Preamble of State module. +// ================================================== + +function state(Heap: HeapType, Mask: MaskType): bool; + +// ================================================== +// Preamble of Heap module. +// ================================================== + +type Ref; +var Heap: HeapType; +const null: Ref; +type Field A B; +type NormalField; +type HeapType = [Ref, Field A B]B; +const unique $allocated: Field NormalField bool; +axiom (forall o: Ref, f: (Field NormalField Ref), Heap: HeapType :: + { Heap[o, f] } + Heap[o, $allocated] ==> Heap[Heap[o, f], $allocated] +); +function succHeap(Heap0: HeapType, Heap1: HeapType): bool; +function succHeapTrans(Heap0: HeapType, Heap1: HeapType): bool; +function IdenticalOnKnownLocations(Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType): bool; +function IsPredicateField(f_1: (Field A B)): bool; +function IsWandField(f_1: (Field A B)): bool; +function getPredicateId(f_1: (Field A B)): int; +// Frame all locations with direct permissions +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, o_1: Ref, f_2: (Field A B) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), ExhaleHeap[o_1, f_2] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, o_1, f_2) ==> Heap[o_1, f_2] == ExhaleHeap[o_1, f_2] +); +// Frame all predicate mask locations of predicates with direct permission +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsPredicateField(pm_f), ExhaleHeap[null, PredicateMaskField(pm_f)] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsPredicateField(pm_f) ==> Heap[null, PredicateMaskField(pm_f)] == ExhaleHeap[null, PredicateMaskField(pm_f)] +); +// Frame all locations with known folded permissions +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsPredicateField(pm_f) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsPredicateField(pm_f) ==> (forall o2: Ref, f_2: (Field A B) :: + { ExhaleHeap[o2, f_2] } + Heap[null, PredicateMaskField(pm_f)][o2, f_2] ==> Heap[o2, f_2] == ExhaleHeap[o2, f_2] + ) +); +// Frame all wand mask locations of wands with direct permission +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsWandField(pm_f), ExhaleHeap[null, WandMaskField(pm_f)] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsWandField(pm_f) ==> Heap[null, WandMaskField(pm_f)] == ExhaleHeap[null, WandMaskField(pm_f)] +); +// Frame all locations in the footprint of magic wands +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsWandField(pm_f) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsWandField(pm_f) ==> (forall o2: Ref, f_2: (Field A B) :: + { ExhaleHeap[o2, f_2] } + Heap[null, WandMaskField(pm_f)][o2, f_2] ==> Heap[o2, f_2] == ExhaleHeap[o2, f_2] + ) +); +// All previously-allocated references are still allocated +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, o_1: Ref :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), ExhaleHeap[o_1, $allocated] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> Heap[o_1, $allocated] ==> ExhaleHeap[o_1, $allocated] +); +// Updated Heaps are Successor Heaps +axiom (forall Heap: HeapType, o: Ref, f_3: (Field A B), v: B :: + { Heap[o, f_3:=v] } + succHeap(Heap, Heap[o, f_3:=v]) +); +// IdenticalOnKnownLocations Heaps are Successor Heaps +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> succHeap(Heap, ExhaleHeap) +); +// Successor Heaps are Transitive Successor Heaps +axiom (forall Heap0: HeapType, Heap1: HeapType :: + { succHeap(Heap0, Heap1) } + succHeap(Heap0, Heap1) ==> succHeapTrans(Heap0, Heap1) +); +// Transitivity of Transitive Successor Heaps +axiom (forall Heap0: HeapType, Heap1: HeapType, Heap2: HeapType :: + { succHeapTrans(Heap0, Heap1), succHeap(Heap1, Heap2) } + succHeapTrans(Heap0, Heap1) && succHeap(Heap1, Heap2) ==> succHeapTrans(Heap0, Heap2) +); + +// ================================================== +// Preamble of Permission module. +// ================================================== + +type Perm = real; +type MaskType = [Ref, Field A B]Perm; +var Mask: MaskType; +const ZeroMask: MaskType; +axiom (forall o_2: Ref, f_4: (Field A B) :: + { ZeroMask[o_2, f_4] } + ZeroMask[o_2, f_4] == NoPerm +); +type PMaskType = [Ref, Field A B]bool; +const ZeroPMask: PMaskType; +axiom (forall o_2: Ref, f_4: (Field A B) :: + { ZeroPMask[o_2, f_4] } + !ZeroPMask[o_2, f_4] +); +function PredicateMaskField(f_5: (Field A FrameType)): Field A PMaskType; +function WandMaskField(f_5: (Field A FrameType)): Field A PMaskType; +const NoPerm: Perm; +axiom NoPerm == 0.000000000; +const FullPerm: Perm; +axiom FullPerm == 1.000000000; +function Perm(a: real, b: real): Perm; +function GoodMask(Mask: MaskType): bool; +axiom (forall Heap: HeapType, Mask: MaskType :: + { state(Heap, Mask) } + state(Heap, Mask) ==> GoodMask(Mask) +); +axiom (forall Mask: MaskType, o_2: Ref, f_4: (Field A B) :: + { GoodMask(Mask), Mask[o_2, f_4] } + GoodMask(Mask) ==> Mask[o_2, f_4] >= NoPerm && ((GoodMask(Mask) && !IsPredicateField(f_4)) && !IsWandField(f_4) ==> Mask[o_2, f_4] <= FullPerm) +); +function HasDirectPerm(Mask: MaskType, o_2: Ref, f_4: (Field A B)): bool; +axiom (forall Mask: MaskType, o_2: Ref, f_4: (Field A B) :: + { HasDirectPerm(Mask, o_2, f_4) } + HasDirectPerm(Mask, o_2, f_4) <==> Mask[o_2, f_4] > NoPerm +); +function sumMask(ResultMask: MaskType, SummandMask1: MaskType, SummandMask2: MaskType): bool; +axiom (forall ResultMask: MaskType, SummandMask1: MaskType, SummandMask2: MaskType, o_2: Ref, f_4: (Field A B) :: + { sumMask(ResultMask, SummandMask1, SummandMask2), ResultMask[o_2, f_4] } { sumMask(ResultMask, SummandMask1, SummandMask2), SummandMask1[o_2, f_4] } { sumMask(ResultMask, SummandMask1, SummandMask2), SummandMask2[o_2, f_4] } + sumMask(ResultMask, SummandMask1, SummandMask2) ==> ResultMask[o_2, f_4] == SummandMask1[o_2, f_4] + SummandMask2[o_2, f_4] +); +// ================================================== +// Function for trigger used in checks which are never triggered +// ================================================== + +function neverTriggered1(j_1: int): bool; +function neverTriggered2(j$0_1: int): bool; +function neverTriggered3(j$0_2: int): bool; +function neverTriggered4(j$3: int): bool; +function neverTriggered5(j$3_2: int): bool; +function neverTriggered6(j$3_3: int): bool; +function neverTriggered7(j$3_4: int): bool; +function neverTriggered8(j$3_5: int): bool; +function neverTriggered9(j_1: int): bool; +function neverTriggered10(j_2: int): bool; +function neverTriggered11(j$0: int): bool; +// ================================================== +// Functions used as inverse of receiver expressions in quantified permissions during inhale and exhale +// ================================================== + +function invRecv1(recv: Ref): int; +function invRecv2(recv: Ref): int; +function invRecv3(recv: Ref): int; +function invRecv4(recv: Ref): int; +function invRecv5(recv: Ref): int; +function invRecv6(recv: Ref): int; +function invRecv7(recv: Ref): int; +function invRecv8(recv: Ref): int; +function invRecv9(recv: Ref): int; +function invRecv10(recv: Ref): int; +function invRecv11(recv: Ref): int; +// ================================================== +// Functions used to represent the range of the projection of each QP instance onto its receiver expressions for quantified permissions during inhale and exhale +// ================================================== + +function qpRange1(recv: Ref): bool; +function qpRange2(recv: Ref): bool; +function qpRange3(recv: Ref): bool; +function qpRange4(recv: Ref): bool; +function qpRange5(recv: Ref): bool; +function qpRange6(recv: Ref): bool; +function qpRange7(recv: Ref): bool; +function qpRange8(recv: Ref): bool; +function qpRange9(recv: Ref): bool; +function qpRange10(recv: Ref): bool; +function qpRange11(recv: Ref): bool; + +// ================================================== +// Preamble of Function and predicate module. +// ================================================== + +// Declarations for function framing +type FrameType; +const EmptyFrame: FrameType; +function FrameFragment(t: T): FrameType; +function ConditionalFrame(p: Perm, f_6: FrameType): FrameType; +function dummyFunction(t: T): bool; +function CombineFrames(a_1: FrameType, b_1: FrameType): FrameType; +// ================================================== +// Definition of conditional frame fragments +// ================================================== + +axiom (forall p: Perm, f_6: FrameType :: + { ConditionalFrame(p, f_6) } + ConditionalFrame(p, f_6) == (if p > 0.000000000 then f_6 else EmptyFrame) +); +// Function for recording enclosure of one predicate instance in another +function InsidePredicate(p: (Field A FrameType), v_1: FrameType, q: (Field B FrameType), w: FrameType): bool; +// Transitivity of InsidePredicate +axiom (forall p: (Field A FrameType), v_1: FrameType, q: (Field B FrameType), w: FrameType, r: (Field C FrameType), u: FrameType :: + { InsidePredicate(p, v_1, q, w), InsidePredicate(q, w, r, u) } + InsidePredicate(p, v_1, q, w) && InsidePredicate(q, w, r, u) ==> InsidePredicate(p, v_1, r, u) +); +// Knowledge that two identical instances of the same predicate cannot be inside each other +axiom (forall p: (Field A FrameType), v_1: FrameType, w: FrameType :: + { InsidePredicate(p, v_1, p, w) } + !InsidePredicate(p, v_1, p, w) +); + +// ================================================== +// Translation of domain IArray +// ================================================== + +// The type for domain IArray +type IArrayDomainType; + +// Translation of domain function loc +function loc(a_2: IArrayDomainType, i: int): Ref; + +// Translation of domain function len +function len(a_2: IArrayDomainType): int; + +// Translation of domain function first +function first(r_1: Ref): IArrayDomainType; + +// Translation of domain function second +function second(r_1: Ref): int; + +// Translation of domain axiom all_diff +axiom (forall a_3: IArrayDomainType, i_1: int :: + { (loc(a_3, i_1): Ref) } + (first((loc(a_3, i_1): Ref)): IArrayDomainType) == a_3 && (second((loc(a_3, i_1): Ref)): int) == i_1 +); + +// Translation of domain axiom len_nonneg +axiom (forall a_3: IArrayDomainType :: + { (len(a_3): int) } + (len(a_3): int) >= 0 +); + +// ================================================== +// Translation of all fields +// ================================================== + +const unique val: Field NormalField int; +axiom !IsPredicateField(val); +axiom !IsWandField(val); + +// ================================================== +// Translation of method max +// ================================================== + +procedure vmax(a_3: IArrayDomainType) returns (x: int) + modifies Heap, Mask; +{ + var QPMask: MaskType; + var PostHeap: HeapType; + var PostMask: MaskType; + var j$1: int; + var j$2: int; + var y: int; + var j$4: int; + var ExhaleHeap: HeapType; + var j$4_1: int; + var i_2: int; + var i_4: int; + var loopHeap: HeapType; + var loopMask: MaskType; + var j$4_5: int; + var j$1_2: int; + var j$2_2: int; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + + // -- Checked inhaling of precondition + + // -- Check definedness of (forall j: Int :: { loc(a, j) } 0 <= j && j < len(a) ==> acc(loc(a, j).val, write)) + if (*) { + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource loc(a, j).val might not be injective. (max-array-elimination.vpr@13.12--13.21) [157]"} + (forall j_1: int, j_1_1: int :: + + (((j_1 != j_1_1 && (0 <= j_1 && j_1 < (len(a_3): int))) && (0 <= j_1_1 && j_1_1 < (len(a_3): int))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, j_1): Ref) != (loc(a_3, j_1_1): Ref) + ); + + // -- Define Inverse Function + assume (forall j_1: int :: + { (loc(a_3, j_1): Ref) } { (loc(a_3, j_1): Ref) } + (0 <= j_1 && j_1 < (len(a_3): int)) && NoPerm < FullPerm ==> qpRange1((loc(a_3, j_1): Ref)) && invRecv1((loc(a_3, j_1): Ref)) == j_1 + ); + assume (forall o_3: Ref :: + { invRecv1(o_3) } + ((0 <= invRecv1(o_3) && invRecv1(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange1(o_3) ==> (loc(a_3, invRecv1(o_3)): Ref) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall j_1: int :: + { (loc(a_3, j_1): Ref) } { (loc(a_3, j_1): Ref) } + 0 <= j_1 && j_1 < (len(a_3): int) ==> (loc(a_3, j_1): Ref) != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + (((0 <= invRecv1(o_3) && invRecv1(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange1(o_3) ==> (NoPerm < FullPerm ==> (loc(a_3, invRecv1(o_3)): Ref) == o_3) && QPMask[o_3, val] == Mask[o_3, val] + FullPerm) && (!(((0 <= invRecv1(o_3) && invRecv1(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange1(o_3)) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + PostHeap := Heap; + PostMask := Mask; + havoc PostHeap; + PostMask := ZeroMask; + assume state(PostHeap, PostMask); + if (*) { + // Checked inhaling of postcondition to check definedness + + // -- Check definedness of (forall j$0: Int :: { loc(a, j$0) } 0 <= j$0 && j$0 < len(a) ==> acc(loc(a, j$0).val, write)) + if (*) { + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource loc(a, j$0).val might not be injective. (max-array-elimination.vpr@14.12--14.37) [158]"} + (forall j$0_1: int, j$0_1_1: int :: + + (((j$0_1 != j$0_1_1 && (0 <= j$0_1 && j$0_1 < (len(a_3): int))) && (0 <= j$0_1_1 && j$0_1_1 < (len(a_3): int))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, j$0_1): Ref) != (loc(a_3, j$0_1_1): Ref) + ); + + // -- Define Inverse Function + assume (forall j$0_1: int :: + { (loc(a_3, j$0_1): Ref) } { (loc(a_3, j$0_1): Ref) } + (0 <= j$0_1 && j$0_1 < (len(a_3): int)) && NoPerm < FullPerm ==> qpRange2((loc(a_3, j$0_1): Ref)) && invRecv2((loc(a_3, j$0_1): Ref)) == j$0_1 + ); + assume (forall o_3: Ref :: + { invRecv2(o_3) } + ((0 <= invRecv2(o_3) && invRecv2(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange2(o_3) ==> (loc(a_3, invRecv2(o_3)): Ref) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall j$0_1: int :: + { (loc(a_3, j$0_1): Ref) } { (loc(a_3, j$0_1): Ref) } + 0 <= j$0_1 && j$0_1 < (len(a_3): int) ==> (loc(a_3, j$0_1): Ref) != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + (((0 <= invRecv2(o_3) && invRecv2(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange2(o_3) ==> (NoPerm < FullPerm ==> (loc(a_3, invRecv2(o_3)): Ref) == o_3) && QPMask[o_3, val] == PostMask[o_3, val] + FullPerm) && (!(((0 <= invRecv2(o_3) && invRecv2(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange2(o_3)) ==> QPMask[o_3, val] == PostMask[o_3, val]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { PostMask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != val ==> PostMask[o_3, f_5] == QPMask[o_3, f_5] + ); + PostMask := QPMask; + assume state(PostHeap, PostMask); + + // -- Check definedness of (forall j$1: Int :: { loc(a, j$1) } 0 <= j$1 && j$1 < len(a) ==> loc(a, j$1).val == old(loc(a, j$1).val)) + if (*) { + if (0 <= j$1 && j$1 < (len(a_3): int)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access loc(a, j$1).val (max-array-elimination.vpr@14.12--14.37) [159]"} + HasDirectPerm(PostMask, (loc(a_3, j$1): Ref), val); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access loc(a, j$1).val (max-array-elimination.vpr@14.12--14.37) [160]"} + HasDirectPerm(old(Mask), (loc(a_3, j$1): Ref), val); + } + assume false; + } + assume (forall j$1_1: int :: + { (loc(a_3, j$1_1): Ref) } + 0 <= j$1_1 && j$1_1 < (len(a_3): int) ==> PostHeap[(loc(a_3, j$1_1): Ref), val] == old(Heap)[(loc(a_3, j$1_1): Ref), val] + ); + assume state(PostHeap, PostMask); + if ((len(a_3): int) == 0) { + assume x == -1; + } else { + assume 0 <= x; + assume x < (len(a_3): int); + } + assume state(PostHeap, PostMask); + + // -- Check definedness of (forall j$2: Int :: { loc(a, j$2) } 0 <= j$2 && j$2 < len(a) ==> loc(a, j$2).val <= loc(a, x).val) + if (*) { + if (0 <= j$2 && j$2 < (len(a_3): int)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access loc(a, j$2).val (max-array-elimination.vpr@16.12--16.32) [161]"} + HasDirectPerm(PostMask, (loc(a_3, j$2): Ref), val); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access loc(a, x).val (max-array-elimination.vpr@16.12--16.32) [162]"} + HasDirectPerm(PostMask, (loc(a_3, x): Ref), val); + } + assume false; + } + assume (forall j$2_1: int :: + { (loc(a_3, j$2_1): Ref) } + 0 <= j$2_1 && j$2_1 < (len(a_3): int) ==> PostHeap[(loc(a_3, j$2_1): Ref), val] <= PostHeap[(loc(a_3, x): Ref), val] + ); + assume state(PostHeap, PostMask); + // Stop execution + assume false; + } + + // -- Translating statement: if (len(a) == 0) -- max-array-elimination.vpr@18.3--41.4 + if ((len(a_3): int) == 0) { + + // -- Translating statement: x := -1 -- max-array-elimination.vpr@19.5--19.12 + x := -1; + assume state(Heap, Mask); + } else { + + // -- Translating statement: x := 0 -- max-array-elimination.vpr@22.5--22.11 + x := 0; + assume state(Heap, Mask); + + // -- Translating statement: y := len(a) - 1 -- max-array-elimination.vpr@23.5--23.20 + y := (len(a_3): int) - 1; + assume state(Heap, Mask); + + // -- Translating statement: while (x != y) -- max-array-elimination.vpr@25.5--40.6 + + // -- Before loop head + + // -- Exhale loop invariant before loop + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver loc(a, j$3) is injective + assert {:msg " Loop invariant (forall j$3: Int :: { loc(a, j$3) } 0 <= j$3 && j$3 < len(a) ==> acc(loc(a, j$3).val, write)) && (forall j$4: Int :: { loc(a, j$4) } 0 <= j$4 && j$4 < len(a) ==> loc(a, j$4).val == old(loc(a, j$4).val)) might not hold on entry. Quantified resource loc(a, j$3).val might not be injective. (max-array-elimination.vpr@26.17--26.42) [163]"} + (forall j$3: int, j$3_1: int :: + { neverTriggered4(j$3), neverTriggered4(j$3_1) } + (((j$3 != j$3_1 && (0 <= j$3 && j$3 < (len(a_3): int))) && (0 <= j$3_1 && j$3_1 < (len(a_3): int))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, j$3): Ref) != (loc(a_3, j$3_1): Ref) + ); + + // -- check if sufficient permission is held + assert {:msg " Loop invariant (forall j$3: Int :: { loc(a, j$3) } 0 <= j$3 && j$3 < len(a) ==> acc(loc(a, j$3).val, write)) && (forall j$4: Int :: { loc(a, j$4) } 0 <= j$4 && j$4 < len(a) ==> loc(a, j$4).val == old(loc(a, j$4).val)) might not hold on entry. There might be insufficient permission to access loc(a, j$3).val (max-array-elimination.vpr@26.17--26.42) [164]"} + (forall j$3: int :: + { (loc(a_3, j$3): Ref) } { (loc(a_3, j$3): Ref) } + 0 <= j$3 && j$3 < (len(a_3): int) ==> Mask[(loc(a_3, j$3): Ref), val] >= FullPerm + ); + + // -- assumptions for inverse of receiver loc(a, j$3) + assume (forall j$3: int :: + { (loc(a_3, j$3): Ref) } { (loc(a_3, j$3): Ref) } + (0 <= j$3 && j$3 < (len(a_3): int)) && NoPerm < FullPerm ==> qpRange4((loc(a_3, j$3): Ref)) && invRecv4((loc(a_3, j$3): Ref)) == j$3 + ); + assume (forall o_3: Ref :: + { invRecv4(o_3) } + (0 <= invRecv4(o_3) && invRecv4(o_3) < (len(a_3): int)) && (NoPerm < FullPerm && qpRange4(o_3)) ==> (loc(a_3, invRecv4(o_3)): Ref) == o_3 + ); + + // -- assume permission updates for field val + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + ((0 <= invRecv4(o_3) && invRecv4(o_3) < (len(a_3): int)) && (NoPerm < FullPerm && qpRange4(o_3)) ==> (loc(a_3, invRecv4(o_3)): Ref) == o_3 && QPMask[o_3, val] == Mask[o_3, val] - FullPerm) && (!((0 <= invRecv4(o_3) && invRecv4(o_3) < (len(a_3): int)) && (NoPerm < FullPerm && qpRange4(o_3))) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + if (*) { + if (0 <= j$4 && j$4 < (len(a_3): int)) { + assert {:msg " Loop invariant (forall j$3: Int :: { loc(a, j$3) } 0 <= j$3 && j$3 < len(a) ==> acc(loc(a, j$3).val, write)) && (forall j$4: Int :: { loc(a, j$4) } 0 <= j$4 && j$4 < len(a) ==> loc(a, j$4).val == old(loc(a, j$4).val)) might not hold on entry. Assertion loc(a, j$4).val == old(loc(a, j$4).val) might not hold. (max-array-elimination.vpr@26.17--26.42) [165]"} + Heap[(loc(a_3, j$4): Ref), val] == old(Heap)[(loc(a_3, j$4): Ref), val]; + } + assume false; + } + assume (forall j$4_1_1: int :: + { (loc(a_3, j$4_1_1): Ref) } + 0 <= j$4_1_1 && j$4_1_1 < (len(a_3): int) ==> Heap[(loc(a_3, j$4_1_1): Ref), val] == old(Heap)[(loc(a_3, j$4_1_1): Ref), val] + ); + assert {:msg " Loop invariant 0 <= x && (x <= y && y < len(a)) might not hold on entry. Assertion 0 <= x might not hold. (max-array-elimination.vpr@27.17--27.47) [166]"} + 0 <= x; + assert {:msg " Loop invariant 0 <= x && (x <= y && y < len(a)) might not hold on entry. Assertion x <= y might not hold. (max-array-elimination.vpr@27.17--27.47) [167]"} + x <= y; + assert {:msg " Loop invariant 0 <= x && (x <= y && y < len(a)) might not hold on entry. Assertion y < len(a) might not hold. (max-array-elimination.vpr@27.17--27.47) [168]"} + y < (len(a_3): int); + assert {:msg " Loop invariant (forall i: Int :: { loc(a, i) } 0 <= i && i < x || y < i && i < len(a) ==> loc(a, i).val < loc(a, x).val) || (forall i: Int :: { loc(a, i) } 0 <= i && i < x || y < i && i < len(a) ==> loc(a, i).val <= loc(a, y).val) might not hold on entry. Assertion (forall i: Int :: { loc(a, i) } 0 <= i && i < x || y < i && i < len(a) ==> loc(a, i).val < loc(a, x).val) || (forall i: Int :: { loc(a, i) } 0 <= i && i < x || y < i && i < len(a) ==> loc(a, i).val <= loc(a, y).val) might not hold. (max-array-elimination.vpr@28.20--33.58) [169]"} + (forall i_1: int :: + { (loc(a_3, i_1): Ref) } + (0 <= i_1 && i_1 < x) || (y < i_1 && i_1 < (len(a_3): int)) ==> Heap[(loc(a_3, i_1): Ref), val] < Heap[(loc(a_3, x): Ref), val] + ) || (forall i_1_1: int :: + { (loc(a_3, i_1_1): Ref) } + (0 <= i_1_1 && i_1_1 < x) || (y < i_1_1 && i_1_1 < (len(a_3): int)) ==> Heap[(loc(a_3, i_1_1): Ref), val] <= Heap[(loc(a_3, y): Ref), val] + ); + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + + // -- Havoc loop written variables (except locals) + havoc y, x; + + // -- Check definedness of invariant + if (*) { + + // -- Check definedness of (forall j$3: Int :: { loc(a, j$3) } 0 <= j$3 && j$3 < len(a) ==> acc(loc(a, j$3).val, write)) + if (*) { + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource loc(a, j$3).val might not be injective. (max-array-elimination.vpr@26.17--26.42) [170]"} + (forall j$3_2: int, j$3_2_1: int :: + + (((j$3_2 != j$3_2_1 && (0 <= j$3_2 && j$3_2 < (len(a_3): int))) && (0 <= j$3_2_1 && j$3_2_1 < (len(a_3): int))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, j$3_2): Ref) != (loc(a_3, j$3_2_1): Ref) + ); + + // -- Define Inverse Function + assume (forall j$3_2: int :: + { (loc(a_3, j$3_2): Ref) } { (loc(a_3, j$3_2): Ref) } + (0 <= j$3_2 && j$3_2 < (len(a_3): int)) && NoPerm < FullPerm ==> qpRange5((loc(a_3, j$3_2): Ref)) && invRecv5((loc(a_3, j$3_2): Ref)) == j$3_2 + ); + assume (forall o_3: Ref :: + { invRecv5(o_3) } + ((0 <= invRecv5(o_3) && invRecv5(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange5(o_3) ==> (loc(a_3, invRecv5(o_3)): Ref) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall j$3_2: int :: + { (loc(a_3, j$3_2): Ref) } { (loc(a_3, j$3_2): Ref) } + 0 <= j$3_2 && j$3_2 < (len(a_3): int) ==> (loc(a_3, j$3_2): Ref) != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + (((0 <= invRecv5(o_3) && invRecv5(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange5(o_3) ==> (NoPerm < FullPerm ==> (loc(a_3, invRecv5(o_3)): Ref) == o_3) && QPMask[o_3, val] == Mask[o_3, val] + FullPerm) && (!(((0 <= invRecv5(o_3) && invRecv5(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange5(o_3)) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + + // -- Check definedness of (forall j$4: Int :: { loc(a, j$4) } 0 <= j$4 && j$4 < len(a) ==> loc(a, j$4).val == old(loc(a, j$4).val)) + if (*) { + if (0 <= j$4_1 && j$4_1 < (len(a_3): int)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access loc(a, j$4).val (max-array-elimination.vpr@26.17--26.42) [171]"} + HasDirectPerm(Mask, (loc(a_3, j$4_1): Ref), val); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access loc(a, j$4).val (max-array-elimination.vpr@26.17--26.42) [172]"} + HasDirectPerm(old(Mask), (loc(a_3, j$4_1): Ref), val); + } + assume false; + } + assume (forall j$4_3: int :: + { (loc(a_3, j$4_3): Ref) } + 0 <= j$4_3 && j$4_3 < (len(a_3): int) ==> Heap[(loc(a_3, j$4_3): Ref), val] == old(Heap)[(loc(a_3, j$4_3): Ref), val] + ); + assume state(Heap, Mask); + assume 0 <= x; + assume x <= y; + assume y < (len(a_3): int); + assume state(Heap, Mask); + + // -- Check definedness of (forall i: Int :: { loc(a, i) } 0 <= i && i < x || y < i && i < len(a) ==> loc(a, i).val < loc(a, x).val) || (forall i: Int :: { loc(a, i) } 0 <= i && i < x || y < i && i < len(a) ==> loc(a, i).val <= loc(a, y).val) + if (*) { + if ((0 <= i_2 && i_2 < x) || (y < i_2 && i_2 < (len(a_3): int))) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access loc(a, i).val (max-array-elimination.vpr@28.20--33.58) [173]"} + HasDirectPerm(Mask, (loc(a_3, i_2): Ref), val); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access loc(a, x).val (max-array-elimination.vpr@28.20--33.58) [174]"} + HasDirectPerm(Mask, (loc(a_3, x): Ref), val); + } + assume false; + } + if (!(forall i_3: int :: + { (loc(a_3, i_3): Ref) } + (0 <= i_3 && i_3 < x) || (y < i_3 && i_3 < (len(a_3): int)) ==> Heap[(loc(a_3, i_3): Ref), val] < Heap[(loc(a_3, x): Ref), val] + )) { + if (*) { + if ((0 <= i_4 && i_4 < x) || (y < i_4 && i_4 < (len(a_3): int))) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access loc(a, i).val (max-array-elimination.vpr@28.20--33.58) [175]"} + HasDirectPerm(Mask, (loc(a_3, i_4): Ref), val); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access loc(a, y).val (max-array-elimination.vpr@28.20--33.58) [176]"} + HasDirectPerm(Mask, (loc(a_3, y): Ref), val); + } + assume false; + } + } + assume (forall i_5: int :: + { (loc(a_3, i_5): Ref) } + (0 <= i_5 && i_5 < x) || (y < i_5 && i_5 < (len(a_3): int)) ==> Heap[(loc(a_3, i_5): Ref), val] < Heap[(loc(a_3, x): Ref), val] + ) || (forall i_6: int :: + { (loc(a_3, i_6): Ref) } + (0 <= i_6 && i_6 < x) || (y < i_6 && i_6 < (len(a_3): int)) ==> Heap[(loc(a_3, i_6): Ref), val] <= Heap[(loc(a_3, y): Ref), val] + ); + assume state(Heap, Mask); + assume false; + } + + // -- Check the loop body + if (*) { + // Reset state + loopHeap := Heap; + loopMask := Mask; + Mask := ZeroMask; + assume state(Heap, Mask); + // Inhale invariant + havoc QPMask; + assert {:msg " While statement might fail. Quantified resource loc(a, j$3).val might not be injective. (max-array-elimination.vpr@26.17--26.42) [177]"} + (forall j$3_3: int, j$3_3_1: int :: + + (((j$3_3 != j$3_3_1 && (0 <= j$3_3 && j$3_3 < (len(a_3): int))) && (0 <= j$3_3_1 && j$3_3_1 < (len(a_3): int))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, j$3_3): Ref) != (loc(a_3, j$3_3_1): Ref) + ); + + // -- Define Inverse Function + assume (forall j$3_3: int :: + { (loc(a_3, j$3_3): Ref) } { (loc(a_3, j$3_3): Ref) } + (0 <= j$3_3 && j$3_3 < (len(a_3): int)) && NoPerm < FullPerm ==> qpRange6((loc(a_3, j$3_3): Ref)) && invRecv6((loc(a_3, j$3_3): Ref)) == j$3_3 + ); + assume (forall o_3: Ref :: + { invRecv6(o_3) } + ((0 <= invRecv6(o_3) && invRecv6(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange6(o_3) ==> (loc(a_3, invRecv6(o_3)): Ref) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall j$3_3: int :: + { (loc(a_3, j$3_3): Ref) } { (loc(a_3, j$3_3): Ref) } + 0 <= j$3_3 && j$3_3 < (len(a_3): int) ==> (loc(a_3, j$3_3): Ref) != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + (((0 <= invRecv6(o_3) && invRecv6(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange6(o_3) ==> (NoPerm < FullPerm ==> (loc(a_3, invRecv6(o_3)): Ref) == o_3) && QPMask[o_3, val] == Mask[o_3, val] + FullPerm) && (!(((0 <= invRecv6(o_3) && invRecv6(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange6(o_3)) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume (forall j$4_4: int :: + { (loc(a_3, j$4_4): Ref) } + 0 <= j$4_4 && j$4_4 < (len(a_3): int) ==> Heap[(loc(a_3, j$4_4): Ref), val] == old(Heap)[(loc(a_3, j$4_4): Ref), val] + ); + assume 0 <= x; + assume x <= y; + assume y < (len(a_3): int); + assume (forall i_7: int :: + { (loc(a_3, i_7): Ref) } + (0 <= i_7 && i_7 < x) || (y < i_7 && i_7 < (len(a_3): int)) ==> Heap[(loc(a_3, i_7): Ref), val] < Heap[(loc(a_3, x): Ref), val] + ) || (forall i_8: int :: + { (loc(a_3, i_8): Ref) } + (0 <= i_8 && i_8 < x) || (y < i_8 && i_8 < (len(a_3): int)) ==> Heap[(loc(a_3, i_8): Ref), val] <= Heap[(loc(a_3, y): Ref), val] + ); + assume state(Heap, Mask); + // Check and assume guard + assume x != y; + assume state(Heap, Mask); + + // -- Translate loop body + + // -- Translating statement: if (loc(a, x).val <= loc(a, y).val) -- max-array-elimination.vpr@35.7--39.8 + + // -- Check definedness of loc(a, x).val <= loc(a, y).val + assert {:msg " Conditional statement might fail. There might be insufficient permission to access loc(a, x).val (max-array-elimination.vpr@35.11--35.41) [178]"} + HasDirectPerm(Mask, (loc(a_3, x): Ref), val); + assert {:msg " Conditional statement might fail. There might be insufficient permission to access loc(a, y).val (max-array-elimination.vpr@35.11--35.41) [179]"} + HasDirectPerm(Mask, (loc(a_3, y): Ref), val); + if (Heap[(loc(a_3, x): Ref), val] <= Heap[(loc(a_3, y): Ref), val]) { + + // -- Translating statement: x := x + 1 -- max-array-elimination.vpr@36.9--36.19 + x := x + 1; + assume state(Heap, Mask); + } else { + + // -- Translating statement: y := y - 1 -- max-array-elimination.vpr@38.9--38.19 + y := y - 1; + assume state(Heap, Mask); + } + assume state(Heap, Mask); + // Exhale invariant + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver loc(a, j$3) is injective + assert {:msg " Loop invariant (forall j$3: Int :: { loc(a, j$3) } 0 <= j$3 && j$3 < len(a) ==> acc(loc(a, j$3).val, write)) && (forall j$4: Int :: { loc(a, j$4) } 0 <= j$4 && j$4 < len(a) ==> loc(a, j$4).val == old(loc(a, j$4).val)) might not be preserved. Quantified resource loc(a, j$3).val might not be injective. (max-array-elimination.vpr@26.17--26.42) [180]"} + (forall j$3_4: int, j$3_4_1: int :: + { neverTriggered7(j$3_4), neverTriggered7(j$3_4_1) } + (((j$3_4 != j$3_4_1 && (0 <= j$3_4 && j$3_4 < (len(a_3): int))) && (0 <= j$3_4_1 && j$3_4_1 < (len(a_3): int))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, j$3_4): Ref) != (loc(a_3, j$3_4_1): Ref) + ); + + // -- check if sufficient permission is held + assert {:msg " Loop invariant (forall j$3: Int :: { loc(a, j$3) } 0 <= j$3 && j$3 < len(a) ==> acc(loc(a, j$3).val, write)) && (forall j$4: Int :: { loc(a, j$4) } 0 <= j$4 && j$4 < len(a) ==> loc(a, j$4).val == old(loc(a, j$4).val)) might not be preserved. There might be insufficient permission to access loc(a, j$3).val (max-array-elimination.vpr@26.17--26.42) [181]"} + (forall j$3_4: int :: + { (loc(a_3, j$3_4): Ref) } { (loc(a_3, j$3_4): Ref) } + 0 <= j$3_4 && j$3_4 < (len(a_3): int) ==> Mask[(loc(a_3, j$3_4): Ref), val] >= FullPerm + ); + + // -- assumptions for inverse of receiver loc(a, j$3) + assume (forall j$3_4: int :: + { (loc(a_3, j$3_4): Ref) } { (loc(a_3, j$3_4): Ref) } + (0 <= j$3_4 && j$3_4 < (len(a_3): int)) && NoPerm < FullPerm ==> qpRange7((loc(a_3, j$3_4): Ref)) && invRecv7((loc(a_3, j$3_4): Ref)) == j$3_4 + ); + assume (forall o_3: Ref :: + { invRecv7(o_3) } + (0 <= invRecv7(o_3) && invRecv7(o_3) < (len(a_3): int)) && (NoPerm < FullPerm && qpRange7(o_3)) ==> (loc(a_3, invRecv7(o_3)): Ref) == o_3 + ); + + // -- assume permission updates for field val + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + ((0 <= invRecv7(o_3) && invRecv7(o_3) < (len(a_3): int)) && (NoPerm < FullPerm && qpRange7(o_3)) ==> (loc(a_3, invRecv7(o_3)): Ref) == o_3 && QPMask[o_3, val] == Mask[o_3, val] - FullPerm) && (!((0 <= invRecv7(o_3) && invRecv7(o_3) < (len(a_3): int)) && (NoPerm < FullPerm && qpRange7(o_3))) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + if (*) { + if (0 <= j$4_5 && j$4_5 < (len(a_3): int)) { + assert {:msg " Loop invariant (forall j$3: Int :: { loc(a, j$3) } 0 <= j$3 && j$3 < len(a) ==> acc(loc(a, j$3).val, write)) && (forall j$4: Int :: { loc(a, j$4) } 0 <= j$4 && j$4 < len(a) ==> loc(a, j$4).val == old(loc(a, j$4).val)) might not be preserved. Assertion loc(a, j$4).val == old(loc(a, j$4).val) might not hold. (max-array-elimination.vpr@26.17--26.42) [182]"} + Heap[(loc(a_3, j$4_5): Ref), val] == old(Heap)[(loc(a_3, j$4_5): Ref), val]; + } + assume false; + } + assume (forall j$4_6_1: int :: + { (loc(a_3, j$4_6_1): Ref) } + 0 <= j$4_6_1 && j$4_6_1 < (len(a_3): int) ==> Heap[(loc(a_3, j$4_6_1): Ref), val] == old(Heap)[(loc(a_3, j$4_6_1): Ref), val] + ); + assert {:msg " Loop invariant 0 <= x && (x <= y && y < len(a)) might not be preserved. Assertion 0 <= x might not hold. (max-array-elimination.vpr@27.17--27.47) [183]"} + 0 <= x; + assert {:msg " Loop invariant 0 <= x && (x <= y && y < len(a)) might not be preserved. Assertion x <= y might not hold. (max-array-elimination.vpr@27.17--27.47) [184]"} + x <= y; + assert {:msg " Loop invariant 0 <= x && (x <= y && y < len(a)) might not be preserved. Assertion y < len(a) might not hold. (max-array-elimination.vpr@27.17--27.47) [185]"} + y < (len(a_3): int); + assert {:msg " Loop invariant (forall i: Int :: { loc(a, i) } 0 <= i && i < x || y < i && i < len(a) ==> loc(a, i).val < loc(a, x).val) || (forall i: Int :: { loc(a, i) } 0 <= i && i < x || y < i && i < len(a) ==> loc(a, i).val <= loc(a, y).val) might not be preserved. Assertion (forall i: Int :: { loc(a, i) } 0 <= i && i < x || y < i && i < len(a) ==> loc(a, i).val < loc(a, x).val) || (forall i: Int :: { loc(a, i) } 0 <= i && i < x || y < i && i < len(a) ==> loc(a, i).val <= loc(a, y).val) might not hold. (max-array-elimination.vpr@28.20--33.58) [186]"} + (forall i_9: int :: + { (loc(a_3, i_9): Ref) } + (0 <= i_9 && i_9 < x) || (y < i_9 && i_9 < (len(a_3): int)) ==> Heap[(loc(a_3, i_9): Ref), val] < Heap[(loc(a_3, x): Ref), val] + ) || (forall i_10: int :: + { (loc(a_3, i_10): Ref) } + (0 <= i_10 && i_10 < x) || (y < i_10 && i_10 < (len(a_3): int)) ==> Heap[(loc(a_3, i_10): Ref), val] <= Heap[(loc(a_3, y): Ref), val] + ); + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Terminate execution + assume false; + } + + // -- Inhale loop invariant after loop, and assume guard + assume !(x != y); + assume state(Heap, Mask); + havoc QPMask; + assert {:msg " While statement might fail. Quantified resource loc(a, j$3).val might not be injective. (max-array-elimination.vpr@26.17--26.42) [187]"} + (forall j$3_5: int, j$3_5_1: int :: + + (((j$3_5 != j$3_5_1 && (0 <= j$3_5 && j$3_5 < (len(a_3): int))) && (0 <= j$3_5_1 && j$3_5_1 < (len(a_3): int))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, j$3_5): Ref) != (loc(a_3, j$3_5_1): Ref) + ); + + // -- Define Inverse Function + assume (forall j$3_5: int :: + { (loc(a_3, j$3_5): Ref) } { (loc(a_3, j$3_5): Ref) } + (0 <= j$3_5 && j$3_5 < (len(a_3): int)) && NoPerm < FullPerm ==> qpRange8((loc(a_3, j$3_5): Ref)) && invRecv8((loc(a_3, j$3_5): Ref)) == j$3_5 + ); + assume (forall o_3: Ref :: + { invRecv8(o_3) } + ((0 <= invRecv8(o_3) && invRecv8(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange8(o_3) ==> (loc(a_3, invRecv8(o_3)): Ref) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall j$3_5: int :: + { (loc(a_3, j$3_5): Ref) } { (loc(a_3, j$3_5): Ref) } + 0 <= j$3_5 && j$3_5 < (len(a_3): int) ==> (loc(a_3, j$3_5): Ref) != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + (((0 <= invRecv8(o_3) && invRecv8(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange8(o_3) ==> (NoPerm < FullPerm ==> (loc(a_3, invRecv8(o_3)): Ref) == o_3) && QPMask[o_3, val] == Mask[o_3, val] + FullPerm) && (!(((0 <= invRecv8(o_3) && invRecv8(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange8(o_3)) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume (forall j$4_7: int :: + { (loc(a_3, j$4_7): Ref) } + 0 <= j$4_7 && j$4_7 < (len(a_3): int) ==> Heap[(loc(a_3, j$4_7): Ref), val] == old(Heap)[(loc(a_3, j$4_7): Ref), val] + ); + assume 0 <= x; + assume x <= y; + assume y < (len(a_3): int); + assume (forall i_11: int :: + { (loc(a_3, i_11): Ref) } + (0 <= i_11 && i_11 < x) || (y < i_11 && i_11 < (len(a_3): int)) ==> Heap[(loc(a_3, i_11): Ref), val] < Heap[(loc(a_3, x): Ref), val] + ) || (forall i_12: int :: + { (loc(a_3, i_12): Ref) } + (0 <= i_12 && i_12 < x) || (y < i_12 && i_12 < (len(a_3): int)) ==> Heap[(loc(a_3, i_12): Ref), val] <= Heap[(loc(a_3, y): Ref), val] + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Exhaling postcondition + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver loc(a, j$0) is injective + assert {:msg " Contract might not be well-formed. Quantified resource loc(a, j$0).val might not be injective. (max-array-elimination.vpr@14.12--14.21) [188]"} + (forall j$0_2: int, j$0_2_1: int :: + { neverTriggered3(j$0_2), neverTriggered3(j$0_2_1) } + (((j$0_2 != j$0_2_1 && (0 <= j$0_2 && j$0_2 < (len(a_3): int))) && (0 <= j$0_2_1 && j$0_2_1 < (len(a_3): int))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, j$0_2): Ref) != (loc(a_3, j$0_2_1): Ref) + ); + + // -- check if sufficient permission is held + assert {:msg " Postcondition of max might not hold. There might be insufficient permission to access loc(a, j$0).val (max-array-elimination.vpr@14.12--14.37) [189]"} + (forall j$0_2: int :: + { (loc(a_3, j$0_2): Ref) } { (loc(a_3, j$0_2): Ref) } + 0 <= j$0_2 && j$0_2 < (len(a_3): int) ==> Mask[(loc(a_3, j$0_2): Ref), val] >= FullPerm + ); + + // -- assumptions for inverse of receiver loc(a, j$0) + assume (forall j$0_2: int :: + { (loc(a_3, j$0_2): Ref) } { (loc(a_3, j$0_2): Ref) } + (0 <= j$0_2 && j$0_2 < (len(a_3): int)) && NoPerm < FullPerm ==> qpRange3((loc(a_3, j$0_2): Ref)) && invRecv3((loc(a_3, j$0_2): Ref)) == j$0_2 + ); + assume (forall o_3: Ref :: + { invRecv3(o_3) } + (0 <= invRecv3(o_3) && invRecv3(o_3) < (len(a_3): int)) && (NoPerm < FullPerm && qpRange3(o_3)) ==> (loc(a_3, invRecv3(o_3)): Ref) == o_3 + ); + + // -- assume permission updates for field val + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + ((0 <= invRecv3(o_3) && invRecv3(o_3) < (len(a_3): int)) && (NoPerm < FullPerm && qpRange3(o_3)) ==> (loc(a_3, invRecv3(o_3)): Ref) == o_3 && QPMask[o_3, val] == Mask[o_3, val] - FullPerm) && (!((0 <= invRecv3(o_3) && invRecv3(o_3) < (len(a_3): int)) && (NoPerm < FullPerm && qpRange3(o_3))) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + if (*) { + if (0 <= j$1_2 && j$1_2 < (len(a_3): int)) { + assert {:msg " Postcondition of max might not hold. Assertion loc(a, j$1).val == old(loc(a, j$1).val) might not hold. (max-array-elimination.vpr@14.12--14.37) [190]"} + Heap[(loc(a_3, j$1_2): Ref), val] == old(Heap)[(loc(a_3, j$1_2): Ref), val]; + } + assume false; + } + assume (forall j$1_3_1: int :: + { (loc(a_3, j$1_3_1): Ref) } + 0 <= j$1_3_1 && j$1_3_1 < (len(a_3): int) ==> Heap[(loc(a_3, j$1_3_1): Ref), val] == old(Heap)[(loc(a_3, j$1_3_1): Ref), val] + ); + if ((len(a_3): int) == 0) { + assert {:msg " Postcondition of max might not hold. Assertion x == -1 might not hold. (max-array-elimination.vpr@15.12--15.58) [191]"} + x == -1; + } else { + assert {:msg " Postcondition of max might not hold. Assertion 0 <= x might not hold. (max-array-elimination.vpr@15.12--15.58) [192]"} + 0 <= x; + assert {:msg " Postcondition of max might not hold. Assertion x < len(a) might not hold. (max-array-elimination.vpr@15.12--15.58) [193]"} + x < (len(a_3): int); + } + if (*) { + if (0 <= j$2_2 && j$2_2 < (len(a_3): int)) { + assert {:msg " Postcondition of max might not hold. Assertion loc(a, j$2).val <= loc(a, x).val might not hold. (max-array-elimination.vpr@16.12--16.32) [194]"} + Heap[(loc(a_3, j$2_2): Ref), val] <= Heap[(loc(a_3, x): Ref), val]; + } + assume false; + } + assume (forall j$2_3_1: int :: + { (loc(a_3, j$2_3_1): Ref) } + 0 <= j$2_3_1 && j$2_3_1 < (len(a_3): int) ==> Heap[(loc(a_3, j$2_3_1): Ref), val] <= Heap[(loc(a_3, x): Ref), val] + ); + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; +} + +// ================================================== +// Translation of method client +// ================================================== + +procedure client() returns () + modifies Heap, Mask; +{ + var a_3: IArrayDomainType; + var QPMask: MaskType; + var i_13: int; + var PreCallHeap: HeapType; + var PreCallMask: MaskType; + var x: int; + var ExhaleHeap: HeapType; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Translating statement: inhale len(a) == 3 -- max-array-elimination.vpr@46.3--46.21 + assume (len(a_3): int) == 3; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall j: Int :: + // { loc(a, j) } + // 0 <= j && j < len(a) ==> acc(loc(a, j).val, write)) -- max-array-elimination.vpr@47.3--47.19 + + // -- Check definedness of (forall j: Int :: { loc(a, j) } 0 <= j && j < len(a) ==> acc(loc(a, j).val, write)) + if (*) { + assume false; + } + havoc QPMask; + assert {:msg " Inhale might fail. Quantified resource loc(a, j).val might not be injective. (max-array-elimination.vpr@47.10--47.19) [195]"} + (forall j_1: int, j_1_1: int :: + + (((j_1 != j_1_1 && (0 <= j_1 && j_1 < (len(a_3): int))) && (0 <= j_1_1 && j_1_1 < (len(a_3): int))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, j_1): Ref) != (loc(a_3, j_1_1): Ref) + ); + + // -- Define Inverse Function + assume (forall j_1: int :: + { (loc(a_3, j_1): Ref) } { (loc(a_3, j_1): Ref) } + (0 <= j_1 && j_1 < (len(a_3): int)) && NoPerm < FullPerm ==> qpRange9((loc(a_3, j_1): Ref)) && invRecv9((loc(a_3, j_1): Ref)) == j_1 + ); + assume (forall o_3: Ref :: + { invRecv9(o_3) } + ((0 <= invRecv9(o_3) && invRecv9(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange9(o_3) ==> (loc(a_3, invRecv9(o_3)): Ref) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall j_1: int :: + { (loc(a_3, j_1): Ref) } { (loc(a_3, j_1): Ref) } + 0 <= j_1 && j_1 < (len(a_3): int) ==> (loc(a_3, j_1): Ref) != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + (((0 <= invRecv9(o_3) && invRecv9(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange9(o_3) ==> (NoPerm < FullPerm ==> (loc(a_3, invRecv9(o_3)): Ref) == o_3) && QPMask[o_3, val] == Mask[o_3, val] + FullPerm) && (!(((0 <= invRecv9(o_3) && invRecv9(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange9(o_3)) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall i: Int :: + // { loc(a, i) } + // 0 <= i && i < len(a) ==> loc(a, i).val == i) -- max-array-elimination.vpr@48.3--48.70 + + // -- Check definedness of (forall i: Int :: { loc(a, i) } 0 <= i && i < len(a) ==> loc(a, i).val == i) + if (*) { + if (0 <= i_13 && i_13 < (len(a_3): int)) { + assert {:msg " Inhale might fail. There might be insufficient permission to access loc(a, i).val (max-array-elimination.vpr@48.10--48.70) [196]"} + HasDirectPerm(Mask, (loc(a_3, i_13): Ref), val); + } + assume false; + } + assume (forall i_1_1: int :: + { (loc(a_3, i_1_1): Ref) } + 0 <= i_1_1 && i_1_1 < (len(a_3): int) ==> Heap[(loc(a_3, i_1_1): Ref), val] == i_1_1 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: x := max(a) -- max-array-elimination.vpr@51.3--51.14 + PreCallHeap := Heap; + PreCallMask := Mask; + havoc x; + + // -- Exhaling precondition + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver loc(a, j) is injective + assert {:msg " The precondition of method max might not hold. Quantified resource loc(a, j).val might not be injective. (max-array-elimination.vpr@51.3--51.14) [197]"} + (forall j_2: int, j_2_1: int :: + { neverTriggered10(j_2), neverTriggered10(j_2_1) } + (((j_2 != j_2_1 && (0 <= j_2 && j_2 < (len(a_3): int))) && (0 <= j_2_1 && j_2_1 < (len(a_3): int))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, j_2): Ref) != (loc(a_3, j_2_1): Ref) + ); + + // -- check if sufficient permission is held + assert {:msg " The precondition of method max might not hold. There might be insufficient permission to access loc(a, j).val (max-array-elimination.vpr@51.3--51.14) [198]"} + (forall j_2: int :: + { (loc(a_3, j_2): Ref) } { (loc(a_3, j_2): Ref) } + 0 <= j_2 && j_2 < (len(a_3): int) ==> Mask[(loc(a_3, j_2): Ref), val] >= FullPerm + ); + + // -- assumptions for inverse of receiver loc(a, j) + assume (forall j_2: int :: + { (loc(a_3, j_2): Ref) } { (loc(a_3, j_2): Ref) } + (0 <= j_2 && j_2 < (len(a_3): int)) && NoPerm < FullPerm ==> qpRange10((loc(a_3, j_2): Ref)) && invRecv10((loc(a_3, j_2): Ref)) == j_2 + ); + assume (forall o_3: Ref :: + { invRecv10(o_3) } + (0 <= invRecv10(o_3) && invRecv10(o_3) < (len(a_3): int)) && (NoPerm < FullPerm && qpRange10(o_3)) ==> (loc(a_3, invRecv10(o_3)): Ref) == o_3 + ); + + // -- assume permission updates for field val + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + ((0 <= invRecv10(o_3) && invRecv10(o_3) < (len(a_3): int)) && (NoPerm < FullPerm && qpRange10(o_3)) ==> (loc(a_3, invRecv10(o_3)): Ref) == o_3 && QPMask[o_3, val] == Mask[o_3, val] - FullPerm) && (!((0 <= invRecv10(o_3) && invRecv10(o_3) < (len(a_3): int)) && (NoPerm < FullPerm && qpRange10(o_3))) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + + // -- Inhaling postcondition + havoc QPMask; + assert {:msg " Method call might fail. Quantified resource loc(a, j$0).val might not be injective. (max-array-elimination.vpr@51.3--51.14) [199]"} + (forall j$0: int, j$0_3: int :: + + (((j$0 != j$0_3 && (0 <= j$0 && j$0 < (len(a_3): int))) && (0 <= j$0_3 && j$0_3 < (len(a_3): int))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, j$0): Ref) != (loc(a_3, j$0_3): Ref) + ); + + // -- Define Inverse Function + assume (forall j$0: int :: + { (loc(a_3, j$0): Ref) } { (loc(a_3, j$0): Ref) } + (0 <= j$0 && j$0 < (len(a_3): int)) && NoPerm < FullPerm ==> qpRange11((loc(a_3, j$0): Ref)) && invRecv11((loc(a_3, j$0): Ref)) == j$0 + ); + assume (forall o_3: Ref :: + { invRecv11(o_3) } + ((0 <= invRecv11(o_3) && invRecv11(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange11(o_3) ==> (loc(a_3, invRecv11(o_3)): Ref) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall j$0: int :: + { (loc(a_3, j$0): Ref) } { (loc(a_3, j$0): Ref) } + 0 <= j$0 && j$0 < (len(a_3): int) ==> (loc(a_3, j$0): Ref) != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + (((0 <= invRecv11(o_3) && invRecv11(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange11(o_3) ==> (NoPerm < FullPerm ==> (loc(a_3, invRecv11(o_3)): Ref) == o_3) && QPMask[o_3, val] == Mask[o_3, val] + FullPerm) && (!(((0 <= invRecv11(o_3) && invRecv11(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange11(o_3)) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume (forall j$1_3: int :: + { (loc(a_3, j$1_3): Ref) } + 0 <= j$1_3 && j$1_3 < (len(a_3): int) ==> Heap[(loc(a_3, j$1_3): Ref), val] == old(PreCallHeap)[(loc(a_3, j$1_3): Ref), val] + ); + if ((len(a_3): int) == 0) { + assume x == -1; + } else { + assume 0 <= x; + assume x < (len(a_3): int); + } + assume (forall j$2_3: int :: + { (loc(a_3, j$2_3): Ref) } + 0 <= j$2_3 && j$2_3 < (len(a_3): int) ==> Heap[(loc(a_3, j$2_3): Ref), val] <= Heap[(loc(a_3, x): Ref), val] + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: assert loc(a, 0).val <= x -- max-array-elimination.vpr@53.3--53.28 + + // -- Check definedness of loc(a, 0).val <= x + assert {:msg " Assert might fail. There might be insufficient permission to access loc(a, 0).val (max-array-elimination.vpr@53.10--53.28) [200]"} + HasDirectPerm(Mask, (loc(a_3, 0): Ref), val); + assert {:msg " Assert might fail. Assertion loc(a, 0).val <= x might not hold. (max-array-elimination.vpr@53.10--53.28) [201]"} + Heap[(loc(a_3, 0): Ref), val] <= x; + assume state(Heap, Mask); + + // -- Translating statement: assert x == loc(a, len(a) - 1).val -- max-array-elimination.vpr@55.3--55.37 + + // -- Check definedness of x == loc(a, len(a) - 1).val + assert {:msg " Assert might fail. There might be insufficient permission to access loc(a, len(a) - 1).val (max-array-elimination.vpr@55.10--55.37) [202]"} + HasDirectPerm(Mask, (loc(a_3, (len(a_3): int) - 1): Ref), val); + assert {:msg " Assert might fail. Assertion x == loc(a, len(a) - 1).val might not hold. (max-array-elimination.vpr@55.10--55.37) [203]"} + x == Heap[(loc(a_3, (len(a_3): int) - 1): Ref), val]; + assume state(Heap, Mask); + + // -- Translating statement: assert x == 2 -- max-array-elimination.vpr@58.3--58.16 + assert {:msg " Assert might fail. Assertion x == 2 might not hold. (max-array-elimination.vpr@58.10--58.16) [204]"} + x == 2; + assume state(Heap, Mask); + + // -- Translating statement: assert loc(a, 1).val < x -- max-array-elimination.vpr@60.3--60.27 + + // -- Check definedness of loc(a, 1).val < x + assert {:msg " Assert might fail. There might be insufficient permission to access loc(a, 1).val (max-array-elimination.vpr@60.10--60.27) [205]"} + HasDirectPerm(Mask, (loc(a_3, 1): Ref), val); + assert {:msg " Assert might fail. Assertion loc(a, 1).val < x might not hold. (max-array-elimination.vpr@60.10--60.27) [206]"} + Heap[(loc(a_3, 1): Ref), val] < x; + assume state(Heap, Mask); +} diff --git a/Test/monomorphize/viper/max-array-standard.bpl b/Test/monomorphize/viper/max-array-standard.bpl new file mode 100644 index 000000000..6a4f7ade2 --- /dev/null +++ b/Test/monomorphize/viper/max-array-standard.bpl @@ -0,0 +1,1116 @@ +// RUN: %parallel-boogie /monomorphize /noVerify "%s" > "%t" + +// ================================================== +// Preamble of State module. +// ================================================== + +function state(Heap: HeapType, Mask: MaskType): bool; + +// ================================================== +// Preamble of Heap module. +// ================================================== + +type Ref; +var Heap: HeapType; +const null: Ref; +type Field A B; +type NormalField; +type HeapType = [Ref, Field A B]B; +const unique $allocated: Field NormalField bool; +axiom (forall o: Ref, f: (Field NormalField Ref), Heap: HeapType :: + { Heap[o, f] } + Heap[o, $allocated] ==> Heap[Heap[o, f], $allocated] +); +function succHeap(Heap0: HeapType, Heap1: HeapType): bool; +function succHeapTrans(Heap0: HeapType, Heap1: HeapType): bool; +function IdenticalOnKnownLocations(Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType): bool; +function IsPredicateField(f_1: (Field A B)): bool; +function IsWandField(f_1: (Field A B)): bool; +function getPredicateId(f_1: (Field A B)): int; +// Frame all locations with direct permissions +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, o_1: Ref, f_2: (Field A B) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), ExhaleHeap[o_1, f_2] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, o_1, f_2) ==> Heap[o_1, f_2] == ExhaleHeap[o_1, f_2] +); +// Frame all predicate mask locations of predicates with direct permission +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsPredicateField(pm_f), ExhaleHeap[null, PredicateMaskField(pm_f)] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsPredicateField(pm_f) ==> Heap[null, PredicateMaskField(pm_f)] == ExhaleHeap[null, PredicateMaskField(pm_f)] +); +// Frame all locations with known folded permissions +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsPredicateField(pm_f) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsPredicateField(pm_f) ==> (forall o2: Ref, f_2: (Field A B) :: + { ExhaleHeap[o2, f_2] } + Heap[null, PredicateMaskField(pm_f)][o2, f_2] ==> Heap[o2, f_2] == ExhaleHeap[o2, f_2] + ) +); +// Frame all wand mask locations of wands with direct permission +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsWandField(pm_f), ExhaleHeap[null, WandMaskField(pm_f)] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsWandField(pm_f) ==> Heap[null, WandMaskField(pm_f)] == ExhaleHeap[null, WandMaskField(pm_f)] +); +// Frame all locations in the footprint of magic wands +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsWandField(pm_f) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsWandField(pm_f) ==> (forall o2: Ref, f_2: (Field A B) :: + { ExhaleHeap[o2, f_2] } + Heap[null, WandMaskField(pm_f)][o2, f_2] ==> Heap[o2, f_2] == ExhaleHeap[o2, f_2] + ) +); +// All previously-allocated references are still allocated +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, o_1: Ref :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), ExhaleHeap[o_1, $allocated] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> Heap[o_1, $allocated] ==> ExhaleHeap[o_1, $allocated] +); +// Updated Heaps are Successor Heaps +axiom (forall Heap: HeapType, o: Ref, f_3: (Field A B), v: B :: + { Heap[o, f_3:=v] } + succHeap(Heap, Heap[o, f_3:=v]) +); +// IdenticalOnKnownLocations Heaps are Successor Heaps +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> succHeap(Heap, ExhaleHeap) +); +// Successor Heaps are Transitive Successor Heaps +axiom (forall Heap0: HeapType, Heap1: HeapType :: + { succHeap(Heap0, Heap1) } + succHeap(Heap0, Heap1) ==> succHeapTrans(Heap0, Heap1) +); +// Transitivity of Transitive Successor Heaps +axiom (forall Heap0: HeapType, Heap1: HeapType, Heap2: HeapType :: + { succHeapTrans(Heap0, Heap1), succHeap(Heap1, Heap2) } + succHeapTrans(Heap0, Heap1) && succHeap(Heap1, Heap2) ==> succHeapTrans(Heap0, Heap2) +); + +// ================================================== +// Preamble of Permission module. +// ================================================== + +type Perm = real; +type MaskType = [Ref, Field A B]Perm; +var Mask: MaskType; +const ZeroMask: MaskType; +axiom (forall o_2: Ref, f_4: (Field A B) :: + { ZeroMask[o_2, f_4] } + ZeroMask[o_2, f_4] == NoPerm +); +type PMaskType = [Ref, Field A B]bool; +const ZeroPMask: PMaskType; +axiom (forall o_2: Ref, f_4: (Field A B) :: + { ZeroPMask[o_2, f_4] } + !ZeroPMask[o_2, f_4] +); +function PredicateMaskField(f_5: (Field A FrameType)): Field A PMaskType; +function WandMaskField(f_5: (Field A FrameType)): Field A PMaskType; +const NoPerm: Perm; +axiom NoPerm == 0.000000000; +const FullPerm: Perm; +axiom FullPerm == 1.000000000; +function Perm(a: real, b: real): Perm; +function GoodMask(Mask: MaskType): bool; +axiom (forall Heap: HeapType, Mask: MaskType :: + { state(Heap, Mask) } + state(Heap, Mask) ==> GoodMask(Mask) +); +axiom (forall Mask: MaskType, o_2: Ref, f_4: (Field A B) :: + { GoodMask(Mask), Mask[o_2, f_4] } + GoodMask(Mask) ==> Mask[o_2, f_4] >= NoPerm && ((GoodMask(Mask) && !IsPredicateField(f_4)) && !IsWandField(f_4) ==> Mask[o_2, f_4] <= FullPerm) +); +function HasDirectPerm(Mask: MaskType, o_2: Ref, f_4: (Field A B)): bool; +axiom (forall Mask: MaskType, o_2: Ref, f_4: (Field A B) :: + { HasDirectPerm(Mask, o_2, f_4) } + HasDirectPerm(Mask, o_2, f_4) <==> Mask[o_2, f_4] > NoPerm +); +function sumMask(ResultMask: MaskType, SummandMask1: MaskType, SummandMask2: MaskType): bool; +axiom (forall ResultMask: MaskType, SummandMask1: MaskType, SummandMask2: MaskType, o_2: Ref, f_4: (Field A B) :: + { sumMask(ResultMask, SummandMask1, SummandMask2), ResultMask[o_2, f_4] } { sumMask(ResultMask, SummandMask1, SummandMask2), SummandMask1[o_2, f_4] } { sumMask(ResultMask, SummandMask1, SummandMask2), SummandMask2[o_2, f_4] } + sumMask(ResultMask, SummandMask1, SummandMask2) ==> ResultMask[o_2, f_4] == SummandMask1[o_2, f_4] + SummandMask2[o_2, f_4] +); +// ================================================== +// Function for trigger used in checks which are never triggered +// ================================================== + +function neverTriggered1(j_1: int): bool; +function neverTriggered2(j$0_1: int): bool; +function neverTriggered3(j$0_2: int): bool; +function neverTriggered4(j$3: int): bool; +function neverTriggered5(j$3_2: int): bool; +function neverTriggered6(j$3_3: int): bool; +function neverTriggered7(j$3_4: int): bool; +function neverTriggered8(j$3_5: int): bool; +function neverTriggered9(j_1: int): bool; +function neverTriggered10(j_2: int): bool; +function neverTriggered11(j$0: int): bool; +// ================================================== +// Functions used as inverse of receiver expressions in quantified permissions during inhale and exhale +// ================================================== + +function invRecv1(recv: Ref): int; +function invRecv2(recv: Ref): int; +function invRecv3(recv: Ref): int; +function invRecv4(recv: Ref): int; +function invRecv5(recv: Ref): int; +function invRecv6(recv: Ref): int; +function invRecv7(recv: Ref): int; +function invRecv8(recv: Ref): int; +function invRecv9(recv: Ref): int; +function invRecv10(recv: Ref): int; +function invRecv11(recv: Ref): int; +// ================================================== +// Functions used to represent the range of the projection of each QP instance onto its receiver expressions for quantified permissions during inhale and exhale +// ================================================== + +function qpRange1(recv: Ref): bool; +function qpRange2(recv: Ref): bool; +function qpRange3(recv: Ref): bool; +function qpRange4(recv: Ref): bool; +function qpRange5(recv: Ref): bool; +function qpRange6(recv: Ref): bool; +function qpRange7(recv: Ref): bool; +function qpRange8(recv: Ref): bool; +function qpRange9(recv: Ref): bool; +function qpRange10(recv: Ref): bool; +function qpRange11(recv: Ref): bool; + +// ================================================== +// Preamble of Function and predicate module. +// ================================================== + +// Declarations for function framing +type FrameType; +const EmptyFrame: FrameType; +function FrameFragment(t: T): FrameType; +function ConditionalFrame(p: Perm, f_6: FrameType): FrameType; +function dummyFunction(t: T): bool; +function CombineFrames(a_1: FrameType, b_1: FrameType): FrameType; +// ================================================== +// Definition of conditional frame fragments +// ================================================== + +axiom (forall p: Perm, f_6: FrameType :: + { ConditionalFrame(p, f_6) } + ConditionalFrame(p, f_6) == (if p > 0.000000000 then f_6 else EmptyFrame) +); +// Function for recording enclosure of one predicate instance in another +function InsidePredicate(p: (Field A FrameType), v_1: FrameType, q: (Field B FrameType), w: FrameType): bool; +// Transitivity of InsidePredicate +axiom (forall p: (Field A FrameType), v_1: FrameType, q: (Field B FrameType), w: FrameType, r: (Field C FrameType), u: FrameType :: + { InsidePredicate(p, v_1, q, w), InsidePredicate(q, w, r, u) } + InsidePredicate(p, v_1, q, w) && InsidePredicate(q, w, r, u) ==> InsidePredicate(p, v_1, r, u) +); +// Knowledge that two identical instances of the same predicate cannot be inside each other +axiom (forall p: (Field A FrameType), v_1: FrameType, w: FrameType :: + { InsidePredicate(p, v_1, p, w) } + !InsidePredicate(p, v_1, p, w) +); + +// ================================================== +// Translation of domain IArray +// ================================================== + +// The type for domain IArray +type IArrayDomainType; + +// Translation of domain function loc +function loc(a_2: IArrayDomainType, i: int): Ref; + +// Translation of domain function len +function len(a_2: IArrayDomainType): int; + +// Translation of domain function first +function first(r_1: Ref): IArrayDomainType; + +// Translation of domain function second +function second(r_1: Ref): int; + +// Translation of domain axiom all_diff +axiom (forall a_3: IArrayDomainType, i_1: int :: + { (loc(a_3, i_1): Ref) } + (first((loc(a_3, i_1): Ref)): IArrayDomainType) == a_3 && (second((loc(a_3, i_1): Ref)): int) == i_1 +); + +// Translation of domain axiom length_nonneg +axiom (forall a_3: IArrayDomainType :: + { (len(a_3): int) } + (len(a_3): int) >= 0 +); + +// ================================================== +// Translation of all fields +// ================================================== + +const unique val: Field NormalField int; +axiom !IsPredicateField(val); +axiom !IsWandField(val); + +// ================================================== +// Translation of method max +// ================================================== + +procedure vmax(a_3: IArrayDomainType) returns (at: int) + modifies Heap, Mask; +{ + var QPMask: MaskType; + var PostHeap: HeapType; + var PostMask: MaskType; + var j$1: int; + var j$2: int; + var k: int; + var j$4: int; + var j$5: int; + var ExhaleHeap: HeapType; + var j$4_1: int; + var j$5_1: int; + var loopHeap: HeapType; + var loopMask: MaskType; + var j$4_5: int; + var j$5_5: int; + var j$1_2: int; + var j$2_2: int; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + + // -- Checked inhaling of precondition + + // -- Check definedness of (forall j: Int :: { loc(a, j) } 0 <= j && j < len(a) ==> acc(loc(a, j).val, write)) + if (*) { + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource loc(a, j).val might not be injective. (max-array-standard.vpr@18.12--18.21) [155]"} + (forall j_1: int, j_1_1: int :: + + (((j_1 != j_1_1 && (0 <= j_1 && j_1 < (len(a_3): int))) && (0 <= j_1_1 && j_1_1 < (len(a_3): int))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, j_1): Ref) != (loc(a_3, j_1_1): Ref) + ); + + // -- Define Inverse Function + assume (forall j_1: int :: + { (loc(a_3, j_1): Ref) } { (loc(a_3, j_1): Ref) } + (0 <= j_1 && j_1 < (len(a_3): int)) && NoPerm < FullPerm ==> qpRange1((loc(a_3, j_1): Ref)) && invRecv1((loc(a_3, j_1): Ref)) == j_1 + ); + assume (forall o_3: Ref :: + { invRecv1(o_3) } + ((0 <= invRecv1(o_3) && invRecv1(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange1(o_3) ==> (loc(a_3, invRecv1(o_3)): Ref) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall j_1: int :: + { (loc(a_3, j_1): Ref) } { (loc(a_3, j_1): Ref) } + 0 <= j_1 && j_1 < (len(a_3): int) ==> (loc(a_3, j_1): Ref) != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + (((0 <= invRecv1(o_3) && invRecv1(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange1(o_3) ==> (NoPerm < FullPerm ==> (loc(a_3, invRecv1(o_3)): Ref) == o_3) && QPMask[o_3, val] == Mask[o_3, val] + FullPerm) && (!(((0 <= invRecv1(o_3) && invRecv1(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange1(o_3)) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + PostHeap := Heap; + PostMask := Mask; + havoc PostHeap; + PostMask := ZeroMask; + assume state(PostHeap, PostMask); + if (*) { + // Checked inhaling of postcondition to check definedness + + // -- Check definedness of (forall j$0: Int :: { loc(a, j$0) } 0 <= j$0 && j$0 < len(a) ==> acc(loc(a, j$0).val, write)) + if (*) { + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource loc(a, j$0).val might not be injective. (max-array-standard.vpr@19.12--19.37) [156]"} + (forall j$0_1: int, j$0_1_1: int :: + + (((j$0_1 != j$0_1_1 && (0 <= j$0_1 && j$0_1 < (len(a_3): int))) && (0 <= j$0_1_1 && j$0_1_1 < (len(a_3): int))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, j$0_1): Ref) != (loc(a_3, j$0_1_1): Ref) + ); + + // -- Define Inverse Function + assume (forall j$0_1: int :: + { (loc(a_3, j$0_1): Ref) } { (loc(a_3, j$0_1): Ref) } + (0 <= j$0_1 && j$0_1 < (len(a_3): int)) && NoPerm < FullPerm ==> qpRange2((loc(a_3, j$0_1): Ref)) && invRecv2((loc(a_3, j$0_1): Ref)) == j$0_1 + ); + assume (forall o_3: Ref :: + { invRecv2(o_3) } + ((0 <= invRecv2(o_3) && invRecv2(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange2(o_3) ==> (loc(a_3, invRecv2(o_3)): Ref) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall j$0_1: int :: + { (loc(a_3, j$0_1): Ref) } { (loc(a_3, j$0_1): Ref) } + 0 <= j$0_1 && j$0_1 < (len(a_3): int) ==> (loc(a_3, j$0_1): Ref) != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + (((0 <= invRecv2(o_3) && invRecv2(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange2(o_3) ==> (NoPerm < FullPerm ==> (loc(a_3, invRecv2(o_3)): Ref) == o_3) && QPMask[o_3, val] == PostMask[o_3, val] + FullPerm) && (!(((0 <= invRecv2(o_3) && invRecv2(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange2(o_3)) ==> QPMask[o_3, val] == PostMask[o_3, val]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { PostMask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != val ==> PostMask[o_3, f_5] == QPMask[o_3, f_5] + ); + PostMask := QPMask; + assume state(PostHeap, PostMask); + + // -- Check definedness of (forall j$1: Int :: { loc(a, j$1) } 0 <= j$1 && j$1 < len(a) ==> loc(a, j$1).val == old(loc(a, j$1).val)) + if (*) { + if (0 <= j$1 && j$1 < (len(a_3): int)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access loc(a, j$1).val (max-array-standard.vpr@19.12--19.37) [157]"} + HasDirectPerm(PostMask, (loc(a_3, j$1): Ref), val); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access loc(a, j$1).val (max-array-standard.vpr@19.12--19.37) [158]"} + HasDirectPerm(old(Mask), (loc(a_3, j$1): Ref), val); + } + assume false; + } + assume (forall j$1_1: int :: + { (loc(a_3, j$1_1): Ref) } + 0 <= j$1_1 && j$1_1 < (len(a_3): int) ==> PostHeap[(loc(a_3, j$1_1): Ref), val] == old(Heap)[(loc(a_3, j$1_1): Ref), val] + ); + assume state(PostHeap, PostMask); + if ((len(a_3): int) == 0) { + assume at == -1; + } else { + assume 0 <= at; + assume at < (len(a_3): int); + } + assume state(PostHeap, PostMask); + + // -- Check definedness of (forall j$2: Int :: { loc(a, j$2) } 0 <= j$2 && j$2 < len(a) ==> loc(a, j$2).val <= loc(a, at).val) + if (*) { + if (0 <= j$2 && j$2 < (len(a_3): int)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access loc(a, j$2).val (max-array-standard.vpr@21.12--21.33) [159]"} + HasDirectPerm(PostMask, (loc(a_3, j$2): Ref), val); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access loc(a, at).val (max-array-standard.vpr@21.12--21.33) [160]"} + HasDirectPerm(PostMask, (loc(a_3, at): Ref), val); + } + assume false; + } + assume (forall j$2_1: int :: + { (loc(a_3, j$2_1): Ref) } + 0 <= j$2_1 && j$2_1 < (len(a_3): int) ==> PostHeap[(loc(a_3, j$2_1): Ref), val] <= PostHeap[(loc(a_3, at): Ref), val] + ); + assume state(PostHeap, PostMask); + // Stop execution + assume false; + } + + // -- Translating statement: if (len(a) == 0) -- max-array-standard.vpr@23.3--40.4 + if ((len(a_3): int) == 0) { + + // -- Translating statement: at := -1 -- max-array-standard.vpr@24.5--24.13 + at := -1; + assume state(Heap, Mask); + } else { + + // -- Translating statement: at := 0 -- max-array-standard.vpr@26.5--26.12 + at := 0; + assume state(Heap, Mask); + + // -- Translating statement: k := 1 -- max-array-standard.vpr@27.5--27.20 + k := 1; + assume state(Heap, Mask); + + // -- Translating statement: while (k < len(a)) -- max-array-standard.vpr@28.5--39.6 + + // -- Before loop head + + // -- Exhale loop invariant before loop + assert {:msg " Loop invariant 1 <= k && k <= len(a) might not hold on entry. Assertion 1 <= k might not hold. (max-array-standard.vpr@29.17--29.38) [161]"} + 1 <= k; + assert {:msg " Loop invariant 1 <= k && k <= len(a) might not hold on entry. Assertion k <= len(a) might not hold. (max-array-standard.vpr@29.17--29.38) [162]"} + k <= (len(a_3): int); + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver loc(a, j$3) is injective + assert {:msg " Loop invariant (forall j$3: Int :: { loc(a, j$3) } 0 <= j$3 && j$3 < len(a) ==> acc(loc(a, j$3).val, write)) && (forall j$4: Int :: { loc(a, j$4) } 0 <= j$4 && j$4 < len(a) ==> loc(a, j$4).val == old(loc(a, j$4).val)) might not hold on entry. Quantified resource loc(a, j$3).val might not be injective. (max-array-standard.vpr@30.17--30.42) [163]"} + (forall j$3: int, j$3_1: int :: + { neverTriggered4(j$3), neverTriggered4(j$3_1) } + (((j$3 != j$3_1 && (0 <= j$3 && j$3 < (len(a_3): int))) && (0 <= j$3_1 && j$3_1 < (len(a_3): int))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, j$3): Ref) != (loc(a_3, j$3_1): Ref) + ); + + // -- check if sufficient permission is held + assert {:msg " Loop invariant (forall j$3: Int :: { loc(a, j$3) } 0 <= j$3 && j$3 < len(a) ==> acc(loc(a, j$3).val, write)) && (forall j$4: Int :: { loc(a, j$4) } 0 <= j$4 && j$4 < len(a) ==> loc(a, j$4).val == old(loc(a, j$4).val)) might not hold on entry. There might be insufficient permission to access loc(a, j$3).val (max-array-standard.vpr@30.17--30.42) [164]"} + (forall j$3: int :: + { (loc(a_3, j$3): Ref) } { (loc(a_3, j$3): Ref) } + 0 <= j$3 && j$3 < (len(a_3): int) ==> Mask[(loc(a_3, j$3): Ref), val] >= FullPerm + ); + + // -- assumptions for inverse of receiver loc(a, j$3) + assume (forall j$3: int :: + { (loc(a_3, j$3): Ref) } { (loc(a_3, j$3): Ref) } + (0 <= j$3 && j$3 < (len(a_3): int)) && NoPerm < FullPerm ==> qpRange4((loc(a_3, j$3): Ref)) && invRecv4((loc(a_3, j$3): Ref)) == j$3 + ); + assume (forall o_3: Ref :: + { invRecv4(o_3) } + (0 <= invRecv4(o_3) && invRecv4(o_3) < (len(a_3): int)) && (NoPerm < FullPerm && qpRange4(o_3)) ==> (loc(a_3, invRecv4(o_3)): Ref) == o_3 + ); + + // -- assume permission updates for field val + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + ((0 <= invRecv4(o_3) && invRecv4(o_3) < (len(a_3): int)) && (NoPerm < FullPerm && qpRange4(o_3)) ==> (loc(a_3, invRecv4(o_3)): Ref) == o_3 && QPMask[o_3, val] == Mask[o_3, val] - FullPerm) && (!((0 <= invRecv4(o_3) && invRecv4(o_3) < (len(a_3): int)) && (NoPerm < FullPerm && qpRange4(o_3))) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + if (*) { + if (0 <= j$4 && j$4 < (len(a_3): int)) { + assert {:msg " Loop invariant (forall j$3: Int :: { loc(a, j$3) } 0 <= j$3 && j$3 < len(a) ==> acc(loc(a, j$3).val, write)) && (forall j$4: Int :: { loc(a, j$4) } 0 <= j$4 && j$4 < len(a) ==> loc(a, j$4).val == old(loc(a, j$4).val)) might not hold on entry. Assertion loc(a, j$4).val == old(loc(a, j$4).val) might not hold. (max-array-standard.vpr@30.17--30.42) [165]"} + Heap[(loc(a_3, j$4): Ref), val] == old(Heap)[(loc(a_3, j$4): Ref), val]; + } + assume false; + } + assume (forall j$4_1_1: int :: + { (loc(a_3, j$4_1_1): Ref) } + 0 <= j$4_1_1 && j$4_1_1 < (len(a_3): int) ==> Heap[(loc(a_3, j$4_1_1): Ref), val] == old(Heap)[(loc(a_3, j$4_1_1): Ref), val] + ); + assert {:msg " Loop invariant 0 <= at && at < k might not hold on entry. Assertion 0 <= at might not hold. (max-array-standard.vpr@31.17--31.34) [166]"} + 0 <= at; + assert {:msg " Loop invariant 0 <= at && at < k might not hold on entry. Assertion at < k might not hold. (max-array-standard.vpr@31.17--31.34) [167]"} + at < k; + if (*) { + if (0 <= j$5 && j$5 < k) { + assert {:msg " Loop invariant (forall j$5: Int :: { loc(a, j$5) } 0 <= j$5 && j$5 < k ==> loc(a, j$5).val <= loc(a, at).val) might not hold on entry. Assertion loc(a, j$5).val <= loc(a, at).val might not hold. (max-array-standard.vpr@32.17--32.33) [168]"} + Heap[(loc(a_3, j$5): Ref), val] <= Heap[(loc(a_3, at): Ref), val]; + } + assume false; + } + assume (forall j$5_1_1: int :: + { (loc(a_3, j$5_1_1): Ref) } + 0 <= j$5_1_1 && j$5_1_1 < k ==> Heap[(loc(a_3, j$5_1_1): Ref), val] <= Heap[(loc(a_3, at): Ref), val] + ); + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + + // -- Havoc loop written variables (except locals) + havoc k, at; + + // -- Check definedness of invariant + if (*) { + assume 1 <= k; + assume k <= (len(a_3): int); + assume state(Heap, Mask); + + // -- Check definedness of (forall j$3: Int :: { loc(a, j$3) } 0 <= j$3 && j$3 < len(a) ==> acc(loc(a, j$3).val, write)) + if (*) { + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource loc(a, j$3).val might not be injective. (max-array-standard.vpr@30.17--30.42) [169]"} + (forall j$3_2: int, j$3_2_1: int :: + + (((j$3_2 != j$3_2_1 && (0 <= j$3_2 && j$3_2 < (len(a_3): int))) && (0 <= j$3_2_1 && j$3_2_1 < (len(a_3): int))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, j$3_2): Ref) != (loc(a_3, j$3_2_1): Ref) + ); + + // -- Define Inverse Function + assume (forall j$3_2: int :: + { (loc(a_3, j$3_2): Ref) } { (loc(a_3, j$3_2): Ref) } + (0 <= j$3_2 && j$3_2 < (len(a_3): int)) && NoPerm < FullPerm ==> qpRange5((loc(a_3, j$3_2): Ref)) && invRecv5((loc(a_3, j$3_2): Ref)) == j$3_2 + ); + assume (forall o_3: Ref :: + { invRecv5(o_3) } + ((0 <= invRecv5(o_3) && invRecv5(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange5(o_3) ==> (loc(a_3, invRecv5(o_3)): Ref) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall j$3_2: int :: + { (loc(a_3, j$3_2): Ref) } { (loc(a_3, j$3_2): Ref) } + 0 <= j$3_2 && j$3_2 < (len(a_3): int) ==> (loc(a_3, j$3_2): Ref) != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + (((0 <= invRecv5(o_3) && invRecv5(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange5(o_3) ==> (NoPerm < FullPerm ==> (loc(a_3, invRecv5(o_3)): Ref) == o_3) && QPMask[o_3, val] == Mask[o_3, val] + FullPerm) && (!(((0 <= invRecv5(o_3) && invRecv5(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange5(o_3)) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + + // -- Check definedness of (forall j$4: Int :: { loc(a, j$4) } 0 <= j$4 && j$4 < len(a) ==> loc(a, j$4).val == old(loc(a, j$4).val)) + if (*) { + if (0 <= j$4_1 && j$4_1 < (len(a_3): int)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access loc(a, j$4).val (max-array-standard.vpr@30.17--30.42) [170]"} + HasDirectPerm(Mask, (loc(a_3, j$4_1): Ref), val); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access loc(a, j$4).val (max-array-standard.vpr@30.17--30.42) [171]"} + HasDirectPerm(old(Mask), (loc(a_3, j$4_1): Ref), val); + } + assume false; + } + assume (forall j$4_3: int :: + { (loc(a_3, j$4_3): Ref) } + 0 <= j$4_3 && j$4_3 < (len(a_3): int) ==> Heap[(loc(a_3, j$4_3): Ref), val] == old(Heap)[(loc(a_3, j$4_3): Ref), val] + ); + assume state(Heap, Mask); + assume 0 <= at; + assume at < k; + assume state(Heap, Mask); + + // -- Check definedness of (forall j$5: Int :: { loc(a, j$5) } 0 <= j$5 && j$5 < k ==> loc(a, j$5).val <= loc(a, at).val) + if (*) { + if (0 <= j$5_1 && j$5_1 < k) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access loc(a, j$5).val (max-array-standard.vpr@32.17--32.33) [172]"} + HasDirectPerm(Mask, (loc(a_3, j$5_1): Ref), val); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access loc(a, at).val (max-array-standard.vpr@32.17--32.33) [173]"} + HasDirectPerm(Mask, (loc(a_3, at): Ref), val); + } + assume false; + } + assume (forall j$5_3: int :: + { (loc(a_3, j$5_3): Ref) } + 0 <= j$5_3 && j$5_3 < k ==> Heap[(loc(a_3, j$5_3): Ref), val] <= Heap[(loc(a_3, at): Ref), val] + ); + assume state(Heap, Mask); + assume false; + } + + // -- Check the loop body + if (*) { + // Reset state + loopHeap := Heap; + loopMask := Mask; + Mask := ZeroMask; + assume state(Heap, Mask); + // Inhale invariant + assume 1 <= k; + assume k <= (len(a_3): int); + havoc QPMask; + assert {:msg " While statement might fail. Quantified resource loc(a, j$3).val might not be injective. (max-array-standard.vpr@30.17--30.42) [174]"} + (forall j$3_3: int, j$3_3_1: int :: + + (((j$3_3 != j$3_3_1 && (0 <= j$3_3 && j$3_3 < (len(a_3): int))) && (0 <= j$3_3_1 && j$3_3_1 < (len(a_3): int))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, j$3_3): Ref) != (loc(a_3, j$3_3_1): Ref) + ); + + // -- Define Inverse Function + assume (forall j$3_3: int :: + { (loc(a_3, j$3_3): Ref) } { (loc(a_3, j$3_3): Ref) } + (0 <= j$3_3 && j$3_3 < (len(a_3): int)) && NoPerm < FullPerm ==> qpRange6((loc(a_3, j$3_3): Ref)) && invRecv6((loc(a_3, j$3_3): Ref)) == j$3_3 + ); + assume (forall o_3: Ref :: + { invRecv6(o_3) } + ((0 <= invRecv6(o_3) && invRecv6(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange6(o_3) ==> (loc(a_3, invRecv6(o_3)): Ref) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall j$3_3: int :: + { (loc(a_3, j$3_3): Ref) } { (loc(a_3, j$3_3): Ref) } + 0 <= j$3_3 && j$3_3 < (len(a_3): int) ==> (loc(a_3, j$3_3): Ref) != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + (((0 <= invRecv6(o_3) && invRecv6(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange6(o_3) ==> (NoPerm < FullPerm ==> (loc(a_3, invRecv6(o_3)): Ref) == o_3) && QPMask[o_3, val] == Mask[o_3, val] + FullPerm) && (!(((0 <= invRecv6(o_3) && invRecv6(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange6(o_3)) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume (forall j$4_4: int :: + { (loc(a_3, j$4_4): Ref) } + 0 <= j$4_4 && j$4_4 < (len(a_3): int) ==> Heap[(loc(a_3, j$4_4): Ref), val] == old(Heap)[(loc(a_3, j$4_4): Ref), val] + ); + assume 0 <= at; + assume at < k; + assume (forall j$5_4: int :: + { (loc(a_3, j$5_4): Ref) } + 0 <= j$5_4 && j$5_4 < k ==> Heap[(loc(a_3, j$5_4): Ref), val] <= Heap[(loc(a_3, at): Ref), val] + ); + assume state(Heap, Mask); + // Check and assume guard + assume k < (len(a_3): int); + assume state(Heap, Mask); + + // -- Translate loop body + + // -- Translating statement: if (loc(a, at).val < loc(a, k).val) -- max-array-standard.vpr@34.7--36.8 + + // -- Check definedness of loc(a, at).val < loc(a, k).val + assert {:msg " Conditional statement might fail. There might be insufficient permission to access loc(a, at).val (max-array-standard.vpr@34.11--34.41) [175]"} + HasDirectPerm(Mask, (loc(a_3, at): Ref), val); + assert {:msg " Conditional statement might fail. There might be insufficient permission to access loc(a, k).val (max-array-standard.vpr@34.11--34.41) [176]"} + HasDirectPerm(Mask, (loc(a_3, k): Ref), val); + if (Heap[(loc(a_3, at): Ref), val] < Heap[(loc(a_3, k): Ref), val]) { + + // -- Translating statement: at := k -- max-array-standard.vpr@35.9--35.16 + at := k; + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Translating statement: k := k + 1 -- max-array-standard.vpr@38.7--38.17 + k := k + 1; + assume state(Heap, Mask); + // Exhale invariant + assert {:msg " Loop invariant 1 <= k && k <= len(a) might not be preserved. Assertion 1 <= k might not hold. (max-array-standard.vpr@29.17--29.38) [177]"} + 1 <= k; + assert {:msg " Loop invariant 1 <= k && k <= len(a) might not be preserved. Assertion k <= len(a) might not hold. (max-array-standard.vpr@29.17--29.38) [178]"} + k <= (len(a_3): int); + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver loc(a, j$3) is injective + assert {:msg " Loop invariant (forall j$3: Int :: { loc(a, j$3) } 0 <= j$3 && j$3 < len(a) ==> acc(loc(a, j$3).val, write)) && (forall j$4: Int :: { loc(a, j$4) } 0 <= j$4 && j$4 < len(a) ==> loc(a, j$4).val == old(loc(a, j$4).val)) might not be preserved. Quantified resource loc(a, j$3).val might not be injective. (max-array-standard.vpr@30.17--30.42) [179]"} + (forall j$3_4: int, j$3_4_1: int :: + { neverTriggered7(j$3_4), neverTriggered7(j$3_4_1) } + (((j$3_4 != j$3_4_1 && (0 <= j$3_4 && j$3_4 < (len(a_3): int))) && (0 <= j$3_4_1 && j$3_4_1 < (len(a_3): int))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, j$3_4): Ref) != (loc(a_3, j$3_4_1): Ref) + ); + + // -- check if sufficient permission is held + assert {:msg " Loop invariant (forall j$3: Int :: { loc(a, j$3) } 0 <= j$3 && j$3 < len(a) ==> acc(loc(a, j$3).val, write)) && (forall j$4: Int :: { loc(a, j$4) } 0 <= j$4 && j$4 < len(a) ==> loc(a, j$4).val == old(loc(a, j$4).val)) might not be preserved. There might be insufficient permission to access loc(a, j$3).val (max-array-standard.vpr@30.17--30.42) [180]"} + (forall j$3_4: int :: + { (loc(a_3, j$3_4): Ref) } { (loc(a_3, j$3_4): Ref) } + 0 <= j$3_4 && j$3_4 < (len(a_3): int) ==> Mask[(loc(a_3, j$3_4): Ref), val] >= FullPerm + ); + + // -- assumptions for inverse of receiver loc(a, j$3) + assume (forall j$3_4: int :: + { (loc(a_3, j$3_4): Ref) } { (loc(a_3, j$3_4): Ref) } + (0 <= j$3_4 && j$3_4 < (len(a_3): int)) && NoPerm < FullPerm ==> qpRange7((loc(a_3, j$3_4): Ref)) && invRecv7((loc(a_3, j$3_4): Ref)) == j$3_4 + ); + assume (forall o_3: Ref :: + { invRecv7(o_3) } + (0 <= invRecv7(o_3) && invRecv7(o_3) < (len(a_3): int)) && (NoPerm < FullPerm && qpRange7(o_3)) ==> (loc(a_3, invRecv7(o_3)): Ref) == o_3 + ); + + // -- assume permission updates for field val + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + ((0 <= invRecv7(o_3) && invRecv7(o_3) < (len(a_3): int)) && (NoPerm < FullPerm && qpRange7(o_3)) ==> (loc(a_3, invRecv7(o_3)): Ref) == o_3 && QPMask[o_3, val] == Mask[o_3, val] - FullPerm) && (!((0 <= invRecv7(o_3) && invRecv7(o_3) < (len(a_3): int)) && (NoPerm < FullPerm && qpRange7(o_3))) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + if (*) { + if (0 <= j$4_5 && j$4_5 < (len(a_3): int)) { + assert {:msg " Loop invariant (forall j$3: Int :: { loc(a, j$3) } 0 <= j$3 && j$3 < len(a) ==> acc(loc(a, j$3).val, write)) && (forall j$4: Int :: { loc(a, j$4) } 0 <= j$4 && j$4 < len(a) ==> loc(a, j$4).val == old(loc(a, j$4).val)) might not be preserved. Assertion loc(a, j$4).val == old(loc(a, j$4).val) might not hold. (max-array-standard.vpr@30.17--30.42) [181]"} + Heap[(loc(a_3, j$4_5): Ref), val] == old(Heap)[(loc(a_3, j$4_5): Ref), val]; + } + assume false; + } + assume (forall j$4_6_1: int :: + { (loc(a_3, j$4_6_1): Ref) } + 0 <= j$4_6_1 && j$4_6_1 < (len(a_3): int) ==> Heap[(loc(a_3, j$4_6_1): Ref), val] == old(Heap)[(loc(a_3, j$4_6_1): Ref), val] + ); + assert {:msg " Loop invariant 0 <= at && at < k might not be preserved. Assertion 0 <= at might not hold. (max-array-standard.vpr@31.17--31.34) [182]"} + 0 <= at; + assert {:msg " Loop invariant 0 <= at && at < k might not be preserved. Assertion at < k might not hold. (max-array-standard.vpr@31.17--31.34) [183]"} + at < k; + if (*) { + if (0 <= j$5_5 && j$5_5 < k) { + assert {:msg " Loop invariant (forall j$5: Int :: { loc(a, j$5) } 0 <= j$5 && j$5 < k ==> loc(a, j$5).val <= loc(a, at).val) might not be preserved. Assertion loc(a, j$5).val <= loc(a, at).val might not hold. (max-array-standard.vpr@32.17--32.33) [184]"} + Heap[(loc(a_3, j$5_5): Ref), val] <= Heap[(loc(a_3, at): Ref), val]; + } + assume false; + } + assume (forall j$5_6_1: int :: + { (loc(a_3, j$5_6_1): Ref) } + 0 <= j$5_6_1 && j$5_6_1 < k ==> Heap[(loc(a_3, j$5_6_1): Ref), val] <= Heap[(loc(a_3, at): Ref), val] + ); + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Terminate execution + assume false; + } + + // -- Inhale loop invariant after loop, and assume guard + assume !(k < (len(a_3): int)); + assume state(Heap, Mask); + assume 1 <= k; + assume k <= (len(a_3): int); + havoc QPMask; + assert {:msg " While statement might fail. Quantified resource loc(a, j$3).val might not be injective. (max-array-standard.vpr@30.17--30.42) [185]"} + (forall j$3_5: int, j$3_5_1: int :: + + (((j$3_5 != j$3_5_1 && (0 <= j$3_5 && j$3_5 < (len(a_3): int))) && (0 <= j$3_5_1 && j$3_5_1 < (len(a_3): int))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, j$3_5): Ref) != (loc(a_3, j$3_5_1): Ref) + ); + + // -- Define Inverse Function + assume (forall j$3_5: int :: + { (loc(a_3, j$3_5): Ref) } { (loc(a_3, j$3_5): Ref) } + (0 <= j$3_5 && j$3_5 < (len(a_3): int)) && NoPerm < FullPerm ==> qpRange8((loc(a_3, j$3_5): Ref)) && invRecv8((loc(a_3, j$3_5): Ref)) == j$3_5 + ); + assume (forall o_3: Ref :: + { invRecv8(o_3) } + ((0 <= invRecv8(o_3) && invRecv8(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange8(o_3) ==> (loc(a_3, invRecv8(o_3)): Ref) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall j$3_5: int :: + { (loc(a_3, j$3_5): Ref) } { (loc(a_3, j$3_5): Ref) } + 0 <= j$3_5 && j$3_5 < (len(a_3): int) ==> (loc(a_3, j$3_5): Ref) != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + (((0 <= invRecv8(o_3) && invRecv8(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange8(o_3) ==> (NoPerm < FullPerm ==> (loc(a_3, invRecv8(o_3)): Ref) == o_3) && QPMask[o_3, val] == Mask[o_3, val] + FullPerm) && (!(((0 <= invRecv8(o_3) && invRecv8(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange8(o_3)) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume (forall j$4_7: int :: + { (loc(a_3, j$4_7): Ref) } + 0 <= j$4_7 && j$4_7 < (len(a_3): int) ==> Heap[(loc(a_3, j$4_7): Ref), val] == old(Heap)[(loc(a_3, j$4_7): Ref), val] + ); + assume 0 <= at; + assume at < k; + assume (forall j$5_7: int :: + { (loc(a_3, j$5_7): Ref) } + 0 <= j$5_7 && j$5_7 < k ==> Heap[(loc(a_3, j$5_7): Ref), val] <= Heap[(loc(a_3, at): Ref), val] + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Exhaling postcondition + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver loc(a, j$0) is injective + assert {:msg " Contract might not be well-formed. Quantified resource loc(a, j$0).val might not be injective. (max-array-standard.vpr@19.12--19.21) [186]"} + (forall j$0_2: int, j$0_2_1: int :: + { neverTriggered3(j$0_2), neverTriggered3(j$0_2_1) } + (((j$0_2 != j$0_2_1 && (0 <= j$0_2 && j$0_2 < (len(a_3): int))) && (0 <= j$0_2_1 && j$0_2_1 < (len(a_3): int))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, j$0_2): Ref) != (loc(a_3, j$0_2_1): Ref) + ); + + // -- check if sufficient permission is held + assert {:msg " Postcondition of max might not hold. There might be insufficient permission to access loc(a, j$0).val (max-array-standard.vpr@19.12--19.37) [187]"} + (forall j$0_2: int :: + { (loc(a_3, j$0_2): Ref) } { (loc(a_3, j$0_2): Ref) } + 0 <= j$0_2 && j$0_2 < (len(a_3): int) ==> Mask[(loc(a_3, j$0_2): Ref), val] >= FullPerm + ); + + // -- assumptions for inverse of receiver loc(a, j$0) + assume (forall j$0_2: int :: + { (loc(a_3, j$0_2): Ref) } { (loc(a_3, j$0_2): Ref) } + (0 <= j$0_2 && j$0_2 < (len(a_3): int)) && NoPerm < FullPerm ==> qpRange3((loc(a_3, j$0_2): Ref)) && invRecv3((loc(a_3, j$0_2): Ref)) == j$0_2 + ); + assume (forall o_3: Ref :: + { invRecv3(o_3) } + (0 <= invRecv3(o_3) && invRecv3(o_3) < (len(a_3): int)) && (NoPerm < FullPerm && qpRange3(o_3)) ==> (loc(a_3, invRecv3(o_3)): Ref) == o_3 + ); + + // -- assume permission updates for field val + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + ((0 <= invRecv3(o_3) && invRecv3(o_3) < (len(a_3): int)) && (NoPerm < FullPerm && qpRange3(o_3)) ==> (loc(a_3, invRecv3(o_3)): Ref) == o_3 && QPMask[o_3, val] == Mask[o_3, val] - FullPerm) && (!((0 <= invRecv3(o_3) && invRecv3(o_3) < (len(a_3): int)) && (NoPerm < FullPerm && qpRange3(o_3))) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + if (*) { + if (0 <= j$1_2 && j$1_2 < (len(a_3): int)) { + assert {:msg " Postcondition of max might not hold. Assertion loc(a, j$1).val == old(loc(a, j$1).val) might not hold. (max-array-standard.vpr@19.12--19.37) [188]"} + Heap[(loc(a_3, j$1_2): Ref), val] == old(Heap)[(loc(a_3, j$1_2): Ref), val]; + } + assume false; + } + assume (forall j$1_3_1: int :: + { (loc(a_3, j$1_3_1): Ref) } + 0 <= j$1_3_1 && j$1_3_1 < (len(a_3): int) ==> Heap[(loc(a_3, j$1_3_1): Ref), val] == old(Heap)[(loc(a_3, j$1_3_1): Ref), val] + ); + if ((len(a_3): int) == 0) { + assert {:msg " Postcondition of max might not hold. Assertion at == -1 might not hold. (max-array-standard.vpr@20.12--20.61) [189]"} + at == -1; + } else { + assert {:msg " Postcondition of max might not hold. Assertion 0 <= at might not hold. (max-array-standard.vpr@20.12--20.61) [190]"} + 0 <= at; + assert {:msg " Postcondition of max might not hold. Assertion at < len(a) might not hold. (max-array-standard.vpr@20.12--20.61) [191]"} + at < (len(a_3): int); + } + if (*) { + if (0 <= j$2_2 && j$2_2 < (len(a_3): int)) { + assert {:msg " Postcondition of max might not hold. Assertion loc(a, j$2).val <= loc(a, at).val might not hold. (max-array-standard.vpr@21.12--21.33) [192]"} + Heap[(loc(a_3, j$2_2): Ref), val] <= Heap[(loc(a_3, at): Ref), val]; + } + assume false; + } + assume (forall j$2_3_1: int :: + { (loc(a_3, j$2_3_1): Ref) } + 0 <= j$2_3_1 && j$2_3_1 < (len(a_3): int) ==> Heap[(loc(a_3, j$2_3_1): Ref), val] <= Heap[(loc(a_3, at): Ref), val] + ); + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; +} + +// ================================================== +// Translation of method client +// ================================================== + +procedure client() returns () + modifies Heap, Mask; +{ + var a_3: IArrayDomainType; + var QPMask: MaskType; + var i_2: int; + var PreCallHeap: HeapType; + var PreCallMask: MaskType; + var x: int; + var ExhaleHeap: HeapType; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Translating statement: inhale len(a) == 3 -- max-array-standard.vpr@45.3--45.21 + assume (len(a_3): int) == 3; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall j: Int :: + // { loc(a, j) } + // 0 <= j && j < len(a) ==> acc(loc(a, j).val, write)) -- max-array-standard.vpr@46.3--46.19 + + // -- Check definedness of (forall j: Int :: { loc(a, j) } 0 <= j && j < len(a) ==> acc(loc(a, j).val, write)) + if (*) { + assume false; + } + havoc QPMask; + assert {:msg " Inhale might fail. Quantified resource loc(a, j).val might not be injective. (max-array-standard.vpr@46.10--46.19) [193]"} + (forall j_1: int, j_1_1: int :: + + (((j_1 != j_1_1 && (0 <= j_1 && j_1 < (len(a_3): int))) && (0 <= j_1_1 && j_1_1 < (len(a_3): int))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, j_1): Ref) != (loc(a_3, j_1_1): Ref) + ); + + // -- Define Inverse Function + assume (forall j_1: int :: + { (loc(a_3, j_1): Ref) } { (loc(a_3, j_1): Ref) } + (0 <= j_1 && j_1 < (len(a_3): int)) && NoPerm < FullPerm ==> qpRange9((loc(a_3, j_1): Ref)) && invRecv9((loc(a_3, j_1): Ref)) == j_1 + ); + assume (forall o_3: Ref :: + { invRecv9(o_3) } + ((0 <= invRecv9(o_3) && invRecv9(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange9(o_3) ==> (loc(a_3, invRecv9(o_3)): Ref) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall j_1: int :: + { (loc(a_3, j_1): Ref) } { (loc(a_3, j_1): Ref) } + 0 <= j_1 && j_1 < (len(a_3): int) ==> (loc(a_3, j_1): Ref) != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + (((0 <= invRecv9(o_3) && invRecv9(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange9(o_3) ==> (NoPerm < FullPerm ==> (loc(a_3, invRecv9(o_3)): Ref) == o_3) && QPMask[o_3, val] == Mask[o_3, val] + FullPerm) && (!(((0 <= invRecv9(o_3) && invRecv9(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange9(o_3)) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall i: Int :: + // { loc(a, i) } + // 0 <= i && i < len(a) ==> loc(a, i).val == i) -- max-array-standard.vpr@47.3--47.70 + + // -- Check definedness of (forall i: Int :: { loc(a, i) } 0 <= i && i < len(a) ==> loc(a, i).val == i) + if (*) { + if (0 <= i_2 && i_2 < (len(a_3): int)) { + assert {:msg " Inhale might fail. There might be insufficient permission to access loc(a, i).val (max-array-standard.vpr@47.10--47.70) [194]"} + HasDirectPerm(Mask, (loc(a_3, i_2): Ref), val); + } + assume false; + } + assume (forall i_1_1: int :: + { (loc(a_3, i_1_1): Ref) } + 0 <= i_1_1 && i_1_1 < (len(a_3): int) ==> Heap[(loc(a_3, i_1_1): Ref), val] == i_1_1 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: x := max(a) -- max-array-standard.vpr@50.3--50.14 + PreCallHeap := Heap; + PreCallMask := Mask; + havoc x; + + // -- Exhaling precondition + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver loc(a, j) is injective + assert {:msg " The precondition of method max might not hold. Quantified resource loc(a, j).val might not be injective. (max-array-standard.vpr@50.3--50.14) [195]"} + (forall j_2: int, j_2_1: int :: + { neverTriggered10(j_2), neverTriggered10(j_2_1) } + (((j_2 != j_2_1 && (0 <= j_2 && j_2 < (len(a_3): int))) && (0 <= j_2_1 && j_2_1 < (len(a_3): int))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, j_2): Ref) != (loc(a_3, j_2_1): Ref) + ); + + // -- check if sufficient permission is held + assert {:msg " The precondition of method max might not hold. There might be insufficient permission to access loc(a, j).val (max-array-standard.vpr@50.3--50.14) [196]"} + (forall j_2: int :: + { (loc(a_3, j_2): Ref) } { (loc(a_3, j_2): Ref) } + 0 <= j_2 && j_2 < (len(a_3): int) ==> Mask[(loc(a_3, j_2): Ref), val] >= FullPerm + ); + + // -- assumptions for inverse of receiver loc(a, j) + assume (forall j_2: int :: + { (loc(a_3, j_2): Ref) } { (loc(a_3, j_2): Ref) } + (0 <= j_2 && j_2 < (len(a_3): int)) && NoPerm < FullPerm ==> qpRange10((loc(a_3, j_2): Ref)) && invRecv10((loc(a_3, j_2): Ref)) == j_2 + ); + assume (forall o_3: Ref :: + { invRecv10(o_3) } + (0 <= invRecv10(o_3) && invRecv10(o_3) < (len(a_3): int)) && (NoPerm < FullPerm && qpRange10(o_3)) ==> (loc(a_3, invRecv10(o_3)): Ref) == o_3 + ); + + // -- assume permission updates for field val + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + ((0 <= invRecv10(o_3) && invRecv10(o_3) < (len(a_3): int)) && (NoPerm < FullPerm && qpRange10(o_3)) ==> (loc(a_3, invRecv10(o_3)): Ref) == o_3 && QPMask[o_3, val] == Mask[o_3, val] - FullPerm) && (!((0 <= invRecv10(o_3) && invRecv10(o_3) < (len(a_3): int)) && (NoPerm < FullPerm && qpRange10(o_3))) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + + // -- Inhaling postcondition + havoc QPMask; + assert {:msg " Method call might fail. Quantified resource loc(a, j$0).val might not be injective. (max-array-standard.vpr@50.3--50.14) [197]"} + (forall j$0: int, j$0_3: int :: + + (((j$0 != j$0_3 && (0 <= j$0 && j$0 < (len(a_3): int))) && (0 <= j$0_3 && j$0_3 < (len(a_3): int))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, j$0): Ref) != (loc(a_3, j$0_3): Ref) + ); + + // -- Define Inverse Function + assume (forall j$0: int :: + { (loc(a_3, j$0): Ref) } { (loc(a_3, j$0): Ref) } + (0 <= j$0 && j$0 < (len(a_3): int)) && NoPerm < FullPerm ==> qpRange11((loc(a_3, j$0): Ref)) && invRecv11((loc(a_3, j$0): Ref)) == j$0 + ); + assume (forall o_3: Ref :: + { invRecv11(o_3) } + ((0 <= invRecv11(o_3) && invRecv11(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange11(o_3) ==> (loc(a_3, invRecv11(o_3)): Ref) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall j$0: int :: + { (loc(a_3, j$0): Ref) } { (loc(a_3, j$0): Ref) } + 0 <= j$0 && j$0 < (len(a_3): int) ==> (loc(a_3, j$0): Ref) != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + (((0 <= invRecv11(o_3) && invRecv11(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange11(o_3) ==> (NoPerm < FullPerm ==> (loc(a_3, invRecv11(o_3)): Ref) == o_3) && QPMask[o_3, val] == Mask[o_3, val] + FullPerm) && (!(((0 <= invRecv11(o_3) && invRecv11(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange11(o_3)) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume (forall j$1_3: int :: + { (loc(a_3, j$1_3): Ref) } + 0 <= j$1_3 && j$1_3 < (len(a_3): int) ==> Heap[(loc(a_3, j$1_3): Ref), val] == old(PreCallHeap)[(loc(a_3, j$1_3): Ref), val] + ); + if ((len(a_3): int) == 0) { + assume x == -1; + } else { + assume 0 <= x; + assume x < (len(a_3): int); + } + assume (forall j$2_3: int :: + { (loc(a_3, j$2_3): Ref) } + 0 <= j$2_3 && j$2_3 < (len(a_3): int) ==> Heap[(loc(a_3, j$2_3): Ref), val] <= Heap[(loc(a_3, x): Ref), val] + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: assert loc(a, 0).val <= x -- max-array-standard.vpr@52.3--52.28 + + // -- Check definedness of loc(a, 0).val <= x + assert {:msg " Assert might fail. There might be insufficient permission to access loc(a, 0).val (max-array-standard.vpr@52.10--52.28) [198]"} + HasDirectPerm(Mask, (loc(a_3, 0): Ref), val); + assert {:msg " Assert might fail. Assertion loc(a, 0).val <= x might not hold. (max-array-standard.vpr@52.10--52.28) [199]"} + Heap[(loc(a_3, 0): Ref), val] <= x; + assume state(Heap, Mask); + + // -- Translating statement: assert x == loc(a, len(a) - 1).val -- max-array-standard.vpr@53.3--53.37 + + // -- Check definedness of x == loc(a, len(a) - 1).val + assert {:msg " Assert might fail. There might be insufficient permission to access loc(a, len(a) - 1).val (max-array-standard.vpr@53.10--53.37) [200]"} + HasDirectPerm(Mask, (loc(a_3, (len(a_3): int) - 1): Ref), val); + assert {:msg " Assert might fail. Assertion x == loc(a, len(a) - 1).val might not hold. (max-array-standard.vpr@53.10--53.37) [201]"} + x == Heap[(loc(a_3, (len(a_3): int) - 1): Ref), val]; + assume state(Heap, Mask); + + // -- Translating statement: assert x == 2 -- max-array-standard.vpr@54.3--54.16 + assert {:msg " Assert might fail. Assertion x == 2 might not hold. (max-array-standard.vpr@54.10--54.16) [202]"} + x == 2; + assume state(Heap, Mask); + + // -- Translating statement: assert loc(a, 1).val < x -- max-array-standard.vpr@55.3--55.27 + + // -- Check definedness of loc(a, 1).val < x + assert {:msg " Assert might fail. There might be insufficient permission to access loc(a, 1).val (max-array-standard.vpr@55.10--55.27) [203]"} + HasDirectPerm(Mask, (loc(a_3, 1): Ref), val); + assert {:msg " Assert might fail. Assertion loc(a, 1).val < x might not hold. (max-array-standard.vpr@55.10--55.27) [204]"} + Heap[(loc(a_3, 1): Ref), val] < x; + assume state(Heap, Mask); +} diff --git a/Test/monomorphize/viper/parallel-array-replace.bpl b/Test/monomorphize/viper/parallel-array-replace.bpl new file mode 100644 index 000000000..8168de272 --- /dev/null +++ b/Test/monomorphize/viper/parallel-array-replace.bpl @@ -0,0 +1,1158 @@ +// RUN: %parallel-boogie /monomorphize /noVerify "%s" > "%t" + +// ================================================== +// Preamble of State module. +// ================================================== + +function state(Heap: HeapType, Mask: MaskType): bool; + +// ================================================== +// Preamble of Heap module. +// ================================================== + +type Ref; +var Heap: HeapType; +const null: Ref; +type Field A B; +type NormalField; +type HeapType = [Ref, Field A B]B; +const unique $allocated: Field NormalField bool; +axiom (forall o: Ref, f: (Field NormalField Ref), Heap: HeapType :: + { Heap[o, f] } + Heap[o, $allocated] ==> Heap[Heap[o, f], $allocated] +); +function succHeap(Heap0: HeapType, Heap1: HeapType): bool; +function succHeapTrans(Heap0: HeapType, Heap1: HeapType): bool; +function IdenticalOnKnownLocations(Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType): bool; +function IsPredicateField(f_1: (Field A B)): bool; +function IsWandField(f_1: (Field A B)): bool; +function getPredicateId(f_1: (Field A B)): int; +// Frame all locations with direct permissions +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, o_1: Ref, f_2: (Field A B) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), ExhaleHeap[o_1, f_2] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, o_1, f_2) ==> Heap[o_1, f_2] == ExhaleHeap[o_1, f_2] +); +// Frame all predicate mask locations of predicates with direct permission +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsPredicateField(pm_f), ExhaleHeap[null, PredicateMaskField(pm_f)] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsPredicateField(pm_f) ==> Heap[null, PredicateMaskField(pm_f)] == ExhaleHeap[null, PredicateMaskField(pm_f)] +); +// Frame all locations with known folded permissions +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsPredicateField(pm_f) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsPredicateField(pm_f) ==> (forall o2: Ref, f_2: (Field A B) :: + { ExhaleHeap[o2, f_2] } + Heap[null, PredicateMaskField(pm_f)][o2, f_2] ==> Heap[o2, f_2] == ExhaleHeap[o2, f_2] + ) +); +// Frame all wand mask locations of wands with direct permission +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsWandField(pm_f), ExhaleHeap[null, WandMaskField(pm_f)] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsWandField(pm_f) ==> Heap[null, WandMaskField(pm_f)] == ExhaleHeap[null, WandMaskField(pm_f)] +); +// Frame all locations in the footprint of magic wands +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsWandField(pm_f) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsWandField(pm_f) ==> (forall o2: Ref, f_2: (Field A B) :: + { ExhaleHeap[o2, f_2] } + Heap[null, WandMaskField(pm_f)][o2, f_2] ==> Heap[o2, f_2] == ExhaleHeap[o2, f_2] + ) +); +// All previously-allocated references are still allocated +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, o_1: Ref :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), ExhaleHeap[o_1, $allocated] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> Heap[o_1, $allocated] ==> ExhaleHeap[o_1, $allocated] +); +// Updated Heaps are Successor Heaps +axiom (forall Heap: HeapType, o: Ref, f_3: (Field A B), v: B :: + { Heap[o, f_3:=v] } + succHeap(Heap, Heap[o, f_3:=v]) +); +// IdenticalOnKnownLocations Heaps are Successor Heaps +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> succHeap(Heap, ExhaleHeap) +); +// Successor Heaps are Transitive Successor Heaps +axiom (forall Heap0: HeapType, Heap1: HeapType :: + { succHeap(Heap0, Heap1) } + succHeap(Heap0, Heap1) ==> succHeapTrans(Heap0, Heap1) +); +// Transitivity of Transitive Successor Heaps +axiom (forall Heap0: HeapType, Heap1: HeapType, Heap2: HeapType :: + { succHeapTrans(Heap0, Heap1), succHeap(Heap1, Heap2) } + succHeapTrans(Heap0, Heap1) && succHeap(Heap1, Heap2) ==> succHeapTrans(Heap0, Heap2) +); + +// ================================================== +// Preamble of Permission module. +// ================================================== + +type Perm = real; +type MaskType = [Ref, Field A B]Perm; +var Mask: MaskType; +const ZeroMask: MaskType; +axiom (forall o_2: Ref, f_4: (Field A B) :: + { ZeroMask[o_2, f_4] } + ZeroMask[o_2, f_4] == NoPerm +); +type PMaskType = [Ref, Field A B]bool; +const ZeroPMask: PMaskType; +axiom (forall o_2: Ref, f_4: (Field A B) :: + { ZeroPMask[o_2, f_4] } + !ZeroPMask[o_2, f_4] +); +function PredicateMaskField(f_5: (Field A FrameType)): Field A PMaskType; +function WandMaskField(f_5: (Field A FrameType)): Field A PMaskType; +const NoPerm: Perm; +axiom NoPerm == 0.000000000; +const FullPerm: Perm; +axiom FullPerm == 1.000000000; +function Perm(a: real, b: real): Perm; +function GoodMask(Mask: MaskType): bool; +axiom (forall Heap: HeapType, Mask: MaskType :: + { state(Heap, Mask) } + state(Heap, Mask) ==> GoodMask(Mask) +); +axiom (forall Mask: MaskType, o_2: Ref, f_4: (Field A B) :: + { GoodMask(Mask), Mask[o_2, f_4] } + GoodMask(Mask) ==> Mask[o_2, f_4] >= NoPerm && ((GoodMask(Mask) && !IsPredicateField(f_4)) && !IsWandField(f_4) ==> Mask[o_2, f_4] <= FullPerm) +); +function HasDirectPerm(Mask: MaskType, o_2: Ref, f_4: (Field A B)): bool; +axiom (forall Mask: MaskType, o_2: Ref, f_4: (Field A B) :: + { HasDirectPerm(Mask, o_2, f_4) } + HasDirectPerm(Mask, o_2, f_4) <==> Mask[o_2, f_4] > NoPerm +); +function sumMask(ResultMask: MaskType, SummandMask1: MaskType, SummandMask2: MaskType): bool; +axiom (forall ResultMask: MaskType, SummandMask1: MaskType, SummandMask2: MaskType, o_2: Ref, f_4: (Field A B) :: + { sumMask(ResultMask, SummandMask1, SummandMask2), ResultMask[o_2, f_4] } { sumMask(ResultMask, SummandMask1, SummandMask2), SummandMask1[o_2, f_4] } { sumMask(ResultMask, SummandMask1, SummandMask2), SummandMask2[o_2, f_4] } + sumMask(ResultMask, SummandMask1, SummandMask2) ==> ResultMask[o_2, f_4] == SummandMask1[o_2, f_4] + SummandMask2[o_2, f_4] +); +// ================================================== +// Function for trigger used in checks which are never triggered +// ================================================== + +function neverTriggered1(i_3: int): bool; +function neverTriggered2(i_1: int): bool; +function neverTriggered3(i$0_1: int): bool; +function neverTriggered4(i$0_2: int): bool; +function neverTriggered5(i$2_1: int): bool; +function neverTriggered6(i$3_1: int): bool; +function neverTriggered7(i$4_1: int): bool; +function neverTriggered8(i$6_1: int): bool; +function neverTriggered9(i_1: int): bool; +function neverTriggered10(i_2: int): bool; +function neverTriggered11(i_3: int): bool; +function neverTriggered12(i$0: int): bool; +function neverTriggered13(i_4: int): bool; +// ================================================== +// Functions used as inverse of receiver expressions in quantified permissions during inhale and exhale +// ================================================== + +function invRecv1(recv: Ref): int; +function invRecv2(recv: Ref): int; +function invRecv3(recv: Ref): int; +function invRecv4(recv: Ref): int; +function invRecv5(recv: Ref): int; +function invRecv6(recv: Ref): int; +function invRecv7(recv: Ref): int; +function invRecv8(recv: Ref): int; +function invRecv9(recv: Ref): int; +function invRecv10(recv: Ref): int; +function invRecv11(recv: Ref): int; +function invRecv12(recv: Ref): int; +function invRecv13(recv: Ref): int; +// ================================================== +// Functions used to represent the range of the projection of each QP instance onto its receiver expressions for quantified permissions during inhale and exhale +// ================================================== + +function qpRange1(recv: Ref): bool; +function qpRange2(recv: Ref): bool; +function qpRange3(recv: Ref): bool; +function qpRange4(recv: Ref): bool; +function qpRange5(recv: Ref): bool; +function qpRange6(recv: Ref): bool; +function qpRange7(recv: Ref): bool; +function qpRange8(recv: Ref): bool; +function qpRange9(recv: Ref): bool; +function qpRange10(recv: Ref): bool; +function qpRange11(recv: Ref): bool; +function qpRange12(recv: Ref): bool; +function qpRange13(recv: Ref): bool; + +// ================================================== +// Preamble of Function and predicate module. +// ================================================== + +// Function heights (higher height means its body is available earlier): +// - height 0: Contains +const AssumeFunctionsAbove: int; +// Declarations for function framing +type FrameType; +const EmptyFrame: FrameType; +function FrameFragment(t: T): FrameType; +function ConditionalFrame(p: Perm, f_6: FrameType): FrameType; +function dummyFunction(t: T): bool; +function CombineFrames(a_1: FrameType, b_1: FrameType): FrameType; +// ================================================== +// Definition of conditional frame fragments +// ================================================== + +axiom (forall p: Perm, f_6: FrameType :: + { ConditionalFrame(p, f_6) } + ConditionalFrame(p, f_6) == (if p > 0.000000000 then f_6 else EmptyFrame) +); +// Function for recording enclosure of one predicate instance in another +function InsidePredicate(p: (Field A FrameType), v_1: FrameType, q: (Field B FrameType), w: FrameType): bool; +// Transitivity of InsidePredicate +axiom (forall p: (Field A FrameType), v_1: FrameType, q: (Field B FrameType), w: FrameType, r: (Field C FrameType), u: FrameType :: + { InsidePredicate(p, v_1, q, w), InsidePredicate(q, w, r, u) } + InsidePredicate(p, v_1, q, w) && InsidePredicate(q, w, r, u) ==> InsidePredicate(p, v_1, r, u) +); +// Knowledge that two identical instances of the same predicate cannot be inside each other +axiom (forall p: (Field A FrameType), v_1: FrameType, w: FrameType :: + { InsidePredicate(p, v_1, p, w) } + !InsidePredicate(p, v_1, p, w) +); + +// ================================================== +// Translation of domain Array +// ================================================== + +// The type for domain Array +type ArrayDomainType; + +// Translation of domain function loc +function loc(a_2: ArrayDomainType, i: int): Ref; + +// Translation of domain function len +function len(a_2: ArrayDomainType): int; + +// Translation of domain function first +function first(r_1: Ref): ArrayDomainType; + +// Translation of domain function second +function second(r_1: Ref): int; + +// Translation of domain axiom all_diff +axiom (forall a_3: ArrayDomainType, i_5: int :: + { (loc(a_3, i_5): Ref) } + (first((loc(a_3, i_5): Ref)): ArrayDomainType) == a_3 && (second((loc(a_3, i_5): Ref)): int) == i_5 +); + +// Translation of domain axiom length_nonneg +axiom (forall a_3: ArrayDomainType :: + { (len(a_3): int) } + (len(a_3): int) >= 0 +); + +// ================================================== +// Translation of all fields +// ================================================== + +const unique val: Field NormalField int; +axiom !IsPredicateField(val); +axiom !IsWandField(val); + +// ================================================== +// Translation of function Contains +// ================================================== + +// Uninterpreted function definitions +function Contains(Heap: HeapType, a_3: ArrayDomainType, v_2: int, before: int): bool; +function Contains'(Heap: HeapType, a_3: ArrayDomainType, v_2: int, before: int): bool; +axiom (forall Heap: HeapType, a_3: ArrayDomainType, v_2: int, before: int :: + { Contains(Heap, a_3, v_2, before) } + Contains(Heap, a_3, v_2, before) == Contains'(Heap, a_3, v_2, before) && dummyFunction(Contains#triggerStateless(a_3, v_2, before)) +); +axiom (forall Heap: HeapType, a_3: ArrayDomainType, v_2: int, before: int :: + { Contains'(Heap, a_3, v_2, before) } + dummyFunction(Contains#triggerStateless(a_3, v_2, before)) +); + +// Framing axioms +function Contains#frame(frame: FrameType, a_3: ArrayDomainType, v_2: int, before: int): bool; +axiom (forall Heap: HeapType, Mask: MaskType, a_3: ArrayDomainType, v_2: int, before: int :: + { state(Heap, Mask), Contains'(Heap, a_3, v_2, before) } + state(Heap, Mask) ==> Contains'(Heap, a_3, v_2, before) == Contains#frame(FrameFragment(Contains#condqp1(Heap, a_3, v_2, before)), a_3, v_2, before) +); +// ================================================== +// Function used for framing of quantified permission (forall i: Int :: { loc(a, i) } 0 <= i && i < before ==> acc(loc(a, i).val, write)) in function Contains +// ================================================== + +function Contains#condqp1(Heap: HeapType, a_1_1: ArrayDomainType, v_1_1: int, before_1_1: int): int; +axiom (forall Heap2Heap: HeapType, Heap1Heap: HeapType, a_3: ArrayDomainType, v_2: int, before: int :: + { Contains#condqp1(Heap2Heap, a_3, v_2, before), Contains#condqp1(Heap1Heap, a_3, v_2, before), succHeapTrans(Heap2Heap, Heap1Heap) } + (forall i_5: int :: + + ((0 <= i_5 && i_5 < before) && NoPerm < FullPerm <==> (0 <= i_5 && i_5 < before) && NoPerm < FullPerm) && ((0 <= i_5 && i_5 < before) && NoPerm < FullPerm ==> Heap2Heap[(loc(a_3, i_5): Ref), val] == Heap1Heap[(loc(a_3, i_5): Ref), val]) + ) ==> Contains#condqp1(Heap2Heap, a_3, v_2, before) == Contains#condqp1(Heap1Heap, a_3, v_2, before) +); + +// Trigger function (controlling recursive postconditions) +function Contains#trigger(frame: FrameType, a_3: ArrayDomainType, v_2: int, before: int): bool; + +// State-independent trigger function +function Contains#triggerStateless(a_3: ArrayDomainType, v_2: int, before: int): bool; + +// Check contract well-formedness and postcondition +procedure Contains#definedness(a_3: ArrayDomainType, v_2: int, before: int) returns (Result: bool) + modifies Heap, Mask; +{ + var QPMask: MaskType; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == 0; + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Inhaling precondition (with checking) + assume 0 <= before; + assume before <= (len(a_3): int); + assume state(Heap, Mask); + + // -- Check definedness of (forall i: Int :: { loc(a, i) } 0 <= i && i < before ==> acc(loc(a, i).val, write)) + if (*) { + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource loc(a, i).val might not be injective. (parallel-array-replace.vpr@54.12--54.72) [137]"} + (forall i_3: int, i_3_1: int :: + + (((i_3 != i_3_1 && (0 <= i_3 && i_3 < before)) && (0 <= i_3_1 && i_3_1 < before)) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, i_3): Ref) != (loc(a_3, i_3_1): Ref) + ); + + // -- Define Inverse Function + assume (forall i_3: int :: + { (loc(a_3, i_3): Ref) } { (loc(a_3, i_3): Ref) } + (0 <= i_3 && i_3 < before) && NoPerm < FullPerm ==> qpRange1((loc(a_3, i_3): Ref)) && invRecv1((loc(a_3, i_3): Ref)) == i_3 + ); + assume (forall o_3: Ref :: + { invRecv1(o_3) } + ((0 <= invRecv1(o_3) && invRecv1(o_3) < before) && NoPerm < FullPerm) && qpRange1(o_3) ==> (loc(a_3, invRecv1(o_3)): Ref) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall i_3: int :: + { (loc(a_3, i_3): Ref) } { (loc(a_3, i_3): Ref) } + 0 <= i_3 && i_3 < before ==> (loc(a_3, i_3): Ref) != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + (((0 <= invRecv1(o_3) && invRecv1(o_3) < before) && NoPerm < FullPerm) && qpRange1(o_3) ==> (NoPerm < FullPerm ==> (loc(a_3, invRecv1(o_3)): Ref) == o_3) && QPMask[o_3, val] == Mask[o_3, val] + FullPerm) && (!(((0 <= invRecv1(o_3) && invRecv1(o_3) < before) && NoPerm < FullPerm) && qpRange1(o_3)) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); +} + +// ================================================== +// Translation of method Replace +// ================================================== + +procedure Replace(a_3: ArrayDomainType, left: int, right: int, from: int, to: int) returns () + modifies Heap, Mask; +{ + var QPMask: MaskType; + var PostHeap: HeapType; + var PostMask: MaskType; + var i$1: int; + var mid: int; + var ExhaleHeap: HeapType; + var i$5: int; + var i$7: int; + var i$1_2: int; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == -1; + + // -- Checked inhaling of precondition + assume 0 <= left; + assume left < right; + assume right <= (len(a_3): int); + assume state(Heap, Mask); + + // -- Check definedness of (forall i: Int :: { loc(a, i) } left <= i && i < right ==> acc(loc(a, i).val, write)) + if (*) { + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource loc(a, i).val might not be injective. (parallel-array-replace.vpr@14.12--14.32) [138]"} + (forall i_1: int, i_1_1: int :: + + (((i_1 != i_1_1 && (left <= i_1 && i_1 < right)) && (left <= i_1_1 && i_1_1 < right)) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, i_1): Ref) != (loc(a_3, i_1_1): Ref) + ); + + // -- Define Inverse Function + assume (forall i_1: int :: + { (loc(a_3, i_1): Ref) } { (loc(a_3, i_1): Ref) } + (left <= i_1 && i_1 < right) && NoPerm < FullPerm ==> qpRange2((loc(a_3, i_1): Ref)) && invRecv2((loc(a_3, i_1): Ref)) == i_1 + ); + assume (forall o_3: Ref :: + { invRecv2(o_3) } + ((left <= invRecv2(o_3) && invRecv2(o_3) < right) && NoPerm < FullPerm) && qpRange2(o_3) ==> (loc(a_3, invRecv2(o_3)): Ref) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall i_1: int :: + { (loc(a_3, i_1): Ref) } { (loc(a_3, i_1): Ref) } + left <= i_1 && i_1 < right ==> (loc(a_3, i_1): Ref) != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + (((left <= invRecv2(o_3) && invRecv2(o_3) < right) && NoPerm < FullPerm) && qpRange2(o_3) ==> (NoPerm < FullPerm ==> (loc(a_3, invRecv2(o_3)): Ref) == o_3) && QPMask[o_3, val] == Mask[o_3, val] + FullPerm) && (!(((left <= invRecv2(o_3) && invRecv2(o_3) < right) && NoPerm < FullPerm) && qpRange2(o_3)) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + PostHeap := Heap; + PostMask := Mask; + havoc PostHeap; + PostMask := ZeroMask; + assume state(PostHeap, PostMask); + if (*) { + // Checked inhaling of postcondition to check definedness + + // -- Check definedness of (forall i$0: Int :: { loc(a, i$0) } left <= i$0 && i$0 < right ==> acc(loc(a, i$0).val, write)) + if (*) { + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource loc(a, i$0).val might not be injective. (parallel-array-replace.vpr@15.12--15.33) [139]"} + (forall i$0_1: int, i$0_1_1: int :: + + (((i$0_1 != i$0_1_1 && (left <= i$0_1 && i$0_1 < right)) && (left <= i$0_1_1 && i$0_1_1 < right)) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, i$0_1): Ref) != (loc(a_3, i$0_1_1): Ref) + ); + + // -- Define Inverse Function + assume (forall i$0_1: int :: + { (loc(a_3, i$0_1): Ref) } { (loc(a_3, i$0_1): Ref) } + (left <= i$0_1 && i$0_1 < right) && NoPerm < FullPerm ==> qpRange3((loc(a_3, i$0_1): Ref)) && invRecv3((loc(a_3, i$0_1): Ref)) == i$0_1 + ); + assume (forall o_3: Ref :: + { invRecv3(o_3) } + ((left <= invRecv3(o_3) && invRecv3(o_3) < right) && NoPerm < FullPerm) && qpRange3(o_3) ==> (loc(a_3, invRecv3(o_3)): Ref) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall i$0_1: int :: + { (loc(a_3, i$0_1): Ref) } { (loc(a_3, i$0_1): Ref) } + left <= i$0_1 && i$0_1 < right ==> (loc(a_3, i$0_1): Ref) != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + (((left <= invRecv3(o_3) && invRecv3(o_3) < right) && NoPerm < FullPerm) && qpRange3(o_3) ==> (NoPerm < FullPerm ==> (loc(a_3, invRecv3(o_3)): Ref) == o_3) && QPMask[o_3, val] == PostMask[o_3, val] + FullPerm) && (!(((left <= invRecv3(o_3) && invRecv3(o_3) < right) && NoPerm < FullPerm) && qpRange3(o_3)) ==> QPMask[o_3, val] == PostMask[o_3, val]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { PostMask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != val ==> PostMask[o_3, f_5] == QPMask[o_3, f_5] + ); + PostMask := QPMask; + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + + // -- Check definedness of (forall i$1: Int :: { loc(a, i$1) } left <= i$1 && i$1 < right ==> (old(loc(a, i$1).val == from) ? loc(a, i$1).val == to : loc(a, i$1).val == old(loc(a, i$1).val))) + if (*) { + if (left <= i$1 && i$1 < right) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access loc(a, i$1).val (parallel-array-replace.vpr@16.12--16.33) [140]"} + HasDirectPerm(old(Mask), (loc(a_3, i$1): Ref), val); + if (old(Heap)[(loc(a_3, i$1): Ref), val] == from) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access loc(a, i$1).val (parallel-array-replace.vpr@16.12--16.33) [141]"} + HasDirectPerm(PostMask, (loc(a_3, i$1): Ref), val); + } else { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access loc(a, i$1).val (parallel-array-replace.vpr@16.12--16.33) [142]"} + HasDirectPerm(PostMask, (loc(a_3, i$1): Ref), val); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access loc(a, i$1).val (parallel-array-replace.vpr@16.12--16.33) [143]"} + HasDirectPerm(old(Mask), (loc(a_3, i$1): Ref), val); + } + } + assume false; + } + assume (forall i$1_1: int :: + { (loc(a_3, i$1_1): Ref) } + left <= i$1_1 && i$1_1 < right ==> (if old(Heap)[(loc(a_3, i$1_1): Ref), val] == from then PostHeap[(loc(a_3, i$1_1): Ref), val] == to else PostHeap[(loc(a_3, i$1_1): Ref), val] == old(Heap)[(loc(a_3, i$1_1): Ref), val]) + ); + assume state(PostHeap, PostMask); + // Stop execution + assume false; + } + + // -- Translating statement: if (right - left <= 1) -- parallel-array-replace.vpr@18.3--40.4 + if (right - left <= 1) { + + // -- Translating statement: if (loc(a, left).val == from) -- parallel-array-replace.vpr@19.5--21.6 + + // -- Check definedness of loc(a, left).val == from + assert {:msg " Conditional statement might fail. There might be insufficient permission to access loc(a, left).val (parallel-array-replace.vpr@19.8--19.32) [144]"} + HasDirectPerm(Mask, (loc(a_3, left): Ref), val); + if (Heap[(loc(a_3, left): Ref), val] == from) { + + // -- Translating statement: loc(a, left).val := to -- parallel-array-replace.vpr@20.7--20.29 + assert {:msg " Assignment might fail. There might be insufficient permission to access loc(a, left).val (parallel-array-replace.vpr@20.7--20.29) [145]"} + FullPerm == Mask[(loc(a_3, left): Ref), val]; + Heap[(loc(a_3, left): Ref), val] := to; + assume state(Heap, Mask); + } + assume state(Heap, Mask); + } else { + + // -- Translating statement: mid := left + (right - left) / 2 -- parallel-array-replace.vpr@23.5--23.46 + mid := left + (right - left) div 2; + assume state(Heap, Mask); + + // -- Translating statement: exhale 0 <= left && (left < mid && mid <= len(a)) -- parallel-array-replace.vpr@26.5--26.30 + assert {:msg " Exhale might fail. Assertion 0 <= left might not hold. (parallel-array-replace.vpr@26.12--26.30) [146]"} + 0 <= left; + assert {:msg " Exhale might fail. Assertion left < mid might not hold. (parallel-array-replace.vpr@26.12--26.30) [147]"} + left < mid; + assert {:msg " Exhale might fail. Assertion mid <= len(a) might not hold. (parallel-array-replace.vpr@26.12--26.30) [148]"} + mid <= (len(a_3): int); + assume state(Heap, Mask); + + // -- Translating statement: exhale (forall i$2: Int :: + // { loc(a, i$2) } + // left <= i$2 && i$2 < mid ==> acc(loc(a, i$2).val, write)) -- parallel-array-replace.vpr@27.5--27.30 + + // -- Check definedness of (forall i$2: Int :: { loc(a, i$2) } left <= i$2 && i$2 < mid ==> acc(loc(a, i$2).val, write)) + if (*) { + assume false; + } + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver loc(a, i$2) is injective + assert {:msg " Exhale might fail. Quantified resource loc(a, i$2).val might not be injective. (parallel-array-replace.vpr@27.12--27.30) [150]"} + (forall i$2_1: int, i$2_1_1: int :: + { neverTriggered5(i$2_1), neverTriggered5(i$2_1_1) } + (((i$2_1 != i$2_1_1 && (left <= i$2_1 && i$2_1 < mid)) && (left <= i$2_1_1 && i$2_1_1 < mid)) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, i$2_1): Ref) != (loc(a_3, i$2_1_1): Ref) + ); + + // -- check if sufficient permission is held + assert {:msg " Exhale might fail. There might be insufficient permission to access loc(a, i$2).val (parallel-array-replace.vpr@27.12--27.30) [151]"} + (forall i$2_1: int :: + { (loc(a_3, i$2_1): Ref) } { (loc(a_3, i$2_1): Ref) } + left <= i$2_1 && i$2_1 < mid ==> Mask[(loc(a_3, i$2_1): Ref), val] >= FullPerm + ); + + // -- assumptions for inverse of receiver loc(a, i$2) + assume (forall i$2_1: int :: + { (loc(a_3, i$2_1): Ref) } { (loc(a_3, i$2_1): Ref) } + (left <= i$2_1 && i$2_1 < mid) && NoPerm < FullPerm ==> qpRange5((loc(a_3, i$2_1): Ref)) && invRecv5((loc(a_3, i$2_1): Ref)) == i$2_1 + ); + assume (forall o_3: Ref :: + { invRecv5(o_3) } + (left <= invRecv5(o_3) && invRecv5(o_3) < mid) && (NoPerm < FullPerm && qpRange5(o_3)) ==> (loc(a_3, invRecv5(o_3)): Ref) == o_3 + ); + + // -- assume permission updates for field val + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + ((left <= invRecv5(o_3) && invRecv5(o_3) < mid) && (NoPerm < FullPerm && qpRange5(o_3)) ==> (loc(a_3, invRecv5(o_3)): Ref) == o_3 && QPMask[o_3, val] == Mask[o_3, val] - FullPerm) && (!((left <= invRecv5(o_3) && invRecv5(o_3) < mid) && (NoPerm < FullPerm && qpRange5(o_3))) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + assume state(Heap, Mask); + + // -- Translating statement: exhale 0 <= mid && (mid < right && right <= len(a)) -- parallel-array-replace.vpr@30.5--30.31 + assert {:msg " Exhale might fail. Assertion 0 <= mid might not hold. (parallel-array-replace.vpr@30.12--30.31) [152]"} + 0 <= mid; + assert {:msg " Exhale might fail. Assertion mid < right might not hold. (parallel-array-replace.vpr@30.12--30.31) [153]"} + mid < right; + assert {:msg " Exhale might fail. Assertion right <= len(a) might not hold. (parallel-array-replace.vpr@30.12--30.31) [154]"} + right <= (len(a_3): int); + assume state(Heap, Mask); + + // -- Translating statement: exhale (forall i$3: Int :: + // { loc(a, i$3) } + // mid <= i$3 && i$3 < right ==> acc(loc(a, i$3).val, write)) -- parallel-array-replace.vpr@31.5--31.31 + + // -- Check definedness of (forall i$3: Int :: { loc(a, i$3) } mid <= i$3 && i$3 < right ==> acc(loc(a, i$3).val, write)) + if (*) { + assume false; + } + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver loc(a, i$3) is injective + assert {:msg " Exhale might fail. Quantified resource loc(a, i$3).val might not be injective. (parallel-array-replace.vpr@31.12--31.31) [156]"} + (forall i$3_1: int, i$3_1_1: int :: + { neverTriggered6(i$3_1), neverTriggered6(i$3_1_1) } + (((i$3_1 != i$3_1_1 && (mid <= i$3_1 && i$3_1 < right)) && (mid <= i$3_1_1 && i$3_1_1 < right)) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, i$3_1): Ref) != (loc(a_3, i$3_1_1): Ref) + ); + + // -- check if sufficient permission is held + assert {:msg " Exhale might fail. There might be insufficient permission to access loc(a, i$3).val (parallel-array-replace.vpr@31.12--31.31) [157]"} + (forall i$3_1: int :: + { (loc(a_3, i$3_1): Ref) } { (loc(a_3, i$3_1): Ref) } + mid <= i$3_1 && i$3_1 < right ==> Mask[(loc(a_3, i$3_1): Ref), val] >= FullPerm + ); + + // -- assumptions for inverse of receiver loc(a, i$3) + assume (forall i$3_1: int :: + { (loc(a_3, i$3_1): Ref) } { (loc(a_3, i$3_1): Ref) } + (mid <= i$3_1 && i$3_1 < right) && NoPerm < FullPerm ==> qpRange6((loc(a_3, i$3_1): Ref)) && invRecv6((loc(a_3, i$3_1): Ref)) == i$3_1 + ); + assume (forall o_3: Ref :: + { invRecv6(o_3) } + (mid <= invRecv6(o_3) && invRecv6(o_3) < right) && (NoPerm < FullPerm && qpRange6(o_3)) ==> (loc(a_3, invRecv6(o_3)): Ref) == o_3 + ); + + // -- assume permission updates for field val + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + ((mid <= invRecv6(o_3) && invRecv6(o_3) < right) && (NoPerm < FullPerm && qpRange6(o_3)) ==> (loc(a_3, invRecv6(o_3)): Ref) == o_3 && QPMask[o_3, val] == Mask[o_3, val] - FullPerm) && (!((mid <= invRecv6(o_3) && invRecv6(o_3) < right) && (NoPerm < FullPerm && qpRange6(o_3))) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall i$4: Int :: + // { loc(a, i$4) } + // left <= i$4 && i$4 < mid ==> acc(loc(a, i$4).val, write)) && + // true -- parallel-array-replace.vpr@34.5--34.31 + + // -- Check definedness of (forall i$4: Int :: { loc(a, i$4) } left <= i$4 && i$4 < mid ==> acc(loc(a, i$4).val, write)) + if (*) { + assume false; + } + havoc QPMask; + assert {:msg " Inhale might fail. Quantified resource loc(a, i$4).val might not be injective. (parallel-array-replace.vpr@34.12--34.31) [158]"} + (forall i$4_1: int, i$4_1_1: int :: + + (((i$4_1 != i$4_1_1 && (left <= i$4_1 && i$4_1 < mid)) && (left <= i$4_1_1 && i$4_1_1 < mid)) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, i$4_1): Ref) != (loc(a_3, i$4_1_1): Ref) + ); + + // -- Define Inverse Function + assume (forall i$4_1: int :: + { (loc(a_3, i$4_1): Ref) } { (loc(a_3, i$4_1): Ref) } + (left <= i$4_1 && i$4_1 < mid) && NoPerm < FullPerm ==> qpRange7((loc(a_3, i$4_1): Ref)) && invRecv7((loc(a_3, i$4_1): Ref)) == i$4_1 + ); + assume (forall o_3: Ref :: + { invRecv7(o_3) } + ((left <= invRecv7(o_3) && invRecv7(o_3) < mid) && NoPerm < FullPerm) && qpRange7(o_3) ==> (loc(a_3, invRecv7(o_3)): Ref) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall i$4_1: int :: + { (loc(a_3, i$4_1): Ref) } { (loc(a_3, i$4_1): Ref) } + left <= i$4_1 && i$4_1 < mid ==> (loc(a_3, i$4_1): Ref) != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + (((left <= invRecv7(o_3) && invRecv7(o_3) < mid) && NoPerm < FullPerm) && qpRange7(o_3) ==> (NoPerm < FullPerm ==> (loc(a_3, invRecv7(o_3)): Ref) == o_3) && QPMask[o_3, val] == Mask[o_3, val] + FullPerm) && (!(((left <= invRecv7(o_3) && invRecv7(o_3) < mid) && NoPerm < FullPerm) && qpRange7(o_3)) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall i$5: Int :: + // { loc(a, i$5) } + // left <= i$5 && i$5 < mid ==> + // (old(loc(a, i$5).val == from) ? + // loc(a, i$5).val == to : + // loc(a, i$5).val == old(loc(a, i$5).val))) -- parallel-array-replace.vpr@35.5--35.31 + + // -- Check definedness of (forall i$5: Int :: { loc(a, i$5) } left <= i$5 && i$5 < mid ==> (old(loc(a, i$5).val == from) ? loc(a, i$5).val == to : loc(a, i$5).val == old(loc(a, i$5).val))) + if (*) { + if (left <= i$5 && i$5 < mid) { + assert {:msg " Inhale might fail. There might be insufficient permission to access loc(a, i$5).val (parallel-array-replace.vpr@35.12--35.31) [159]"} + HasDirectPerm(old(Mask), (loc(a_3, i$5): Ref), val); + if (old(Heap)[(loc(a_3, i$5): Ref), val] == from) { + assert {:msg " Inhale might fail. There might be insufficient permission to access loc(a, i$5).val (parallel-array-replace.vpr@35.12--35.31) [160]"} + HasDirectPerm(Mask, (loc(a_3, i$5): Ref), val); + } else { + assert {:msg " Inhale might fail. There might be insufficient permission to access loc(a, i$5).val (parallel-array-replace.vpr@35.12--35.31) [161]"} + HasDirectPerm(Mask, (loc(a_3, i$5): Ref), val); + assert {:msg " Inhale might fail. There might be insufficient permission to access loc(a, i$5).val (parallel-array-replace.vpr@35.12--35.31) [162]"} + HasDirectPerm(old(Mask), (loc(a_3, i$5): Ref), val); + } + } + assume false; + } + assume (forall i$5_1: int :: + { (loc(a_3, i$5_1): Ref) } + left <= i$5_1 && i$5_1 < mid ==> (if old(Heap)[(loc(a_3, i$5_1): Ref), val] == from then Heap[(loc(a_3, i$5_1): Ref), val] == to else Heap[(loc(a_3, i$5_1): Ref), val] == old(Heap)[(loc(a_3, i$5_1): Ref), val]) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall i$6: Int :: + // { loc(a, i$6) } + // mid <= i$6 && i$6 < right ==> acc(loc(a, i$6).val, write)) && + // true -- parallel-array-replace.vpr@38.5--38.32 + + // -- Check definedness of (forall i$6: Int :: { loc(a, i$6) } mid <= i$6 && i$6 < right ==> acc(loc(a, i$6).val, write)) + if (*) { + assume false; + } + havoc QPMask; + assert {:msg " Inhale might fail. Quantified resource loc(a, i$6).val might not be injective. (parallel-array-replace.vpr@38.12--38.32) [163]"} + (forall i$6_1: int, i$6_1_1: int :: + + (((i$6_1 != i$6_1_1 && (mid <= i$6_1 && i$6_1 < right)) && (mid <= i$6_1_1 && i$6_1_1 < right)) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, i$6_1): Ref) != (loc(a_3, i$6_1_1): Ref) + ); + + // -- Define Inverse Function + assume (forall i$6_1: int :: + { (loc(a_3, i$6_1): Ref) } { (loc(a_3, i$6_1): Ref) } + (mid <= i$6_1 && i$6_1 < right) && NoPerm < FullPerm ==> qpRange8((loc(a_3, i$6_1): Ref)) && invRecv8((loc(a_3, i$6_1): Ref)) == i$6_1 + ); + assume (forall o_3: Ref :: + { invRecv8(o_3) } + ((mid <= invRecv8(o_3) && invRecv8(o_3) < right) && NoPerm < FullPerm) && qpRange8(o_3) ==> (loc(a_3, invRecv8(o_3)): Ref) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall i$6_1: int :: + { (loc(a_3, i$6_1): Ref) } { (loc(a_3, i$6_1): Ref) } + mid <= i$6_1 && i$6_1 < right ==> (loc(a_3, i$6_1): Ref) != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + (((mid <= invRecv8(o_3) && invRecv8(o_3) < right) && NoPerm < FullPerm) && qpRange8(o_3) ==> (NoPerm < FullPerm ==> (loc(a_3, invRecv8(o_3)): Ref) == o_3) && QPMask[o_3, val] == Mask[o_3, val] + FullPerm) && (!(((mid <= invRecv8(o_3) && invRecv8(o_3) < right) && NoPerm < FullPerm) && qpRange8(o_3)) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall i$7: Int :: + // { loc(a, i$7) } + // mid <= i$7 && i$7 < right ==> + // (old(loc(a, i$7).val == from) ? + // loc(a, i$7).val == to : + // loc(a, i$7).val == old(loc(a, i$7).val))) -- parallel-array-replace.vpr@39.5--39.32 + + // -- Check definedness of (forall i$7: Int :: { loc(a, i$7) } mid <= i$7 && i$7 < right ==> (old(loc(a, i$7).val == from) ? loc(a, i$7).val == to : loc(a, i$7).val == old(loc(a, i$7).val))) + if (*) { + if (mid <= i$7 && i$7 < right) { + assert {:msg " Inhale might fail. There might be insufficient permission to access loc(a, i$7).val (parallel-array-replace.vpr@39.12--39.32) [164]"} + HasDirectPerm(old(Mask), (loc(a_3, i$7): Ref), val); + if (old(Heap)[(loc(a_3, i$7): Ref), val] == from) { + assert {:msg " Inhale might fail. There might be insufficient permission to access loc(a, i$7).val (parallel-array-replace.vpr@39.12--39.32) [165]"} + HasDirectPerm(Mask, (loc(a_3, i$7): Ref), val); + } else { + assert {:msg " Inhale might fail. There might be insufficient permission to access loc(a, i$7).val (parallel-array-replace.vpr@39.12--39.32) [166]"} + HasDirectPerm(Mask, (loc(a_3, i$7): Ref), val); + assert {:msg " Inhale might fail. There might be insufficient permission to access loc(a, i$7).val (parallel-array-replace.vpr@39.12--39.32) [167]"} + HasDirectPerm(old(Mask), (loc(a_3, i$7): Ref), val); + } + } + assume false; + } + assume (forall i$7_1: int :: + { (loc(a_3, i$7_1): Ref) } + mid <= i$7_1 && i$7_1 < right ==> (if old(Heap)[(loc(a_3, i$7_1): Ref), val] == from then Heap[(loc(a_3, i$7_1): Ref), val] == to else Heap[(loc(a_3, i$7_1): Ref), val] == old(Heap)[(loc(a_3, i$7_1): Ref), val]) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Exhaling postcondition + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver loc(a, i$0) is injective + assert {:msg " Contract might not be well-formed. Quantified resource loc(a, i$0).val might not be injective. (parallel-array-replace.vpr@15.12--15.33) [168]"} + (forall i$0_2: int, i$0_2_1: int :: + { neverTriggered4(i$0_2), neverTriggered4(i$0_2_1) } + (((i$0_2 != i$0_2_1 && (left <= i$0_2 && i$0_2 < right)) && (left <= i$0_2_1 && i$0_2_1 < right)) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, i$0_2): Ref) != (loc(a_3, i$0_2_1): Ref) + ); + + // -- check if sufficient permission is held + assert {:msg " Postcondition of Replace might not hold. There might be insufficient permission to access loc(a, i$0).val (parallel-array-replace.vpr@15.12--15.33) [169]"} + (forall i$0_2: int :: + { (loc(a_3, i$0_2): Ref) } { (loc(a_3, i$0_2): Ref) } + left <= i$0_2 && i$0_2 < right ==> Mask[(loc(a_3, i$0_2): Ref), val] >= FullPerm + ); + + // -- assumptions for inverse of receiver loc(a, i$0) + assume (forall i$0_2: int :: + { (loc(a_3, i$0_2): Ref) } { (loc(a_3, i$0_2): Ref) } + (left <= i$0_2 && i$0_2 < right) && NoPerm < FullPerm ==> qpRange4((loc(a_3, i$0_2): Ref)) && invRecv4((loc(a_3, i$0_2): Ref)) == i$0_2 + ); + assume (forall o_3: Ref :: + { invRecv4(o_3) } + (left <= invRecv4(o_3) && invRecv4(o_3) < right) && (NoPerm < FullPerm && qpRange4(o_3)) ==> (loc(a_3, invRecv4(o_3)): Ref) == o_3 + ); + + // -- assume permission updates for field val + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + ((left <= invRecv4(o_3) && invRecv4(o_3) < right) && (NoPerm < FullPerm && qpRange4(o_3)) ==> (loc(a_3, invRecv4(o_3)): Ref) == o_3 && QPMask[o_3, val] == Mask[o_3, val] - FullPerm) && (!((left <= invRecv4(o_3) && invRecv4(o_3) < right) && (NoPerm < FullPerm && qpRange4(o_3))) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + if (*) { + if (left <= i$1_2 && i$1_2 < right) { + if (old(Heap)[(loc(a_3, i$1_2): Ref), val] == from) { + assert {:msg " Postcondition of Replace might not hold. Assertion loc(a, i$1).val == to might not hold. (parallel-array-replace.vpr@16.12--16.33) [170]"} + Heap[(loc(a_3, i$1_2): Ref), val] == to; + } else { + assert {:msg " Postcondition of Replace might not hold. Assertion loc(a, i$1).val == old(loc(a, i$1).val) might not hold. (parallel-array-replace.vpr@16.12--16.33) [171]"} + Heap[(loc(a_3, i$1_2): Ref), val] == old(Heap)[(loc(a_3, i$1_2): Ref), val]; + } + } + assume false; + } + assume (forall i$1_3_1: int :: + { (loc(a_3, i$1_3_1): Ref) } + left <= i$1_3_1 && i$1_3_1 < right ==> (if old(Heap)[(loc(a_3, i$1_3_1): Ref), val] == from then Heap[(loc(a_3, i$1_3_1): Ref), val] == to else Heap[(loc(a_3, i$1_3_1): Ref), val] == old(Heap)[(loc(a_3, i$1_3_1): Ref), val]) + ); + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; +} + +// ================================================== +// Translation of method Client +// ================================================== + +procedure Client(a_3: ArrayDomainType) returns () + modifies Heap, Mask; +{ + var QPMask: MaskType; + var ExhaleHeap: HeapType; + var PreCallHeap: HeapType; + var PreCallMask: MaskType; + var arg_right: int; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == -1; + + // -- Checked inhaling of precondition + assume 1 < (len(a_3): int); + assume state(Heap, Mask); + + // -- Check definedness of (forall i: Int :: { loc(a, i) } 0 <= i && i < len(a) ==> acc(loc(a, i).val, write)) + if (*) { + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource loc(a, i).val might not be injective. (parallel-array-replace.vpr@45.12--45.72) [172]"} + (forall i_1: int, i_1_1: int :: + + (((i_1 != i_1_1 && (0 <= i_1 && i_1 < (len(a_3): int))) && (0 <= i_1_1 && i_1_1 < (len(a_3): int))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, i_1): Ref) != (loc(a_3, i_1_1): Ref) + ); + + // -- Define Inverse Function + assume (forall i_1: int :: + { (loc(a_3, i_1): Ref) } { (loc(a_3, i_1): Ref) } + (0 <= i_1 && i_1 < (len(a_3): int)) && NoPerm < FullPerm ==> qpRange9((loc(a_3, i_1): Ref)) && invRecv9((loc(a_3, i_1): Ref)) == i_1 + ); + assume (forall o_3: Ref :: + { invRecv9(o_3) } + ((0 <= invRecv9(o_3) && invRecv9(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange9(o_3) ==> (loc(a_3, invRecv9(o_3)): Ref) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall i_1: int :: + { (loc(a_3, i_1): Ref) } { (loc(a_3, i_1): Ref) } + 0 <= i_1 && i_1 < (len(a_3): int) ==> (loc(a_3, i_1): Ref) != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + (((0 <= invRecv9(o_3) && invRecv9(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange9(o_3) ==> (NoPerm < FullPerm ==> (loc(a_3, invRecv9(o_3)): Ref) == o_3) && QPMask[o_3, val] == Mask[o_3, val] + FullPerm) && (!(((0 <= invRecv9(o_3) && invRecv9(o_3) < (len(a_3): int)) && NoPerm < FullPerm) && qpRange9(o_3)) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of Contains(a, 5, 1) + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function Contains might not hold. Assertion 1 <= len(a) might not hold. (parallel-array-replace.vpr@46.12--46.29) [173]"} + 1 <= (len(a_3): int); + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver loc(a, i) is injective + assert {:msg " Precondition of function Contains might not hold. Quantified resource loc(a, i).val might not be injective. (parallel-array-replace.vpr@46.12--46.29) [174]"} + (forall i_2: int, i_2_1: int :: + { neverTriggered10(i_2), neverTriggered10(i_2_1) } + (((i_2 != i_2_1 && (0 <= i_2 && i_2 < 1)) && (0 <= i_2_1 && i_2_1 < 1)) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, i_2): Ref) != (loc(a_3, i_2_1): Ref) + ); + + // -- check if sufficient permission is held + assert {:msg " Precondition of function Contains might not hold. There might be insufficient permission to access loc(a, i).val (parallel-array-replace.vpr@46.12--46.29) [175]"} + (forall i_2: int :: + { (loc(a_3, i_2): Ref) } { (loc(a_3, i_2): Ref) } + 0 <= i_2 && i_2 < 1 ==> Mask[(loc(a_3, i_2): Ref), val] >= FullPerm + ); + + // -- assumptions for inverse of receiver loc(a, i) + assume (forall i_2: int :: + { (loc(a_3, i_2): Ref) } { (loc(a_3, i_2): Ref) } + (0 <= i_2 && i_2 < 1) && NoPerm < FullPerm ==> qpRange10((loc(a_3, i_2): Ref)) && invRecv10((loc(a_3, i_2): Ref)) == i_2 + ); + assume (forall o_3: Ref :: + { invRecv10(o_3) } + (0 <= invRecv10(o_3) && invRecv10(o_3) < 1) && (NoPerm < FullPerm && qpRange10(o_3)) ==> (loc(a_3, invRecv10(o_3)): Ref) == o_3 + ); + + // -- assume permission updates for field val + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + ((0 <= invRecv10(o_3) && invRecv10(o_3) < 1) && (NoPerm < FullPerm && qpRange10(o_3)) ==> (loc(a_3, invRecv10(o_3)): Ref) == o_3 && QPMask[o_3, val] == Mask[o_3, val] - FullPerm) && (!((0 <= invRecv10(o_3) && invRecv10(o_3) < 1) && (NoPerm < FullPerm && qpRange10(o_3))) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } + assume Contains(Heap, a_3, 5, 1); + assume state(Heap, Mask); + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Translating statement: Replace(a, 1, len(a), 5, 7) -- parallel-array-replace.vpr@48.3--48.30 + PreCallHeap := Heap; + PreCallMask := Mask; + arg_right := (len(a_3): int); + + // -- Exhaling precondition + assert {:msg " The precondition of method Replace might not hold. Assertion 1 < len(a) might not hold. (parallel-array-replace.vpr@48.3--48.30) [176]"} + 1 < arg_right; + assert {:msg " The precondition of method Replace might not hold. Assertion len(a) <= len(a) might not hold. (parallel-array-replace.vpr@48.3--48.30) [177]"} + arg_right <= (len(a_3): int); + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver loc(a, i) is injective + assert {:msg " The precondition of method Replace might not hold. Quantified resource loc(a, i).val might not be injective. (parallel-array-replace.vpr@48.3--48.30) [178]"} + (forall i_3: int, i_3_1: int :: + { neverTriggered11(i_3), neverTriggered11(i_3_1) } + (((i_3 != i_3_1 && (1 <= i_3 && i_3 < arg_right)) && (1 <= i_3_1 && i_3_1 < arg_right)) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, i_3): Ref) != (loc(a_3, i_3_1): Ref) + ); + + // -- check if sufficient permission is held + assert {:msg " The precondition of method Replace might not hold. There might be insufficient permission to access loc(a, i).val (parallel-array-replace.vpr@48.3--48.30) [179]"} + (forall i_3: int :: + { (loc(a_3, i_3): Ref) } { (loc(a_3, i_3): Ref) } + 1 <= i_3 && i_3 < arg_right ==> Mask[(loc(a_3, i_3): Ref), val] >= FullPerm + ); + + // -- assumptions for inverse of receiver loc(a, i) + assume (forall i_3: int :: + { (loc(a_3, i_3): Ref) } { (loc(a_3, i_3): Ref) } + (1 <= i_3 && i_3 < arg_right) && NoPerm < FullPerm ==> qpRange11((loc(a_3, i_3): Ref)) && invRecv11((loc(a_3, i_3): Ref)) == i_3 + ); + assume (forall o_3: Ref :: + { invRecv11(o_3) } + (1 <= invRecv11(o_3) && invRecv11(o_3) < arg_right) && (NoPerm < FullPerm && qpRange11(o_3)) ==> (loc(a_3, invRecv11(o_3)): Ref) == o_3 + ); + + // -- assume permission updates for field val + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + ((1 <= invRecv11(o_3) && invRecv11(o_3) < arg_right) && (NoPerm < FullPerm && qpRange11(o_3)) ==> (loc(a_3, invRecv11(o_3)): Ref) == o_3 && QPMask[o_3, val] == Mask[o_3, val] - FullPerm) && (!((1 <= invRecv11(o_3) && invRecv11(o_3) < arg_right) && (NoPerm < FullPerm && qpRange11(o_3))) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + + // -- Inhaling postcondition + havoc QPMask; + assert {:msg " Method call might fail. Quantified resource loc(a, i$0).val might not be injective. (parallel-array-replace.vpr@48.3--48.30) [180]"} + (forall i$0: int, i$0_3: int :: + + (((i$0 != i$0_3 && (1 <= i$0 && i$0 < arg_right)) && (1 <= i$0_3 && i$0_3 < arg_right)) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, i$0): Ref) != (loc(a_3, i$0_3): Ref) + ); + + // -- Define Inverse Function + assume (forall i$0: int :: + { (loc(a_3, i$0): Ref) } { (loc(a_3, i$0): Ref) } + (1 <= i$0 && i$0 < arg_right) && NoPerm < FullPerm ==> qpRange12((loc(a_3, i$0): Ref)) && invRecv12((loc(a_3, i$0): Ref)) == i$0 + ); + assume (forall o_3: Ref :: + { invRecv12(o_3) } + ((1 <= invRecv12(o_3) && invRecv12(o_3) < arg_right) && NoPerm < FullPerm) && qpRange12(o_3) ==> (loc(a_3, invRecv12(o_3)): Ref) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall i$0: int :: + { (loc(a_3, i$0): Ref) } { (loc(a_3, i$0): Ref) } + 1 <= i$0 && i$0 < arg_right ==> (loc(a_3, i$0): Ref) != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + (((1 <= invRecv12(o_3) && invRecv12(o_3) < arg_right) && NoPerm < FullPerm) && qpRange12(o_3) ==> (NoPerm < FullPerm ==> (loc(a_3, invRecv12(o_3)): Ref) == o_3) && QPMask[o_3, val] == Mask[o_3, val] + FullPerm) && (!(((1 <= invRecv12(o_3) && invRecv12(o_3) < arg_right) && NoPerm < FullPerm) && qpRange12(o_3)) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume (forall i$1_3: int :: + { (loc(a_3, i$1_3): Ref) } + 1 <= i$1_3 && i$1_3 < arg_right ==> (if old(PreCallHeap)[(loc(a_3, i$1_3): Ref), val] == 5 then Heap[(loc(a_3, i$1_3): Ref), val] == 7 else Heap[(loc(a_3, i$1_3): Ref), val] == old(PreCallHeap)[(loc(a_3, i$1_3): Ref), val]) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: assert Contains(a, 5, 1) -- parallel-array-replace.vpr@49.3--49.27 + + // -- Check definedness of Contains(a, 5, 1) + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function Contains might not hold. Assertion 1 <= len(a) might not hold. (parallel-array-replace.vpr@49.10--49.27) [181]"} + 1 <= (len(a_3): int); + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver loc(a, i) is injective + assert {:msg " Precondition of function Contains might not hold. Quantified resource loc(a, i).val might not be injective. (parallel-array-replace.vpr@49.10--49.27) [182]"} + (forall i_4: int, i_4_1: int :: + { neverTriggered13(i_4), neverTriggered13(i_4_1) } + (((i_4 != i_4_1 && (0 <= i_4 && i_4 < 1)) && (0 <= i_4_1 && i_4_1 < 1)) && NoPerm < FullPerm) && NoPerm < FullPerm ==> (loc(a_3, i_4): Ref) != (loc(a_3, i_4_1): Ref) + ); + + // -- check if sufficient permission is held + assert {:msg " Precondition of function Contains might not hold. There might be insufficient permission to access loc(a, i).val (parallel-array-replace.vpr@49.10--49.27) [183]"} + (forall i_4: int :: + { (loc(a_3, i_4): Ref) } { (loc(a_3, i_4): Ref) } + 0 <= i_4 && i_4 < 1 ==> Mask[(loc(a_3, i_4): Ref), val] >= FullPerm + ); + + // -- assumptions for inverse of receiver loc(a, i) + assume (forall i_4: int :: + { (loc(a_3, i_4): Ref) } { (loc(a_3, i_4): Ref) } + (0 <= i_4 && i_4 < 1) && NoPerm < FullPerm ==> qpRange13((loc(a_3, i_4): Ref)) && invRecv13((loc(a_3, i_4): Ref)) == i_4 + ); + assume (forall o_3: Ref :: + { invRecv13(o_3) } + (0 <= invRecv13(o_3) && invRecv13(o_3) < 1) && (NoPerm < FullPerm && qpRange13(o_3)) ==> (loc(a_3, invRecv13(o_3)): Ref) == o_3 + ); + + // -- assume permission updates for field val + assume (forall o_3: Ref :: + { QPMask[o_3, val] } + ((0 <= invRecv13(o_3) && invRecv13(o_3) < 1) && (NoPerm < FullPerm && qpRange13(o_3)) ==> (loc(a_3, invRecv13(o_3)): Ref) == o_3 && QPMask[o_3, val] == Mask[o_3, val] - FullPerm) && (!((0 <= invRecv13(o_3) && invRecv13(o_3) < 1) && (NoPerm < FullPerm && qpRange13(o_3))) ==> QPMask[o_3, val] == Mask[o_3, val]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != val ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } + assert {:msg " Assert might fail. Assertion Contains(a, 5, 1) might not hold. (parallel-array-replace.vpr@49.10--49.27) [184]"} + Contains(Heap, a_3, 5, 1); + assume state(Heap, Mask); +} diff --git a/Test/monomorphize/viper/quantification_over_pred_permissions.bpl b/Test/monomorphize/viper/quantification_over_pred_permissions.bpl new file mode 100644 index 000000000..3ba53c881 --- /dev/null +++ b/Test/monomorphize/viper/quantification_over_pred_permissions.bpl @@ -0,0 +1,680 @@ +// RUN: %parallel-boogie /monomorphize /noVerify "%s" > "%t" + +// ================================================== +// Preamble of State module. +// ================================================== + +function state(Heap: HeapType, Mask: MaskType): bool; + +// ================================================== +// Preamble of Heap module. +// ================================================== + +type Ref; +var Heap: HeapType; +const null: Ref; +type Field A B; +type NormalField; +type HeapType = [Ref, Field A B]B; +const unique $allocated: Field NormalField bool; +axiom (forall o: Ref, f: (Field NormalField Ref), Heap: HeapType :: + { Heap[o, f] } + Heap[o, $allocated] ==> Heap[Heap[o, f], $allocated] +); +function succHeap(Heap0: HeapType, Heap1: HeapType): bool; +function succHeapTrans(Heap0: HeapType, Heap1: HeapType): bool; +function IdenticalOnKnownLocations(Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType): bool; +function IsPredicateField(f_1: (Field A B)): bool; +function IsWandField(f_1: (Field A B)): bool; +function getPredicateId(f_1: (Field A B)): int; +// Frame all locations with direct permissions +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, o_1: Ref, f_2: (Field A B) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), ExhaleHeap[o_1, f_2] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, o_1, f_2) ==> Heap[o_1, f_2] == ExhaleHeap[o_1, f_2] +); +// Frame all predicate mask locations of predicates with direct permission +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsPredicateField(pm_f), ExhaleHeap[null, PredicateMaskField(pm_f)] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsPredicateField(pm_f) ==> Heap[null, PredicateMaskField(pm_f)] == ExhaleHeap[null, PredicateMaskField(pm_f)] +); +// Frame all locations with known folded permissions +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsPredicateField(pm_f) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsPredicateField(pm_f) ==> (forall o2: Ref, f_2: (Field A B) :: + { ExhaleHeap[o2, f_2] } + Heap[null, PredicateMaskField(pm_f)][o2, f_2] ==> Heap[o2, f_2] == ExhaleHeap[o2, f_2] + ) +); +// Frame all wand mask locations of wands with direct permission +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsWandField(pm_f), ExhaleHeap[null, WandMaskField(pm_f)] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsWandField(pm_f) ==> Heap[null, WandMaskField(pm_f)] == ExhaleHeap[null, WandMaskField(pm_f)] +); +// Frame all locations in the footprint of magic wands +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsWandField(pm_f) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsWandField(pm_f) ==> (forall o2: Ref, f_2: (Field A B) :: + { ExhaleHeap[o2, f_2] } + Heap[null, WandMaskField(pm_f)][o2, f_2] ==> Heap[o2, f_2] == ExhaleHeap[o2, f_2] + ) +); +// All previously-allocated references are still allocated +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, o_1: Ref :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), ExhaleHeap[o_1, $allocated] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> Heap[o_1, $allocated] ==> ExhaleHeap[o_1, $allocated] +); +// Updated Heaps are Successor Heaps +axiom (forall Heap: HeapType, o: Ref, f_3: (Field A B), v: B :: + { Heap[o, f_3:=v] } + succHeap(Heap, Heap[o, f_3:=v]) +); +// IdenticalOnKnownLocations Heaps are Successor Heaps +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> succHeap(Heap, ExhaleHeap) +); +// Successor Heaps are Transitive Successor Heaps +axiom (forall Heap0: HeapType, Heap1: HeapType :: + { succHeap(Heap0, Heap1) } + succHeap(Heap0, Heap1) ==> succHeapTrans(Heap0, Heap1) +); +// Transitivity of Transitive Successor Heaps +axiom (forall Heap0: HeapType, Heap1: HeapType, Heap2: HeapType :: + { succHeapTrans(Heap0, Heap1), succHeap(Heap1, Heap2) } + succHeapTrans(Heap0, Heap1) && succHeap(Heap1, Heap2) ==> succHeapTrans(Heap0, Heap2) +); + +// ================================================== +// Preamble of Permission module. +// ================================================== + +type Perm = real; +type MaskType = [Ref, Field A B]Perm; +var Mask: MaskType; +const ZeroMask: MaskType; +axiom (forall o_2: Ref, f_4: (Field A B) :: + { ZeroMask[o_2, f_4] } + ZeroMask[o_2, f_4] == NoPerm +); +type PMaskType = [Ref, Field A B]bool; +const ZeroPMask: PMaskType; +axiom (forall o_2: Ref, f_4: (Field A B) :: + { ZeroPMask[o_2, f_4] } + !ZeroPMask[o_2, f_4] +); +function PredicateMaskField(f_5: (Field A FrameType)): Field A PMaskType; +function WandMaskField(f_5: (Field A FrameType)): Field A PMaskType; +const NoPerm: Perm; +axiom NoPerm == 0.000000000; +const FullPerm: Perm; +axiom FullPerm == 1.000000000; +function Perm(a: real, b: real): Perm; +function GoodMask(Mask: MaskType): bool; +axiom (forall Heap: HeapType, Mask: MaskType :: + { state(Heap, Mask) } + state(Heap, Mask) ==> GoodMask(Mask) +); +axiom (forall Mask: MaskType, o_2: Ref, f_4: (Field A B) :: + { GoodMask(Mask), Mask[o_2, f_4] } + GoodMask(Mask) ==> Mask[o_2, f_4] >= NoPerm && ((GoodMask(Mask) && !IsPredicateField(f_4)) && !IsWandField(f_4) ==> Mask[o_2, f_4] <= FullPerm) +); +function HasDirectPerm(Mask: MaskType, o_2: Ref, f_4: (Field A B)): bool; +axiom (forall Mask: MaskType, o_2: Ref, f_4: (Field A B) :: + { HasDirectPerm(Mask, o_2, f_4) } + HasDirectPerm(Mask, o_2, f_4) <==> Mask[o_2, f_4] > NoPerm +); +function sumMask(ResultMask: MaskType, SummandMask1: MaskType, SummandMask2: MaskType): bool; +axiom (forall ResultMask: MaskType, SummandMask1: MaskType, SummandMask2: MaskType, o_2: Ref, f_4: (Field A B) :: + { sumMask(ResultMask, SummandMask1, SummandMask2), ResultMask[o_2, f_4] } { sumMask(ResultMask, SummandMask1, SummandMask2), SummandMask1[o_2, f_4] } { sumMask(ResultMask, SummandMask1, SummandMask2), SummandMask2[o_2, f_4] } + sumMask(ResultMask, SummandMask1, SummandMask2) ==> ResultMask[o_2, f_4] == SummandMask1[o_2, f_4] + SummandMask2[o_2, f_4] +); +// ================================================== +// Function for trigger used in checks which are never triggered +// ================================================== + +function neverTriggered1(x_1: Ref): bool; +function neverTriggered2(x1_1: Ref): bool; +function neverTriggered3(x1_3: Ref): bool; +// ================================================== +// Functions used as inverse of receiver expressions in quantified permissions during inhale and exhale +// ================================================== + +function invRecv1(this: Ref): Ref; +function invRecv2(this_1: Ref): Ref; +function invRecv3(this_2: Ref): Ref; +// ================================================== +// Functions used to represent the range of the projection of each QP instance onto its receiver expressions for quantified permissions during inhale and exhale +// ================================================== + +function qpRange1(this: Ref): bool; +function qpRange2(this_1: Ref): bool; +function qpRange3(this_2: Ref): bool; + +// ================================================== +// Preamble of Function and predicate module. +// ================================================== + +// Declarations for function framing +type FrameType; +const EmptyFrame: FrameType; +function FrameFragment(t: T): FrameType; +function ConditionalFrame(p: Perm, f_6: FrameType): FrameType; +function dummyFunction(t: T): bool; +function CombineFrames(a_1: FrameType, b_1: FrameType): FrameType; +// ================================================== +// Definition of conditional frame fragments +// ================================================== + +axiom (forall p: Perm, f_6: FrameType :: + { ConditionalFrame(p, f_6) } + ConditionalFrame(p, f_6) == (if p > 0.000000000 then f_6 else EmptyFrame) +); +// Function for recording enclosure of one predicate instance in another +function InsidePredicate(p: (Field A FrameType), v_1: FrameType, q: (Field B FrameType), w: FrameType): bool; +// Transitivity of InsidePredicate +axiom (forall p: (Field A FrameType), v_1: FrameType, q: (Field B FrameType), w: FrameType, r: (Field C FrameType), u: FrameType :: + { InsidePredicate(p, v_1, q, w), InsidePredicate(q, w, r, u) } + InsidePredicate(p, v_1, q, w) && InsidePredicate(q, w, r, u) ==> InsidePredicate(p, v_1, r, u) +); +// Knowledge that two identical instances of the same predicate cannot be inside each other +axiom (forall p: (Field A FrameType), v_1: FrameType, w: FrameType :: + { InsidePredicate(p, v_1, p, w) } + !InsidePredicate(p, v_1, p, w) +); + +// ================================================== +// Preamble of Set module. +// ================================================== + + +type Set T = [T]bool; + +function Set#Card(Set T): int; +axiom (forall s: Set T :: { Set#Card(s) } 0 <= Set#Card(s)); + +function Set#Empty(): Set T; +axiom (forall o: T :: { Set#Empty()[o] } !Set#Empty()[o]); +axiom (forall s: Set T :: { Set#Card(s) } + (Set#Card(s) == 0 <==> s == Set#Empty()) && + (Set#Card(s) != 0 ==> (exists x: T :: s[x]))); + +function Set#Singleton(T): Set T; +axiom (forall r: T :: { Set#Singleton(r) } Set#Singleton(r)[r]); +axiom (forall r: T, o: T :: { Set#Singleton(r)[o] } Set#Singleton(r)[o] <==> r == o); +axiom (forall r: T :: { Set#Card(Set#Singleton(r)) } Set#Card(Set#Singleton(r)) == 1); + +function Set#UnionOne(Set T, T): Set T; +axiom (forall a: Set T, x: T, o: T :: { Set#UnionOne(a,x)[o] } + Set#UnionOne(a,x)[o] <==> o == x || a[o]); +axiom (forall a: Set T, x: T :: { Set#UnionOne(a, x) } + Set#UnionOne(a, x)[x]); +axiom (forall a: Set T, x: T, y: T :: { Set#UnionOne(a, x), a[y] } + a[y] ==> Set#UnionOne(a, x)[y]); +axiom (forall a: Set T, x: T :: { Set#Card(Set#UnionOne(a, x)) } + a[x] ==> Set#Card(Set#UnionOne(a, x)) == Set#Card(a)); +axiom (forall a: Set T, x: T :: { Set#Card(Set#UnionOne(a, x)) } + !a[x] ==> Set#Card(Set#UnionOne(a, x)) == Set#Card(a) + 1); + +function Set#Union(Set T, Set T): Set T; +axiom (forall a: Set T, b: Set T, o: T :: { Set#Union(a,b)[o] } + Set#Union(a,b)[o] <==> a[o] || b[o]); +axiom (forall a, b: Set T, y: T :: { Set#Union(a, b), a[y] } + a[y] ==> Set#Union(a, b)[y]); +axiom (forall a, b: Set T, y: T :: { Set#Union(a, b), b[y] } + b[y] ==> Set#Union(a, b)[y]); +//axiom (forall a, b: Set T :: { Set#Union(a, b) } +// Set#Disjoint(a, b) ==> +// Set#Difference(Set#Union(a, b), a) == b && +// Set#Difference(Set#Union(a, b), b) == a); + +function Set#Intersection(Set T, Set T): Set T; +axiom (forall a: Set T, b: Set T, o: T :: { Set#Intersection(a,b)[o] } {Set#Intersection(a,b), a[o]} {Set#Intersection(a,b), b[o]} // AS: added alternative triggers 20/06/19 + Set#Intersection(a,b)[o] <==> a[o] && b[o]); + +axiom (forall a, b: Set T :: { Set#Union(Set#Union(a, b), b) } + Set#Union(Set#Union(a, b), b) == Set#Union(a, b)); +axiom (forall a, b: Set T :: { Set#Union(a, Set#Union(a, b)) } + Set#Union(a, Set#Union(a, b)) == Set#Union(a, b)); +axiom (forall a, b: Set T :: { Set#Intersection(Set#Intersection(a, b), b) } + Set#Intersection(Set#Intersection(a, b), b) == Set#Intersection(a, b)); +axiom (forall a, b: Set T :: { Set#Intersection(a, Set#Intersection(a, b)) } + Set#Intersection(a, Set#Intersection(a, b)) == Set#Intersection(a, b)); +axiom (forall a, b: Set T :: { Set#Card(Set#Union(a, b)) }{ Set#Card(Set#Intersection(a, b)) } + Set#Card(Set#Union(a, b)) + Set#Card(Set#Intersection(a, b)) == Set#Card(a) + Set#Card(b)); + +function Set#Difference(Set T, Set T): Set T; +axiom (forall a: Set T, b: Set T, o: T :: { Set#Difference(a,b)[o] } { Set#Difference(a,b), a[o] } + Set#Difference(a,b)[o] <==> a[o] && !b[o]); +axiom (forall a, b: Set T, y: T :: { Set#Difference(a, b), b[y] } + b[y] ==> !Set#Difference(a, b)[y] ); +axiom (forall a, b: Set T :: + { Set#Card(Set#Difference(a, b)) } + Set#Card(Set#Difference(a, b)) + Set#Card(Set#Difference(b, a)) + + Set#Card(Set#Intersection(a, b)) + == Set#Card(Set#Union(a, b)) && + Set#Card(Set#Difference(a, b)) == Set#Card(a) - Set#Card(Set#Intersection(a, b))); + +function Set#Subset(Set T, Set T): bool; +axiom(forall a: Set T, b: Set T :: { Set#Subset(a,b) } + Set#Subset(a,b) <==> (forall o: T :: {a[o]} {b[o]} a[o] ==> b[o])); +// axiom(forall a: Set T, b: Set T :: +// { Set#Subset(a,b), Set#Card(a), Set#Card(b) } // very restrictive trigger +// Set#Subset(a,b) ==> Set#Card(a) <= Set#Card(b)); + + +function Set#Equal(Set T, Set T): bool; +axiom(forall a: Set T, b: Set T :: { Set#Equal(a,b) } + Set#Equal(a,b) <==> (forall o: T :: {a[o]} {b[o]} a[o] <==> b[o])); +axiom(forall a: Set T, b: Set T :: { Set#Equal(a,b) } // extensionality axiom for sets + Set#Equal(a,b) ==> a == b); + +//function Set#Disjoint(Set T, Set T): bool; +//axiom (forall a: Set T, b: Set T :: { Set#Disjoint(a,b) } +// Set#Disjoint(a,b) <==> (forall o: T :: {a[o]} {b[o]} !a[o] || !b[o])); + +// --------------------------------------------------------------- +// -- Axiomatization of multisets -------------------------------- +// --------------------------------------------------------------- + +function Math#min(a: int, b: int): int; +axiom (forall a: int, b: int :: { Math#min(a, b) } a <= b <==> Math#min(a, b) == a); +axiom (forall a: int, b: int :: { Math#min(a, b) } b <= a <==> Math#min(a, b) == b); +axiom (forall a: int, b: int :: { Math#min(a, b) } Math#min(a, b) == a || Math#min(a, b) == b); + +function Math#clip(a: int): int; +axiom (forall a: int :: { Math#clip(a) } 0 <= a ==> Math#clip(a) == a); +axiom (forall a: int :: { Math#clip(a) } a < 0 ==> Math#clip(a) == 0); + +type MultiSet T; // = [T]int; + +function MultiSet#Select(ms: MultiSet T, x:T): int; + +//function $IsGoodMultiSet(ms: MultiSet T): bool; +// ints are non-negative, used after havocing, and for conversion from sequences to multisets. +//axiom (forall ms: MultiSet T :: { $IsGoodMultiSet(ms) } +// $IsGoodMultiSet(ms) <==> +// (forall bx: T :: { ms[bx] } 0 <= ms[bx] && ms[bx] <= MultiSet#Card(ms))); + +axiom (forall ms: MultiSet T, x: T :: {MultiSet#Select(ms,x)} MultiSet#Select(ms,x) >= 0); // NEW + +function MultiSet#Card(MultiSet T): int; +axiom (forall s: MultiSet T :: { MultiSet#Card(s) } 0 <= MultiSet#Card(s)); +//axiom (forall s: MultiSet T, x: T, n: int :: { MultiSet#Card(s[x := n]) } +// 0 <= n ==> MultiSet#Card(s[x := n]) == MultiSet#Card(s) - s[x] + n); +// +function MultiSet#Empty(): MultiSet T; +axiom (forall o: T :: { MultiSet#Select(MultiSet#Empty(),o) } MultiSet#Select(MultiSet#Empty(),o) == 0); +axiom (forall s: MultiSet T :: { MultiSet#Card(s) } + (MultiSet#Card(s) == 0 <==> s == MultiSet#Empty()) && + (MultiSet#Card(s) != 0 ==> (exists x: T :: 0 < MultiSet#Select(s,x)))); + +function MultiSet#Singleton(T): MultiSet T; +axiom (forall r: T, o: T :: { MultiSet#Select(MultiSet#Singleton(r),o) } (MultiSet#Select(MultiSet#Singleton(r),o) == 1 <==> r == o) && + (MultiSet#Select(MultiSet#Singleton(r),o) == 0 <==> r != o)); +axiom (forall r: T :: { MultiSet#Singleton(r) } MultiSet#Card(MultiSet#Singleton(r)) == 1 && MultiSet#Select(MultiSet#Singleton(r),r) == 1); // AS: added +axiom (forall r: T :: { MultiSet#Singleton(r) } MultiSet#Singleton(r) == MultiSet#UnionOne(MultiSet#Empty(), r)); // AS: remove this? + +function MultiSet#UnionOne(MultiSet T, T): MultiSet T; +// union-ing increases count by one for x, not for others +axiom (forall a: MultiSet T, x: T, o: T :: { MultiSet#Select(MultiSet#UnionOne(a,x),o) } { MultiSet#UnionOne(a, x), MultiSet#Select(a,o) } // AS: added back this trigger (used on a similar axiom before) + MultiSet#Select(MultiSet#UnionOne(a, x),o) == (if x==o then MultiSet#Select(a,o) + 1 else MultiSet#Select(a,o))); +// non-decreasing +axiom (forall a: MultiSet T, x: T :: { MultiSet#Card(MultiSet#UnionOne(a, x)) } {MultiSet#UnionOne(a, x), MultiSet#Card(a)} // AS: added alternative trigger + MultiSet#Card(MultiSet#UnionOne(a, x)) == MultiSet#Card(a) + 1); +// AS: added - concrete knowledge of element added +axiom (forall a: MultiSet T, x: T :: { MultiSet#UnionOne(a,x)} + MultiSet#Select(MultiSet#UnionOne(a, x),x) > 0 && MultiSet#Card(MultiSet#UnionOne(a, x)) > 0); + +function MultiSet#Union(MultiSet T, MultiSet T): MultiSet T; +// union-ing is the sum of the contents +axiom (forall a: MultiSet T, b: MultiSet T, o: T :: { MultiSet#Select(MultiSet#Union(a,b),o) } {MultiSet#Union(a,b), MultiSet#Select(a,o), MultiSet#Select(b,o)}// AS: added triggers + MultiSet#Select(MultiSet#Union(a,b),o) == MultiSet#Select(a,o) + MultiSet#Select(b,o)); +axiom (forall a: MultiSet T, b: MultiSet T :: { MultiSet#Card(MultiSet#Union(a,b)) } {MultiSet#Card(a), MultiSet#Union(a,b)} {MultiSet#Card(b), MultiSet#Union(a,b)} + MultiSet#Card(MultiSet#Union(a,b)) == MultiSet#Card(a) + MultiSet#Card(b)); + +function MultiSet#Intersection(MultiSet T, MultiSet T): MultiSet T; +axiom (forall a: MultiSet T, b: MultiSet T, o: T :: { MultiSet#Select(MultiSet#Intersection(a,b),o) } + MultiSet#Select(MultiSet#Intersection(a,b),o) == Math#min(MultiSet#Select(a,o), MultiSet#Select(b,o))); + +// left and right pseudo-idempotence +axiom (forall a, b: MultiSet T :: { MultiSet#Intersection(MultiSet#Intersection(a, b), b) } + MultiSet#Intersection(MultiSet#Intersection(a, b), b) == MultiSet#Intersection(a, b)); +axiom (forall a, b: MultiSet T :: { MultiSet#Intersection(a, MultiSet#Intersection(a, b)) } + MultiSet#Intersection(a, MultiSet#Intersection(a, b)) == MultiSet#Intersection(a, b)); + +// multiset difference, a - b. clip() makes it positive. +function MultiSet#Difference(MultiSet T, MultiSet T): MultiSet T; +axiom (forall a: MultiSet T, b: MultiSet T, o: T :: { MultiSet#Select(MultiSet#Difference(a,b),o) } + MultiSet#Select(MultiSet#Difference(a,b),o) == Math#clip(MultiSet#Select(a,o) - MultiSet#Select(b,o))); +axiom (forall a, b: MultiSet T, y: T :: { MultiSet#Difference(a, b), MultiSet#Select(b,y), MultiSet#Select(a,y) } + MultiSet#Select(a,y) <= MultiSet#Select(b,y) ==> MultiSet#Select(MultiSet#Difference(a, b),y) == 0 ); +axiom (forall a, b: MultiSet T :: + { MultiSet#Card(MultiSet#Difference(a, b)) } + MultiSet#Card(MultiSet#Difference(a, b)) + MultiSet#Card(MultiSet#Difference(b, a)) + + 2 * MultiSet#Card(MultiSet#Intersection(a, b)) + == MultiSet#Card(MultiSet#Union(a, b)) && + MultiSet#Card(MultiSet#Difference(a, b)) == MultiSet#Card(a) - MultiSet#Card(MultiSet#Intersection(a, b))); + +// multiset subset means a must have at most as many of each element as b +function MultiSet#Subset(MultiSet T, MultiSet T): bool; +axiom(forall a: MultiSet T, b: MultiSet T :: { MultiSet#Subset(a,b) } + MultiSet#Subset(a,b) <==> (forall o: T :: {MultiSet#Select(a,o)} {MultiSet#Select(b,o)} MultiSet#Select(a,o) <= MultiSet#Select(b,o))); + +function MultiSet#Equal(MultiSet T, MultiSet T): bool; +axiom(forall a: MultiSet T, b: MultiSet T :: { MultiSet#Equal(a,b) } + MultiSet#Equal(a,b) <==> (forall o: T :: {MultiSet#Select(a,o)} {MultiSet#Select(b,o)} MultiSet#Select(a,o) == MultiSet#Select(b,o))); +// extensionality axiom for multisets +axiom(forall a: MultiSet T, b: MultiSet T :: { MultiSet#Equal(a,b) } + MultiSet#Equal(a,b) ==> a == b); + +function MultiSet#Disjoint(MultiSet T, MultiSet T): bool; +axiom (forall a: MultiSet T, b: MultiSet T :: { MultiSet#Disjoint(a,b) } + MultiSet#Disjoint(a,b) <==> (forall o: T :: {MultiSet#Select(a,o)} {MultiSet#Select(b,o)} MultiSet#Select(a,o) == 0 || MultiSet#Select(b,o) == 0)); + + + +// ================================================== +// Translation of all fields +// ================================================== + +const unique all: Field NormalField (Set Ref); +axiom !IsPredicateField(all); +axiom !IsWandField(all); +const unique f_7: Field NormalField Ref; +axiom !IsPredicateField(f_7); +axiom !IsWandField(f_7); + +// ================================================== +// Translation of predicate inv +// ================================================== + +type PredicateType_inv; +function inv(this: Ref): Field PredicateType_inv FrameType; +function inv#sm(this: Ref): Field PredicateType_inv PMaskType; +axiom (forall this: Ref :: + { PredicateMaskField(inv(this)) } + PredicateMaskField(inv(this)) == inv#sm(this) +); +axiom (forall this: Ref :: + { inv(this) } + IsPredicateField(inv(this)) +); +axiom (forall this: Ref :: + { inv(this) } + getPredicateId(inv(this)) == 0 +); +function inv#trigger(Heap: HeapType, pred: (Field A FrameType)): bool; +function inv#everUsed(pred: (Field A FrameType)): bool; +axiom (forall this: Ref, this2: Ref :: + { inv(this), inv(this2) } + inv(this) == inv(this2) ==> this == this2 +); +axiom (forall this: Ref, this2: Ref :: + { inv#sm(this), inv#sm(this2) } + inv#sm(this) == inv#sm(this2) ==> this == this2 +); + +axiom (forall Heap: HeapType, this: Ref :: + { inv#trigger(Heap, inv(this)) } + inv#everUsed(inv(this)) +); + +procedure inv#definedness(this: Ref) returns () + modifies Heap, Mask; +{ + var perm: Perm; + + // -- Check definedness of predicate body of inv + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume Heap[this, $allocated]; + perm := 1 / 2; + assert {:msg " Predicate might not be well-formed. Fraction 1 / 2 might be negative. (quantification_over_pred_permissions.vpr@7.1--7.46) [26]"} + perm >= NoPerm; + assume perm > NoPerm ==> this != null; + Mask[this, f_7] := Mask[this, f_7] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); +} + +// ================================================== +// Translation of method m +// ================================================== + +procedure m(S: (Set Ref)) returns () + modifies Heap, Mask; +{ + var QPMask: MaskType; + var PostHeap: HeapType; + var PostMask: MaskType; + var b_2: Ref; + var v_2: Ref; + var perm: Perm; + var newVersion: FrameType; + var freshVersion: FrameType; + var ExhaleHeap: HeapType; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + + // -- Checked inhaling of precondition + + // -- Check definedness of (forall x: Ref :: { (x in S) } (x in S) ==> acc(inv(x), write)) + if (*) { + assume false; + } + havoc QPMask; + + // -- check if receiver acc(inv(x), write) is injective + assert {:msg " Contract might not be well-formed. Quantified resource inv(x) might not be injective. (quantification_over_pred_permissions.vpr@10.12--10.58) [27]"} + (forall x_1: Ref, x_1_1: Ref :: + { neverTriggered1(x_1), neverTriggered1(x_1_1) } + (((x_1 != x_1_1 && S[x_1]) && S[x_1_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> x_1 != x_1_1 + ); + + // -- Define Inverse Function + assume (forall x_1: Ref :: + { Heap[null, inv(x_1)] } { Mask[null, inv(x_1)] } { S[x_1] } + S[x_1] && NoPerm < FullPerm ==> invRecv1(x_1) == x_1 && qpRange1(x_1) + ); + assume (forall this: Ref :: + { invRecv1(this) } + (S[invRecv1(this)] && NoPerm < FullPerm) && qpRange1(this) ==> invRecv1(this) == this + ); + + // -- Define updated permissions + assume (forall this: Ref :: + { QPMask[null, inv(this)] } + (S[invRecv1(this)] && NoPerm < FullPerm) && qpRange1(this) ==> (NoPerm < FullPerm ==> invRecv1(this) == this) && QPMask[null, inv(this)] == Mask[null, inv(this)] + FullPerm + ); + + // -- Define independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + (o_3 != null || !IsPredicateField(f_5)) || getPredicateId(f_5) != 0 ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + assume (forall this: Ref :: + { QPMask[null, inv(this)] } + !((S[invRecv1(this)] && NoPerm < FullPerm) && qpRange1(this)) ==> QPMask[null, inv(this)] == Mask[null, inv(this)] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + PostHeap := Heap; + PostMask := Mask; + havoc PostHeap; + PostMask := ZeroMask; + assume state(PostHeap, PostMask); + if (*) { + // Checked inhaling of postcondition to check definedness + + // -- Check definedness of (forall x1: Ref :: { (x1 in S) } (x1 in S) ==> acc(inv(x1), write)) + if (*) { + assume false; + } + havoc QPMask; + + // -- check if receiver acc(inv(x1), write) is injective + assert {:msg " Contract might not be well-formed. Quantified resource inv(x1) might not be injective. (quantification_over_pred_permissions.vpr@11.11--11.60) [28]"} + (forall x1_1: Ref, x1_1_1: Ref :: + { neverTriggered2(x1_1), neverTriggered2(x1_1_1) } + (((x1_1 != x1_1_1 && S[x1_1]) && S[x1_1_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> x1_1 != x1_1_1 + ); + + // -- Define Inverse Function + assume (forall x1_1: Ref :: + { PostHeap[null, inv(x1_1)] } { PostMask[null, inv(x1_1)] } { S[x1_1] } + S[x1_1] && NoPerm < FullPerm ==> invRecv2(x1_1) == x1_1 && qpRange2(x1_1) + ); + assume (forall this_1: Ref :: + { invRecv2(this_1) } + (S[invRecv2(this_1)] && NoPerm < FullPerm) && qpRange2(this_1) ==> invRecv2(this_1) == this_1 + ); + + // -- Define updated permissions + assume (forall this_1: Ref :: + { QPMask[null, inv(this_1)] } + (S[invRecv2(this_1)] && NoPerm < FullPerm) && qpRange2(this_1) ==> (NoPerm < FullPerm ==> invRecv2(this_1) == this_1) && QPMask[null, inv(this_1)] == PostMask[null, inv(this_1)] + FullPerm + ); + + // -- Define independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { PostMask[o_3, f_5] } { QPMask[o_3, f_5] } + (o_3 != null || !IsPredicateField(f_5)) || getPredicateId(f_5) != 0 ==> PostMask[o_3, f_5] == QPMask[o_3, f_5] + ); + assume (forall this_1: Ref :: + { QPMask[null, inv(this_1)] } + !((S[invRecv2(this_1)] && NoPerm < FullPerm) && qpRange2(this_1)) ==> QPMask[null, inv(this_1)] == PostMask[null, inv(this_1)] + ); + PostMask := QPMask; + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + // Stop execution + assume false; + } + + // -- Assumptions about local variables + assume Heap[b_2, $allocated]; + assume Heap[v_2, $allocated]; + + // -- Translating statement: inhale (b in S) -- quantification_over_pred_permissions.vpr@16.3--16.16 + assume S[b_2]; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: unfold acc(inv(b), write) -- quantification_over_pred_permissions.vpr@17.3--17.28 + assume inv#trigger(Heap, inv(b_2)); + assume Heap[null, inv(b_2)] == FrameFragment(Heap[b_2, f_7]); + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Unfolding inv(b) might fail. There might be insufficient permission to access inv(b) (quantification_over_pred_permissions.vpr@17.3--17.28) [30]"} + perm <= Mask[null, inv(b_2)]; + } + Mask[null, inv(b_2)] := Mask[null, inv(b_2)] - perm; + + // -- Update version of predicate + if (!HasDirectPerm(Mask, null, inv(b_2))) { + havoc newVersion; + Heap[null, inv(b_2)] := newVersion; + } + perm := 1 / 2; + assert {:msg " Unfolding inv(b) might fail. Fraction 1 / 2 might be negative. (quantification_over_pred_permissions.vpr@17.3--17.28) [31]"} + perm >= NoPerm; + assume perm > NoPerm ==> b_2 != null; + Mask[b_2, f_7] := Mask[b_2, f_7] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: v := b.f -- quantification_over_pred_permissions.vpr@18.3--18.11 + + // -- Check definedness of b.f + assert {:msg " Assignment might fail. There might be insufficient permission to access b.f (quantification_over_pred_permissions.vpr@18.3--18.11) [32]"} + HasDirectPerm(Mask, b_2, f_7); + v_2 := Heap[b_2, f_7]; + assume state(Heap, Mask); + + // -- Translating statement: fold acc(inv(b), write) -- quantification_over_pred_permissions.vpr@19.3--19.26 + assert {:msg " Folding inv(b) might fail. Fraction 1 / 2 might be negative. (quantification_over_pred_permissions.vpr@19.3--19.26) [33]"} + 1 / 2 >= NoPerm; + perm := 1 / 2; + if (perm != NoPerm) { + assert {:msg " Folding inv(b) might fail. There might be insufficient permission to access b.f (quantification_over_pred_permissions.vpr@19.3--19.26) [34]"} + perm <= Mask[b_2, f_7]; + } + Mask[b_2, f_7] := Mask[b_2, f_7] - perm; + perm := FullPerm; + Mask[null, inv(b_2)] := Mask[null, inv(b_2)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume inv#trigger(Heap, inv(b_2)); + assume Heap[null, inv(b_2)] == FrameFragment(Heap[b_2, f_7]); + if (!HasDirectPerm(Mask, null, inv(b_2))) { + Heap[null, inv#sm(b_2)] := ZeroPMask; + havoc freshVersion; + Heap[null, inv(b_2)] := freshVersion; + } + Heap[null, inv#sm(b_2)][b_2, f_7] := true; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Exhaling postcondition + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver acc(inv(x1), write) is injective + assert {:msg " Contract might not be well-formed. Quantified resource inv(x1) might not be injective. (quantification_over_pred_permissions.vpr@11.11--11.60) [36]"} + (forall x1_3: Ref, x1_3_1: Ref :: + { neverTriggered3(x1_3), neverTriggered3(x1_3_1) } + (((x1_3 != x1_3_1 && S[x1_3]) && S[x1_3_1]) && NoPerm < FullPerm) && NoPerm < FullPerm ==> x1_3 != x1_3_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Postcondition of m might not hold. There might be insufficient permission to access inv(x1) (quantification_over_pred_permissions.vpr@11.11--11.60) [37]"} + (forall x1_3: Ref :: + { Heap[null, inv(x1_3)] } { Mask[null, inv(x1_3)] } { S[x1_3] } + S[x1_3] ==> Mask[null, inv(x1_3)] >= FullPerm + ); + + // -- assumptions for inverse of receiver acc(inv(x1), write) + assume (forall x1_3: Ref :: + { Heap[null, inv(x1_3)] } { Mask[null, inv(x1_3)] } { S[x1_3] } + S[x1_3] && NoPerm < FullPerm ==> invRecv3(x1_3) == x1_3 && qpRange3(x1_3) + ); + assume (forall this_2: Ref :: + { invRecv3(this_2) } + (S[invRecv3(this_2)] && NoPerm < FullPerm) && qpRange3(this_2) ==> invRecv3(this_2) == this_2 + ); + + // -- assume permission updates for predicate inv + assume (forall this_2: Ref :: + { QPMask[null, inv(this_2)] } + (S[invRecv3(this_2)] && NoPerm < FullPerm) && qpRange3(this_2) ==> invRecv3(this_2) == this_2 && QPMask[null, inv(this_2)] == Mask[null, inv(this_2)] - FullPerm + ); + assume (forall this_2: Ref :: + { QPMask[null, inv(this_2)] } + !((S[invRecv3(this_2)] && NoPerm < FullPerm) && qpRange3(this_2)) ==> QPMask[null, inv(this_2)] == Mask[null, inv(this_2)] + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + (o_3 != null || !IsPredicateField(f_5)) || getPredicateId(f_5) != 0 ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; +} diff --git a/Test/monomorphize/viper/seq-slice-simple1.bpl b/Test/monomorphize/viper/seq-slice-simple1.bpl new file mode 100644 index 000000000..c926f27db --- /dev/null +++ b/Test/monomorphize/viper/seq-slice-simple1.bpl @@ -0,0 +1,1106 @@ +// RUN: %parallel-boogie /monomorphize /noVerify "%s" > "%t" + +// ================================================== +// Preamble of State module. +// ================================================== + +function state(Heap: HeapType, Mask: MaskType): bool; + +// ================================================== +// Preamble of Heap module. +// ================================================== + +type Ref; +var Heap: HeapType; +const null: Ref; +type Field A B; +type NormalField; +type HeapType = [Ref, Field A B]B; +const unique $allocated: Field NormalField bool; +axiom (forall o: Ref, f: (Field NormalField Ref), Heap: HeapType :: + { Heap[o, f] } + Heap[o, $allocated] ==> Heap[Heap[o, f], $allocated] +); +function succHeap(Heap0: HeapType, Heap1: HeapType): bool; +function succHeapTrans(Heap0: HeapType, Heap1: HeapType): bool; +function IdenticalOnKnownLocations(Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType): bool; +function IsPredicateField(f_1: (Field A B)): bool; +function IsWandField(f_1: (Field A B)): bool; +function getPredicateId(f_1: (Field A B)): int; +// Frame all locations with direct permissions +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, o_1: Ref, f_2: (Field A B) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), ExhaleHeap[o_1, f_2] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, o_1, f_2) ==> Heap[o_1, f_2] == ExhaleHeap[o_1, f_2] +); +// Frame all predicate mask locations of predicates with direct permission +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsPredicateField(pm_f), ExhaleHeap[null, PredicateMaskField(pm_f)] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsPredicateField(pm_f) ==> Heap[null, PredicateMaskField(pm_f)] == ExhaleHeap[null, PredicateMaskField(pm_f)] +); +// Frame all locations with known folded permissions +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsPredicateField(pm_f) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsPredicateField(pm_f) ==> (forall o2: Ref, f_2: (Field A B) :: + { ExhaleHeap[o2, f_2] } + Heap[null, PredicateMaskField(pm_f)][o2, f_2] ==> Heap[o2, f_2] == ExhaleHeap[o2, f_2] + ) +); +// Frame all wand mask locations of wands with direct permission +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsWandField(pm_f), ExhaleHeap[null, WandMaskField(pm_f)] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsWandField(pm_f) ==> Heap[null, WandMaskField(pm_f)] == ExhaleHeap[null, WandMaskField(pm_f)] +); +// Frame all locations in the footprint of magic wands +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsWandField(pm_f) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsWandField(pm_f) ==> (forall o2: Ref, f_2: (Field A B) :: + { ExhaleHeap[o2, f_2] } + Heap[null, WandMaskField(pm_f)][o2, f_2] ==> Heap[o2, f_2] == ExhaleHeap[o2, f_2] + ) +); +// All previously-allocated references are still allocated +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, o_1: Ref :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), ExhaleHeap[o_1, $allocated] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> Heap[o_1, $allocated] ==> ExhaleHeap[o_1, $allocated] +); +// Updated Heaps are Successor Heaps +axiom (forall Heap: HeapType, o: Ref, f_3: (Field A B), v: B :: + { Heap[o, f_3:=v] } + succHeap(Heap, Heap[o, f_3:=v]) +); +// IdenticalOnKnownLocations Heaps are Successor Heaps +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> succHeap(Heap, ExhaleHeap) +); +// Successor Heaps are Transitive Successor Heaps +axiom (forall Heap0: HeapType, Heap1: HeapType :: + { succHeap(Heap0, Heap1) } + succHeap(Heap0, Heap1) ==> succHeapTrans(Heap0, Heap1) +); +// Transitivity of Transitive Successor Heaps +axiom (forall Heap0: HeapType, Heap1: HeapType, Heap2: HeapType :: + { succHeapTrans(Heap0, Heap1), succHeap(Heap1, Heap2) } + succHeapTrans(Heap0, Heap1) && succHeap(Heap1, Heap2) ==> succHeapTrans(Heap0, Heap2) +); + +// ================================================== +// Preamble of Permission module. +// ================================================== + +type Perm = real; +type MaskType = [Ref, Field A B]Perm; +var Mask: MaskType; +const ZeroMask: MaskType; +axiom (forall o_2: Ref, f_4: (Field A B) :: + { ZeroMask[o_2, f_4] } + ZeroMask[o_2, f_4] == NoPerm +); +type PMaskType = [Ref, Field A B]bool; +const ZeroPMask: PMaskType; +axiom (forall o_2: Ref, f_4: (Field A B) :: + { ZeroPMask[o_2, f_4] } + !ZeroPMask[o_2, f_4] +); +function PredicateMaskField(f_5: (Field A FrameType)): Field A PMaskType; +function WandMaskField(f_5: (Field A FrameType)): Field A PMaskType; +const NoPerm: Perm; +axiom NoPerm == 0.000000000; +const FullPerm: Perm; +axiom FullPerm == 1.000000000; +function Perm(a: real, b: real): Perm; +function GoodMask(Mask: MaskType): bool; +axiom (forall Heap: HeapType, Mask: MaskType :: + { state(Heap, Mask) } + state(Heap, Mask) ==> GoodMask(Mask) +); +axiom (forall Mask: MaskType, o_2: Ref, f_4: (Field A B) :: + { GoodMask(Mask), Mask[o_2, f_4] } + GoodMask(Mask) ==> Mask[o_2, f_4] >= NoPerm && ((GoodMask(Mask) && !IsPredicateField(f_4)) && !IsWandField(f_4) ==> Mask[o_2, f_4] <= FullPerm) +); +function HasDirectPerm(Mask: MaskType, o_2: Ref, f_4: (Field A B)): bool; +axiom (forall Mask: MaskType, o_2: Ref, f_4: (Field A B) :: + { HasDirectPerm(Mask, o_2, f_4) } + HasDirectPerm(Mask, o_2, f_4) <==> Mask[o_2, f_4] > NoPerm +); +function sumMask(ResultMask: MaskType, SummandMask1: MaskType, SummandMask2: MaskType): bool; +axiom (forall ResultMask: MaskType, SummandMask1: MaskType, SummandMask2: MaskType, o_2: Ref, f_4: (Field A B) :: + { sumMask(ResultMask, SummandMask1, SummandMask2), ResultMask[o_2, f_4] } { sumMask(ResultMask, SummandMask1, SummandMask2), SummandMask1[o_2, f_4] } { sumMask(ResultMask, SummandMask1, SummandMask2), SummandMask2[o_2, f_4] } + sumMask(ResultMask, SummandMask1, SummandMask2) ==> ResultMask[o_2, f_4] == SummandMask1[o_2, f_4] + SummandMask2[o_2, f_4] +); + +// ================================================== +// Preamble of Function and predicate module. +// ================================================== + +// Declarations for function framing +type FrameType; +const EmptyFrame: FrameType; +function FrameFragment(t: T): FrameType; +function ConditionalFrame(p: Perm, f_6: FrameType): FrameType; +function dummyFunction(t: T): bool; +function CombineFrames(a_1: FrameType, b_1: FrameType): FrameType; +// ================================================== +// Definition of conditional frame fragments +// ================================================== + +axiom (forall p: Perm, f_6: FrameType :: + { ConditionalFrame(p, f_6) } + ConditionalFrame(p, f_6) == (if p > 0.000000000 then f_6 else EmptyFrame) +); +// Function for recording enclosure of one predicate instance in another +function InsidePredicate(p: (Field A FrameType), v_1: FrameType, q: (Field B FrameType), w: FrameType): bool; +// Transitivity of InsidePredicate +axiom (forall p: (Field A FrameType), v_1: FrameType, q: (Field B FrameType), w: FrameType, r: (Field C FrameType), u: FrameType :: + { InsidePredicate(p, v_1, q, w), InsidePredicate(q, w, r, u) } + InsidePredicate(p, v_1, q, w) && InsidePredicate(q, w, r, u) ==> InsidePredicate(p, v_1, r, u) +); +// Knowledge that two identical instances of the same predicate cannot be inside each other +axiom (forall p: (Field A FrameType), v_1: FrameType, w: FrameType :: + { InsidePredicate(p, v_1, p, w) } + !InsidePredicate(p, v_1, p, w) +); + +// ================================================== +// Preamble of Sequence module. +// ================================================== + + // diff 0 implemented (no difference) + // diff 1 implemented (fixes test5 in sequences.sil) + // diff 2 implemented (fixes m01 and m03 in quantifiedpermissions/issues/issue_0064) + // diff 3 implemented (no difference) + // diff 4 implemented (no difference) + // diff 5 implemented (fixes colourings0 in sequence-incompletenesses test case) + // diff 6 implemented (no difference) + // diff 7 implemented + // diff 8 implemented (allows for contains triggering, without destroying performance of e.g. functions/linkedlists test case) + // diff 11 implemented + // diff 13 implemented, for now (may reduce completeness, but there's a known matching loop when the first drop amount is 0); another option would be to add !=0 as an explicit condition + // diff 14 implemented: eliminate index over take/drop for trivial cases (to avoid matching loops when e.g. s[i..] == s is known) + // diff 16 implemented: remove general cases of equality-learning between take/drop/append subsequences; only allow when take/drop are at top level (this affects linkedlists test case) +// START BASICS +type Seq T; + +function Seq#Length(Seq T): int; +axiom (forall s: Seq T :: { Seq#Length(s) } 0 <= Seq#Length(s)); + +function Seq#Empty(): Seq T; +axiom (forall :: Seq#Length(Seq#Empty(): Seq T) == 0); +axiom (forall s: Seq T :: { Seq#Length(s) } Seq#Length(s) == 0 ==> s == Seq#Empty()); + +function Seq#Singleton(T): Seq T; +//axiom (forall t: T :: { Seq#Length(Seq#Singleton(t)) } Seq#Length(Seq#Singleton(t)) == 1);// (diff 2 (old)) +axiom (forall t: T :: { Seq#Singleton(t) } Seq#Length(Seq#Singleton(t)) == 1);// (diff 2: changed trigger) + +function Seq#Append(Seq T, Seq T): Seq T; +axiom (forall s0: Seq T, s1: Seq T :: { Seq#Length(Seq#Append(s0,s1)) } +s0 != Seq#Empty() && s1 != Seq#Empty() ==> //diff 11: consider removing constraints + Seq#Length(Seq#Append(s0,s1)) == Seq#Length(s0) + Seq#Length(s1)); + +//axiom (forall s: Seq T :: { Seq#Append(Seq#Empty(),s) } Seq#Append(Seq#Empty(),s) == s); // (diff 11: switched to double-quantified version) +//axiom (forall s: Seq T :: { Seq#Append(s,Seq#Empty()) } Seq#Append(s,Seq#Empty()) == s); // (diff 11: switched to double-quantified version) +axiom (forall s0: Seq T, s1: Seq T :: { Seq#Append(s0,s1) } (s0 == Seq#Empty() ==> Seq#Append(s0,s1) == s1) && (s1 == Seq#Empty() ==> Seq#Append(s0,s1) == s0)); // diff 11: switched to double-quantified version + +function Seq#Index(Seq T, int): T; +//axiom (forall t: T :: { Seq#Index(Seq#Singleton(t), 0) } Seq#Index(Seq#Singleton(t), 0) == t); // (diff 2 (old)) +axiom (forall t: T :: { Seq#Singleton(t) } Seq#Index(Seq#Singleton(t), 0) == t); // (diff 2: changed trigger) + +// END BASICS + +// START INDEX-APPEND-UPDATE + +// extra addition function used to force equalities into the e-graph +function Seq#Add(int, int) : int; +axiom (forall i: int, j: int :: {Seq#Add(i,j)} Seq#Add(i,j) == i + j); +function Seq#Sub(int, int) : int; +axiom (forall i: int, j: int :: {Seq#Sub(i,j)} Seq#Sub(i,j) == i - j); + +// (diff 3 (old)) +//axiom (forall s0: Seq T, s1: Seq T, n: int :: { Seq#Index(Seq#Append(s0,s1), n) } // {:weight 25} // AS: dropped weight +// s0 != Seq#Empty() && s1 != Seq#Empty() ==> +// ((n < Seq#Length(s0) ==> Seq#Index(Seq#Append(s0,s1), n) == Seq#Index(s0, n)) && +// (Seq#Length(s0) <= n ==> Seq#Index(Seq#Append(s0,s1), n) == Seq#Index(s1, n - Seq#Length(s0))))); + +// (diff 3: split axiom, added constraints, replace arithmetic) // diff 11: consider removing constraints +axiom (forall s0: Seq T, s1: Seq T, n: int :: { Seq#Index(Seq#Append(s0,s1), n) } { Seq#Index(s0, n), Seq#Append(s0,s1) } // AS: added alternative trigger + (s0 != Seq#Empty() && s1 != Seq#Empty() && 0 <= n && n < Seq#Length(s0) ==> Seq#Index(Seq#Append(s0,s1), n) == Seq#Index(s0, n))); +axiom (forall s0: Seq T, s1: Seq T, n: int :: { Seq#Index(Seq#Append(s0,s1), n) } // term below breaks loops + s0 != Seq#Empty() && s1 != Seq#Empty() && Seq#Length(s0) <= n && n < Seq#Length(Seq#Append(s0,s1)) ==> Seq#Add(Seq#Sub(n,Seq#Length(s0)),Seq#Length(s0)) == n && Seq#Index(Seq#Append(s0,s1), n) == Seq#Index(s1, Seq#Sub(n,Seq#Length(s0)))); +// AS: added "reverse triggering" versions of the axioms +axiom (forall s0: Seq T, s1: Seq T, m: int :: { Seq#Index(s1, m), Seq#Append(s0,s1)} // m == n-|s0|, n == m + |s0| + s0 != Seq#Empty() && s1 != Seq#Empty() && 0 <= m && m < Seq#Length(s1) ==> Seq#Sub(Seq#Add(m,Seq#Length(s0)),Seq#Length(s0)) == m && Seq#Index(Seq#Append(s0,s1), Seq#Add(m,Seq#Length(s0))) == Seq#Index(s1, m)); + +function Seq#Update(Seq T, int, T): Seq T; +axiom (forall s: Seq T, i: int, v: T :: { Seq#Length(Seq#Update(s,i,v)) } {Seq#Length(s),Seq#Update(s,i,v)} // (diff 4: added trigger) + 0 <= i && i < Seq#Length(s) ==> Seq#Length(Seq#Update(s,i,v)) == Seq#Length(s)); +axiom (forall s: Seq T, i: int, v: T, n: int :: { Seq#Index(Seq#Update(s,i,v),n) } { Seq#Index(s,n), Seq#Update(s,i,v) } // (diff 4: added trigger) + 0 <= n && n < Seq#Length(s) ==> + (i == n ==> Seq#Index(Seq#Update(s,i,v),n) == v) && + (i != n ==> Seq#Index(Seq#Update(s,i,v),n) == Seq#Index(s,n))); + +// END INDEX-APPEND-UPDATE + +// START TAKE/DROP + +function Seq#Take(s: Seq T, howMany: int): Seq T; +// AS: added triggers +axiom (forall s: Seq T, n: int :: { Seq#Length(Seq#Take(s,n)) } { Seq#Take(s,n), Seq#Length(s)} // (diff 7: add trigger) + (0 <= n ==> + (n <= Seq#Length(s) ==> Seq#Length(Seq#Take(s,n)) == n) && + (Seq#Length(s) < n ==> Seq#Length(Seq#Take(s,n)) == Seq#Length(s))) + && + (n < 0 ==> Seq#Length(Seq#Take(s,n)) == 0)); // (diff 7: added case for n < 0) + +// ** AS: 2nd of 3 axioms which get instantiated very often in certain problems involving take/drop/append +axiom (forall s: Seq T, n: int, j: int :: { Seq#Index(Seq#Take(s,n), j) } {Seq#Index(s,j), Seq#Take(s,n)} // (diff 0: (was already done)) : add trigger // {:weight 25} // AS: dropped weight + 0 <= j && j < n && j < Seq#Length(s) ==> + Seq#Index(Seq#Take(s,n), j) == Seq#Index(s, j)); + +function Seq#Drop(s: Seq T, howMany: int): Seq T; +axiom (forall s: Seq T, n: int :: { Seq#Length(Seq#Drop(s,n)) } {Seq#Length(s), Seq#Drop(s,n)} // (diff 5: added trigger, exchange arithmetic) + (0 <= n ==> + (n <= Seq#Length(s) ==> Seq#Length(Seq#Drop(s,n)) == Seq#Length(s) - n) && + (Seq#Length(s) < n ==> Seq#Length(Seq#Drop(s,n)) == 0)) + && + (n < 0 ==> Seq#Length(Seq#Drop(s,n)) == Seq#Length(s)) // (diff 7: added cases for n < 0) + ); + +// ** AS: 3rd of 3 axioms which get instantiated very often in certain problems involving take/drop/append +// diff 5 (old) +//axiom (forall s: Seq T, n: int, j: int :: { Seq#Index(Seq#Drop(s,n), j) } // {:weight 25} // AS: dropped weight +// 0 <= n && 0 <= j && j < Seq#Length(s)-n ==> +// Seq#Index(Seq#Drop(s,n), j) == Seq#Index(s, j+n)); +// +// diff already added // diff -1: try removing this axiom and checking effect +//axiom (forall s: Seq T, n: int, k: int :: { Seq#Drop(s,n), Seq#Index(s,k) } // AS: alternative triggering for above axiom +// 0 <= n && n <= k && k < Seq#Length(s) ==> +// Seq#Index(Seq#Drop(s,n), k-n) == Seq#Index(s, k)); + +// diff 5: split axiom, added triggering case, exhanged arithmetic + +axiom (forall s: Seq T, n: int, j: int :: { Seq#Index(Seq#Drop(s,n), j) } // {:weight 25} // AS: dropped weight + 0 < n && 0 <= j && j < Seq#Length(s)-n ==> // diff 14: change 0 <= n to 0 < n + Seq#Sub(Seq#Add(j,n),n) == j && Seq#Index(Seq#Drop(s,n), j) == Seq#Index(s, Seq#Add(j,n))); + +axiom (forall s: Seq T, n: int, i: int :: { Seq#Drop(s,n), Seq#Index(s,i) } + 0 < n && n <= i && i < Seq#Length(s) ==> // diff 14: change 0 <= n to 0 < n + Seq#Add(Seq#Sub(i,n),n) == i && Seq#Index(Seq#Drop(s,n), Seq#Sub(i,n)) == Seq#Index(s, i)); // i = j + n, j = i - n + +// (diff 6a: add axioms for the 0 > n case) +//axiom (forall s: Seq T, n: int, j: int :: { Seq#Index(Seq#Drop(s,n), j) } // {:weight 25} // AS: dropped weight +// n <= 0 && 0 <= j && j < Seq#Length(s) ==> // diff 14: change n < 0 to n <= 0 +// Seq#Index(Seq#Drop(s,n), j) == Seq#Index(s, j)); + +// (diff 6a: add axioms for the 0 > n case) +//axiom (forall s: Seq T, n: int, i: int :: { Seq#Drop(s,n), Seq#Index(s,i) } +// n <= 0 && 0 <= i && i < Seq#Length(s) ==> // diff 14: change n < 0 to n <= 0 +// Seq#Index(Seq#Drop(s,n), i) == Seq#Index(s, i)); // i = j + n, j = i - n + +// ** AS: We dropped the weak trigger on this axiom. One option is to strengthen the triggers: +//axiom (forall s, t: Seq T :: +// // { Seq#Append(s, t) } +// {Seq#Take(Seq#Append(s, t), Seq#Length(s))}{Seq#Drop(Seq#Append(s, t), Seq#Length(s))} +// Seq#Take(Seq#Append(s, t), Seq#Length(s)) == s && +// Seq#Drop(Seq#Append(s, t), Seq#Length(s)) == t); + +// ** AS: another option is to split the axiom (for some reason, this seems in some cases to perform slightly less well (but this could be random): +//axiom (forall s, t: Seq T :: +// { Seq#Take(Seq#Append(s, t), Seq#Length(s)) } +// Seq#Take(Seq#Append(s, t), Seq#Length(s)) == s); + +//axiom (forall s, t: Seq T :: +// { Seq#Drop(Seq#Append(s, t), Seq#Length(s)) } +// Seq#Drop(Seq#Append(s, t), Seq#Length(s)) == t); + +// (diff 6b: remove these?) +/* Removed: at present, Carbon doesn't generate Seq#Update (but desugars via take/drop/append) +// Commutability of Take and Drop with Update. +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Take(Seq#Update(s, i, v), n) } +// 0 <= i && i < n && n < Seq#Length(s) ==> Seq#Take(Seq#Update(s, i, v), n) == Seq#Update(Seq#Take(s, n), i, v) ); + 0 <= i && i < n && i < Seq#Length(s) ==> Seq#Take(Seq#Update(s, i, v), n) == Seq#Update(Seq#Take(s, n), i, v) ); +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Take(Seq#Update(s, i, v), n) } + n <= i && i < Seq#Length(s) ==> Seq#Take(Seq#Update(s, i, v), n) == Seq#Take(s, n)); +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Drop(Seq#Update(s, i, v), n) } +// 0 <= n && n <= i && i < Seq#Length(s) ==> Seq#Drop(Seq#Update(s, i, v), n) == Seq#Update(Seq#Drop(s, n), i-n, v) ); + 0 <= i && n <=i && i < Seq#Length(s) ==> Seq#Drop(Seq#Update(s, i, v), n) == Seq#Update(Seq#Drop(s, n), i-n, v) ); +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Drop(Seq#Update(s, i, v), n) } +// 0 <= i && i < n && n < Seq#Length(s) ==> Seq#Drop(Seq#Update(s, i, v), n) == Seq#Drop(s, n)); + 0 <= i && i < n && i < Seq#Length(s) ==> Seq#Drop(Seq#Update(s, i, v), n) == Seq#Drop(s, n)); +*/ + +axiom (forall s: Seq T, t: Seq T, n:int :: + { Seq#Take(Seq#Append(s,t),n) } //{Seq#Append(s,t), Seq#Take(s,n)} // diff 16: temporarily dropped general case of these + 0 < n && n <= Seq#Length(s) ==> Seq#Take(Seq#Append(s,t),n) == Seq#Take(s,n)); + +axiom (forall s: Seq T, t: Seq T, n:int :: + { Seq#Take(Seq#Append(s,t),n) } + n > 0 && n > Seq#Length(s) ==> Seq#Add(Seq#Sub(n,Seq#Length(s)),Seq#Length(s)) == n && Seq#Take(Seq#Append(s,t),n) == Seq#Append(s,Seq#Take(t,Seq#Sub(n,Seq#Length(s))))); + +// diff 16: temporarily dropped general case of these +//axiom (forall s: Seq T, t: Seq T, m:int :: +// { Seq#Append(s,Seq#Take(t,m)) } //{Seq#Append(s,t), Seq#Take(t,m)} // diff 16: temporarily dropped general case of these // reverse triggering version of above: m = n - |s|, n = m + |s| +// m > 0 ==> Seq#Sub(Seq#Add(m,Seq#Length(s)),Seq#Length(s)) == m && Seq#Take(Seq#Append(s,t),Seq#Add(m,Seq#Length(s))) == Seq#Append(s,Seq#Take(t,m))); + +axiom (forall s: Seq T, t: Seq T, n:int :: + { Seq#Drop(Seq#Append(s,t),n) } //{Seq#Append(s,t), Seq#Drop(s,n)} // diff 16: temporarily dropped general case of these + 0 Seq#Drop(Seq#Append(s,t),n) == Seq#Append(Seq#Drop(s,n),t)); + +axiom (forall s: Seq T, t: Seq T, n:int :: + { Seq#Drop(Seq#Append(s,t),n) } + n > 0 && n > Seq#Length(s) ==> Seq#Add(Seq#Sub(n,Seq#Length(s)),Seq#Length(s)) == n && Seq#Drop(Seq#Append(s,t),n) == Seq#Drop(t,Seq#Sub(n,Seq#Length(s)))); + +// diff 16: temporarily dropped general case of these +//axiom (forall s: Seq T, t: Seq T, m:int :: +// { Seq#Append(s,t),Seq#Drop(t,m) } // reverse triggering version of above: m = n - |s|, n = m + |s| +// m > 0 ==> Seq#Sub(Seq#Add(m,Seq#Length(s)),Seq#Length(s)) == m && Seq#Drop(Seq#Append(s,t),Seq#Add(m,Seq#Length(s))) == Seq#Drop(t,m)); + +// Additional axioms about common things +axiom (forall s: Seq T, n: int :: { Seq#Drop(s, n) } // ** NEW + n <= 0 ==> Seq#Drop(s, n) == s); // (diff 1: try changing n==0 to n<=0 (should be ok)) +axiom (forall s: Seq T, n: int :: { Seq#Take(s, n) } // ** NEW + n <= 0 ==> Seq#Take(s, n) == Seq#Empty()); // (diff 1: try changing n==0 to n<=0 (should be ok)) +// diff 13: remove this? +//axiom (forall s: Seq T, m, n: int :: { Seq#Drop(Seq#Drop(s, m), n) } // ** NEW - AS: could have bad triggering behaviour? +// 0 <= m && 0 <= n && m+n <= Seq#Length(s) ==> +// Seq#Sub(Seq#Add(m,n),n) == m && Seq#Drop(Seq#Drop(s, m), n) == Seq#Drop(s, Seq#Add(m,n))); + +// END TAKE/DROP + +// START CONTAINS +// diff 8: skolemisation (old) +function Seq#Contains(Seq T, T): bool; +function Seq#ContainsTrigger(Seq T, T): bool; // usages of Contains inside quantifier triggers are replaced with this +function Seq#Skolem(Seq T, T) : int; // skolem function for Seq#Contains // (diff 8: added) +axiom (forall s: Seq T, x: T :: { Seq#Contains(s,x) } + Seq#Contains(s,x) ==> + (0 <= Seq#Skolem(s,x) && Seq#Skolem(s,x) < Seq#Length(s) && Seq#Index(s,Seq#Skolem(s,x)) == x)); // (diff 8: skolem function) +axiom (forall s: Seq T, x: T, i:int :: { Seq#Contains(s,x), Seq#Index(s,i) } // only trigger if interested in the Contains term + (0 <= i && i < Seq#Length(s) && Seq#Index(s,i) == x ==> Seq#Contains(s,x))); +axiom (forall s: Seq T, i:int :: { Seq#Index(s,i) } + (0 <= i && i < Seq#Length(s) ==> Seq#ContainsTrigger(s,Seq#Index(s,i)))); +// ** AS: made one change here - changed type of x from ref to T +/*axiom (forall x: T :: + { Seq#Contains(Seq#Empty(), x) } + !Seq#Contains(Seq#Empty(), x)); +axiom (forall s0: Seq T, s1: Seq T, x: T :: + { Seq#Contains(Seq#Append(s0, s1), x) } + Seq#Contains(Seq#Append(s0, s1), x) <==> + Seq#Contains(s0, x) || Seq#Contains(s1, x)); + +axiom (forall s: Seq T, n: int, x: T :: + { Seq#Contains(Seq#Take(s, n), x) } + Seq#Contains(Seq#Take(s, n), x) <==> + (exists i: int :: { Seq#Index(s, i) } + 0 <= i && i < n && i < Seq#Length(s) && Seq#Index(s, i) == x)); +axiom (forall s: Seq T, n: int, x: T :: + { Seq#Contains(Seq#Drop(s, n), x) } + Seq#Contains(Seq#Drop(s, n), x) <==> + (exists i: int :: { Seq#Index(s, i) } + 0 <= n && n <= i && i < Seq#Length(s) && Seq#Index(s, i) == x)); +*/ +// diff 8: skolemisation (new) +/* +function Seq#Skolem(Seq T, T) : int; // skolem function for Seq#Contains +function Seq#SkolemContainsDrop(Seq T, int, T) : int; // skolem function for Seq#Contains over drop +function Seq#SkolemContainsTake(Seq T, int, T) : int; // skolem function for Seq#Contains over take + +function Seq#Contains(Seq T, T): bool; +axiom (forall s: Seq T, x: T :: { Seq#Contains(s,x) } + Seq#Contains(s,x) ==> s != Seq#Empty() && Seq#Length(s) > 0 && 0 <= Seq#Skolem(s,x) && + Seq#Skolem(s,x) < Seq#Length(s) && Seq#Index(s,Seq#Skolem(s,x)) == x); + +// AS: note: this is an unusual axiom, but is basically the original +// Consider writing a version without the (precise) first trigger? Also see later versions +axiom (forall s: Seq T, x: T, i:int :: { Seq#Contains(s,x), Seq#Index(s,i) } + 0 <= i && i < Seq#Length(s) && Seq#Index(s,i) == x ==> Seq#Contains(s,x)); + +// ** AS: made one change here - changed type of x from ref to T +axiom (forall x: T :: + { Seq#Contains(Seq#Empty(), x) } + !Seq#Contains(Seq#Empty(), x)); + +// AS: Consider dropping this axiom? +axiom (forall s0: Seq T, s1: Seq T, x: T :: + { Seq#Contains(Seq#Append(s0, s1), x) } { Seq#Contains(s0,x), Seq#Append(s0,s1)} { Seq#Contains(s1,x), Seq#Append(s0,s1)} // AS: added triggers + Seq#Contains(Seq#Append(s0, s1), x) <==> + Seq#Contains(s0, x) || Seq#Contains(s1, x)); + +// AS: split axioms +axiom (forall s: Seq T, n: int, x: T :: + { Seq#Contains(Seq#Take(s, n), x) } + Seq#Contains(Seq#Take(s, n), x) ==> + (Seq#Take(s, n) != Seq#Empty() && Seq#Length(Seq#Take(s, n)) > 0 && + 0 <= Seq#SkolemContainsTake(s, n, x) && Seq#SkolemContainsTake(s, n, x) < n && + Seq#SkolemContainsTake(s, n, x) < Seq#Length(s) && + Seq#Index(s, Seq#SkolemContainsTake(s, n, x)) == x)); + +axiom (forall s: Seq T, n: int, x: T, i:int :: + { Seq#Contains(Seq#Take(s, n), x), Seq#Index(s, i) } + 0 <= i && i < n && i < Seq#Length(s) && Seq#Index(s, i) == x ==> + Seq#Contains(Seq#Take(s, n), x)); + +// AS: split axioms +axiom (forall s: Seq T, n: int, x: T :: + { Seq#Contains(Seq#Drop(s, n), x) } + Seq#Contains(Seq#Drop(s, n), x) ==> + ( 0 <= Seq#SkolemContainsDrop(s, n, x) && n <= Seq#SkolemContainsDrop(s, n, x) && + Seq#SkolemContainsDrop(s, n, x) < Seq#Length(s) && + Seq#Index(s, Seq#SkolemContainsDrop(s, n, x)) == x)); + +axiom (forall s: Seq T, n: int, x: T, i:int :: + { Seq#Contains(Seq#Drop(s, n), x), Seq#Index(s, i) } + 0 <= n && n <= i && i < Seq#Length(s) && Seq#Index(s, i) == x ==> + Seq#Contains(Seq#Drop(s, n), x)); +*/ + +// END CONTAINS + +// START EQUALS + +// diff 9 : skolemise equals (old) +function Seq#Equal(Seq T, Seq T): bool; +/*axiom (forall s0: Seq T, s1: Seq T :: { Seq#Equal(s0,s1) } + Seq#Equal(s0,s1) <==> + Seq#Length(s0) == Seq#Length(s1) && + (forall j: int :: { Seq#Index(s0,j) } { Seq#Index(s1,j) } + 0 <= j && j < Seq#Length(s0) ==> Seq#Index(s0,j) == Seq#Index(s1,j))); + +axiom (forall a: Seq T, b: Seq T :: { Seq#Equal(a,b) } // extensionality axiom for sequences + Seq#Equal(a,b) ==> a == b); +*/ +// diff 9: skolemise equals (new) +// AS: split axiom +axiom (forall s0: Seq T, s1: Seq T :: { Seq#Equal(s0,s1) } + Seq#Equal(s0,s1) ==> + Seq#Length(s0) == Seq#Length(s1) && + (forall j: int :: { Seq#Index(s0,j) } { Seq#Index(s1,j) } + 0 <= j && j < Seq#Length(s0) ==> Seq#Index(s0,j) == Seq#Index(s1,j))); + +function Seq#SkolemDiff(Seq T, Seq T) : int; // skolem function for Seq#Equals + +axiom (forall s0: Seq T, s1: Seq T :: { Seq#Equal(s0,s1) } + (s0==s1 && Seq#Equal(s0,s1)) || (s0!=s1 && !Seq#Equal(s0,s1) && Seq#Length(s0) != Seq#Length(s1)) || + (s0 != s1 && !Seq#Equal(s0,s1) && Seq#Length(s0) == Seq#Length(s1) && Seq#SkolemDiff(s0,s1) == Seq#SkolemDiff(s1,s0) && 0 <= Seq#SkolemDiff(s0,s1) && Seq#SkolemDiff(s0,s1) < Seq#Length(s0) && + Seq#Index(s0,Seq#SkolemDiff(s0,s1)) != Seq#Index(s1,Seq#SkolemDiff(s0,s1)))); + +axiom (forall a: Seq T, b: Seq T :: { Seq#Equal(a,b) } // extensionality axiom for sequences + Seq#Equal(a,b) ==> a == b); + + +// END EQUALS + + +// START EXTRAS + +// extra stuff not in current Dafny Prelude + +// diff 10: variant of trigger (maybe drop these?) +// old: +axiom (forall x, y: T :: + { Seq#Contains(Seq#Singleton(x),y) } + Seq#Contains(Seq#Singleton(x),y) <==> x==y); +// new: +/*axiom (forall x, y: T :: + { Seq#Contains(Seq#Singleton(x),y) } + Seq#Contains(Seq#Singleton(x),y) ==> x==y); + +axiom (forall x: T :: + { Seq#Singleton(x) } + Seq#Contains(Seq#Singleton(x),x)); +*/ + +function Seq#Range(min: int, max: int) returns (Seq int); +axiom (forall min: int, max: int :: { Seq#Length(Seq#Range(min, max)) } (min < max ==> Seq#Length(Seq#Range(min, max)) == max-min) && (max <= min ==> Seq#Length(Seq#Range(min, max)) == 0)); +axiom (forall min: int, max: int, j: int :: { Seq#Index(Seq#Range(min, max), j) } 0<=j && j Seq#Index(Seq#Range(min, max), j) == min + j); + +axiom (forall min: int, max: int, v: int :: {Seq#Contains(Seq#Range(min, max),v)} + (Seq#Contains(Seq#Range(min, max),v) <==> min <= v && v < max)); + +// END EXTRAS + + +// ================================================== +// Translation of method example1_pkg_F +// ================================================== + +procedure example1_pkg_F(xs_pkg_V0: (Seq int)) returns () + modifies Heap, Mask; +{ + var returnLabel_lblGuard: bool; + var xs_pkg_V0_CN0: (Seq int); + var ys_pkg_V1: (Seq int); + var LabelreturnLabelMask: MaskType; + var LabelreturnLabelHeap: HeapType; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + returnLabel_lblGuard := false; + + // -- Checked inhaling of precondition + assume state(Heap, Mask); + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Translating statement: xs_pkg_V0_CN0 := Seq[Int]() -- seq-slice-simple1.gobra.vpr@8.3--8.30 + xs_pkg_V0_CN0 := (Seq#Empty(): Seq int); + assume state(Heap, Mask); + + // -- Translating statement: xs_pkg_V0_CN0 := xs_pkg_V0 -- seq-slice-simple1.gobra.vpr@12.3--12.29 + xs_pkg_V0_CN0 := xs_pkg_V0; + assume state(Heap, Mask); + + // -- Translating statement: ys_pkg_V1 := Seq[Int]() -- seq-slice-simple1.gobra.vpr@17.3--17.26 + ys_pkg_V1 := (Seq#Empty(): Seq int); + assume state(Heap, Mask); + + // -- Translating statement: ys_pkg_V1 := xs_pkg_V0_CN0[1..][..14 - 1] -- seq-slice-simple1.gobra.vpr@21.3--21.44 + ys_pkg_V1 := Seq#Take(Seq#Drop(xs_pkg_V0_CN0, 1), 13); + assume state(Heap, Mask); + + // -- Translating statement: label returnLabel -- seq-slice-simple1.gobra.vpr@22.3--22.20 + returnLabel: + LabelreturnLabelMask := Mask; + LabelreturnLabelHeap := Heap; + returnLabel_lblGuard := true; + assume state(Heap, Mask); +} + +// ================================================== +// Translation of method example2_pkg_F +// ================================================== + +procedure example2_pkg_F() returns () + modifies Heap, Mask; +{ + var returnLabel_lblGuard: bool; + var LabelreturnLabelMask: MaskType; + var LabelreturnLabelHeap: HeapType; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + returnLabel_lblGuard := false; + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Translating statement: assert true && [0..10)[5..] == [5..10) -- seq-slice-simple1.gobra.vpr@36.3--36.41 + assert {:msg " Assert might fail. Assertion [0..10)[5..] == [5..10) might not hold. (seq-slice-simple1.gobra.vpr@36.10--36.41) [44]"} + Seq#Equal(Seq#Drop(Seq#Range(0, 10), 5), Seq#Range(5, 10)); + assume state(Heap, Mask); + + // -- Translating statement: assert true && [0..10)[..5] == [0..5) -- seq-slice-simple1.gobra.vpr@40.3--40.40 + assert {:msg " Assert might fail. Assertion [0..10)[..5] == [0..5) might not hold. (seq-slice-simple1.gobra.vpr@40.10--40.40) [46]"} + Seq#Equal(Seq#Take(Seq#Range(0, 10), 5), Seq#Range(0, 5)); + assume state(Heap, Mask); + + // -- Translating statement: label returnLabel -- seq-slice-simple1.gobra.vpr@41.3--41.20 + returnLabel: + LabelreturnLabelMask := Mask; + LabelreturnLabelHeap := Heap; + returnLabel_lblGuard := true; + assume state(Heap, Mask); +} + +// ================================================== +// Translation of method example3_pkg_F +// ================================================== + +procedure example3_pkg_F() returns () + modifies Heap, Mask; +{ + var returnLabel_lblGuard: bool; + var LabelreturnLabelMask: MaskType; + var LabelreturnLabelHeap: HeapType; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + returnLabel_lblGuard := false; + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Translating statement: assert true && [0..10)[1..][2..][3..] == [6..10) -- seq-slice-simple1.gobra.vpr@55.3--55.51 + assert {:msg " Assert might fail. Assertion [0..10)[1..][2..][3..] == [6..10) might not hold. (seq-slice-simple1.gobra.vpr@55.10--55.51) [48]"} + Seq#Equal(Seq#Drop(Seq#Drop(Seq#Drop(Seq#Range(0, 10), 1), 2), 3), Seq#Range(6, 10)); + assume state(Heap, Mask); + + // -- Translating statement: assert true && [0..10)[..5][..3] == [0..3) -- seq-slice-simple1.gobra.vpr@59.3--59.45 + assert {:msg " Assert might fail. Assertion [0..10)[..5][..3] == [0..3) might not hold. (seq-slice-simple1.gobra.vpr@59.10--59.45) [50]"} + Seq#Equal(Seq#Take(Seq#Take(Seq#Range(0, 10), 5), 3), Seq#Range(0, 3)); + assume state(Heap, Mask); + + // -- Translating statement: label returnLabel -- seq-slice-simple1.gobra.vpr@60.3--60.20 + returnLabel: + LabelreturnLabelMask := Mask; + LabelreturnLabelHeap := Heap; + returnLabel_lblGuard := true; + assume state(Heap, Mask); +} + +// ================================================== +// Translation of method example4_pkg_F +// ================================================== + +procedure example4_pkg_F(xs_pkg_V2: (Seq int)) returns () + modifies Heap, Mask; +{ + var returnLabel_lblGuard: bool; + var xs_pkg_V2_CN1: (Seq int); + var LabelreturnLabelMask: MaskType; + var LabelreturnLabelHeap: HeapType; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + returnLabel_lblGuard := false; + + // -- Checked inhaling of precondition + assume state(Heap, Mask); + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Translating statement: xs_pkg_V2_CN1 := Seq[Int]() -- seq-slice-simple1.gobra.vpr@70.3--70.30 + xs_pkg_V2_CN1 := (Seq#Empty(): Seq int); + assume state(Heap, Mask); + + // -- Translating statement: xs_pkg_V2_CN1 := xs_pkg_V2 -- seq-slice-simple1.gobra.vpr@74.3--74.29 + xs_pkg_V2_CN1 := xs_pkg_V2; + assume state(Heap, Mask); + + // -- Translating statement: assert true && xs_pkg_V2_CN1[0..] == xs_pkg_V2_CN1 -- seq-slice-simple1.gobra.vpr@81.3--81.53 + assert {:msg " Assert might fail. Assertion xs_pkg_V2_CN1[0..] == xs_pkg_V2_CN1 might not hold. (seq-slice-simple1.gobra.vpr@81.10--81.53) [52]"} + Seq#Equal(Seq#Drop(xs_pkg_V2_CN1, 0), xs_pkg_V2_CN1); + assume state(Heap, Mask); + + // -- Translating statement: assert true && xs_pkg_V2_CN1[..|xs_pkg_V2_CN1|] == xs_pkg_V2_CN1 -- seq-slice-simple1.gobra.vpr@85.3--85.67 + assert {:msg " Assert might fail. Assertion xs_pkg_V2_CN1[..|xs_pkg_V2_CN1|] == xs_pkg_V2_CN1 might not hold. (seq-slice-simple1.gobra.vpr@85.10--85.67) [54]"} + Seq#Equal(Seq#Take(xs_pkg_V2_CN1, Seq#Length(xs_pkg_V2_CN1)), xs_pkg_V2_CN1); + assume state(Heap, Mask); + + // -- Translating statement: assert true && xs_pkg_V2_CN1 == xs_pkg_V2_CN1 -- seq-slice-simple1.gobra.vpr@89.3--89.48 + assert {:msg " Assert might fail. Assertion xs_pkg_V2_CN1 == xs_pkg_V2_CN1 might not hold. (seq-slice-simple1.gobra.vpr@89.10--89.48) [56]"} + Seq#Equal(xs_pkg_V2_CN1, xs_pkg_V2_CN1); + assume state(Heap, Mask); + + // -- Translating statement: assert true && xs_pkg_V2_CN1[0..][..|xs_pkg_V2_CN1| - 0] == xs_pkg_V2_CN1 -- seq-slice-simple1.gobra.vpr@93.3--93.76 + assert {:msg " Assert might fail. Assertion xs_pkg_V2_CN1[0..][..|xs_pkg_V2_CN1| - 0] == xs_pkg_V2_CN1 might not hold. (seq-slice-simple1.gobra.vpr@93.10--93.76) [58]"} + Seq#Equal(Seq#Take(Seq#Drop(xs_pkg_V2_CN1, 0), Seq#Length(xs_pkg_V2_CN1) - 0), xs_pkg_V2_CN1); + assume state(Heap, Mask); + + // -- Translating statement: label returnLabel -- seq-slice-simple1.gobra.vpr@94.3--94.20 + returnLabel: + LabelreturnLabelMask := Mask; + LabelreturnLabelHeap := Heap; + returnLabel_lblGuard := true; + assume state(Heap, Mask); +} + +// ================================================== +// Translation of method example5_pkg_F +// ================================================== + +procedure example5_pkg_F() returns () + modifies Heap, Mask; +{ + var returnLabel_lblGuard: bool; + var LabelreturnLabelMask: MaskType; + var LabelreturnLabelHeap: HeapType; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + returnLabel_lblGuard := false; + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Translating statement: assert true && Seq(1, 2, 4, 8)[2..] == Seq(4, 8) -- seq-slice-simple1.gobra.vpr@108.3--108.51 + assert {:msg " Assert might fail. Assertion Seq(1, 2, 4, 8)[2..] == Seq(4, 8) might not hold. (seq-slice-simple1.gobra.vpr@108.10--108.51) [60]"} + Seq#Equal(Seq#Drop(Seq#Append(Seq#Append(Seq#Append(Seq#Singleton(1), Seq#Singleton(2)), Seq#Singleton(4)), Seq#Singleton(8)), 2), Seq#Append(Seq#Singleton(4), Seq#Singleton(8))); + assume state(Heap, Mask); + + // -- Translating statement: assert true && Seq(1, 2, 4, 8)[..2] == Seq(1, 2) -- seq-slice-simple1.gobra.vpr@112.3--112.51 + assert {:msg " Assert might fail. Assertion Seq(1, 2, 4, 8)[..2] == Seq(1, 2) might not hold. (seq-slice-simple1.gobra.vpr@112.10--112.51) [62]"} + Seq#Equal(Seq#Take(Seq#Append(Seq#Append(Seq#Append(Seq#Singleton(1), Seq#Singleton(2)), Seq#Singleton(4)), Seq#Singleton(8)), 2), Seq#Append(Seq#Singleton(1), Seq#Singleton(2))); + assume state(Heap, Mask); + + // -- Translating statement: assert true && Seq(1, 2, 4, 8)[1..][..3 - 1] == Seq(2, 4) -- seq-slice-simple1.gobra.vpr@116.3--116.60 + assert {:msg " Assert might fail. Assertion Seq(1, 2, 4, 8)[1..][..3 - 1] == Seq(2, 4) might not hold. (seq-slice-simple1.gobra.vpr@116.10--116.60) [64]"} + Seq#Equal(Seq#Take(Seq#Drop(Seq#Append(Seq#Append(Seq#Append(Seq#Singleton(1), Seq#Singleton(2)), Seq#Singleton(4)), Seq#Singleton(8)), 1), 2), Seq#Append(Seq#Singleton(2), Seq#Singleton(4))); + assume state(Heap, Mask); + + // -- Translating statement: label returnLabel -- seq-slice-simple1.gobra.vpr@117.3--117.20 + returnLabel: + LabelreturnLabelMask := Mask; + LabelreturnLabelHeap := Heap; + returnLabel_lblGuard := true; + assume state(Heap, Mask); +} + +// ================================================== +// Translation of method example6_pkg_F +// ================================================== + +procedure example6_pkg_F() returns () + modifies Heap, Mask; +{ + var returnLabel_lblGuard: bool; + var LabelreturnLabelMask: MaskType; + var LabelreturnLabelHeap: HeapType; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + returnLabel_lblGuard := false; + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Translating statement: assert true && [0..9)[0 - 10..] == [0..9) -- seq-slice-simple1.gobra.vpr@131.3--131.44 + assert {:msg " Assert might fail. Assertion [0..9)[0 - 10..] == [0..9) might not hold. (seq-slice-simple1.gobra.vpr@131.10--131.44) [66]"} + Seq#Equal(Seq#Drop(Seq#Range(0, 9), -10), Seq#Range(0, 9)); + assume state(Heap, Mask); + + // -- Translating statement: assert true && [0..9)[..1000] == [0..9) -- seq-slice-simple1.gobra.vpr@135.3--135.42 + assert {:msg " Assert might fail. Assertion [0..9)[..1000] == [0..9) might not hold. (seq-slice-simple1.gobra.vpr@135.10--135.42) [68]"} + Seq#Equal(Seq#Take(Seq#Range(0, 9), 1000), Seq#Range(0, 9)); + assume state(Heap, Mask); + + // -- Translating statement: assert true && [0..9)[0 - 100..][..100 - (0 - 100)] == [0..9) -- seq-slice-simple1.gobra.vpr@139.3--139.64 + assert {:msg " Assert might fail. Assertion [0..9)[0 - 100..][..100 - (0 - 100)] == [0..9) might not hold. (seq-slice-simple1.gobra.vpr@139.10--139.64) [70]"} + Seq#Equal(Seq#Take(Seq#Drop(Seq#Range(0, 9), -100), 200), Seq#Range(0, 9)); + assume state(Heap, Mask); + + // -- Translating statement: assert true && [0..9)[100..][..0 - 100 - 100] == Seq[Int]() -- seq-slice-simple1.gobra.vpr@143.3--143.62 + assert {:msg " Assert might fail. Assertion [0..9)[100..][..0 - 100 - 100] == Seq[Int]() might not hold. (seq-slice-simple1.gobra.vpr@143.10--143.62) [72]"} + Seq#Equal(Seq#Take(Seq#Drop(Seq#Range(0, 9), 100), -200), (Seq#Empty(): Seq int)); + assume state(Heap, Mask); + + // -- Translating statement: label returnLabel -- seq-slice-simple1.gobra.vpr@144.3--144.20 + returnLabel: + LabelreturnLabelMask := Mask; + LabelreturnLabelHeap := Heap; + returnLabel_lblGuard := true; + assume state(Heap, Mask); +} + +// ================================================== +// Translation of method example7_pkg_F +// ================================================== + +procedure example7_pkg_F() returns () + modifies Heap, Mask; +{ + var returnLabel_lblGuard: bool; + var LabelreturnLabelMask: MaskType; + var LabelreturnLabelHeap: HeapType; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + returnLabel_lblGuard := false; + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Translating statement: assert true && |[0..9)[5..]| == 4 -- seq-slice-simple1.gobra.vpr@158.3--158.36 + assert {:msg " Assert might fail. Assertion |[0..9)[5..]| == 4 might not hold. (seq-slice-simple1.gobra.vpr@158.10--158.36) [74]"} + Seq#Length(Seq#Drop(Seq#Range(0, 9), 5)) == 4; + assume state(Heap, Mask); + + // -- Translating statement: assert true && |[0..9)[..5]| == 5 -- seq-slice-simple1.gobra.vpr@162.3--162.36 + assert {:msg " Assert might fail. Assertion |[0..9)[..5]| == 5 might not hold. (seq-slice-simple1.gobra.vpr@162.10--162.36) [76]"} + Seq#Length(Seq#Take(Seq#Range(0, 9), 5)) == 5; + assume state(Heap, Mask); + + // -- Translating statement: assert true && |[0..9)[2..][..8 - 2]| == 6 -- seq-slice-simple1.gobra.vpr@166.3--166.45 + assert {:msg " Assert might fail. Assertion |[0..9)[2..][..8 - 2]| == 6 might not hold. (seq-slice-simple1.gobra.vpr@166.10--166.45) [78]"} + Seq#Length(Seq#Take(Seq#Drop(Seq#Range(0, 9), 2), 6)) == 6; + assume state(Heap, Mask); + + // -- Translating statement: label returnLabel -- seq-slice-simple1.gobra.vpr@167.3--167.20 + returnLabel: + LabelreturnLabelMask := Mask; + LabelreturnLabelHeap := Heap; + returnLabel_lblGuard := true; + assume state(Heap, Mask); +} + +// ================================================== +// Translation of method example8_pkg_F +// ================================================== + +procedure example8_pkg_F(xs_pkg_V3: (Seq int), x_pkg_V3: int) returns () + modifies Heap, Mask; +{ + var returnLabel_lblGuard: bool; + var xs_pkg_V3_CN2: (Seq int); + var x_pkg_V3_CN3: int; + var LabelreturnLabelMask: MaskType; + var LabelreturnLabelHeap: HeapType; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + returnLabel_lblGuard := false; + + // -- Checked inhaling of precondition + assume state(Heap, Mask); + assume state(Heap, Mask); + assume Seq#Contains(Seq#Drop(xs_pkg_V3, 4), x_pkg_V3); + assume state(Heap, Mask); + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Translating statement: xs_pkg_V3_CN2 := Seq[Int]() -- seq-slice-simple1.gobra.vpr@180.3--180.30 + xs_pkg_V3_CN2 := (Seq#Empty(): Seq int); + assume state(Heap, Mask); + + // -- Translating statement: x_pkg_V3_CN3 := 0 -- seq-slice-simple1.gobra.vpr@181.3--181.20 + x_pkg_V3_CN3 := 0; + assume state(Heap, Mask); + + // -- Translating statement: xs_pkg_V3_CN2 := xs_pkg_V3 -- seq-slice-simple1.gobra.vpr@185.3--185.29 + xs_pkg_V3_CN2 := xs_pkg_V3; + assume state(Heap, Mask); + + // -- Translating statement: x_pkg_V3_CN3 := x_pkg_V3 -- seq-slice-simple1.gobra.vpr@189.3--189.27 + x_pkg_V3_CN3 := x_pkg_V3; + assume state(Heap, Mask); + + // -- Translating statement: assert (x_pkg_V3_CN3 in xs_pkg_V3_CN2) -- seq-slice-simple1.gobra.vpr@196.3--196.41 + assert {:msg " Assert might fail. Assertion (x_pkg_V3_CN3 in xs_pkg_V3_CN2) might not hold. (seq-slice-simple1.gobra.vpr@196.11--196.40) [79]"} + Seq#Contains(xs_pkg_V3_CN2, x_pkg_V3_CN3); + assume state(Heap, Mask); + + // -- Translating statement: label returnLabel -- seq-slice-simple1.gobra.vpr@197.3--197.20 + returnLabel: + LabelreturnLabelMask := Mask; + LabelreturnLabelHeap := Heap; + returnLabel_lblGuard := true; + assume state(Heap, Mask); +} + +// ================================================== +// Translation of method example9_pkg_F +// ================================================== + +procedure example9_pkg_F(xs_pkg_V4: (Seq int), x_pkg_V4: int) returns () + modifies Heap, Mask; +{ + var returnLabel_lblGuard: bool; + var xs_pkg_V4_CN4: (Seq int); + var x_pkg_V4_CN5: int; + var LabelreturnLabelMask: MaskType; + var LabelreturnLabelHeap: HeapType; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + returnLabel_lblGuard := false; + + // -- Checked inhaling of precondition + assume state(Heap, Mask); + assume state(Heap, Mask); + assume Seq#Contains(Seq#Take(xs_pkg_V4, 7), x_pkg_V4); + assume state(Heap, Mask); + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Translating statement: xs_pkg_V4_CN4 := Seq[Int]() -- seq-slice-simple1.gobra.vpr@210.3--210.30 + xs_pkg_V4_CN4 := (Seq#Empty(): Seq int); + assume state(Heap, Mask); + + // -- Translating statement: x_pkg_V4_CN5 := 0 -- seq-slice-simple1.gobra.vpr@211.3--211.20 + x_pkg_V4_CN5 := 0; + assume state(Heap, Mask); + + // -- Translating statement: xs_pkg_V4_CN4 := xs_pkg_V4 -- seq-slice-simple1.gobra.vpr@215.3--215.29 + xs_pkg_V4_CN4 := xs_pkg_V4; + assume state(Heap, Mask); + + // -- Translating statement: x_pkg_V4_CN5 := x_pkg_V4 -- seq-slice-simple1.gobra.vpr@219.3--219.27 + x_pkg_V4_CN5 := x_pkg_V4; + assume state(Heap, Mask); + + // -- Translating statement: assert (x_pkg_V4_CN5 in xs_pkg_V4_CN4) -- seq-slice-simple1.gobra.vpr@226.3--226.41 + assert {:msg " Assert might fail. Assertion (x_pkg_V4_CN5 in xs_pkg_V4_CN4) might not hold. (seq-slice-simple1.gobra.vpr@226.11--226.40) [80]"} + Seq#Contains(xs_pkg_V4_CN4, x_pkg_V4_CN5); + assume state(Heap, Mask); + + // -- Translating statement: label returnLabel -- seq-slice-simple1.gobra.vpr@227.3--227.20 + returnLabel: + LabelreturnLabelMask := Mask; + LabelreturnLabelHeap := Heap; + returnLabel_lblGuard := true; + assume state(Heap, Mask); +} + +// ================================================== +// Translation of method example10_pkg_F +// ================================================== + +procedure example10_pkg_F(xs_pkg_V5: (Seq int), x_pkg_V5: int) returns () + modifies Heap, Mask; +{ + var returnLabel_lblGuard: bool; + var xs_pkg_V5_CN6: (Seq int); + var x_pkg_V5_CN7: int; + var LabelreturnLabelMask: MaskType; + var LabelreturnLabelHeap: HeapType; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + returnLabel_lblGuard := false; + + // -- Checked inhaling of precondition + assume state(Heap, Mask); + assume state(Heap, Mask); + assume !Seq#Contains(Seq#Drop(xs_pkg_V5, 5), x_pkg_V5); + assume state(Heap, Mask); + assume !Seq#Contains(Seq#Take(xs_pkg_V5, 5), x_pkg_V5); + assume state(Heap, Mask); + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Translating statement: xs_pkg_V5_CN6 := Seq[Int]() -- seq-slice-simple1.gobra.vpr@241.3--241.30 + xs_pkg_V5_CN6 := (Seq#Empty(): Seq int); + assume state(Heap, Mask); + + // -- Translating statement: x_pkg_V5_CN7 := 0 -- seq-slice-simple1.gobra.vpr@242.3--242.20 + x_pkg_V5_CN7 := 0; + assume state(Heap, Mask); + + // -- Translating statement: xs_pkg_V5_CN6 := xs_pkg_V5 -- seq-slice-simple1.gobra.vpr@246.3--246.29 + xs_pkg_V5_CN6 := xs_pkg_V5; + assume state(Heap, Mask); + + // -- Translating statement: x_pkg_V5_CN7 := x_pkg_V5 -- seq-slice-simple1.gobra.vpr@250.3--250.27 + x_pkg_V5_CN7 := x_pkg_V5; + assume state(Heap, Mask); + + // -- Translating statement: assert !((x_pkg_V5_CN7 in xs_pkg_V5_CN6)) -- seq-slice-simple1.gobra.vpr@257.3--257.44 + assert {:msg " Assert might fail. Assertion !((x_pkg_V5_CN7 in xs_pkg_V5_CN6)) might not hold. (seq-slice-simple1.gobra.vpr@257.10--257.44) [81]"} + !Seq#Contains(xs_pkg_V5_CN6, x_pkg_V5_CN7); + assume state(Heap, Mask); + + // -- Translating statement: label returnLabel -- seq-slice-simple1.gobra.vpr@258.3--258.20 + returnLabel: + LabelreturnLabelMask := Mask; + LabelreturnLabelHeap := Heap; + returnLabel_lblGuard := true; + assume state(Heap, Mask); +} + +// ================================================== +// Translation of method example11_pkg_F +// ================================================== + +procedure example11_pkg_F(xs_pkg_V6: (Seq int), n_pkg_V6: int) returns () + modifies Heap, Mask; +{ + var returnLabel_lblGuard: bool; + var PostHeap: HeapType; + var PostMask: MaskType; + var xs_pkg_V6_CN8: (Seq int); + var n_pkg_V6_CN9: int; + var LabelreturnLabelMask: MaskType; + var LabelreturnLabelHeap: HeapType; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + returnLabel_lblGuard := false; + + // -- Checked inhaling of precondition + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + PostHeap := Heap; + PostMask := Mask; + havoc PostHeap; + PostMask := ZeroMask; + assume state(PostHeap, PostMask); + if (*) { + // Checked inhaling of postcondition to check definedness + assume Seq#Equal(xs_pkg_V6, Seq#Append(Seq#Take(xs_pkg_V6, n_pkg_V6), Seq#Drop(xs_pkg_V6, n_pkg_V6))); + assume state(PostHeap, PostMask); + // Stop execution + assume false; + } + + // -- Translating statement: xs_pkg_V6_CN8 := Seq[Int]() -- seq-slice-simple1.gobra.vpr@271.3--271.30 + xs_pkg_V6_CN8 := (Seq#Empty(): Seq int); + assume state(Heap, Mask); + + // -- Translating statement: n_pkg_V6_CN9 := 0 -- seq-slice-simple1.gobra.vpr@272.3--272.20 + n_pkg_V6_CN9 := 0; + assume state(Heap, Mask); + + // -- Translating statement: xs_pkg_V6_CN8 := xs_pkg_V6 -- seq-slice-simple1.gobra.vpr@276.3--276.29 + xs_pkg_V6_CN8 := xs_pkg_V6; + assume state(Heap, Mask); + + // -- Translating statement: n_pkg_V6_CN9 := n_pkg_V6 -- seq-slice-simple1.gobra.vpr@280.3--280.27 + n_pkg_V6_CN9 := n_pkg_V6; + assume state(Heap, Mask); + + // -- Translating statement: label returnLabel -- seq-slice-simple1.gobra.vpr@285.3--285.20 + returnLabel: + LabelreturnLabelMask := Mask; + LabelreturnLabelHeap := Heap; + returnLabel_lblGuard := true; + assume state(Heap, Mask); + + // -- Exhaling postcondition + assert {:msg " Postcondition of example11_pkg_F might not hold. Assertion xs_pkg_V6 == xs_pkg_V6[..n_pkg_V6] ++ xs_pkg_V6[n_pkg_V6..] might not hold. (seq-slice-simple1.gobra.vpr@264.11--264.78) [82]"} + Seq#Equal(xs_pkg_V6, Seq#Append(Seq#Take(xs_pkg_V6, n_pkg_V6), Seq#Drop(xs_pkg_V6, n_pkg_V6))); +} diff --git a/Test/monomorphize/viper/testZeroArray.bpl b/Test/monomorphize/viper/testZeroArray.bpl new file mode 100644 index 000000000..0bf01d8d0 --- /dev/null +++ b/Test/monomorphize/viper/testZeroArray.bpl @@ -0,0 +1,2574 @@ +// RUN: %parallel-boogie /monomorphize /noVerify "%s" > "%t" + +// ================================================== +// Preamble of State module. +// ================================================== + +function state(Heap: HeapType, Mask: MaskType): bool; + +// ================================================== +// Preamble of Heap module. +// ================================================== + +type Ref; +var Heap: HeapType; +const null: Ref; +type Field A B; +type NormalField; +type HeapType = [Ref, Field A B]B; +const unique $allocated: Field NormalField bool; +axiom (forall o: Ref, f: (Field NormalField Ref), Heap: HeapType :: + { Heap[o, f] } + Heap[o, $allocated] ==> Heap[Heap[o, f], $allocated] +); +function succHeap(Heap0: HeapType, Heap1: HeapType): bool; +function succHeapTrans(Heap0: HeapType, Heap1: HeapType): bool; +function IdenticalOnKnownLocations(Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType): bool; +function IsPredicateField(f_1: (Field A B)): bool; +function IsWandField(f_1: (Field A B)): bool; +function getPredicateId(f_1: (Field A B)): int; +// Frame all locations with direct permissions +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, o_1: Ref, f_2: (Field A B) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), ExhaleHeap[o_1, f_2] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, o_1, f_2) ==> Heap[o_1, f_2] == ExhaleHeap[o_1, f_2] +); +// Frame all predicate mask locations of predicates with direct permission +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsPredicateField(pm_f), ExhaleHeap[null, PredicateMaskField(pm_f)] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsPredicateField(pm_f) ==> Heap[null, PredicateMaskField(pm_f)] == ExhaleHeap[null, PredicateMaskField(pm_f)] +); +// Frame all locations with known folded permissions +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsPredicateField(pm_f) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsPredicateField(pm_f) ==> (forall o2: Ref, f_2: (Field A B) :: + { ExhaleHeap[o2, f_2] } + Heap[null, PredicateMaskField(pm_f)][o2, f_2] ==> Heap[o2, f_2] == ExhaleHeap[o2, f_2] + ) +); +// Frame all wand mask locations of wands with direct permission +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsWandField(pm_f), ExhaleHeap[null, WandMaskField(pm_f)] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsWandField(pm_f) ==> Heap[null, WandMaskField(pm_f)] == ExhaleHeap[null, WandMaskField(pm_f)] +); +// Frame all locations in the footprint of magic wands +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsWandField(pm_f) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsWandField(pm_f) ==> (forall o2: Ref, f_2: (Field A B) :: + { ExhaleHeap[o2, f_2] } + Heap[null, WandMaskField(pm_f)][o2, f_2] ==> Heap[o2, f_2] == ExhaleHeap[o2, f_2] + ) +); +// All previously-allocated references are still allocated +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, o_1: Ref :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), ExhaleHeap[o_1, $allocated] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> Heap[o_1, $allocated] ==> ExhaleHeap[o_1, $allocated] +); +// Updated Heaps are Successor Heaps +axiom (forall Heap: HeapType, o: Ref, f_3: (Field A B), v: B :: + { Heap[o, f_3:=v] } + succHeap(Heap, Heap[o, f_3:=v]) +); +// IdenticalOnKnownLocations Heaps are Successor Heaps +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> succHeap(Heap, ExhaleHeap) +); +// Successor Heaps are Transitive Successor Heaps +axiom (forall Heap0: HeapType, Heap1: HeapType :: + { succHeap(Heap0, Heap1) } + succHeap(Heap0, Heap1) ==> succHeapTrans(Heap0, Heap1) +); +// Transitivity of Transitive Successor Heaps +axiom (forall Heap0: HeapType, Heap1: HeapType, Heap2: HeapType :: + { succHeapTrans(Heap0, Heap1), succHeap(Heap1, Heap2) } + succHeapTrans(Heap0, Heap1) && succHeap(Heap1, Heap2) ==> succHeapTrans(Heap0, Heap2) +); + +// ================================================== +// Preamble of Permission module. +// ================================================== + +type Perm = real; +type MaskType = [Ref, Field A B]Perm; +var Mask: MaskType; +const ZeroMask: MaskType; +axiom (forall o_2: Ref, f_4: (Field A B) :: + { ZeroMask[o_2, f_4] } + ZeroMask[o_2, f_4] == NoPerm +); +type PMaskType = [Ref, Field A B]bool; +const ZeroPMask: PMaskType; +axiom (forall o_2: Ref, f_4: (Field A B) :: + { ZeroPMask[o_2, f_4] } + !ZeroPMask[o_2, f_4] +); +function PredicateMaskField(f_5: (Field A FrameType)): Field A PMaskType; +function WandMaskField(f_5: (Field A FrameType)): Field A PMaskType; +const NoPerm: Perm; +axiom NoPerm == 0.000000000; +const FullPerm: Perm; +axiom FullPerm == 1.000000000; +function Perm(a: real, b: real): Perm; +function GoodMask(Mask: MaskType): bool; +axiom (forall Heap: HeapType, Mask: MaskType :: + { state(Heap, Mask) } + state(Heap, Mask) ==> GoodMask(Mask) +); +axiom (forall Mask: MaskType, o_2: Ref, f_4: (Field A B) :: + { GoodMask(Mask), Mask[o_2, f_4] } + GoodMask(Mask) ==> Mask[o_2, f_4] >= NoPerm && ((GoodMask(Mask) && !IsPredicateField(f_4)) && !IsWandField(f_4) ==> Mask[o_2, f_4] <= FullPerm) +); +function HasDirectPerm(Mask: MaskType, o_2: Ref, f_4: (Field A B)): bool; +axiom (forall Mask: MaskType, o_2: Ref, f_4: (Field A B) :: + { HasDirectPerm(Mask, o_2, f_4) } + HasDirectPerm(Mask, o_2, f_4) <==> Mask[o_2, f_4] > NoPerm +); +function sumMask(ResultMask: MaskType, SummandMask1: MaskType, SummandMask2: MaskType): bool; +axiom (forall ResultMask: MaskType, SummandMask1: MaskType, SummandMask2: MaskType, o_2: Ref, f_4: (Field A B) :: + { sumMask(ResultMask, SummandMask1, SummandMask2), ResultMask[o_2, f_4] } { sumMask(ResultMask, SummandMask1, SummandMask2), SummandMask1[o_2, f_4] } { sumMask(ResultMask, SummandMask1, SummandMask2), SummandMask2[o_2, f_4] } + sumMask(ResultMask, SummandMask1, SummandMask2) ==> ResultMask[o_2, f_4] == SummandMask1[o_2, f_4] + SummandMask2[o_2, f_4] +); +// ================================================== +// Function for trigger used in checks which are never triggered +// ================================================== + +function neverTriggered1(k_8: int): bool; +function neverTriggered2(k_11: int): bool; +function neverTriggered3(k_8: int): bool; +function neverTriggered4(k_11: int): bool; +function neverTriggered5(k_8: int): bool; +function neverTriggered6(k_11: int): bool; +function neverTriggered7(k_8: int): bool; +function neverTriggered8(k_11: int): bool; +function neverTriggered9(i_1: int): bool; +function neverTriggered10(i_3: int): bool; +function neverTriggered11(i_6: int): bool; +function neverTriggered12(i_1: int): bool; +function neverTriggered13(i_3: int): bool; +function neverTriggered14(i_4: int): bool; +function neverTriggered15(i_5: int): bool; +function neverTriggered16(i_6: int): bool; +// ================================================== +// Functions used as inverse of receiver expressions in quantified permissions during inhale and exhale +// ================================================== + +function invRecv1(recv: Ref): int; +function invRecv2(recv: Ref): int; +function invRecv3(recv: Ref): int; +function invRecv4(recv: Ref): int; +function invRecv5(recv: Ref): int; +function invRecv6(recv: Ref): int; +function invRecv7(recv: Ref): int; +function invRecv8(recv: Ref): int; +function invRecv9(recv: Ref): int; +function invRecv10(recv: Ref): int; +function invRecv11(recv: Ref): int; +function invRecv12(recv: Ref): int; +function invRecv13(recv: Ref): int; +function invRecv14(recv: Ref): int; +function invRecv15(recv: Ref): int; +function invRecv16(recv: Ref): int; +// ================================================== +// Functions used to represent the range of the projection of each QP instance onto its receiver expressions for quantified permissions during inhale and exhale +// ================================================== + +function qpRange1(recv: Ref): bool; +function qpRange2(recv: Ref): bool; +function qpRange3(recv: Ref): bool; +function qpRange4(recv: Ref): bool; +function qpRange5(recv: Ref): bool; +function qpRange6(recv: Ref): bool; +function qpRange7(recv: Ref): bool; +function qpRange8(recv: Ref): bool; +function qpRange9(recv: Ref): bool; +function qpRange10(recv: Ref): bool; +function qpRange11(recv: Ref): bool; +function qpRange12(recv: Ref): bool; +function qpRange13(recv: Ref): bool; +function qpRange14(recv: Ref): bool; +function qpRange15(recv: Ref): bool; +function qpRange16(recv: Ref): bool; + +// ================================================== +// Preamble of Function and predicate module. +// ================================================== + +// Function heights (higher height means its body is available earlier): +// - height 5: count_list +// - height 4: sum_square +// - height 3: sum_list +// - height 2: sum_array +// - height 1: count_square +// - height 0: count_array +const AssumeFunctionsAbove: int; +// Declarations for function framing +type FrameType; +const EmptyFrame: FrameType; +function FrameFragment(t: T): FrameType; +function ConditionalFrame(p: Perm, f_6: FrameType): FrameType; +function dummyFunction(t: T): bool; +function CombineFrames(a_1: FrameType, b_1: FrameType): FrameType; +// ================================================== +// Definition of conditional frame fragments +// ================================================== + +axiom (forall p: Perm, f_6: FrameType :: + { ConditionalFrame(p, f_6) } + ConditionalFrame(p, f_6) == (if p > 0.000000000 then f_6 else EmptyFrame) +); +// Function for recording enclosure of one predicate instance in another +function InsidePredicate(p: (Field A FrameType), v_1: FrameType, q: (Field B FrameType), w: FrameType): bool; +// Transitivity of InsidePredicate +axiom (forall p: (Field A FrameType), v_1: FrameType, q: (Field B FrameType), w: FrameType, r: (Field C FrameType), u: FrameType :: + { InsidePredicate(p, v_1, q, w), InsidePredicate(q, w, r, u) } + InsidePredicate(p, v_1, q, w) && InsidePredicate(q, w, r, u) ==> InsidePredicate(p, v_1, r, u) +); +// Knowledge that two identical instances of the same predicate cannot be inside each other +axiom (forall p: (Field A FrameType), v_1: FrameType, w: FrameType :: + { InsidePredicate(p, v_1, p, w) } + !InsidePredicate(p, v_1, p, w) +); + +// ================================================== +// Preamble of Sequence module. +// ================================================== + + // diff 0 implemented (no difference) + // diff 1 implemented (fixes test5 in sequences.sil) + // diff 2 implemented (fixes m01 and m03 in quantifiedpermissions/issues/issue_0064) + // diff 3 implemented (no difference) + // diff 4 implemented (no difference) + // diff 5 implemented (fixes colourings0 in sequence-incompletenesses test case) + // diff 6 implemented (no difference) + // diff 7 implemented + // diff 8 implemented (allows for contains triggering, without destroying performance of e.g. functions/linkedlists test case) + // diff 11 implemented + // diff 13 implemented, for now (may reduce completeness, but there's a known matching loop when the first drop amount is 0); another option would be to add !=0 as an explicit condition + // diff 14 implemented: eliminate index over take/drop for trivial cases (to avoid matching loops when e.g. s[i..] == s is known) + // diff 16 implemented: remove general cases of equality-learning between take/drop/append subsequences; only allow when take/drop are at top level (this affects linkedlists test case) +// START BASICS +type Seq T; + +function Seq#Length(Seq T): int; +axiom (forall s: Seq T :: { Seq#Length(s) } 0 <= Seq#Length(s)); + +function Seq#Empty(): Seq T; +axiom (forall :: Seq#Length(Seq#Empty(): Seq T) == 0); +axiom (forall s: Seq T :: { Seq#Length(s) } Seq#Length(s) == 0 ==> s == Seq#Empty()); + +function Seq#Singleton(T): Seq T; +//axiom (forall t: T :: { Seq#Length(Seq#Singleton(t)) } Seq#Length(Seq#Singleton(t)) == 1);// (diff 2 (old)) +axiom (forall t: T :: { Seq#Singleton(t) } Seq#Length(Seq#Singleton(t)) == 1);// (diff 2: changed trigger) + +function Seq#Append(Seq T, Seq T): Seq T; +axiom (forall s0: Seq T, s1: Seq T :: { Seq#Length(Seq#Append(s0,s1)) } +s0 != Seq#Empty() && s1 != Seq#Empty() ==> //diff 11: consider removing constraints + Seq#Length(Seq#Append(s0,s1)) == Seq#Length(s0) + Seq#Length(s1)); + +//axiom (forall s: Seq T :: { Seq#Append(Seq#Empty(),s) } Seq#Append(Seq#Empty(),s) == s); // (diff 11: switched to double-quantified version) +//axiom (forall s: Seq T :: { Seq#Append(s,Seq#Empty()) } Seq#Append(s,Seq#Empty()) == s); // (diff 11: switched to double-quantified version) +axiom (forall s0: Seq T, s1: Seq T :: { Seq#Append(s0,s1) } (s0 == Seq#Empty() ==> Seq#Append(s0,s1) == s1) && (s1 == Seq#Empty() ==> Seq#Append(s0,s1) == s0)); // diff 11: switched to double-quantified version + +function Seq#Index(Seq T, int): T; +//axiom (forall t: T :: { Seq#Index(Seq#Singleton(t), 0) } Seq#Index(Seq#Singleton(t), 0) == t); // (diff 2 (old)) +axiom (forall t: T :: { Seq#Singleton(t) } Seq#Index(Seq#Singleton(t), 0) == t); // (diff 2: changed trigger) + +// END BASICS + +// START INDEX-APPEND-UPDATE + +// extra addition function used to force equalities into the e-graph +function Seq#Add(int, int) : int; +axiom (forall i: int, j: int :: {Seq#Add(i,j)} Seq#Add(i,j) == i + j); +function Seq#Sub(int, int) : int; +axiom (forall i: int, j: int :: {Seq#Sub(i,j)} Seq#Sub(i,j) == i - j); + +// (diff 3 (old)) +//axiom (forall s0: Seq T, s1: Seq T, n: int :: { Seq#Index(Seq#Append(s0,s1), n) } // {:weight 25} // AS: dropped weight +// s0 != Seq#Empty() && s1 != Seq#Empty() ==> +// ((n < Seq#Length(s0) ==> Seq#Index(Seq#Append(s0,s1), n) == Seq#Index(s0, n)) && +// (Seq#Length(s0) <= n ==> Seq#Index(Seq#Append(s0,s1), n) == Seq#Index(s1, n - Seq#Length(s0))))); + +// (diff 3: split axiom, added constraints, replace arithmetic) // diff 11: consider removing constraints +axiom (forall s0: Seq T, s1: Seq T, n: int :: { Seq#Index(Seq#Append(s0,s1), n) } { Seq#Index(s0, n), Seq#Append(s0,s1) } // AS: added alternative trigger + (s0 != Seq#Empty() && s1 != Seq#Empty() && 0 <= n && n < Seq#Length(s0) ==> Seq#Index(Seq#Append(s0,s1), n) == Seq#Index(s0, n))); +axiom (forall s0: Seq T, s1: Seq T, n: int :: { Seq#Index(Seq#Append(s0,s1), n) } // term below breaks loops + s0 != Seq#Empty() && s1 != Seq#Empty() && Seq#Length(s0) <= n && n < Seq#Length(Seq#Append(s0,s1)) ==> Seq#Add(Seq#Sub(n,Seq#Length(s0)),Seq#Length(s0)) == n && Seq#Index(Seq#Append(s0,s1), n) == Seq#Index(s1, Seq#Sub(n,Seq#Length(s0)))); +// AS: added "reverse triggering" versions of the axioms +axiom (forall s0: Seq T, s1: Seq T, m: int :: { Seq#Index(s1, m), Seq#Append(s0,s1)} // m == n-|s0|, n == m + |s0| + s0 != Seq#Empty() && s1 != Seq#Empty() && 0 <= m && m < Seq#Length(s1) ==> Seq#Sub(Seq#Add(m,Seq#Length(s0)),Seq#Length(s0)) == m && Seq#Index(Seq#Append(s0,s1), Seq#Add(m,Seq#Length(s0))) == Seq#Index(s1, m)); + +function Seq#Update(Seq T, int, T): Seq T; +axiom (forall s: Seq T, i: int, v: T :: { Seq#Length(Seq#Update(s,i,v)) } {Seq#Length(s),Seq#Update(s,i,v)} // (diff 4: added trigger) + 0 <= i && i < Seq#Length(s) ==> Seq#Length(Seq#Update(s,i,v)) == Seq#Length(s)); +axiom (forall s: Seq T, i: int, v: T, n: int :: { Seq#Index(Seq#Update(s,i,v),n) } { Seq#Index(s,n), Seq#Update(s,i,v) } // (diff 4: added trigger) + 0 <= n && n < Seq#Length(s) ==> + (i == n ==> Seq#Index(Seq#Update(s,i,v),n) == v) && + (i != n ==> Seq#Index(Seq#Update(s,i,v),n) == Seq#Index(s,n))); + +// END INDEX-APPEND-UPDATE + +// START TAKE/DROP + +function Seq#Take(s: Seq T, howMany: int): Seq T; +// AS: added triggers +axiom (forall s: Seq T, n: int :: { Seq#Length(Seq#Take(s,n)) } { Seq#Take(s,n), Seq#Length(s)} // (diff 7: add trigger) + (0 <= n ==> + (n <= Seq#Length(s) ==> Seq#Length(Seq#Take(s,n)) == n) && + (Seq#Length(s) < n ==> Seq#Length(Seq#Take(s,n)) == Seq#Length(s))) + && + (n < 0 ==> Seq#Length(Seq#Take(s,n)) == 0)); // (diff 7: added case for n < 0) + +// ** AS: 2nd of 3 axioms which get instantiated very often in certain problems involving take/drop/append +axiom (forall s: Seq T, n: int, j: int :: { Seq#Index(Seq#Take(s,n), j) } {Seq#Index(s,j), Seq#Take(s,n)} // (diff 0: (was already done)) : add trigger // {:weight 25} // AS: dropped weight + 0 <= j && j < n && j < Seq#Length(s) ==> + Seq#Index(Seq#Take(s,n), j) == Seq#Index(s, j)); + +function Seq#Drop(s: Seq T, howMany: int): Seq T; +axiom (forall s: Seq T, n: int :: { Seq#Length(Seq#Drop(s,n)) } {Seq#Length(s), Seq#Drop(s,n)} // (diff 5: added trigger, exchange arithmetic) + (0 <= n ==> + (n <= Seq#Length(s) ==> Seq#Length(Seq#Drop(s,n)) == Seq#Length(s) - n) && + (Seq#Length(s) < n ==> Seq#Length(Seq#Drop(s,n)) == 0)) + && + (n < 0 ==> Seq#Length(Seq#Drop(s,n)) == Seq#Length(s)) // (diff 7: added cases for n < 0) + ); + +// ** AS: 3rd of 3 axioms which get instantiated very often in certain problems involving take/drop/append +// diff 5 (old) +//axiom (forall s: Seq T, n: int, j: int :: { Seq#Index(Seq#Drop(s,n), j) } // {:weight 25} // AS: dropped weight +// 0 <= n && 0 <= j && j < Seq#Length(s)-n ==> +// Seq#Index(Seq#Drop(s,n), j) == Seq#Index(s, j+n)); +// +// diff already added // diff -1: try removing this axiom and checking effect +//axiom (forall s: Seq T, n: int, k: int :: { Seq#Drop(s,n), Seq#Index(s,k) } // AS: alternative triggering for above axiom +// 0 <= n && n <= k && k < Seq#Length(s) ==> +// Seq#Index(Seq#Drop(s,n), k-n) == Seq#Index(s, k)); + +// diff 5: split axiom, added triggering case, exhanged arithmetic + +axiom (forall s: Seq T, n: int, j: int :: { Seq#Index(Seq#Drop(s,n), j) } // {:weight 25} // AS: dropped weight + 0 < n && 0 <= j && j < Seq#Length(s)-n ==> // diff 14: change 0 <= n to 0 < n + Seq#Sub(Seq#Add(j,n),n) == j && Seq#Index(Seq#Drop(s,n), j) == Seq#Index(s, Seq#Add(j,n))); + +axiom (forall s: Seq T, n: int, i: int :: { Seq#Drop(s,n), Seq#Index(s,i) } + 0 < n && n <= i && i < Seq#Length(s) ==> // diff 14: change 0 <= n to 0 < n + Seq#Add(Seq#Sub(i,n),n) == i && Seq#Index(Seq#Drop(s,n), Seq#Sub(i,n)) == Seq#Index(s, i)); // i = j + n, j = i - n + +// (diff 6a: add axioms for the 0 > n case) +//axiom (forall s: Seq T, n: int, j: int :: { Seq#Index(Seq#Drop(s,n), j) } // {:weight 25} // AS: dropped weight +// n <= 0 && 0 <= j && j < Seq#Length(s) ==> // diff 14: change n < 0 to n <= 0 +// Seq#Index(Seq#Drop(s,n), j) == Seq#Index(s, j)); + +// (diff 6a: add axioms for the 0 > n case) +//axiom (forall s: Seq T, n: int, i: int :: { Seq#Drop(s,n), Seq#Index(s,i) } +// n <= 0 && 0 <= i && i < Seq#Length(s) ==> // diff 14: change n < 0 to n <= 0 +// Seq#Index(Seq#Drop(s,n), i) == Seq#Index(s, i)); // i = j + n, j = i - n + +// ** AS: We dropped the weak trigger on this axiom. One option is to strengthen the triggers: +//axiom (forall s, t: Seq T :: +// // { Seq#Append(s, t) } +// {Seq#Take(Seq#Append(s, t), Seq#Length(s))}{Seq#Drop(Seq#Append(s, t), Seq#Length(s))} +// Seq#Take(Seq#Append(s, t), Seq#Length(s)) == s && +// Seq#Drop(Seq#Append(s, t), Seq#Length(s)) == t); + +// ** AS: another option is to split the axiom (for some reason, this seems in some cases to perform slightly less well (but this could be random): +//axiom (forall s, t: Seq T :: +// { Seq#Take(Seq#Append(s, t), Seq#Length(s)) } +// Seq#Take(Seq#Append(s, t), Seq#Length(s)) == s); + +//axiom (forall s, t: Seq T :: +// { Seq#Drop(Seq#Append(s, t), Seq#Length(s)) } +// Seq#Drop(Seq#Append(s, t), Seq#Length(s)) == t); + +// (diff 6b: remove these?) +/* Removed: at present, Carbon doesn't generate Seq#Update (but desugars via take/drop/append) +// Commutability of Take and Drop with Update. +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Take(Seq#Update(s, i, v), n) } +// 0 <= i && i < n && n < Seq#Length(s) ==> Seq#Take(Seq#Update(s, i, v), n) == Seq#Update(Seq#Take(s, n), i, v) ); + 0 <= i && i < n && i < Seq#Length(s) ==> Seq#Take(Seq#Update(s, i, v), n) == Seq#Update(Seq#Take(s, n), i, v) ); +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Take(Seq#Update(s, i, v), n) } + n <= i && i < Seq#Length(s) ==> Seq#Take(Seq#Update(s, i, v), n) == Seq#Take(s, n)); +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Drop(Seq#Update(s, i, v), n) } +// 0 <= n && n <= i && i < Seq#Length(s) ==> Seq#Drop(Seq#Update(s, i, v), n) == Seq#Update(Seq#Drop(s, n), i-n, v) ); + 0 <= i && n <=i && i < Seq#Length(s) ==> Seq#Drop(Seq#Update(s, i, v), n) == Seq#Update(Seq#Drop(s, n), i-n, v) ); +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Drop(Seq#Update(s, i, v), n) } +// 0 <= i && i < n && n < Seq#Length(s) ==> Seq#Drop(Seq#Update(s, i, v), n) == Seq#Drop(s, n)); + 0 <= i && i < n && i < Seq#Length(s) ==> Seq#Drop(Seq#Update(s, i, v), n) == Seq#Drop(s, n)); +*/ + +axiom (forall s: Seq T, t: Seq T, n:int :: + { Seq#Take(Seq#Append(s,t),n) } //{Seq#Append(s,t), Seq#Take(s,n)} // diff 16: temporarily dropped general case of these + 0 < n && n <= Seq#Length(s) ==> Seq#Take(Seq#Append(s,t),n) == Seq#Take(s,n)); + +axiom (forall s: Seq T, t: Seq T, n:int :: + { Seq#Take(Seq#Append(s,t),n) } + n > 0 && n > Seq#Length(s) ==> Seq#Add(Seq#Sub(n,Seq#Length(s)),Seq#Length(s)) == n && Seq#Take(Seq#Append(s,t),n) == Seq#Append(s,Seq#Take(t,Seq#Sub(n,Seq#Length(s))))); + +// diff 16: temporarily dropped general case of these +//axiom (forall s: Seq T, t: Seq T, m:int :: +// { Seq#Append(s,Seq#Take(t,m)) } //{Seq#Append(s,t), Seq#Take(t,m)} // diff 16: temporarily dropped general case of these // reverse triggering version of above: m = n - |s|, n = m + |s| +// m > 0 ==> Seq#Sub(Seq#Add(m,Seq#Length(s)),Seq#Length(s)) == m && Seq#Take(Seq#Append(s,t),Seq#Add(m,Seq#Length(s))) == Seq#Append(s,Seq#Take(t,m))); + +axiom (forall s: Seq T, t: Seq T, n:int :: + { Seq#Drop(Seq#Append(s,t),n) } //{Seq#Append(s,t), Seq#Drop(s,n)} // diff 16: temporarily dropped general case of these + 0 Seq#Drop(Seq#Append(s,t),n) == Seq#Append(Seq#Drop(s,n),t)); + +axiom (forall s: Seq T, t: Seq T, n:int :: + { Seq#Drop(Seq#Append(s,t),n) } + n > 0 && n > Seq#Length(s) ==> Seq#Add(Seq#Sub(n,Seq#Length(s)),Seq#Length(s)) == n && Seq#Drop(Seq#Append(s,t),n) == Seq#Drop(t,Seq#Sub(n,Seq#Length(s)))); + +// diff 16: temporarily dropped general case of these +//axiom (forall s: Seq T, t: Seq T, m:int :: +// { Seq#Append(s,t),Seq#Drop(t,m) } // reverse triggering version of above: m = n - |s|, n = m + |s| +// m > 0 ==> Seq#Sub(Seq#Add(m,Seq#Length(s)),Seq#Length(s)) == m && Seq#Drop(Seq#Append(s,t),Seq#Add(m,Seq#Length(s))) == Seq#Drop(t,m)); + +// Additional axioms about common things +axiom (forall s: Seq T, n: int :: { Seq#Drop(s, n) } // ** NEW + n <= 0 ==> Seq#Drop(s, n) == s); // (diff 1: try changing n==0 to n<=0 (should be ok)) +axiom (forall s: Seq T, n: int :: { Seq#Take(s, n) } // ** NEW + n <= 0 ==> Seq#Take(s, n) == Seq#Empty()); // (diff 1: try changing n==0 to n<=0 (should be ok)) +// diff 13: remove this? +//axiom (forall s: Seq T, m, n: int :: { Seq#Drop(Seq#Drop(s, m), n) } // ** NEW - AS: could have bad triggering behaviour? +// 0 <= m && 0 <= n && m+n <= Seq#Length(s) ==> +// Seq#Sub(Seq#Add(m,n),n) == m && Seq#Drop(Seq#Drop(s, m), n) == Seq#Drop(s, Seq#Add(m,n))); + +// END TAKE/DROP + +// START CONTAINS +// diff 8: skolemisation (old) +function Seq#Contains(Seq T, T): bool; +function Seq#ContainsTrigger(Seq T, T): bool; // usages of Contains inside quantifier triggers are replaced with this +function Seq#Skolem(Seq T, T) : int; // skolem function for Seq#Contains // (diff 8: added) +axiom (forall s: Seq T, x: T :: { Seq#Contains(s,x) } + Seq#Contains(s,x) ==> + (0 <= Seq#Skolem(s,x) && Seq#Skolem(s,x) < Seq#Length(s) && Seq#Index(s,Seq#Skolem(s,x)) == x)); // (diff 8: skolem function) +axiom (forall s: Seq T, x: T, i:int :: { Seq#Contains(s,x), Seq#Index(s,i) } // only trigger if interested in the Contains term + (0 <= i && i < Seq#Length(s) && Seq#Index(s,i) == x ==> Seq#Contains(s,x))); +axiom (forall s: Seq T, i:int :: { Seq#Index(s,i) } + (0 <= i && i < Seq#Length(s) ==> Seq#ContainsTrigger(s,Seq#Index(s,i)))); +// ** AS: made one change here - changed type of x from ref to T +/*axiom (forall x: T :: + { Seq#Contains(Seq#Empty(), x) } + !Seq#Contains(Seq#Empty(), x)); +axiom (forall s0: Seq T, s1: Seq T, x: T :: + { Seq#Contains(Seq#Append(s0, s1), x) } + Seq#Contains(Seq#Append(s0, s1), x) <==> + Seq#Contains(s0, x) || Seq#Contains(s1, x)); + +axiom (forall s: Seq T, n: int, x: T :: + { Seq#Contains(Seq#Take(s, n), x) } + Seq#Contains(Seq#Take(s, n), x) <==> + (exists i: int :: { Seq#Index(s, i) } + 0 <= i && i < n && i < Seq#Length(s) && Seq#Index(s, i) == x)); +axiom (forall s: Seq T, n: int, x: T :: + { Seq#Contains(Seq#Drop(s, n), x) } + Seq#Contains(Seq#Drop(s, n), x) <==> + (exists i: int :: { Seq#Index(s, i) } + 0 <= n && n <= i && i < Seq#Length(s) && Seq#Index(s, i) == x)); +*/ +// diff 8: skolemisation (new) +/* +function Seq#Skolem(Seq T, T) : int; // skolem function for Seq#Contains +function Seq#SkolemContainsDrop(Seq T, int, T) : int; // skolem function for Seq#Contains over drop +function Seq#SkolemContainsTake(Seq T, int, T) : int; // skolem function for Seq#Contains over take + +function Seq#Contains(Seq T, T): bool; +axiom (forall s: Seq T, x: T :: { Seq#Contains(s,x) } + Seq#Contains(s,x) ==> s != Seq#Empty() && Seq#Length(s) > 0 && 0 <= Seq#Skolem(s,x) && + Seq#Skolem(s,x) < Seq#Length(s) && Seq#Index(s,Seq#Skolem(s,x)) == x); + +// AS: note: this is an unusual axiom, but is basically the original +// Consider writing a version without the (precise) first trigger? Also see later versions +axiom (forall s: Seq T, x: T, i:int :: { Seq#Contains(s,x), Seq#Index(s,i) } + 0 <= i && i < Seq#Length(s) && Seq#Index(s,i) == x ==> Seq#Contains(s,x)); + +// ** AS: made one change here - changed type of x from ref to T +axiom (forall x: T :: + { Seq#Contains(Seq#Empty(), x) } + !Seq#Contains(Seq#Empty(), x)); + +// AS: Consider dropping this axiom? +axiom (forall s0: Seq T, s1: Seq T, x: T :: + { Seq#Contains(Seq#Append(s0, s1), x) } { Seq#Contains(s0,x), Seq#Append(s0,s1)} { Seq#Contains(s1,x), Seq#Append(s0,s1)} // AS: added triggers + Seq#Contains(Seq#Append(s0, s1), x) <==> + Seq#Contains(s0, x) || Seq#Contains(s1, x)); + +// AS: split axioms +axiom (forall s: Seq T, n: int, x: T :: + { Seq#Contains(Seq#Take(s, n), x) } + Seq#Contains(Seq#Take(s, n), x) ==> + (Seq#Take(s, n) != Seq#Empty() && Seq#Length(Seq#Take(s, n)) > 0 && + 0 <= Seq#SkolemContainsTake(s, n, x) && Seq#SkolemContainsTake(s, n, x) < n && + Seq#SkolemContainsTake(s, n, x) < Seq#Length(s) && + Seq#Index(s, Seq#SkolemContainsTake(s, n, x)) == x)); + +axiom (forall s: Seq T, n: int, x: T, i:int :: + { Seq#Contains(Seq#Take(s, n), x), Seq#Index(s, i) } + 0 <= i && i < n && i < Seq#Length(s) && Seq#Index(s, i) == x ==> + Seq#Contains(Seq#Take(s, n), x)); + +// AS: split axioms +axiom (forall s: Seq T, n: int, x: T :: + { Seq#Contains(Seq#Drop(s, n), x) } + Seq#Contains(Seq#Drop(s, n), x) ==> + ( 0 <= Seq#SkolemContainsDrop(s, n, x) && n <= Seq#SkolemContainsDrop(s, n, x) && + Seq#SkolemContainsDrop(s, n, x) < Seq#Length(s) && + Seq#Index(s, Seq#SkolemContainsDrop(s, n, x)) == x)); + +axiom (forall s: Seq T, n: int, x: T, i:int :: + { Seq#Contains(Seq#Drop(s, n), x), Seq#Index(s, i) } + 0 <= n && n <= i && i < Seq#Length(s) && Seq#Index(s, i) == x ==> + Seq#Contains(Seq#Drop(s, n), x)); +*/ + +// END CONTAINS + +// START EQUALS + +// diff 9 : skolemise equals (old) +function Seq#Equal(Seq T, Seq T): bool; +/*axiom (forall s0: Seq T, s1: Seq T :: { Seq#Equal(s0,s1) } + Seq#Equal(s0,s1) <==> + Seq#Length(s0) == Seq#Length(s1) && + (forall j: int :: { Seq#Index(s0,j) } { Seq#Index(s1,j) } + 0 <= j && j < Seq#Length(s0) ==> Seq#Index(s0,j) == Seq#Index(s1,j))); + +axiom (forall a: Seq T, b: Seq T :: { Seq#Equal(a,b) } // extensionality axiom for sequences + Seq#Equal(a,b) ==> a == b); +*/ +// diff 9: skolemise equals (new) +// AS: split axiom +axiom (forall s0: Seq T, s1: Seq T :: { Seq#Equal(s0,s1) } + Seq#Equal(s0,s1) ==> + Seq#Length(s0) == Seq#Length(s1) && + (forall j: int :: { Seq#Index(s0,j) } { Seq#Index(s1,j) } + 0 <= j && j < Seq#Length(s0) ==> Seq#Index(s0,j) == Seq#Index(s1,j))); + +function Seq#SkolemDiff(Seq T, Seq T) : int; // skolem function for Seq#Equals + +axiom (forall s0: Seq T, s1: Seq T :: { Seq#Equal(s0,s1) } + (s0==s1 && Seq#Equal(s0,s1)) || (s0!=s1 && !Seq#Equal(s0,s1) && Seq#Length(s0) != Seq#Length(s1)) || + (s0 != s1 && !Seq#Equal(s0,s1) && Seq#Length(s0) == Seq#Length(s1) && Seq#SkolemDiff(s0,s1) == Seq#SkolemDiff(s1,s0) && 0 <= Seq#SkolemDiff(s0,s1) && Seq#SkolemDiff(s0,s1) < Seq#Length(s0) && + Seq#Index(s0,Seq#SkolemDiff(s0,s1)) != Seq#Index(s1,Seq#SkolemDiff(s0,s1)))); + +axiom (forall a: Seq T, b: Seq T :: { Seq#Equal(a,b) } // extensionality axiom for sequences + Seq#Equal(a,b) ==> a == b); + + +// END EQUALS + + +// START EXTRAS + +// extra stuff not in current Dafny Prelude + +// diff 10: variant of trigger (maybe drop these?) +// old: +axiom (forall x, y: T :: + { Seq#Contains(Seq#Singleton(x),y) } + Seq#Contains(Seq#Singleton(x),y) <==> x==y); +// new: +/*axiom (forall x, y: T :: + { Seq#Contains(Seq#Singleton(x),y) } + Seq#Contains(Seq#Singleton(x),y) ==> x==y); + +axiom (forall x: T :: + { Seq#Singleton(x) } + Seq#Contains(Seq#Singleton(x),x)); +*/ + +function Seq#Range(min: int, max: int) returns (Seq int); +axiom (forall min: int, max: int :: { Seq#Length(Seq#Range(min, max)) } (min < max ==> Seq#Length(Seq#Range(min, max)) == max-min) && (max <= min ==> Seq#Length(Seq#Range(min, max)) == 0)); +axiom (forall min: int, max: int, j: int :: { Seq#Index(Seq#Range(min, max), j) } 0<=j && j Seq#Index(Seq#Range(min, max), j) == min + j); + +axiom (forall min: int, max: int, v: int :: {Seq#Contains(Seq#Range(min, max),v)} + (Seq#Contains(Seq#Range(min, max),v) <==> min <= v && v < max)); + +// END EXTRAS + + +// ================================================== +// Translation of all fields +// ================================================== + +const unique Ref__Integer_value: Field NormalField int; +axiom !IsPredicateField(Ref__Integer_value); +axiom !IsWandField(Ref__Integer_value); + +// ================================================== +// Translation of function sum_list +// ================================================== + +// Uninterpreted function definitions +function sum_list(Heap: HeapType, i: int, hi: int, ar: (Seq int)): int; +function sum_list'(Heap: HeapType, i: int, hi: int, ar: (Seq int)): int; +axiom (forall Heap: HeapType, i: int, hi: int, ar: (Seq int) :: + { sum_list(Heap, i, hi, ar) } + sum_list(Heap, i, hi, ar) == sum_list'(Heap, i, hi, ar) && dummyFunction(sum_list#triggerStateless(i, hi, ar)) +); +axiom (forall Heap: HeapType, i: int, hi: int, ar: (Seq int) :: + { sum_list'(Heap, i, hi, ar) } + dummyFunction(sum_list#triggerStateless(i, hi, ar)) +); + +// Definitional axiom +axiom (forall Heap: HeapType, Mask: MaskType, i: int, hi: int, ar: (Seq int) :: + { state(Heap, Mask), sum_list(Heap, i, hi, ar) } + state(Heap, Mask) && AssumeFunctionsAbove < 3 ==> (0 <= i && i <= hi) && hi <= Seq#Length(ar) ==> sum_list(Heap, i, hi, ar) == (if i < hi then Seq#Index(ar, i) + sum_list'(Heap, i + 1, hi, ar) else 0) +); + +// Framing axioms +function sum_list#frame(frame: FrameType, i: int, hi: int, ar: (Seq int)): int; +axiom (forall Heap: HeapType, Mask: MaskType, i: int, hi: int, ar: (Seq int) :: + { state(Heap, Mask), sum_list'(Heap, i, hi, ar) } + state(Heap, Mask) ==> sum_list'(Heap, i, hi, ar) == sum_list#frame(EmptyFrame, i, hi, ar) +); + +// Trigger function (controlling recursive postconditions) +function sum_list#trigger(frame: FrameType, i: int, hi: int, ar: (Seq int)): bool; + +// State-independent trigger function +function sum_list#triggerStateless(i: int, hi: int, ar: (Seq int)): int; + +// Check contract well-formedness and postcondition +procedure sum_list#definedness(i: int, hi: int, ar: (Seq int)) returns (Result: int) + modifies Heap, Mask; +{ + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == 3; + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Inhaling precondition (with checking) + assume 0 <= i; + assume i <= hi; + assume state(Heap, Mask); + assume hi <= Seq#Length(ar); + assume state(Heap, Mask); + + // -- Check definedness of function body + + // -- Check definedness of (i < hi ? ar[i] + sum_list(i + 1, hi, ar) : 0) + if (i < hi) { + assert {:msg " Function might not be well-formed. Index ar[i] into ar might be negative. (testZeroArray.vpr@6.1--11.2) [569]"} + i >= 0; + assert {:msg " Function might not be well-formed. Index ar[i] into ar might exceed sequence length. (testZeroArray.vpr@6.1--11.2) [570]"} + i < Seq#Length(ar); + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function sum_list might not hold. Assertion 0 <= i + 1 might not hold. (testZeroArray.vpr@10.21--10.44) [571]"} + 0 <= i + 1; + assert {:msg " Precondition of function sum_list might not hold. Assertion i + 1 <= hi might not hold. (testZeroArray.vpr@10.21--10.44) [572]"} + i + 1 <= hi; + assert {:msg " Precondition of function sum_list might not hold. Assertion hi <= |ar| might not hold. (testZeroArray.vpr@10.21--10.44) [573]"} + hi <= Seq#Length(ar); + // Stop execution + assume false; + } else { + // Enable postcondition for recursive call + assume sum_list#trigger(EmptyFrame, i + 1, hi, ar); + } + } + + // -- Translate function body + Result := (if i < hi then Seq#Index(ar, i) + sum_list(Heap, i + 1, hi, ar) else 0); +} + +// ================================================== +// Translation of function sum_array +// ================================================== + +// Uninterpreted function definitions +function sum_array(Heap: HeapType, i: int, lo: int, hi: int, ar: (Seq Ref)): int; +function sum_array'(Heap: HeapType, i: int, lo: int, hi: int, ar: (Seq Ref)): int; +axiom (forall Heap: HeapType, i: int, lo: int, hi: int, ar: (Seq Ref) :: + { sum_array(Heap, i, lo, hi, ar) } + sum_array(Heap, i, lo, hi, ar) == sum_array'(Heap, i, lo, hi, ar) && dummyFunction(sum_array#triggerStateless(i, lo, hi, ar)) +); +axiom (forall Heap: HeapType, i: int, lo: int, hi: int, ar: (Seq Ref) :: + { sum_array'(Heap, i, lo, hi, ar) } + dummyFunction(sum_array#triggerStateless(i, lo, hi, ar)) +); + +// Definitional axiom +axiom (forall Heap: HeapType, Mask: MaskType, i: int, lo: int, hi: int, ar: (Seq Ref) :: + { state(Heap, Mask), sum_array(Heap, i, lo, hi, ar) } + state(Heap, Mask) && AssumeFunctionsAbove < 2 ==> ((0 <= lo && (lo <= i && i <= hi)) && hi <= Seq#Length(ar)) && (forall j: int, k: int :: + { Seq#Index(ar, j), Seq#Index(ar, k) } + 0 <= j && (j < hi && (0 <= k && (k < hi && j != k))) ==> Seq#Index(ar, j) != Seq#Index(ar, k) + ) ==> sum_array(Heap, i, lo, hi, ar) == (if i < hi then Heap[Seq#Index(ar, i), Ref__Integer_value] + sum_array'(Heap, i + 1, lo, hi, ar) else 0) +); + +// Framing axioms +function sum_array#frame(frame: FrameType, i: int, lo: int, hi: int, ar: (Seq Ref)): int; +axiom (forall Heap: HeapType, Mask: MaskType, i: int, lo: int, hi: int, ar: (Seq Ref) :: + { state(Heap, Mask), sum_array'(Heap, i, lo, hi, ar) } + state(Heap, Mask) ==> sum_array'(Heap, i, lo, hi, ar) == sum_array#frame(FrameFragment(sum_array#condqp1(Heap, i, lo, hi, ar)), i, lo, hi, ar) +); +// ================================================== +// Function used for framing of quantified permission (forall k: Int :: { ar[k] } lo <= k && k < hi ==> acc(ar[k].Ref__Integer_value, wildcard)) in function sum_array +// ================================================== + +function sum_array#condqp1(Heap: HeapType, i_1_1: int, lo_1_1: int, hi_1_1: int, ar_1_1: (Seq Ref)): int; +axiom (forall Heap2Heap: HeapType, Heap1Heap: HeapType, i: int, lo: int, hi: int, ar: (Seq Ref) :: + { sum_array#condqp1(Heap2Heap, i, lo, hi, ar), sum_array#condqp1(Heap1Heap, i, lo, hi, ar), succHeapTrans(Heap2Heap, Heap1Heap) } + (forall k_2: int :: + + (lo <= k_2 && k_2 < hi <==> lo <= k_2 && k_2 < hi) && (lo <= k_2 && k_2 < hi ==> Heap2Heap[Seq#Index(ar, k_2), Ref__Integer_value] == Heap1Heap[Seq#Index(ar, k_2), Ref__Integer_value]) + ) ==> sum_array#condqp1(Heap2Heap, i, lo, hi, ar) == sum_array#condqp1(Heap1Heap, i, lo, hi, ar) +); + +// Trigger function (controlling recursive postconditions) +function sum_array#trigger(frame: FrameType, i: int, lo: int, hi: int, ar: (Seq Ref)): bool; + +// State-independent trigger function +function sum_array#triggerStateless(i: int, lo: int, hi: int, ar: (Seq Ref)): int; + +// Check contract well-formedness and postcondition +procedure sum_array#definedness(i: int, lo: int, hi: int, ar: (Seq Ref)) returns (Result: int) + modifies Heap, Mask; +{ + var j_1: int; + var k_1: int; + var k_3: int; + var QPMask: MaskType; + var wildcard: real where wildcard > 0.000000000; + var j_4: int; + var k_9: int; + var ExhaleHeap: HeapType; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == 2; + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Inhaling precondition (with checking) + assume 0 <= lo; + assume lo <= i; + assume i <= hi; + assume state(Heap, Mask); + assume hi <= Seq#Length(ar); + assume state(Heap, Mask); + + // -- Check definedness of (forall j: Int, k: Int :: { ar[j], ar[k] } 0 <= j && (j < hi && (0 <= k && (k < hi && j != k))) ==> ar[j] != ar[k]) + if (*) { + if (0 <= j_1 && (j_1 < hi && (0 <= k_1 && (k_1 < hi && j_1 != k_1)))) { + assert {:msg " Contract might not be well-formed. Index ar[j] into ar might be negative. (testZeroArray.vpr@16.12--16.102) [574]"} + j_1 >= 0; + assert {:msg " Contract might not be well-formed. Index ar[j] into ar might exceed sequence length. (testZeroArray.vpr@16.12--16.102) [575]"} + j_1 < Seq#Length(ar); + assert {:msg " Contract might not be well-formed. Index ar[k] into ar might be negative. (testZeroArray.vpr@16.12--16.102) [576]"} + k_1 >= 0; + assert {:msg " Contract might not be well-formed. Index ar[k] into ar might exceed sequence length. (testZeroArray.vpr@16.12--16.102) [577]"} + k_1 < Seq#Length(ar); + } + assume false; + } + assume (forall j_3: int, k_6: int :: + { Seq#Index(ar, j_3), Seq#Index(ar, k_6) } + 0 <= j_3 && (j_3 < hi && (0 <= k_6 && (k_6 < hi && j_3 != k_6))) ==> Seq#Index(ar, j_3) != Seq#Index(ar, k_6) + ); + assume state(Heap, Mask); + + // -- Check definedness of (forall k: Int :: { ar[k] } lo <= k && k < hi ==> acc(ar[k].Ref__Integer_value, wildcard)) + if (*) { + if (lo <= k_3 && k_3 < hi) { + assert {:msg " Contract might not be well-formed. Index ar[k] into ar might be negative. (testZeroArray.vpr@17.13--17.95) [578]"} + k_3 >= 0; + assert {:msg " Contract might not be well-formed. Index ar[k] into ar might exceed sequence length. (testZeroArray.vpr@17.13--17.95) [579]"} + k_3 < Seq#Length(ar); + } + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource ar[k].Ref__Integer_value might not be injective. (testZeroArray.vpr@17.13--17.95) [580]"} + (forall k_8: int, k_8_1: int :: + + (((k_8 != k_8_1 && (lo <= k_8 && k_8 < hi)) && (lo <= k_8_1 && k_8_1 < hi)) && NoPerm < wildcard) && NoPerm < wildcard ==> Seq#Index(ar, k_8) != Seq#Index(ar, k_8_1) + ); + + // -- Define Inverse Function + assume (forall k_8: int :: + { Seq#Index(ar, k_8) } { Seq#Index(ar, k_8) } + lo <= k_8 && k_8 < hi ==> qpRange1(Seq#Index(ar, k_8)) && invRecv1(Seq#Index(ar, k_8)) == k_8 + ); + assume (forall o_3: Ref :: + { invRecv1(o_3) } + (lo <= invRecv1(o_3) && invRecv1(o_3) < hi) && qpRange1(o_3) ==> Seq#Index(ar, invRecv1(o_3)) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall k_8: int :: + { Seq#Index(ar, k_8) } { Seq#Index(ar, k_8) } + lo <= k_8 && k_8 < hi ==> Seq#Index(ar, k_8) != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, Ref__Integer_value] } + ((lo <= invRecv1(o_3) && invRecv1(o_3) < hi) && qpRange1(o_3) ==> Seq#Index(ar, invRecv1(o_3)) == o_3 && Mask[o_3, Ref__Integer_value] < QPMask[o_3, Ref__Integer_value]) && (!((lo <= invRecv1(o_3) && invRecv1(o_3) < hi) && qpRange1(o_3)) ==> QPMask[o_3, Ref__Integer_value] == Mask[o_3, Ref__Integer_value]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != Ref__Integer_value ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of function body + + // -- Check definedness of (i < hi ? ar[i].Ref__Integer_value + sum_array(i + 1, lo, hi, ar) : 0) + if (i < hi) { + assert {:msg " Function might not be well-formed. There might be insufficient permission to access ar[i].Ref__Integer_value (testZeroArray.vpr@13.1--20.2) [581]"} + HasDirectPerm(Mask, Seq#Index(ar, i), Ref__Integer_value); + assert {:msg " Function might not be well-formed. Index ar[i] into ar might be negative. (testZeroArray.vpr@13.1--20.2) [582]"} + i >= 0; + assert {:msg " Function might not be well-formed. Index ar[i] into ar might exceed sequence length. (testZeroArray.vpr@13.1--20.2) [583]"} + i < Seq#Length(ar); + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function sum_array might not hold. Assertion 0 <= lo might not hold. (testZeroArray.vpr@19.40--19.68) [584]"} + 0 <= lo; + assert {:msg " Precondition of function sum_array might not hold. Assertion lo <= i + 1 might not hold. (testZeroArray.vpr@19.40--19.68) [585]"} + lo <= i + 1; + assert {:msg " Precondition of function sum_array might not hold. Assertion i + 1 <= hi might not hold. (testZeroArray.vpr@19.40--19.68) [586]"} + i + 1 <= hi; + assert {:msg " Precondition of function sum_array might not hold. Assertion hi <= |ar| might not hold. (testZeroArray.vpr@19.40--19.68) [587]"} + hi <= Seq#Length(ar); + if (*) { + if (0 <= j_4 && (j_4 < hi && (0 <= k_9 && (k_9 < hi && j_4 != k_9)))) { + assert {:msg " Precondition of function sum_array might not hold. Assertion ar[j] != ar[k] might not hold. (testZeroArray.vpr@19.40--19.68) [588]"} + Seq#Index(ar, j_4) != Seq#Index(ar, k_9); + } + assume false; + } + assume (forall j_5_1: int, k_10_1: int :: + { Seq#Index(ar, j_5_1), Seq#Index(ar, k_10_1) } + 0 <= j_5_1 && (j_5_1 < hi && (0 <= k_10_1 && (k_10_1 < hi && j_5_1 != k_10_1))) ==> Seq#Index(ar, j_5_1) != Seq#Index(ar, k_10_1) + ); + havoc QPMask; + // wild card assumptions + havoc wildcard; + assert {:msg " Precondition of function sum_array might not hold. There might be insufficient permission to access ar[k].Ref__Integer_value (testZeroArray.vpr@19.40--19.68) [589]"} + (forall k_11: int :: + + lo <= k_11 && k_11 < hi ==> Mask[Seq#Index(ar, k_11), Ref__Integer_value] > NoPerm + ); + assume (forall k_11: int :: + + lo <= k_11 && k_11 < hi ==> wildcard < Mask[Seq#Index(ar, k_11), Ref__Integer_value] + ); + + // -- check that the permission amount is positive + assert {:msg " Precondition of function sum_array might not hold. Fraction wildcard might be negative. (testZeroArray.vpr@19.40--19.68) [590]"} + (forall k_11: int :: + { Seq#Index(ar, k_11) } { Seq#Index(ar, k_11) } + (lo <= k_11 && k_11 < hi) && dummyFunction(Heap[Seq#Index(ar, k_11), Ref__Integer_value]) ==> wildcard >= NoPerm + ); + + // -- check if receiver ar[k] is injective + assert {:msg " Precondition of function sum_array might not hold. Quantified resource ar[k].Ref__Integer_value might not be injective. (testZeroArray.vpr@19.40--19.68) [591]"} + (forall k_11: int, k_11_1: int :: + { neverTriggered2(k_11), neverTriggered2(k_11_1) } + (((k_11 != k_11_1 && (lo <= k_11 && k_11 < hi)) && (lo <= k_11_1 && k_11_1 < hi)) && NoPerm < wildcard) && NoPerm < wildcard ==> Seq#Index(ar, k_11) != Seq#Index(ar, k_11_1) + ); + + // -- check if sufficient permission is held + assert {:msg " Precondition of function sum_array might not hold. There might be insufficient permission to access ar[k].Ref__Integer_value (testZeroArray.vpr@19.40--19.68) [592]"} + (forall k_11: int :: + { Seq#Index(ar, k_11) } { Seq#Index(ar, k_11) } + lo <= k_11 && k_11 < hi ==> Mask[Seq#Index(ar, k_11), Ref__Integer_value] > NoPerm + ); + + // -- assumptions for inverse of receiver ar[k] + assume (forall k_11: int :: + { Seq#Index(ar, k_11) } { Seq#Index(ar, k_11) } + (lo <= k_11 && k_11 < hi) && NoPerm < wildcard ==> qpRange2(Seq#Index(ar, k_11)) && invRecv2(Seq#Index(ar, k_11)) == k_11 + ); + assume (forall o_3: Ref :: + { invRecv2(o_3) } + (lo <= invRecv2(o_3) && invRecv2(o_3) < hi) && (NoPerm < wildcard && qpRange2(o_3)) ==> Seq#Index(ar, invRecv2(o_3)) == o_3 + ); + + // -- assume permission updates for field Ref__Integer_value + assume (forall o_3: Ref :: + { QPMask[o_3, Ref__Integer_value] } + ((lo <= invRecv2(o_3) && invRecv2(o_3) < hi) && (NoPerm < wildcard && qpRange2(o_3)) ==> Seq#Index(ar, invRecv2(o_3)) == o_3 && QPMask[o_3, Ref__Integer_value] == Mask[o_3, Ref__Integer_value] - wildcard) && (!((lo <= invRecv2(o_3) && invRecv2(o_3) < hi) && (NoPerm < wildcard && qpRange2(o_3))) ==> QPMask[o_3, Ref__Integer_value] == Mask[o_3, Ref__Integer_value]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != Ref__Integer_value ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } else { + // Enable postcondition for recursive call + assume sum_array#trigger(FrameFragment(sum_array#condqp1(Heap, i + 1, lo, hi, ar)), i + 1, lo, hi, ar); + } + } + + // -- Translate function body + Result := (if i < hi then Heap[Seq#Index(ar, i), Ref__Integer_value] + sum_array(Heap, i + 1, lo, hi, ar) else 0); +} + +// ================================================== +// Translation of function sum_square +// ================================================== + +// Uninterpreted function definitions +function sum_square(Heap: HeapType, i: int, lo: int, hi: int, step: int, vmin: int, vmax: int, ar: (Seq Ref)): int; +function sum_square'(Heap: HeapType, i: int, lo: int, hi: int, step: int, vmin: int, vmax: int, ar: (Seq Ref)): int; +axiom (forall Heap: HeapType, i: int, lo: int, hi: int, step: int, vmin: int, vmax: int, ar: (Seq Ref) :: + { sum_square(Heap, i, lo, hi, step, vmin, vmax, ar) } + sum_square(Heap, i, lo, hi, step, vmin, vmax, ar) == sum_square'(Heap, i, lo, hi, step, vmin, vmax, ar) && dummyFunction(sum_square#triggerStateless(i, lo, hi, step, vmin, vmax, ar)) +); +axiom (forall Heap: HeapType, i: int, lo: int, hi: int, step: int, vmin: int, vmax: int, ar: (Seq Ref) :: + { sum_square'(Heap, i, lo, hi, step, vmin, vmax, ar) } + dummyFunction(sum_square#triggerStateless(i, lo, hi, step, vmin, vmax, ar)) +); + +// Definitional axiom +axiom (forall Heap: HeapType, Mask: MaskType, i: int, lo: int, hi: int, step: int, vmin: int, vmax: int, ar: (Seq Ref) :: + { state(Heap, Mask), sum_square(Heap, i, lo, hi, step, vmin, vmax, ar) } + state(Heap, Mask) && AssumeFunctionsAbove < 4 ==> (((0 <= lo && (lo <= hi && (hi <= step && step > 0))) && (0 <= vmin && (vmin <= i && i <= vmax))) && vmax <= Seq#Length(ar)) && (forall j: int, k: int :: + { Seq#Index(ar, j), Seq#Index(ar, k) } + 0 <= j && (j < vmax && (0 <= k && (k < vmax && j != k))) ==> Seq#Index(ar, j) != Seq#Index(ar, k) + ) ==> sum_square(Heap, i, lo, hi, step, vmin, vmax, ar) == (if i < vmax then (if lo <= i mod step && i mod step < hi then Heap[Seq#Index(ar, i), Ref__Integer_value] else 0) + sum_square'(Heap, i + 1, lo, hi, step, vmin, vmax, ar) else 0) +); + +// Framing axioms +function sum_square#frame(frame: FrameType, i: int, lo: int, hi: int, step: int, vmin: int, vmax: int, ar: (Seq Ref)): int; +axiom (forall Heap: HeapType, Mask: MaskType, i: int, lo: int, hi: int, step: int, vmin: int, vmax: int, ar: (Seq Ref) :: + { state(Heap, Mask), sum_square'(Heap, i, lo, hi, step, vmin, vmax, ar) } + state(Heap, Mask) ==> sum_square'(Heap, i, lo, hi, step, vmin, vmax, ar) == sum_square#frame(FrameFragment(sum_square#condqp2(Heap, i, lo, hi, step, vmin, vmax, ar)), i, lo, hi, step, vmin, vmax, ar) +); +// ================================================== +// Function used for framing of quantified permission (forall k: Int :: { ar[k] } min <= k && (k < max && (lo <= k % step && k % step < hi)) ==> acc(ar[k].Ref__Integer_value, wildcard)) in function sum_square +// ================================================== + +function sum_square#condqp2(Heap: HeapType, i_1_1: int, lo_1_1: int, hi_1_1: int, step_1_1: int, vmin_1_1: int, vmax_1_1: int, ar_1_1: (Seq Ref)): int; +axiom (forall Heap2Heap: HeapType, Heap1Heap: HeapType, i: int, lo: int, hi: int, step: int, vmin: int, vmax: int, ar: (Seq Ref) :: + { sum_square#condqp2(Heap2Heap, i, lo, hi, step, vmin, vmax, ar), sum_square#condqp2(Heap1Heap, i, lo, hi, step, vmin, vmax, ar), succHeapTrans(Heap2Heap, Heap1Heap) } + (forall k_2: int :: + + (vmin <= k_2 && (k_2 < vmax && (lo <= k_2 mod step && k_2 mod step < hi)) <==> vmin <= k_2 && (k_2 < vmax && (lo <= k_2 mod step && k_2 mod step < hi))) && (vmin <= k_2 && (k_2 < vmax && (lo <= k_2 mod step && k_2 mod step < hi)) ==> Heap2Heap[Seq#Index(ar, k_2), Ref__Integer_value] == Heap1Heap[Seq#Index(ar, k_2), Ref__Integer_value]) + ) ==> sum_square#condqp2(Heap2Heap, i, lo, hi, step, vmin, vmax, ar) == sum_square#condqp2(Heap1Heap, i, lo, hi, step, vmin, vmax, ar) +); + +// Trigger function (controlling recursive postconditions) +function sum_square#trigger(frame: FrameType, i: int, lo: int, hi: int, step: int, vmin: int, vmax: int, ar: (Seq Ref)): bool; + +// State-independent trigger function +function sum_square#triggerStateless(i: int, lo: int, hi: int, step: int, vmin: int, vmax: int, ar: (Seq Ref)): int; + +// Check contract well-formedness and postcondition +procedure sum_square#definedness(i: int, lo: int, hi: int, step: int, vmin: int, vmax: int, ar: (Seq Ref)) returns (Result: int) + modifies Heap, Mask; +{ + var j_2: int; + var k_4: int; + var k_5: int; + var QPMask: MaskType; + var wildcard: real where wildcard > 0.000000000; + var j_4: int; + var k_9: int; + var ExhaleHeap: HeapType; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == 4; + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Inhaling precondition (with checking) + assume 0 <= lo; + assume lo <= hi; + assume hi <= step; + assume step > 0; + assume state(Heap, Mask); + assume 0 <= vmin; + assume vmin <= i; + assume i <= vmax; + assume state(Heap, Mask); + assume vmax <= Seq#Length(ar); + assume state(Heap, Mask); + + // -- Check definedness of (forall j: Int, k: Int :: { ar[j], ar[k] } 0 <= j && (j < max && (0 <= k && (k < max && j != k))) ==> ar[j] != ar[k]) + if (*) { + if (0 <= j_2 && (j_2 < vmax && (0 <= k_4 && (k_4 < vmax && j_2 != k_4)))) { + assert {:msg " Contract might not be well-formed. Index ar[j] into ar might be negative. (testZeroArray.vpr@26.12--26.104) [593]"} + j_2 >= 0; + assert {:msg " Contract might not be well-formed. Index ar[j] into ar might exceed sequence length. (testZeroArray.vpr@26.12--26.104) [594]"} + j_2 < Seq#Length(ar); + assert {:msg " Contract might not be well-formed. Index ar[k] into ar might be negative. (testZeroArray.vpr@26.12--26.104) [595]"} + k_4 >= 0; + assert {:msg " Contract might not be well-formed. Index ar[k] into ar might exceed sequence length. (testZeroArray.vpr@26.12--26.104) [596]"} + k_4 < Seq#Length(ar); + } + assume false; + } + assume (forall j_3: int, k_6: int :: + { Seq#Index(ar, j_3), Seq#Index(ar, k_6) } + 0 <= j_3 && (j_3 < vmax && (0 <= k_6 && (k_6 < vmax && j_3 != k_6))) ==> Seq#Index(ar, j_3) != Seq#Index(ar, k_6) + ); + assume state(Heap, Mask); + + // -- Check definedness of (forall k: Int :: { ar[k] } min <= k && (k < max && (lo <= k % step && k % step < hi)) ==> acc(ar[k].Ref__Integer_value, wildcard)) + if (*) { + if (vmin <= k_5) { + if (k_5 < vmax) { + assert {:msg " Contract might not be well-formed. Divisor step might be zero. (testZeroArray.vpr@27.13--27.136) [597]"} + step != 0; + if (lo <= k_5 mod step) { + assert {:msg " Contract might not be well-formed. Divisor step might be zero. (testZeroArray.vpr@27.13--27.136) [598]"} + step != 0; + } + } + } + if (vmin <= k_5 && (k_5 < vmax && (lo <= k_5 mod step && k_5 mod step < hi))) { + assert {:msg " Contract might not be well-formed. Index ar[k] into ar might be negative. (testZeroArray.vpr@27.13--27.136) [599]"} + k_5 >= 0; + assert {:msg " Contract might not be well-formed. Index ar[k] into ar might exceed sequence length. (testZeroArray.vpr@27.13--27.136) [600]"} + k_5 < Seq#Length(ar); + } + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource ar[k].Ref__Integer_value might not be injective. (testZeroArray.vpr@27.13--27.136) [601]"} + (forall k_8: int, k_8_1: int :: + + (((k_8 != k_8_1 && (vmin <= k_8 && (k_8 < vmax && (lo <= k_8 mod step && k_8 mod step < hi)))) && (vmin <= k_8_1 && (k_8_1 < vmax && (lo <= k_8_1 mod step && k_8_1 mod step < hi)))) && NoPerm < wildcard) && NoPerm < wildcard ==> Seq#Index(ar, k_8) != Seq#Index(ar, k_8_1) + ); + + // -- Define Inverse Function + assume (forall k_8: int :: + { Seq#Index(ar, k_8) } { Seq#Index(ar, k_8) } + vmin <= k_8 && (k_8 < vmax && (lo <= k_8 mod step && k_8 mod step < hi)) ==> qpRange3(Seq#Index(ar, k_8)) && invRecv3(Seq#Index(ar, k_8)) == k_8 + ); + assume (forall o_3: Ref :: + { invRecv3(o_3) } + (vmin <= invRecv3(o_3) && (invRecv3(o_3) < vmax && (lo <= invRecv3(o_3) mod step && invRecv3(o_3) mod step < hi))) && qpRange3(o_3) ==> Seq#Index(ar, invRecv3(o_3)) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall k_8: int :: + { Seq#Index(ar, k_8) } { Seq#Index(ar, k_8) } + vmin <= k_8 && (k_8 < vmax && (lo <= k_8 mod step && k_8 mod step < hi)) ==> Seq#Index(ar, k_8) != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, Ref__Integer_value] } + ((vmin <= invRecv3(o_3) && (invRecv3(o_3) < vmax && (lo <= invRecv3(o_3) mod step && invRecv3(o_3) mod step < hi))) && qpRange3(o_3) ==> Seq#Index(ar, invRecv3(o_3)) == o_3 && Mask[o_3, Ref__Integer_value] < QPMask[o_3, Ref__Integer_value]) && (!((vmin <= invRecv3(o_3) && (invRecv3(o_3) < vmax && (lo <= invRecv3(o_3) mod step && invRecv3(o_3) mod step < hi))) && qpRange3(o_3)) ==> QPMask[o_3, Ref__Integer_value] == Mask[o_3, Ref__Integer_value]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != Ref__Integer_value ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of function body + + // -- Check definedness of (i < max ? (lo <= i % step && i % step < hi ? ar[i].Ref__Integer_value : 0) + sum_square(i + 1, lo, hi, step, min, max, ar) : 0) + if (i < vmax) { + assert {:msg " Function might not be well-formed. Divisor step might be zero. (testZeroArray.vpr@22.1--30.2) [602]"} + step != 0; + if (lo <= i mod step) { + assert {:msg " Function might not be well-formed. Divisor step might be zero. (testZeroArray.vpr@22.1--30.2) [603]"} + step != 0; + } + if (lo <= i mod step && i mod step < hi) { + assert {:msg " Function might not be well-formed. There might be insufficient permission to access ar[i].Ref__Integer_value (testZeroArray.vpr@22.1--30.2) [604]"} + HasDirectPerm(Mask, Seq#Index(ar, i), Ref__Integer_value); + assert {:msg " Function might not be well-formed. Index ar[i] into ar might be negative. (testZeroArray.vpr@22.1--30.2) [605]"} + i >= 0; + assert {:msg " Function might not be well-formed. Index ar[i] into ar might exceed sequence length. (testZeroArray.vpr@22.1--30.2) [606]"} + i < Seq#Length(ar); + } + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function sum_square might not hold. Assertion 0 <= lo might not hold. (testZeroArray.vpr@29.85--29.130) [607]"} + 0 <= lo; + assert {:msg " Precondition of function sum_square might not hold. Assertion lo <= hi might not hold. (testZeroArray.vpr@29.85--29.130) [608]"} + lo <= hi; + assert {:msg " Precondition of function sum_square might not hold. Assertion hi <= step might not hold. (testZeroArray.vpr@29.85--29.130) [609]"} + hi <= step; + assert {:msg " Precondition of function sum_square might not hold. Assertion step > 0 might not hold. (testZeroArray.vpr@29.85--29.130) [610]"} + step > 0; + assert {:msg " Precondition of function sum_square might not hold. Assertion 0 <= min might not hold. (testZeroArray.vpr@29.85--29.130) [611]"} + 0 <= vmin; + assert {:msg " Precondition of function sum_square might not hold. Assertion min <= i + 1 might not hold. (testZeroArray.vpr@29.85--29.130) [612]"} + vmin <= i + 1; + assert {:msg " Precondition of function sum_square might not hold. Assertion i + 1 <= max might not hold. (testZeroArray.vpr@29.85--29.130) [613]"} + i + 1 <= vmax; + assert {:msg " Precondition of function sum_square might not hold. Assertion max <= |ar| might not hold. (testZeroArray.vpr@29.85--29.130) [614]"} + vmax <= Seq#Length(ar); + if (*) { + if (0 <= j_4 && (j_4 < vmax && (0 <= k_9 && (k_9 < vmax && j_4 != k_9)))) { + assert {:msg " Precondition of function sum_square might not hold. Assertion ar[j] != ar[k] might not hold. (testZeroArray.vpr@29.85--29.130) [615]"} + Seq#Index(ar, j_4) != Seq#Index(ar, k_9); + } + assume false; + } + assume (forall j_5_1: int, k_10_1: int :: + { Seq#Index(ar, j_5_1), Seq#Index(ar, k_10_1) } + 0 <= j_5_1 && (j_5_1 < vmax && (0 <= k_10_1 && (k_10_1 < vmax && j_5_1 != k_10_1))) ==> Seq#Index(ar, j_5_1) != Seq#Index(ar, k_10_1) + ); + havoc QPMask; + // wild card assumptions + havoc wildcard; + assert {:msg " Precondition of function sum_square might not hold. There might be insufficient permission to access ar[k].Ref__Integer_value (testZeroArray.vpr@29.85--29.130) [616]"} + (forall k_11: int :: + + vmin <= k_11 && (k_11 < vmax && (lo <= k_11 mod step && k_11 mod step < hi)) ==> Mask[Seq#Index(ar, k_11), Ref__Integer_value] > NoPerm + ); + assume (forall k_11: int :: + + vmin <= k_11 && (k_11 < vmax && (lo <= k_11 mod step && k_11 mod step < hi)) ==> wildcard < Mask[Seq#Index(ar, k_11), Ref__Integer_value] + ); + + // -- check that the permission amount is positive + assert {:msg " Precondition of function sum_square might not hold. Fraction wildcard might be negative. (testZeroArray.vpr@29.85--29.130) [617]"} + (forall k_11: int :: + { Seq#Index(ar, k_11) } { Seq#Index(ar, k_11) } + (vmin <= k_11 && (k_11 < vmax && (lo <= k_11 mod step && k_11 mod step < hi))) && dummyFunction(Heap[Seq#Index(ar, k_11), Ref__Integer_value]) ==> wildcard >= NoPerm + ); + + // -- check if receiver ar[k] is injective + assert {:msg " Precondition of function sum_square might not hold. Quantified resource ar[k].Ref__Integer_value might not be injective. (testZeroArray.vpr@29.85--29.130) [618]"} + (forall k_11: int, k_11_1: int :: + { neverTriggered4(k_11), neverTriggered4(k_11_1) } + (((k_11 != k_11_1 && (vmin <= k_11 && (k_11 < vmax && (lo <= k_11 mod step && k_11 mod step < hi)))) && (vmin <= k_11_1 && (k_11_1 < vmax && (lo <= k_11_1 mod step && k_11_1 mod step < hi)))) && NoPerm < wildcard) && NoPerm < wildcard ==> Seq#Index(ar, k_11) != Seq#Index(ar, k_11_1) + ); + + // -- check if sufficient permission is held + assert {:msg " Precondition of function sum_square might not hold. There might be insufficient permission to access ar[k].Ref__Integer_value (testZeroArray.vpr@29.85--29.130) [619]"} + (forall k_11: int :: + { Seq#Index(ar, k_11) } { Seq#Index(ar, k_11) } + vmin <= k_11 && (k_11 < vmax && (lo <= k_11 mod step && k_11 mod step < hi)) ==> Mask[Seq#Index(ar, k_11), Ref__Integer_value] > NoPerm + ); + + // -- assumptions for inverse of receiver ar[k] + assume (forall k_11: int :: + { Seq#Index(ar, k_11) } { Seq#Index(ar, k_11) } + (vmin <= k_11 && (k_11 < vmax && (lo <= k_11 mod step && k_11 mod step < hi))) && NoPerm < wildcard ==> qpRange4(Seq#Index(ar, k_11)) && invRecv4(Seq#Index(ar, k_11)) == k_11 + ); + assume (forall o_3: Ref :: + { invRecv4(o_3) } + (vmin <= invRecv4(o_3) && (invRecv4(o_3) < vmax && (lo <= invRecv4(o_3) mod step && invRecv4(o_3) mod step < hi))) && (NoPerm < wildcard && qpRange4(o_3)) ==> Seq#Index(ar, invRecv4(o_3)) == o_3 + ); + + // -- assume permission updates for field Ref__Integer_value + assume (forall o_3: Ref :: + { QPMask[o_3, Ref__Integer_value] } + ((vmin <= invRecv4(o_3) && (invRecv4(o_3) < vmax && (lo <= invRecv4(o_3) mod step && invRecv4(o_3) mod step < hi))) && (NoPerm < wildcard && qpRange4(o_3)) ==> Seq#Index(ar, invRecv4(o_3)) == o_3 && QPMask[o_3, Ref__Integer_value] == Mask[o_3, Ref__Integer_value] - wildcard) && (!((vmin <= invRecv4(o_3) && (invRecv4(o_3) < vmax && (lo <= invRecv4(o_3) mod step && invRecv4(o_3) mod step < hi))) && (NoPerm < wildcard && qpRange4(o_3))) ==> QPMask[o_3, Ref__Integer_value] == Mask[o_3, Ref__Integer_value]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != Ref__Integer_value ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } else { + // Enable postcondition for recursive call + assume sum_square#trigger(FrameFragment(sum_square#condqp2(Heap, i + 1, lo, hi, step, vmin, vmax, ar)), i + 1, lo, hi, step, vmin, vmax, ar); + } + } + + // -- Translate function body + Result := (if i < vmax then (if lo <= i mod step && i mod step < hi then Heap[Seq#Index(ar, i), Ref__Integer_value] else 0) + sum_square(Heap, i + 1, lo, hi, step, vmin, vmax, ar) else 0); +} + +// ================================================== +// Translation of function count_square +// ================================================== + +// Uninterpreted function definitions +function count_square(Heap: HeapType, i: int, lo: int, hi: int, step: int, vmin: int, vmax: int, ar: (Seq Ref), v_2: int): int; +function count_square'(Heap: HeapType, i: int, lo: int, hi: int, step: int, vmin: int, vmax: int, ar: (Seq Ref), v_2: int): int; +axiom (forall Heap: HeapType, i: int, lo: int, hi: int, step: int, vmin: int, vmax: int, ar: (Seq Ref), v_2: int :: + { count_square(Heap, i, lo, hi, step, vmin, vmax, ar, v_2) } + count_square(Heap, i, lo, hi, step, vmin, vmax, ar, v_2) == count_square'(Heap, i, lo, hi, step, vmin, vmax, ar, v_2) && dummyFunction(count_square#triggerStateless(i, lo, hi, step, vmin, vmax, ar, v_2)) +); +axiom (forall Heap: HeapType, i: int, lo: int, hi: int, step: int, vmin: int, vmax: int, ar: (Seq Ref), v_2: int :: + { count_square'(Heap, i, lo, hi, step, vmin, vmax, ar, v_2) } + dummyFunction(count_square#triggerStateless(i, lo, hi, step, vmin, vmax, ar, v_2)) +); + +// Definitional axiom +axiom (forall Heap: HeapType, Mask: MaskType, i: int, lo: int, hi: int, step: int, vmin: int, vmax: int, ar: (Seq Ref), v_2: int :: + { state(Heap, Mask), count_square(Heap, i, lo, hi, step, vmin, vmax, ar, v_2) } + state(Heap, Mask) && AssumeFunctionsAbove < 1 ==> (((0 <= lo && (lo <= hi && (hi <= step && step > 0))) && (0 <= vmin && (vmin <= i && i <= vmax))) && vmax <= Seq#Length(ar)) && (forall j: int, k: int :: + { Seq#Index(ar, j), Seq#Index(ar, k) } + 0 <= j && (j < vmax && (0 <= k && (k < vmax && j != k))) ==> Seq#Index(ar, j) != Seq#Index(ar, k) + ) ==> count_square(Heap, i, lo, hi, step, vmin, vmax, ar, v_2) == (if i < vmax then (if lo <= i mod step && (i mod step < hi && Heap[Seq#Index(ar, i), Ref__Integer_value] == v_2) then 1 else 0) + count_square'(Heap, i + 1, lo, hi, step, vmin, vmax, ar, v_2) else 0) +); + +// Framing axioms +function count_square#frame(frame: FrameType, i: int, lo: int, hi: int, step: int, vmin: int, vmax: int, ar: (Seq Ref), v_2: int): int; +axiom (forall Heap: HeapType, Mask: MaskType, i: int, lo: int, hi: int, step: int, vmin: int, vmax: int, ar: (Seq Ref), v_2: int :: + { state(Heap, Mask), count_square'(Heap, i, lo, hi, step, vmin, vmax, ar, v_2) } + state(Heap, Mask) ==> count_square'(Heap, i, lo, hi, step, vmin, vmax, ar, v_2) == count_square#frame(FrameFragment(count_square#condqp3(Heap, i, lo, hi, step, vmin, vmax, ar, v_2)), i, lo, hi, step, vmin, vmax, ar, v_2) +); +// ================================================== +// Function used for framing of quantified permission (forall k: Int :: { ar[k] } min <= k && (k < max && (lo <= k % step && k % step < hi)) ==> acc(ar[k].Ref__Integer_value, wildcard)) in function count_square +// ================================================== + +function count_square#condqp3(Heap: HeapType, i_1_1: int, lo_1_1: int, hi_1_1: int, step_1_1: int, vmin_1_1: int, vmax_1_1: int, ar_1_1: (Seq Ref), v_1_1: int): int; +axiom (forall Heap2Heap: HeapType, Heap1Heap: HeapType, i: int, lo: int, hi: int, step: int, vmin: int, vmax: int, ar: (Seq Ref), v_2: int :: + { count_square#condqp3(Heap2Heap, i, lo, hi, step, vmin, vmax, ar, v_2), count_square#condqp3(Heap1Heap, i, lo, hi, step, vmin, vmax, ar, v_2), succHeapTrans(Heap2Heap, Heap1Heap) } + (forall k_2: int :: + + (vmin <= k_2 && (k_2 < vmax && (lo <= k_2 mod step && k_2 mod step < hi)) <==> vmin <= k_2 && (k_2 < vmax && (lo <= k_2 mod step && k_2 mod step < hi))) && (vmin <= k_2 && (k_2 < vmax && (lo <= k_2 mod step && k_2 mod step < hi)) ==> Heap2Heap[Seq#Index(ar, k_2), Ref__Integer_value] == Heap1Heap[Seq#Index(ar, k_2), Ref__Integer_value]) + ) ==> count_square#condqp3(Heap2Heap, i, lo, hi, step, vmin, vmax, ar, v_2) == count_square#condqp3(Heap1Heap, i, lo, hi, step, vmin, vmax, ar, v_2) +); + +// Trigger function (controlling recursive postconditions) +function count_square#trigger(frame: FrameType, i: int, lo: int, hi: int, step: int, vmin: int, vmax: int, ar: (Seq Ref), v_2: int): bool; + +// State-independent trigger function +function count_square#triggerStateless(i: int, lo: int, hi: int, step: int, vmin: int, vmax: int, ar: (Seq Ref), v_2: int): int; + +// Check contract well-formedness and postcondition +procedure count_square#definedness(i: int, lo: int, hi: int, step: int, vmin: int, vmax: int, ar: (Seq Ref), v_2: int) returns (Result: int) + modifies Heap, Mask; +{ + var j_5: int; + var k_7: int; + var k_10: int; + var QPMask: MaskType; + var wildcard: real where wildcard > 0.000000000; + var j_4: int; + var k_9: int; + var ExhaleHeap: HeapType; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == 1; + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Inhaling precondition (with checking) + assume 0 <= lo; + assume lo <= hi; + assume hi <= step; + assume step > 0; + assume state(Heap, Mask); + assume 0 <= vmin; + assume vmin <= i; + assume i <= vmax; + assume state(Heap, Mask); + assume vmax <= Seq#Length(ar); + assume state(Heap, Mask); + + // -- Check definedness of (forall j: Int, k: Int :: { ar[j], ar[k] } 0 <= j && (j < max && (0 <= k && (k < max && j != k))) ==> ar[j] != ar[k]) + if (*) { + if (0 <= j_5 && (j_5 < vmax && (0 <= k_7 && (k_7 < vmax && j_5 != k_7)))) { + assert {:msg " Contract might not be well-formed. Index ar[j] into ar might be negative. (testZeroArray.vpr@36.12--36.104) [620]"} + j_5 >= 0; + assert {:msg " Contract might not be well-formed. Index ar[j] into ar might exceed sequence length. (testZeroArray.vpr@36.12--36.104) [621]"} + j_5 < Seq#Length(ar); + assert {:msg " Contract might not be well-formed. Index ar[k] into ar might be negative. (testZeroArray.vpr@36.12--36.104) [622]"} + k_7 >= 0; + assert {:msg " Contract might not be well-formed. Index ar[k] into ar might exceed sequence length. (testZeroArray.vpr@36.12--36.104) [623]"} + k_7 < Seq#Length(ar); + } + assume false; + } + assume (forall j_3: int, k_6: int :: + { Seq#Index(ar, j_3), Seq#Index(ar, k_6) } + 0 <= j_3 && (j_3 < vmax && (0 <= k_6 && (k_6 < vmax && j_3 != k_6))) ==> Seq#Index(ar, j_3) != Seq#Index(ar, k_6) + ); + assume state(Heap, Mask); + + // -- Check definedness of (forall k: Int :: { ar[k] } min <= k && (k < max && (lo <= k % step && k % step < hi)) ==> acc(ar[k].Ref__Integer_value, wildcard)) + if (*) { + if (vmin <= k_10) { + if (k_10 < vmax) { + assert {:msg " Contract might not be well-formed. Divisor step might be zero. (testZeroArray.vpr@37.13--37.136) [624]"} + step != 0; + if (lo <= k_10 mod step) { + assert {:msg " Contract might not be well-formed. Divisor step might be zero. (testZeroArray.vpr@37.13--37.136) [625]"} + step != 0; + } + } + } + if (vmin <= k_10 && (k_10 < vmax && (lo <= k_10 mod step && k_10 mod step < hi))) { + assert {:msg " Contract might not be well-formed. Index ar[k] into ar might be negative. (testZeroArray.vpr@37.13--37.136) [626]"} + k_10 >= 0; + assert {:msg " Contract might not be well-formed. Index ar[k] into ar might exceed sequence length. (testZeroArray.vpr@37.13--37.136) [627]"} + k_10 < Seq#Length(ar); + } + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource ar[k].Ref__Integer_value might not be injective. (testZeroArray.vpr@37.13--37.136) [628]"} + (forall k_8: int, k_8_1: int :: + + (((k_8 != k_8_1 && (vmin <= k_8 && (k_8 < vmax && (lo <= k_8 mod step && k_8 mod step < hi)))) && (vmin <= k_8_1 && (k_8_1 < vmax && (lo <= k_8_1 mod step && k_8_1 mod step < hi)))) && NoPerm < wildcard) && NoPerm < wildcard ==> Seq#Index(ar, k_8) != Seq#Index(ar, k_8_1) + ); + + // -- Define Inverse Function + assume (forall k_8: int :: + { Seq#Index(ar, k_8) } { Seq#Index(ar, k_8) } + vmin <= k_8 && (k_8 < vmax && (lo <= k_8 mod step && k_8 mod step < hi)) ==> qpRange5(Seq#Index(ar, k_8)) && invRecv5(Seq#Index(ar, k_8)) == k_8 + ); + assume (forall o_3: Ref :: + { invRecv5(o_3) } + (vmin <= invRecv5(o_3) && (invRecv5(o_3) < vmax && (lo <= invRecv5(o_3) mod step && invRecv5(o_3) mod step < hi))) && qpRange5(o_3) ==> Seq#Index(ar, invRecv5(o_3)) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall k_8: int :: + { Seq#Index(ar, k_8) } { Seq#Index(ar, k_8) } + vmin <= k_8 && (k_8 < vmax && (lo <= k_8 mod step && k_8 mod step < hi)) ==> Seq#Index(ar, k_8) != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, Ref__Integer_value] } + ((vmin <= invRecv5(o_3) && (invRecv5(o_3) < vmax && (lo <= invRecv5(o_3) mod step && invRecv5(o_3) mod step < hi))) && qpRange5(o_3) ==> Seq#Index(ar, invRecv5(o_3)) == o_3 && Mask[o_3, Ref__Integer_value] < QPMask[o_3, Ref__Integer_value]) && (!((vmin <= invRecv5(o_3) && (invRecv5(o_3) < vmax && (lo <= invRecv5(o_3) mod step && invRecv5(o_3) mod step < hi))) && qpRange5(o_3)) ==> QPMask[o_3, Ref__Integer_value] == Mask[o_3, Ref__Integer_value]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != Ref__Integer_value ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of function body + + // -- Check definedness of (i < max ? (lo <= i % step && (i % step < hi && ar[i].Ref__Integer_value == v) ? 1 : 0) + count_square(i + 1, lo, hi, step, min, max, ar, v) : 0) + if (i < vmax) { + assert {:msg " Function might not be well-formed. Divisor step might be zero. (testZeroArray.vpr@32.1--40.2) [629]"} + step != 0; + if (lo <= i mod step) { + assert {:msg " Function might not be well-formed. Divisor step might be zero. (testZeroArray.vpr@32.1--40.2) [630]"} + step != 0; + if (i mod step < hi) { + assert {:msg " Function might not be well-formed. There might be insufficient permission to access ar[i].Ref__Integer_value (testZeroArray.vpr@32.1--40.2) [631]"} + HasDirectPerm(Mask, Seq#Index(ar, i), Ref__Integer_value); + assert {:msg " Function might not be well-formed. Index ar[i] into ar might be negative. (testZeroArray.vpr@32.1--40.2) [632]"} + i >= 0; + assert {:msg " Function might not be well-formed. Index ar[i] into ar might exceed sequence length. (testZeroArray.vpr@32.1--40.2) [633]"} + i < Seq#Length(ar); + } + } + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function count_square might not hold. Assertion 0 <= lo might not hold. (testZeroArray.vpr@39.97--39.147) [634]"} + 0 <= lo; + assert {:msg " Precondition of function count_square might not hold. Assertion lo <= hi might not hold. (testZeroArray.vpr@39.97--39.147) [635]"} + lo <= hi; + assert {:msg " Precondition of function count_square might not hold. Assertion hi <= step might not hold. (testZeroArray.vpr@39.97--39.147) [636]"} + hi <= step; + assert {:msg " Precondition of function count_square might not hold. Assertion step > 0 might not hold. (testZeroArray.vpr@39.97--39.147) [637]"} + step > 0; + assert {:msg " Precondition of function count_square might not hold. Assertion 0 <= min might not hold. (testZeroArray.vpr@39.97--39.147) [638]"} + 0 <= vmin; + assert {:msg " Precondition of function count_square might not hold. Assertion min <= i + 1 might not hold. (testZeroArray.vpr@39.97--39.147) [639]"} + vmin <= i + 1; + assert {:msg " Precondition of function count_square might not hold. Assertion i + 1 <= max might not hold. (testZeroArray.vpr@39.97--39.147) [640]"} + i + 1 <= vmax; + assert {:msg " Precondition of function count_square might not hold. Assertion max <= |ar| might not hold. (testZeroArray.vpr@39.97--39.147) [641]"} + vmax <= Seq#Length(ar); + if (*) { + if (0 <= j_4 && (j_4 < vmax && (0 <= k_9 && (k_9 < vmax && j_4 != k_9)))) { + assert {:msg " Precondition of function count_square might not hold. Assertion ar[j] != ar[k] might not hold. (testZeroArray.vpr@39.97--39.147) [642]"} + Seq#Index(ar, j_4) != Seq#Index(ar, k_9); + } + assume false; + } + assume (forall j_5_1: int, k_10_1: int :: + { Seq#Index(ar, j_5_1), Seq#Index(ar, k_10_1) } + 0 <= j_5_1 && (j_5_1 < vmax && (0 <= k_10_1 && (k_10_1 < vmax && j_5_1 != k_10_1))) ==> Seq#Index(ar, j_5_1) != Seq#Index(ar, k_10_1) + ); + havoc QPMask; + // wild card assumptions + havoc wildcard; + assert {:msg " Precondition of function count_square might not hold. There might be insufficient permission to access ar[k].Ref__Integer_value (testZeroArray.vpr@39.97--39.147) [643]"} + (forall k_11: int :: + + vmin <= k_11 && (k_11 < vmax && (lo <= k_11 mod step && k_11 mod step < hi)) ==> Mask[Seq#Index(ar, k_11), Ref__Integer_value] > NoPerm + ); + assume (forall k_11: int :: + + vmin <= k_11 && (k_11 < vmax && (lo <= k_11 mod step && k_11 mod step < hi)) ==> wildcard < Mask[Seq#Index(ar, k_11), Ref__Integer_value] + ); + + // -- check that the permission amount is positive + assert {:msg " Precondition of function count_square might not hold. Fraction wildcard might be negative. (testZeroArray.vpr@39.97--39.147) [644]"} + (forall k_11: int :: + { Seq#Index(ar, k_11) } { Seq#Index(ar, k_11) } + (vmin <= k_11 && (k_11 < vmax && (lo <= k_11 mod step && k_11 mod step < hi))) && dummyFunction(Heap[Seq#Index(ar, k_11), Ref__Integer_value]) ==> wildcard >= NoPerm + ); + + // -- check if receiver ar[k] is injective + assert {:msg " Precondition of function count_square might not hold. Quantified resource ar[k].Ref__Integer_value might not be injective. (testZeroArray.vpr@39.97--39.147) [645]"} + (forall k_11: int, k_11_1: int :: + { neverTriggered6(k_11), neverTriggered6(k_11_1) } + (((k_11 != k_11_1 && (vmin <= k_11 && (k_11 < vmax && (lo <= k_11 mod step && k_11 mod step < hi)))) && (vmin <= k_11_1 && (k_11_1 < vmax && (lo <= k_11_1 mod step && k_11_1 mod step < hi)))) && NoPerm < wildcard) && NoPerm < wildcard ==> Seq#Index(ar, k_11) != Seq#Index(ar, k_11_1) + ); + + // -- check if sufficient permission is held + assert {:msg " Precondition of function count_square might not hold. There might be insufficient permission to access ar[k].Ref__Integer_value (testZeroArray.vpr@39.97--39.147) [646]"} + (forall k_11: int :: + { Seq#Index(ar, k_11) } { Seq#Index(ar, k_11) } + vmin <= k_11 && (k_11 < vmax && (lo <= k_11 mod step && k_11 mod step < hi)) ==> Mask[Seq#Index(ar, k_11), Ref__Integer_value] > NoPerm + ); + + // -- assumptions for inverse of receiver ar[k] + assume (forall k_11: int :: + { Seq#Index(ar, k_11) } { Seq#Index(ar, k_11) } + (vmin <= k_11 && (k_11 < vmax && (lo <= k_11 mod step && k_11 mod step < hi))) && NoPerm < wildcard ==> qpRange6(Seq#Index(ar, k_11)) && invRecv6(Seq#Index(ar, k_11)) == k_11 + ); + assume (forall o_3: Ref :: + { invRecv6(o_3) } + (vmin <= invRecv6(o_3) && (invRecv6(o_3) < vmax && (lo <= invRecv6(o_3) mod step && invRecv6(o_3) mod step < hi))) && (NoPerm < wildcard && qpRange6(o_3)) ==> Seq#Index(ar, invRecv6(o_3)) == o_3 + ); + + // -- assume permission updates for field Ref__Integer_value + assume (forall o_3: Ref :: + { QPMask[o_3, Ref__Integer_value] } + ((vmin <= invRecv6(o_3) && (invRecv6(o_3) < vmax && (lo <= invRecv6(o_3) mod step && invRecv6(o_3) mod step < hi))) && (NoPerm < wildcard && qpRange6(o_3)) ==> Seq#Index(ar, invRecv6(o_3)) == o_3 && QPMask[o_3, Ref__Integer_value] == Mask[o_3, Ref__Integer_value] - wildcard) && (!((vmin <= invRecv6(o_3) && (invRecv6(o_3) < vmax && (lo <= invRecv6(o_3) mod step && invRecv6(o_3) mod step < hi))) && (NoPerm < wildcard && qpRange6(o_3))) ==> QPMask[o_3, Ref__Integer_value] == Mask[o_3, Ref__Integer_value]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != Ref__Integer_value ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } else { + // Enable postcondition for recursive call + assume count_square#trigger(FrameFragment(count_square#condqp3(Heap, i + 1, lo, hi, step, vmin, vmax, ar, v_2)), i + 1, lo, hi, step, vmin, vmax, ar, v_2); + } + } + + // -- Translate function body + Result := (if i < vmax then (if lo <= i mod step && (i mod step < hi && Heap[Seq#Index(ar, i), Ref__Integer_value] == v_2) then 1 else 0) + count_square(Heap, i + 1, lo, hi, step, vmin, vmax, ar, v_2) else 0); +} + +// ================================================== +// Translation of function count_list +// ================================================== + +// Uninterpreted function definitions +function count_list(Heap: HeapType, i: int, hi: int, ar: (Seq int), v_2: int): int; +function count_list'(Heap: HeapType, i: int, hi: int, ar: (Seq int), v_2: int): int; +axiom (forall Heap: HeapType, i: int, hi: int, ar: (Seq int), v_2: int :: + { count_list(Heap, i, hi, ar, v_2) } + count_list(Heap, i, hi, ar, v_2) == count_list'(Heap, i, hi, ar, v_2) && dummyFunction(count_list#triggerStateless(i, hi, ar, v_2)) +); +axiom (forall Heap: HeapType, i: int, hi: int, ar: (Seq int), v_2: int :: + { count_list'(Heap, i, hi, ar, v_2) } + dummyFunction(count_list#triggerStateless(i, hi, ar, v_2)) +); + +// Definitional axiom +axiom (forall Heap: HeapType, Mask: MaskType, i: int, hi: int, ar: (Seq int), v_2: int :: + { state(Heap, Mask), count_list(Heap, i, hi, ar, v_2) } + state(Heap, Mask) && AssumeFunctionsAbove < 5 ==> (0 <= i && i <= hi) && hi <= Seq#Length(ar) ==> count_list(Heap, i, hi, ar, v_2) == (if i < hi then (if Seq#Index(ar, i) == v_2 then 1 else 0) + count_list'(Heap, i + 1, hi, ar, v_2) else 0) +); + +// Framing axioms +function count_list#frame(frame: FrameType, i: int, hi: int, ar: (Seq int), v_2: int): int; +axiom (forall Heap: HeapType, Mask: MaskType, i: int, hi: int, ar: (Seq int), v_2: int :: + { state(Heap, Mask), count_list'(Heap, i, hi, ar, v_2) } + state(Heap, Mask) ==> count_list'(Heap, i, hi, ar, v_2) == count_list#frame(EmptyFrame, i, hi, ar, v_2) +); + +// Trigger function (controlling recursive postconditions) +function count_list#trigger(frame: FrameType, i: int, hi: int, ar: (Seq int), v_2: int): bool; + +// State-independent trigger function +function count_list#triggerStateless(i: int, hi: int, ar: (Seq int), v_2: int): int; + +// Check contract well-formedness and postcondition +procedure count_list#definedness(i: int, hi: int, ar: (Seq int), v_2: int) returns (Result: int) + modifies Heap, Mask; +{ + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == 5; + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Inhaling precondition (with checking) + assume 0 <= i; + assume i <= hi; + assume state(Heap, Mask); + assume hi <= Seq#Length(ar); + assume state(Heap, Mask); + + // -- Check definedness of function body + + // -- Check definedness of (i < hi ? (ar[i] == v ? 1 : 0) + count_list(i + 1, hi, ar, v) : 0) + if (i < hi) { + assert {:msg " Function might not be well-formed. Index ar[i] into ar might be negative. (testZeroArray.vpr@42.1--47.2) [647]"} + i >= 0; + assert {:msg " Function might not be well-formed. Index ar[i] into ar might exceed sequence length. (testZeroArray.vpr@42.1--47.2) [648]"} + i < Seq#Length(ar); + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function count_list might not hold. Assertion 0 <= i + 1 might not hold. (testZeroArray.vpr@46.36--46.64) [649]"} + 0 <= i + 1; + assert {:msg " Precondition of function count_list might not hold. Assertion i + 1 <= hi might not hold. (testZeroArray.vpr@46.36--46.64) [650]"} + i + 1 <= hi; + assert {:msg " Precondition of function count_list might not hold. Assertion hi <= |ar| might not hold. (testZeroArray.vpr@46.36--46.64) [651]"} + hi <= Seq#Length(ar); + // Stop execution + assume false; + } else { + // Enable postcondition for recursive call + assume count_list#trigger(EmptyFrame, i + 1, hi, ar, v_2); + } + } + + // -- Translate function body + Result := (if i < hi then (if Seq#Index(ar, i) == v_2 then 1 else 0) + count_list(Heap, i + 1, hi, ar, v_2) else 0); +} + +// ================================================== +// Translation of function count_array +// ================================================== + +// Uninterpreted function definitions +function count_array(Heap: HeapType, i: int, hi: int, ar: (Seq Ref), v_2: int): int; +function count_array'(Heap: HeapType, i: int, hi: int, ar: (Seq Ref), v_2: int): int; +axiom (forall Heap: HeapType, i: int, hi: int, ar: (Seq Ref), v_2: int :: + { count_array(Heap, i, hi, ar, v_2) } + count_array(Heap, i, hi, ar, v_2) == count_array'(Heap, i, hi, ar, v_2) && dummyFunction(count_array#triggerStateless(i, hi, ar, v_2)) +); +axiom (forall Heap: HeapType, i: int, hi: int, ar: (Seq Ref), v_2: int :: + { count_array'(Heap, i, hi, ar, v_2) } + dummyFunction(count_array#triggerStateless(i, hi, ar, v_2)) +); + +// Definitional axiom +axiom (forall Heap: HeapType, Mask: MaskType, i: int, hi: int, ar: (Seq Ref), v_2: int :: + { state(Heap, Mask), count_array(Heap, i, hi, ar, v_2) } + state(Heap, Mask) && AssumeFunctionsAbove < 0 ==> ((0 <= i && i <= hi) && hi <= Seq#Length(ar)) && (forall j: int, k: int :: + { Seq#Index(ar, j), Seq#Index(ar, k) } + 0 <= j && (j < hi && (0 <= k && (k < hi && j != k))) ==> Seq#Index(ar, j) != Seq#Index(ar, k) + ) ==> count_array(Heap, i, hi, ar, v_2) == (if i < hi then (if Heap[Seq#Index(ar, i), Ref__Integer_value] == v_2 then 1 else 0) + count_array'(Heap, i + 1, hi, ar, v_2) else 0) +); + +// Framing axioms +function count_array#frame(frame: FrameType, i: int, hi: int, ar: (Seq Ref), v_2: int): int; +axiom (forall Heap: HeapType, Mask: MaskType, i: int, hi: int, ar: (Seq Ref), v_2: int :: + { state(Heap, Mask), count_array'(Heap, i, hi, ar, v_2) } + state(Heap, Mask) ==> count_array'(Heap, i, hi, ar, v_2) == count_array#frame(FrameFragment(count_array#condqp4(Heap, i, hi, ar, v_2)), i, hi, ar, v_2) +); +// ================================================== +// Function used for framing of quantified permission (forall k: Int :: { ar[k] } 0 <= k && k < hi ==> acc(ar[k].Ref__Integer_value, wildcard)) in function count_array +// ================================================== + +function count_array#condqp4(Heap: HeapType, i_1_1: int, hi_1_1: int, ar_1_1: (Seq Ref), v_1_1: int): int; +axiom (forall Heap2Heap: HeapType, Heap1Heap: HeapType, i: int, hi: int, ar: (Seq Ref), v_2: int :: + { count_array#condqp4(Heap2Heap, i, hi, ar, v_2), count_array#condqp4(Heap1Heap, i, hi, ar, v_2), succHeapTrans(Heap2Heap, Heap1Heap) } + (forall k_2: int :: + + (0 <= k_2 && k_2 < hi <==> 0 <= k_2 && k_2 < hi) && (0 <= k_2 && k_2 < hi ==> Heap2Heap[Seq#Index(ar, k_2), Ref__Integer_value] == Heap1Heap[Seq#Index(ar, k_2), Ref__Integer_value]) + ) ==> count_array#condqp4(Heap2Heap, i, hi, ar, v_2) == count_array#condqp4(Heap1Heap, i, hi, ar, v_2) +); + +// Trigger function (controlling recursive postconditions) +function count_array#trigger(frame: FrameType, i: int, hi: int, ar: (Seq Ref), v_2: int): bool; + +// State-independent trigger function +function count_array#triggerStateless(i: int, hi: int, ar: (Seq Ref), v_2: int): int; + +// Check contract well-formedness and postcondition +procedure count_array#definedness(i: int, hi: int, ar: (Seq Ref), v_2: int) returns (Result: int) + modifies Heap, Mask; +{ + var j_6: int; + var k_12: int; + var k_13: int; + var QPMask: MaskType; + var wildcard: real where wildcard > 0.000000000; + var j_4: int; + var k_9: int; + var ExhaleHeap: HeapType; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == 0; + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Inhaling precondition (with checking) + assume 0 <= i; + assume i <= hi; + assume state(Heap, Mask); + assume hi <= Seq#Length(ar); + assume state(Heap, Mask); + + // -- Check definedness of (forall j: Int, k: Int :: { ar[j], ar[k] } 0 <= j && (j < hi && (0 <= k && (k < hi && j != k))) ==> ar[j] != ar[k]) + if (*) { + if (0 <= j_6 && (j_6 < hi && (0 <= k_12 && (k_12 < hi && j_6 != k_12)))) { + assert {:msg " Contract might not be well-formed. Index ar[j] into ar might be negative. (testZeroArray.vpr@52.12--52.102) [652]"} + j_6 >= 0; + assert {:msg " Contract might not be well-formed. Index ar[j] into ar might exceed sequence length. (testZeroArray.vpr@52.12--52.102) [653]"} + j_6 < Seq#Length(ar); + assert {:msg " Contract might not be well-formed. Index ar[k] into ar might be negative. (testZeroArray.vpr@52.12--52.102) [654]"} + k_12 >= 0; + assert {:msg " Contract might not be well-formed. Index ar[k] into ar might exceed sequence length. (testZeroArray.vpr@52.12--52.102) [655]"} + k_12 < Seq#Length(ar); + } + assume false; + } + assume (forall j_3: int, k_6: int :: + { Seq#Index(ar, j_3), Seq#Index(ar, k_6) } + 0 <= j_3 && (j_3 < hi && (0 <= k_6 && (k_6 < hi && j_3 != k_6))) ==> Seq#Index(ar, j_3) != Seq#Index(ar, k_6) + ); + assume state(Heap, Mask); + + // -- Check definedness of (forall k: Int :: { ar[k] } 0 <= k && k < hi ==> acc(ar[k].Ref__Integer_value, wildcard)) + if (*) { + if (0 <= k_13 && k_13 < hi) { + assert {:msg " Contract might not be well-formed. Index ar[k] into ar might be negative. (testZeroArray.vpr@53.13--53.94) [656]"} + k_13 >= 0; + assert {:msg " Contract might not be well-formed. Index ar[k] into ar might exceed sequence length. (testZeroArray.vpr@53.13--53.94) [657]"} + k_13 < Seq#Length(ar); + } + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource ar[k].Ref__Integer_value might not be injective. (testZeroArray.vpr@53.13--53.94) [658]"} + (forall k_8: int, k_8_1: int :: + + (((k_8 != k_8_1 && (0 <= k_8 && k_8 < hi)) && (0 <= k_8_1 && k_8_1 < hi)) && NoPerm < wildcard) && NoPerm < wildcard ==> Seq#Index(ar, k_8) != Seq#Index(ar, k_8_1) + ); + + // -- Define Inverse Function + assume (forall k_8: int :: + { Seq#Index(ar, k_8) } { Seq#Index(ar, k_8) } + 0 <= k_8 && k_8 < hi ==> qpRange7(Seq#Index(ar, k_8)) && invRecv7(Seq#Index(ar, k_8)) == k_8 + ); + assume (forall o_3: Ref :: + { invRecv7(o_3) } + (0 <= invRecv7(o_3) && invRecv7(o_3) < hi) && qpRange7(o_3) ==> Seq#Index(ar, invRecv7(o_3)) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall k_8: int :: + { Seq#Index(ar, k_8) } { Seq#Index(ar, k_8) } + 0 <= k_8 && k_8 < hi ==> Seq#Index(ar, k_8) != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, Ref__Integer_value] } + ((0 <= invRecv7(o_3) && invRecv7(o_3) < hi) && qpRange7(o_3) ==> Seq#Index(ar, invRecv7(o_3)) == o_3 && Mask[o_3, Ref__Integer_value] < QPMask[o_3, Ref__Integer_value]) && (!((0 <= invRecv7(o_3) && invRecv7(o_3) < hi) && qpRange7(o_3)) ==> QPMask[o_3, Ref__Integer_value] == Mask[o_3, Ref__Integer_value]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != Ref__Integer_value ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of function body + + // -- Check definedness of (i < hi ? (ar[i].Ref__Integer_value == v ? 1 : 0) + count_array(i + 1, hi, ar, v) : 0) + if (i < hi) { + assert {:msg " Function might not be well-formed. There might be insufficient permission to access ar[i].Ref__Integer_value (testZeroArray.vpr@49.1--56.2) [659]"} + HasDirectPerm(Mask, Seq#Index(ar, i), Ref__Integer_value); + assert {:msg " Function might not be well-formed. Index ar[i] into ar might be negative. (testZeroArray.vpr@49.1--56.2) [660]"} + i >= 0; + assert {:msg " Function might not be well-formed. Index ar[i] into ar might exceed sequence length. (testZeroArray.vpr@49.1--56.2) [661]"} + i < Seq#Length(ar); + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function count_array might not hold. Assertion 0 <= i + 1 might not hold. (testZeroArray.vpr@55.55--55.84) [662]"} + 0 <= i + 1; + assert {:msg " Precondition of function count_array might not hold. Assertion i + 1 <= hi might not hold. (testZeroArray.vpr@55.55--55.84) [663]"} + i + 1 <= hi; + assert {:msg " Precondition of function count_array might not hold. Assertion hi <= |ar| might not hold. (testZeroArray.vpr@55.55--55.84) [664]"} + hi <= Seq#Length(ar); + if (*) { + if (0 <= j_4 && (j_4 < hi && (0 <= k_9 && (k_9 < hi && j_4 != k_9)))) { + assert {:msg " Precondition of function count_array might not hold. Assertion ar[j] != ar[k] might not hold. (testZeroArray.vpr@55.55--55.84) [665]"} + Seq#Index(ar, j_4) != Seq#Index(ar, k_9); + } + assume false; + } + assume (forall j_5_1: int, k_10_1: int :: + { Seq#Index(ar, j_5_1), Seq#Index(ar, k_10_1) } + 0 <= j_5_1 && (j_5_1 < hi && (0 <= k_10_1 && (k_10_1 < hi && j_5_1 != k_10_1))) ==> Seq#Index(ar, j_5_1) != Seq#Index(ar, k_10_1) + ); + havoc QPMask; + // wild card assumptions + havoc wildcard; + assert {:msg " Precondition of function count_array might not hold. There might be insufficient permission to access ar[k].Ref__Integer_value (testZeroArray.vpr@55.55--55.84) [666]"} + (forall k_11: int :: + + 0 <= k_11 && k_11 < hi ==> Mask[Seq#Index(ar, k_11), Ref__Integer_value] > NoPerm + ); + assume (forall k_11: int :: + + 0 <= k_11 && k_11 < hi ==> wildcard < Mask[Seq#Index(ar, k_11), Ref__Integer_value] + ); + + // -- check that the permission amount is positive + assert {:msg " Precondition of function count_array might not hold. Fraction wildcard might be negative. (testZeroArray.vpr@55.55--55.84) [667]"} + (forall k_11: int :: + { Seq#Index(ar, k_11) } { Seq#Index(ar, k_11) } + (0 <= k_11 && k_11 < hi) && dummyFunction(Heap[Seq#Index(ar, k_11), Ref__Integer_value]) ==> wildcard >= NoPerm + ); + + // -- check if receiver ar[k] is injective + assert {:msg " Precondition of function count_array might not hold. Quantified resource ar[k].Ref__Integer_value might not be injective. (testZeroArray.vpr@55.55--55.84) [668]"} + (forall k_11: int, k_11_1: int :: + { neverTriggered8(k_11), neverTriggered8(k_11_1) } + (((k_11 != k_11_1 && (0 <= k_11 && k_11 < hi)) && (0 <= k_11_1 && k_11_1 < hi)) && NoPerm < wildcard) && NoPerm < wildcard ==> Seq#Index(ar, k_11) != Seq#Index(ar, k_11_1) + ); + + // -- check if sufficient permission is held + assert {:msg " Precondition of function count_array might not hold. There might be insufficient permission to access ar[k].Ref__Integer_value (testZeroArray.vpr@55.55--55.84) [669]"} + (forall k_11: int :: + { Seq#Index(ar, k_11) } { Seq#Index(ar, k_11) } + 0 <= k_11 && k_11 < hi ==> Mask[Seq#Index(ar, k_11), Ref__Integer_value] > NoPerm + ); + + // -- assumptions for inverse of receiver ar[k] + assume (forall k_11: int :: + { Seq#Index(ar, k_11) } { Seq#Index(ar, k_11) } + (0 <= k_11 && k_11 < hi) && NoPerm < wildcard ==> qpRange8(Seq#Index(ar, k_11)) && invRecv8(Seq#Index(ar, k_11)) == k_11 + ); + assume (forall o_3: Ref :: + { invRecv8(o_3) } + (0 <= invRecv8(o_3) && invRecv8(o_3) < hi) && (NoPerm < wildcard && qpRange8(o_3)) ==> Seq#Index(ar, invRecv8(o_3)) == o_3 + ); + + // -- assume permission updates for field Ref__Integer_value + assume (forall o_3: Ref :: + { QPMask[o_3, Ref__Integer_value] } + ((0 <= invRecv8(o_3) && invRecv8(o_3) < hi) && (NoPerm < wildcard && qpRange8(o_3)) ==> Seq#Index(ar, invRecv8(o_3)) == o_3 && QPMask[o_3, Ref__Integer_value] == Mask[o_3, Ref__Integer_value] - wildcard) && (!((0 <= invRecv8(o_3) && invRecv8(o_3) < hi) && (NoPerm < wildcard && qpRange8(o_3))) ==> QPMask[o_3, Ref__Integer_value] == Mask[o_3, Ref__Integer_value]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != Ref__Integer_value ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } else { + // Enable postcondition for recursive call + assume count_array#trigger(FrameFragment(count_array#condqp4(Heap, i + 1, hi, ar, v_2)), i + 1, hi, ar, v_2); + } + } + + // -- Translate function body + Result := (if i < hi then (if Heap[Seq#Index(ar, i), Ref__Integer_value] == v_2 then 1 else 0) + count_array(Heap, i + 1, hi, ar, v_2) else 0); +} + +// ================================================== +// Translation of method Ref__loop_main_23 +// ================================================== + +procedure Ref__loop_main_23(diz: Ref, current_thread_id: int, len: int, ar: (Seq Ref)) returns () + modifies Heap, Mask; +{ + var j_7: int; + var k_14: int; + var i_2: int; + var QPMask: MaskType; + var PostHeap: HeapType; + var PostMask: MaskType; + var i_7: int; + var i_8: int; + var i_7_1: int; + var ExhaleHeap: HeapType; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == -1; + + // -- Assumptions about method arguments + assume Heap[diz, $allocated]; + + // -- Checked inhaling of precondition + assume diz != null; + assume state(Heap, Mask); + assume current_thread_id >= 0; + assume state(Heap, Mask); + if (0 < len) { + assume Seq#Length(ar) == len; + } + assume state(Heap, Mask); + + // -- Check definedness of (forall j: Int, k: Int :: { ar[j], ar[k] } 0 <= j && (j < len && (0 <= k && (k < len && j != k))) ==> ar[j] != ar[k]) + if (*) { + if (0 <= j_7 && (j_7 < len && (0 <= k_14 && (k_14 < len && j_7 != k_14)))) { + assert {:msg " Contract might not be well-formed. Index ar[j] into ar might be negative. (testZeroArray.vpr@62.12--62.104) [670]"} + j_7 >= 0; + assert {:msg " Contract might not be well-formed. Index ar[j] into ar might exceed sequence length. (testZeroArray.vpr@62.12--62.104) [671]"} + j_7 < Seq#Length(ar); + assert {:msg " Contract might not be well-formed. Index ar[k] into ar might be negative. (testZeroArray.vpr@62.12--62.104) [672]"} + k_14 >= 0; + assert {:msg " Contract might not be well-formed. Index ar[k] into ar might exceed sequence length. (testZeroArray.vpr@62.12--62.104) [673]"} + k_14 < Seq#Length(ar); + } + assume false; + } + assume (forall j_1_1: int, k_1_1: int :: + { Seq#Index(ar, j_1_1), Seq#Index(ar, k_1_1) } + 0 <= j_1_1 && (j_1_1 < len && (0 <= k_1_1 && (k_1_1 < len && j_1_1 != k_1_1))) ==> Seq#Index(ar, j_1_1) != Seq#Index(ar, k_1_1) + ); + assume state(Heap, Mask); + + // -- Check definedness of (forall i: Int :: { ar[i] } 0 <= i && i < len ==> acc(ar[i].Ref__Integer_value, write)) + if (*) { + if (0 <= i_2 && i_2 < len) { + assert {:msg " Contract might not be well-formed. Index ar[i] into ar might be negative. (testZeroArray.vpr@63.13--63.92) [674]"} + i_2 >= 0; + assert {:msg " Contract might not be well-formed. Index ar[i] into ar might exceed sequence length. (testZeroArray.vpr@63.13--63.92) [675]"} + i_2 < Seq#Length(ar); + } + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource ar[i].Ref__Integer_value might not be injective. (testZeroArray.vpr@63.13--63.92) [676]"} + (forall i_1: int, i_1_2: int :: + + (((i_1 != i_1_2 && (0 <= i_1 && i_1 < len)) && (0 <= i_1_2 && i_1_2 < len)) && NoPerm < FullPerm) && NoPerm < FullPerm ==> Seq#Index(ar, i_1) != Seq#Index(ar, i_1_2) + ); + + // -- Define Inverse Function + assume (forall i_1: int :: + { Seq#Index(ar, i_1) } { Seq#Index(ar, i_1) } + (0 <= i_1 && i_1 < len) && NoPerm < FullPerm ==> qpRange9(Seq#Index(ar, i_1)) && invRecv9(Seq#Index(ar, i_1)) == i_1 + ); + assume (forall o_3: Ref :: + { invRecv9(o_3) } + ((0 <= invRecv9(o_3) && invRecv9(o_3) < len) && NoPerm < FullPerm) && qpRange9(o_3) ==> Seq#Index(ar, invRecv9(o_3)) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall i_1: int :: + { Seq#Index(ar, i_1) } { Seq#Index(ar, i_1) } + 0 <= i_1 && i_1 < len ==> Seq#Index(ar, i_1) != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, Ref__Integer_value] } + (((0 <= invRecv9(o_3) && invRecv9(o_3) < len) && NoPerm < FullPerm) && qpRange9(o_3) ==> (NoPerm < FullPerm ==> Seq#Index(ar, invRecv9(o_3)) == o_3) && QPMask[o_3, Ref__Integer_value] == Mask[o_3, Ref__Integer_value] + FullPerm) && (!(((0 <= invRecv9(o_3) && invRecv9(o_3) < len) && NoPerm < FullPerm) && qpRange9(o_3)) ==> QPMask[o_3, Ref__Integer_value] == Mask[o_3, Ref__Integer_value]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != Ref__Integer_value ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + PostHeap := Heap; + PostMask := Mask; + havoc PostHeap; + PostMask := ZeroMask; + assume state(PostHeap, PostMask); + if (*) { + // Checked inhaling of postcondition to check definedness + if (0 < len) { + assume Seq#Length(ar) == len; + } + assume state(PostHeap, PostMask); + + // -- Check definedness of (forall i: Int :: { ar[i] } 0 <= i && i < len ==> acc(ar[i].Ref__Integer_value, write)) + if (*) { + if (0 <= i_7 && i_7 < len) { + assert {:msg " Contract might not be well-formed. Index ar[i] into ar might be negative. (testZeroArray.vpr@65.12--65.91) [677]"} + i_7 >= 0; + assert {:msg " Contract might not be well-formed. Index ar[i] into ar might exceed sequence length. (testZeroArray.vpr@65.12--65.91) [678]"} + i_7 < Seq#Length(ar); + } + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource ar[i].Ref__Integer_value might not be injective. (testZeroArray.vpr@65.12--65.91) [679]"} + (forall i_3: int, i_3_1: int :: + + (((i_3 != i_3_1 && (0 <= i_3 && i_3 < len)) && (0 <= i_3_1 && i_3_1 < len)) && NoPerm < FullPerm) && NoPerm < FullPerm ==> Seq#Index(ar, i_3) != Seq#Index(ar, i_3_1) + ); + + // -- Define Inverse Function + assume (forall i_3: int :: + { Seq#Index(ar, i_3) } { Seq#Index(ar, i_3) } + (0 <= i_3 && i_3 < len) && NoPerm < FullPerm ==> qpRange10(Seq#Index(ar, i_3)) && invRecv10(Seq#Index(ar, i_3)) == i_3 + ); + assume (forall o_3: Ref :: + { invRecv10(o_3) } + ((0 <= invRecv10(o_3) && invRecv10(o_3) < len) && NoPerm < FullPerm) && qpRange10(o_3) ==> Seq#Index(ar, invRecv10(o_3)) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall i_3: int :: + { Seq#Index(ar, i_3) } { Seq#Index(ar, i_3) } + 0 <= i_3 && i_3 < len ==> Seq#Index(ar, i_3) != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, Ref__Integer_value] } + (((0 <= invRecv10(o_3) && invRecv10(o_3) < len) && NoPerm < FullPerm) && qpRange10(o_3) ==> (NoPerm < FullPerm ==> Seq#Index(ar, invRecv10(o_3)) == o_3) && QPMask[o_3, Ref__Integer_value] == PostMask[o_3, Ref__Integer_value] + FullPerm) && (!(((0 <= invRecv10(o_3) && invRecv10(o_3) < len) && NoPerm < FullPerm) && qpRange10(o_3)) ==> QPMask[o_3, Ref__Integer_value] == PostMask[o_3, Ref__Integer_value]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { PostMask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != Ref__Integer_value ==> PostMask[o_3, f_5] == QPMask[o_3, f_5] + ); + PostMask := QPMask; + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + + // -- Check definedness of (forall i: Int :: { ar[i] } 0 <= i && i < len ==> ar[i].Ref__Integer_value == 0) + if (*) { + if (0 <= i_8 && i_8 < len) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access ar[i].Ref__Integer_value (testZeroArray.vpr@66.12--66.86) [680]"} + HasDirectPerm(PostMask, Seq#Index(ar, i_8), Ref__Integer_value); + assert {:msg " Contract might not be well-formed. Index ar[i] into ar might be negative. (testZeroArray.vpr@66.12--66.86) [681]"} + i_8 >= 0; + assert {:msg " Contract might not be well-formed. Index ar[i] into ar might exceed sequence length. (testZeroArray.vpr@66.12--66.86) [682]"} + i_8 < Seq#Length(ar); + } + assume false; + } + assume (forall i_5: int :: + { Seq#Index(ar, i_5) } + 0 <= i_5 && i_5 < len ==> PostHeap[Seq#Index(ar, i_5), Ref__Integer_value] == 0 + ); + assume state(PostHeap, PostMask); + // Stop execution + assume false; + } + + // -- Translating statement: inhale false -- testZeroArray.vpr@68.3--68.15 + assume false; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Exhaling postcondition + if (0 < len) { + assert {:msg " Postcondition of Ref__loop_main_23 might not hold. Assertion |ar| == len might not hold. (testZeroArray.vpr@64.11--64.38) [683]"} + Seq#Length(ar) == len; + } + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver ar[i] is injective + assert {:msg " Contract might not be well-formed. Quantified resource ar[i].Ref__Integer_value might not be injective. (testZeroArray.vpr@65.12--65.91) [684]"} + (forall i_6: int, i_6_1: int :: + { neverTriggered11(i_6), neverTriggered11(i_6_1) } + (((i_6 != i_6_1 && (0 <= i_6 && i_6 < len)) && (0 <= i_6_1 && i_6_1 < len)) && NoPerm < FullPerm) && NoPerm < FullPerm ==> Seq#Index(ar, i_6) != Seq#Index(ar, i_6_1) + ); + + // -- check if sufficient permission is held + assert {:msg " Postcondition of Ref__loop_main_23 might not hold. There might be insufficient permission to access ar[i].Ref__Integer_value (testZeroArray.vpr@65.12--65.91) [685]"} + (forall i_6: int :: + { Seq#Index(ar, i_6) } { Seq#Index(ar, i_6) } + 0 <= i_6 && i_6 < len ==> Mask[Seq#Index(ar, i_6), Ref__Integer_value] >= FullPerm + ); + + // -- assumptions for inverse of receiver ar[i] + assume (forall i_6: int :: + { Seq#Index(ar, i_6) } { Seq#Index(ar, i_6) } + (0 <= i_6 && i_6 < len) && NoPerm < FullPerm ==> qpRange11(Seq#Index(ar, i_6)) && invRecv11(Seq#Index(ar, i_6)) == i_6 + ); + assume (forall o_3: Ref :: + { invRecv11(o_3) } + (0 <= invRecv11(o_3) && invRecv11(o_3) < len) && (NoPerm < FullPerm && qpRange11(o_3)) ==> Seq#Index(ar, invRecv11(o_3)) == o_3 + ); + + // -- assume permission updates for field Ref__Integer_value + assume (forall o_3: Ref :: + { QPMask[o_3, Ref__Integer_value] } + ((0 <= invRecv11(o_3) && invRecv11(o_3) < len) && (NoPerm < FullPerm && qpRange11(o_3)) ==> Seq#Index(ar, invRecv11(o_3)) == o_3 && QPMask[o_3, Ref__Integer_value] == Mask[o_3, Ref__Integer_value] - FullPerm) && (!((0 <= invRecv11(o_3) && invRecv11(o_3) < len) && (NoPerm < FullPerm && qpRange11(o_3))) ==> QPMask[o_3, Ref__Integer_value] == Mask[o_3, Ref__Integer_value]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != Ref__Integer_value ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + if (*) { + if (0 <= i_7_1 && i_7_1 < len) { + assert {:msg " Postcondition of Ref__loop_main_23 might not hold. Assertion ar[i].Ref__Integer_value == 0 might not hold. (testZeroArray.vpr@66.12--66.86) [686]"} + Heap[Seq#Index(ar, i_7_1), Ref__Integer_value] == 0; + } + assume false; + } + assume (forall i_8_1: int :: + { Seq#Index(ar, i_8_1) } + 0 <= i_8_1 && i_8_1 < len ==> Heap[Seq#Index(ar, i_8_1), Ref__Integer_value] == 0 + ); + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; +} + +// ================================================== +// Translation of method Ref__loop_body_23 +// ================================================== + +procedure Ref__loop_body_23(diz: Ref, current_thread_id: int, len: int, ar: (Seq Ref), i: int) returns () + modifies Heap, Mask; +{ + var perm: Perm; + var PostHeap: HeapType; + var PostMask: MaskType; + var __flatten_2: Ref; + var __flatten_3: int; + var ExhaleHeap: HeapType; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == -1; + + // -- Assumptions about method arguments + assume Heap[diz, $allocated]; + + // -- Checked inhaling of precondition + assume diz != null; + assume state(Heap, Mask); + assume current_thread_id >= 0; + assume state(Heap, Mask); + assume 0 <= i; + assume i < len; + assume state(Heap, Mask); + assume Seq#Length(ar) == len; + assume state(Heap, Mask); + + // -- Check definedness of acc(ar[i].Ref__Integer_value, write) + assert {:msg " Contract might not be well-formed. Index ar[i] into ar might be negative. (testZeroArray.vpr@76.12--76.48) [687]"} + i >= 0; + assert {:msg " Contract might not be well-formed. Index ar[i] into ar might exceed sequence length. (testZeroArray.vpr@76.12--76.48) [688]"} + i < Seq#Length(ar); + perm := FullPerm; + assume Seq#Index(ar, i) != null; + Mask[Seq#Index(ar, i), Ref__Integer_value] := Mask[Seq#Index(ar, i), Ref__Integer_value] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + PostHeap := Heap; + PostMask := Mask; + havoc PostHeap; + PostMask := ZeroMask; + assume state(PostHeap, PostMask); + if (*) { + // Checked inhaling of postcondition to check definedness + assume 0 <= i; + assume i < len; + assume state(PostHeap, PostMask); + assume Seq#Length(ar) == len; + assume state(PostHeap, PostMask); + + // -- Check definedness of acc(ar[i].Ref__Integer_value, write) + assert {:msg " Contract might not be well-formed. Index ar[i] into ar might be negative. (testZeroArray.vpr@79.11--79.47) [689]"} + i >= 0; + assert {:msg " Contract might not be well-formed. Index ar[i] into ar might exceed sequence length. (testZeroArray.vpr@79.11--79.47) [690]"} + i < Seq#Length(ar); + perm := FullPerm; + assume Seq#Index(ar, i) != null; + PostMask[Seq#Index(ar, i), Ref__Integer_value] := PostMask[Seq#Index(ar, i), Ref__Integer_value] + perm; + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + + // -- Check definedness of ar[i].Ref__Integer_value == 0 + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access ar[i].Ref__Integer_value (testZeroArray.vpr@80.11--80.40) [691]"} + HasDirectPerm(PostMask, Seq#Index(ar, i), Ref__Integer_value); + assert {:msg " Contract might not be well-formed. Index ar[i] into ar might be negative. (testZeroArray.vpr@80.11--80.40) [692]"} + i >= 0; + assert {:msg " Contract might not be well-formed. Index ar[i] into ar might exceed sequence length. (testZeroArray.vpr@80.11--80.40) [693]"} + i < Seq#Length(ar); + assume PostHeap[Seq#Index(ar, i), Ref__Integer_value] == 0; + assume state(PostHeap, PostMask); + // Stop execution + assume false; + } + + // -- Assumptions about local variables + assume Heap[__flatten_2, $allocated]; + + // -- Translating statement: __flatten_2 := ar[i] -- testZeroArray.vpr@84.3--84.23 + + // -- Check definedness of ar[i] + assert {:msg " Assignment might fail. Index ar[i] into ar might be negative. (testZeroArray.vpr@84.3--84.23) [694]"} + i >= 0; + assert {:msg " Assignment might fail. Index ar[i] into ar might exceed sequence length. (testZeroArray.vpr@84.3--84.23) [695]"} + i < Seq#Length(ar); + __flatten_2 := Seq#Index(ar, i); + assume state(Heap, Mask); + + // -- Translating statement: __flatten_3 := 0 -- testZeroArray.vpr@85.3--85.19 + __flatten_3 := 0; + assume state(Heap, Mask); + + // -- Translating statement: __flatten_2.Ref__Integer_value := __flatten_3 -- testZeroArray.vpr@86.3--86.48 + assert {:msg " Assignment might fail. There might be insufficient permission to access __flatten_2.Ref__Integer_value (testZeroArray.vpr@86.3--86.48) [696]"} + FullPerm == Mask[__flatten_2, Ref__Integer_value]; + Heap[__flatten_2, Ref__Integer_value] := __flatten_3; + assume state(Heap, Mask); + + // -- Exhaling postcondition + assert {:msg " Postcondition of Ref__loop_body_23 might not hold. Assertion 0 <= i might not hold. (testZeroArray.vpr@77.11--77.32) [697]"} + 0 <= i; + assert {:msg " Postcondition of Ref__loop_body_23 might not hold. Assertion i < len might not hold. (testZeroArray.vpr@77.11--77.32) [698]"} + i < len; + assert {:msg " Postcondition of Ref__loop_body_23 might not hold. Assertion |ar| == len might not hold. (testZeroArray.vpr@78.11--78.22) [699]"} + Seq#Length(ar) == len; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Postcondition of Ref__loop_body_23 might not hold. There might be insufficient permission to access ar[i].Ref__Integer_value (testZeroArray.vpr@79.11--79.47) [700]"} + perm <= Mask[Seq#Index(ar, i), Ref__Integer_value]; + } + Mask[Seq#Index(ar, i), Ref__Integer_value] := Mask[Seq#Index(ar, i), Ref__Integer_value] - perm; + assert {:msg " Postcondition of Ref__loop_body_23 might not hold. Assertion ar[i].Ref__Integer_value == 0 might not hold. (testZeroArray.vpr@80.11--80.40) [701]"} + Heap[Seq#Index(ar, i), Ref__Integer_value] == 0; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; +} + +// ================================================== +// Translation of method Ref__zero_array +// ================================================== + +procedure Ref__zero_array(diz: Ref, current_thread_id: int, ar: (Seq Ref), len: int) returns () + modifies Heap, Mask; +{ + var j_8: int; + var k_15: int; + var i_9: int; + var QPMask: MaskType; + var PostHeap: HeapType; + var PostMask: MaskType; + var i_10: int; + var k_16: int; + var PreCallHeap: HeapType; + var PreCallMask: MaskType; + var j_2_1: int; + var k_6: int; + var ExhaleHeap: HeapType; + var k_4_1: int; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == -1; + + // -- Assumptions about method arguments + assume Heap[diz, $allocated]; + + // -- Checked inhaling of precondition + assume diz != null; + assume state(Heap, Mask); + assume current_thread_id >= 0; + assume state(Heap, Mask); + assume Seq#Length(ar) == len; + assume state(Heap, Mask); + + // -- Check definedness of (forall j: Int, k: Int :: { ar[j], ar[k] } 0 <= j && (j < len && (0 <= k && (k < len && j != k))) ==> ar[j] != ar[k]) + if (*) { + if (0 <= j_8 && (j_8 < len && (0 <= k_15 && (k_15 < len && j_8 != k_15)))) { + assert {:msg " Contract might not be well-formed. Index ar[j] into ar might be negative. (testZeroArray.vpr@93.12--93.104) [702]"} + j_8 >= 0; + assert {:msg " Contract might not be well-formed. Index ar[j] into ar might exceed sequence length. (testZeroArray.vpr@93.12--93.104) [703]"} + j_8 < Seq#Length(ar); + assert {:msg " Contract might not be well-formed. Index ar[k] into ar might be negative. (testZeroArray.vpr@93.12--93.104) [704]"} + k_15 >= 0; + assert {:msg " Contract might not be well-formed. Index ar[k] into ar might exceed sequence length. (testZeroArray.vpr@93.12--93.104) [705]"} + k_15 < Seq#Length(ar); + } + assume false; + } + assume (forall j_1_1: int, k_1_1: int :: + { Seq#Index(ar, j_1_1), Seq#Index(ar, k_1_1) } + 0 <= j_1_1 && (j_1_1 < len && (0 <= k_1_1 && (k_1_1 < len && j_1_1 != k_1_1))) ==> Seq#Index(ar, j_1_1) != Seq#Index(ar, k_1_1) + ); + assume state(Heap, Mask); + + // -- Check definedness of (forall i: Int :: { ar[i] } 0 <= i && i < len ==> acc(ar[i].Ref__Integer_value, write)) + if (*) { + if (0 <= i_9 && i_9 < len) { + assert {:msg " Contract might not be well-formed. Index ar[i] into ar might be negative. (testZeroArray.vpr@94.13--94.92) [706]"} + i_9 >= 0; + assert {:msg " Contract might not be well-formed. Index ar[i] into ar might exceed sequence length. (testZeroArray.vpr@94.13--94.92) [707]"} + i_9 < Seq#Length(ar); + } + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource ar[i].Ref__Integer_value might not be injective. (testZeroArray.vpr@94.13--94.92) [708]"} + (forall i_1: int, i_1_2: int :: + + (((i_1 != i_1_2 && (0 <= i_1 && i_1 < len)) && (0 <= i_1_2 && i_1_2 < len)) && NoPerm < FullPerm) && NoPerm < FullPerm ==> Seq#Index(ar, i_1) != Seq#Index(ar, i_1_2) + ); + + // -- Define Inverse Function + assume (forall i_1: int :: + { Seq#Index(ar, i_1) } { Seq#Index(ar, i_1) } + (0 <= i_1 && i_1 < len) && NoPerm < FullPerm ==> qpRange12(Seq#Index(ar, i_1)) && invRecv12(Seq#Index(ar, i_1)) == i_1 + ); + assume (forall o_3: Ref :: + { invRecv12(o_3) } + ((0 <= invRecv12(o_3) && invRecv12(o_3) < len) && NoPerm < FullPerm) && qpRange12(o_3) ==> Seq#Index(ar, invRecv12(o_3)) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall i_1: int :: + { Seq#Index(ar, i_1) } { Seq#Index(ar, i_1) } + 0 <= i_1 && i_1 < len ==> Seq#Index(ar, i_1) != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, Ref__Integer_value] } + (((0 <= invRecv12(o_3) && invRecv12(o_3) < len) && NoPerm < FullPerm) && qpRange12(o_3) ==> (NoPerm < FullPerm ==> Seq#Index(ar, invRecv12(o_3)) == o_3) && QPMask[o_3, Ref__Integer_value] == Mask[o_3, Ref__Integer_value] + FullPerm) && (!(((0 <= invRecv12(o_3) && invRecv12(o_3) < len) && NoPerm < FullPerm) && qpRange12(o_3)) ==> QPMask[o_3, Ref__Integer_value] == Mask[o_3, Ref__Integer_value]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != Ref__Integer_value ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + PostHeap := Heap; + PostMask := Mask; + havoc PostHeap; + PostMask := ZeroMask; + assume state(PostHeap, PostMask); + if (*) { + // Checked inhaling of postcondition to check definedness + assume Seq#Length(ar) == len; + assume state(PostHeap, PostMask); + + // -- Check definedness of (forall i: Int :: { ar[i] } 0 <= i && i < len ==> acc(ar[i].Ref__Integer_value, write)) + if (*) { + if (0 <= i_10 && i_10 < len) { + assert {:msg " Contract might not be well-formed. Index ar[i] into ar might be negative. (testZeroArray.vpr@96.12--96.91) [709]"} + i_10 >= 0; + assert {:msg " Contract might not be well-formed. Index ar[i] into ar might exceed sequence length. (testZeroArray.vpr@96.12--96.91) [710]"} + i_10 < Seq#Length(ar); + } + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource ar[i].Ref__Integer_value might not be injective. (testZeroArray.vpr@96.12--96.91) [711]"} + (forall i_3: int, i_3_1: int :: + + (((i_3 != i_3_1 && (0 <= i_3 && i_3 < len)) && (0 <= i_3_1 && i_3_1 < len)) && NoPerm < FullPerm) && NoPerm < FullPerm ==> Seq#Index(ar, i_3) != Seq#Index(ar, i_3_1) + ); + + // -- Define Inverse Function + assume (forall i_3: int :: + { Seq#Index(ar, i_3) } { Seq#Index(ar, i_3) } + (0 <= i_3 && i_3 < len) && NoPerm < FullPerm ==> qpRange13(Seq#Index(ar, i_3)) && invRecv13(Seq#Index(ar, i_3)) == i_3 + ); + assume (forall o_3: Ref :: + { invRecv13(o_3) } + ((0 <= invRecv13(o_3) && invRecv13(o_3) < len) && NoPerm < FullPerm) && qpRange13(o_3) ==> Seq#Index(ar, invRecv13(o_3)) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall i_3: int :: + { Seq#Index(ar, i_3) } { Seq#Index(ar, i_3) } + 0 <= i_3 && i_3 < len ==> Seq#Index(ar, i_3) != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, Ref__Integer_value] } + (((0 <= invRecv13(o_3) && invRecv13(o_3) < len) && NoPerm < FullPerm) && qpRange13(o_3) ==> (NoPerm < FullPerm ==> Seq#Index(ar, invRecv13(o_3)) == o_3) && QPMask[o_3, Ref__Integer_value] == PostMask[o_3, Ref__Integer_value] + FullPerm) && (!(((0 <= invRecv13(o_3) && invRecv13(o_3) < len) && NoPerm < FullPerm) && qpRange13(o_3)) ==> QPMask[o_3, Ref__Integer_value] == PostMask[o_3, Ref__Integer_value]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { PostMask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != Ref__Integer_value ==> PostMask[o_3, f_5] == QPMask[o_3, f_5] + ); + PostMask := QPMask; + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + + // -- Check definedness of (forall k: Int :: { ar[k] } 0 <= k && k < len ==> ar[k].Ref__Integer_value == 0) + if (*) { + if (0 <= k_16 && k_16 < len) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access ar[k].Ref__Integer_value (testZeroArray.vpr@97.12--97.86) [712]"} + HasDirectPerm(PostMask, Seq#Index(ar, k_16), Ref__Integer_value); + assert {:msg " Contract might not be well-formed. Index ar[k] into ar might be negative. (testZeroArray.vpr@97.12--97.86) [713]"} + k_16 >= 0; + assert {:msg " Contract might not be well-formed. Index ar[k] into ar might exceed sequence length. (testZeroArray.vpr@97.12--97.86) [714]"} + k_16 < Seq#Length(ar); + } + assume false; + } + assume (forall k_3_1: int :: + { Seq#Index(ar, k_3_1) } + 0 <= k_3_1 && k_3_1 < len ==> PostHeap[Seq#Index(ar, k_3_1), Ref__Integer_value] == 0 + ); + assume state(PostHeap, PostMask); + // Stop execution + assume false; + } + + // -- Translating statement: assert |ar| == len -- testZeroArray.vpr@99.3--99.21 + assert {:msg " Assert might fail. Assertion |ar| == len might not hold. (testZeroArray.vpr@99.10--99.21) [715]"} + Seq#Length(ar) == len; + assume state(Heap, Mask); + + // -- Translating statement: Ref__loop_main_23(diz, current_thread_id, len, ar) -- testZeroArray.vpr@100.3--100.53 + PreCallHeap := Heap; + PreCallMask := Mask; + + // -- Exhaling precondition + assert {:msg " The precondition of method Ref__loop_main_23 might not hold. Assertion diz != null might not hold. (testZeroArray.vpr@100.3--100.53) [716]"} + diz != null; + assert {:msg " The precondition of method Ref__loop_main_23 might not hold. Assertion current_thread_id >= 0 might not hold. (testZeroArray.vpr@100.3--100.53) [717]"} + current_thread_id >= 0; + if (0 < len) { + assert {:msg " The precondition of method Ref__loop_main_23 might not hold. Assertion |ar| == len might not hold. (testZeroArray.vpr@100.3--100.53) [718]"} + Seq#Length(ar) == len; + } + if (*) { + if (0 <= j_2_1 && (j_2_1 < len && (0 <= k_6 && (k_6 < len && j_2_1 != k_6)))) { + assert {:msg " The precondition of method Ref__loop_main_23 might not hold. Assertion ar[j] != ar[k] might not hold. (testZeroArray.vpr@100.3--100.53) [719]"} + Seq#Index(ar, j_2_1) != Seq#Index(ar, k_6); + } + assume false; + } + assume (forall j_3_1: int, k_7_1: int :: + { Seq#Index(ar, j_3_1), Seq#Index(ar, k_7_1) } + 0 <= j_3_1 && (j_3_1 < len && (0 <= k_7_1 && (k_7_1 < len && j_3_1 != k_7_1))) ==> Seq#Index(ar, j_3_1) != Seq#Index(ar, k_7_1) + ); + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver ar[i] is injective + assert {:msg " The precondition of method Ref__loop_main_23 might not hold. Quantified resource ar[i].Ref__Integer_value might not be injective. (testZeroArray.vpr@100.3--100.53) [720]"} + (forall i_5: int, i_5_1: int :: + { neverTriggered15(i_5), neverTriggered15(i_5_1) } + (((i_5 != i_5_1 && (0 <= i_5 && i_5 < len)) && (0 <= i_5_1 && i_5_1 < len)) && NoPerm < FullPerm) && NoPerm < FullPerm ==> Seq#Index(ar, i_5) != Seq#Index(ar, i_5_1) + ); + + // -- check if sufficient permission is held + assert {:msg " The precondition of method Ref__loop_main_23 might not hold. There might be insufficient permission to access ar[i].Ref__Integer_value (testZeroArray.vpr@100.3--100.53) [721]"} + (forall i_5: int :: + { Seq#Index(ar, i_5) } { Seq#Index(ar, i_5) } + 0 <= i_5 && i_5 < len ==> Mask[Seq#Index(ar, i_5), Ref__Integer_value] >= FullPerm + ); + + // -- assumptions for inverse of receiver ar[i] + assume (forall i_5: int :: + { Seq#Index(ar, i_5) } { Seq#Index(ar, i_5) } + (0 <= i_5 && i_5 < len) && NoPerm < FullPerm ==> qpRange15(Seq#Index(ar, i_5)) && invRecv15(Seq#Index(ar, i_5)) == i_5 + ); + assume (forall o_3: Ref :: + { invRecv15(o_3) } + (0 <= invRecv15(o_3) && invRecv15(o_3) < len) && (NoPerm < FullPerm && qpRange15(o_3)) ==> Seq#Index(ar, invRecv15(o_3)) == o_3 + ); + + // -- assume permission updates for field Ref__Integer_value + assume (forall o_3: Ref :: + { QPMask[o_3, Ref__Integer_value] } + ((0 <= invRecv15(o_3) && invRecv15(o_3) < len) && (NoPerm < FullPerm && qpRange15(o_3)) ==> Seq#Index(ar, invRecv15(o_3)) == o_3 && QPMask[o_3, Ref__Integer_value] == Mask[o_3, Ref__Integer_value] - FullPerm) && (!((0 <= invRecv15(o_3) && invRecv15(o_3) < len) && (NoPerm < FullPerm && qpRange15(o_3))) ==> QPMask[o_3, Ref__Integer_value] == Mask[o_3, Ref__Integer_value]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != Ref__Integer_value ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + + // -- Inhaling postcondition + if (0 < len) { + assume Seq#Length(ar) == len; + } + havoc QPMask; + assert {:msg " Method call might fail. Quantified resource ar[i].Ref__Integer_value might not be injective. (testZeroArray.vpr@100.3--100.53) [722]"} + (forall i_6: int, i_6_1: int :: + + (((i_6 != i_6_1 && (0 <= i_6 && i_6 < len)) && (0 <= i_6_1 && i_6_1 < len)) && NoPerm < FullPerm) && NoPerm < FullPerm ==> Seq#Index(ar, i_6) != Seq#Index(ar, i_6_1) + ); + + // -- Define Inverse Function + assume (forall i_6: int :: + { Seq#Index(ar, i_6) } { Seq#Index(ar, i_6) } + (0 <= i_6 && i_6 < len) && NoPerm < FullPerm ==> qpRange16(Seq#Index(ar, i_6)) && invRecv16(Seq#Index(ar, i_6)) == i_6 + ); + assume (forall o_3: Ref :: + { invRecv16(o_3) } + ((0 <= invRecv16(o_3) && invRecv16(o_3) < len) && NoPerm < FullPerm) && qpRange16(o_3) ==> Seq#Index(ar, invRecv16(o_3)) == o_3 + ); + + // -- Assume set of fields is nonNull + assume (forall i_6: int :: + { Seq#Index(ar, i_6) } { Seq#Index(ar, i_6) } + 0 <= i_6 && i_6 < len ==> Seq#Index(ar, i_6) != null + ); + + // -- Define permissions + assume (forall o_3: Ref :: + { QPMask[o_3, Ref__Integer_value] } + (((0 <= invRecv16(o_3) && invRecv16(o_3) < len) && NoPerm < FullPerm) && qpRange16(o_3) ==> (NoPerm < FullPerm ==> Seq#Index(ar, invRecv16(o_3)) == o_3) && QPMask[o_3, Ref__Integer_value] == Mask[o_3, Ref__Integer_value] + FullPerm) && (!(((0 <= invRecv16(o_3) && invRecv16(o_3) < len) && NoPerm < FullPerm) && qpRange16(o_3)) ==> QPMask[o_3, Ref__Integer_value] == Mask[o_3, Ref__Integer_value]) + ); + assume (forall o_3: Ref, f_5: (Field A B) :: + { Mask[o_3, f_5] } { QPMask[o_3, f_5] } + f_5 != Ref__Integer_value ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume (forall i_7_1: int :: + { Seq#Index(ar, i_7_1) } + 0 <= i_7_1 && i_7_1 < len ==> Heap[Seq#Index(ar, i_7_1), Ref__Integer_value] == 0 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Exhaling postcondition + assert {:msg " Postcondition of Ref__zero_array might not hold. Assertion |ar| == len might not hold. (testZeroArray.vpr@95.11--95.22) [723]"} + Seq#Length(ar) == len; + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver ar[i] is injective + assert {:msg " Contract might not be well-formed. Quantified resource ar[i].Ref__Integer_value might not be injective. (testZeroArray.vpr@96.12--96.91) [724]"} + (forall i_4: int, i_4_1: int :: + { neverTriggered14(i_4), neverTriggered14(i_4_1) } + (((i_4 != i_4_1 && (0 <= i_4 && i_4 < len)) && (0 <= i_4_1 && i_4_1 < len)) && NoPerm < FullPerm) && NoPerm < FullPerm ==> Seq#Index(ar, i_4) != Seq#Index(ar, i_4_1) + ); + + // -- check if sufficient permission is held + assert {:msg " Postcondition of Ref__zero_array might not hold. There might be insufficient permission to access ar[i].Ref__Integer_value (testZeroArray.vpr@96.12--96.91) [725]"} + (forall i_4: int :: + { Seq#Index(ar, i_4) } { Seq#Index(ar, i_4) } + 0 <= i_4 && i_4 < len ==> Mask[Seq#Index(ar, i_4), Ref__Integer_value] >= FullPerm + ); + + // -- assumptions for inverse of receiver ar[i] + assume (forall i_4: int :: + { Seq#Index(ar, i_4) } { Seq#Index(ar, i_4) } + (0 <= i_4 && i_4 < len) && NoPerm < FullPerm ==> qpRange14(Seq#Index(ar, i_4)) && invRecv14(Seq#Index(ar, i_4)) == i_4 + ); + assume (forall o_3: Ref :: + { invRecv14(o_3) } + (0 <= invRecv14(o_3) && invRecv14(o_3) < len) && (NoPerm < FullPerm && qpRange14(o_3)) ==> Seq#Index(ar, invRecv14(o_3)) == o_3 + ); + + // -- assume permission updates for field Ref__Integer_value + assume (forall o_3: Ref :: + { QPMask[o_3, Ref__Integer_value] } + ((0 <= invRecv14(o_3) && invRecv14(o_3) < len) && (NoPerm < FullPerm && qpRange14(o_3)) ==> Seq#Index(ar, invRecv14(o_3)) == o_3 && QPMask[o_3, Ref__Integer_value] == Mask[o_3, Ref__Integer_value] - FullPerm) && (!((0 <= invRecv14(o_3) && invRecv14(o_3) < len) && (NoPerm < FullPerm && qpRange14(o_3))) ==> QPMask[o_3, Ref__Integer_value] == Mask[o_3, Ref__Integer_value]) + ); + + // -- assume permission updates for independent locations + assume (forall o_3: Ref, f_5: (Field A B) :: + { QPMask[o_3, f_5] } + f_5 != Ref__Integer_value ==> Mask[o_3, f_5] == QPMask[o_3, f_5] + ); + Mask := QPMask; + if (*) { + if (0 <= k_4_1 && k_4_1 < len) { + assert {:msg " Postcondition of Ref__zero_array might not hold. Assertion ar[k].Ref__Integer_value == 0 might not hold. (testZeroArray.vpr@97.12--97.86) [726]"} + Heap[Seq#Index(ar, k_4_1), Ref__Integer_value] == 0; + } + assume false; + } + assume (forall k_5_1: int :: + { Seq#Index(ar, k_5_1) } + 0 <= k_5_1 && k_5_1 < len ==> Heap[Seq#Index(ar, k_5_1), Ref__Integer_value] == 0 + ); + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; +} diff --git a/Test/monomorphize/viper/testsfunctionalverificationexamplescav_example.bpl b/Test/monomorphize/viper/testsfunctionalverificationexamplescav_example.bpl new file mode 100644 index 000000000..3f440e970 --- /dev/null +++ b/Test/monomorphize/viper/testsfunctionalverificationexamplescav_example.bpl @@ -0,0 +1,10428 @@ +// RUN: %parallel-boogie /monomorphize /noVerify "%s" > "%t" + +// ================================================== +// Preamble of State module. +// ================================================== + +function state(Heap: HeapType, Mask: MaskType): bool; + +// ================================================== +// Preamble of Heap module. +// ================================================== + +type Ref; +var Heap: HeapType; +const null: Ref; +type Field A B; +type NormalField; +type HeapType = [Ref, Field A B]B; +const unique $allocated: Field NormalField bool; +axiom (forall o: Ref, f: (Field NormalField Ref), Heap: HeapType :: + { Heap[o, f] } + Heap[o, $allocated] ==> Heap[Heap[o, f], $allocated] +); +function succHeap(Heap0: HeapType, Heap1: HeapType): bool; +function succHeapTrans(Heap0: HeapType, Heap1: HeapType): bool; +function IdenticalOnKnownLocations(Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType): bool; +function IdenticalOnKnownLocationsLiberal(Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType): bool; +function IsPredicateField(f_1: (Field A B)): bool; +function IsWandField(f_1: (Field A B)): bool; +function getPredicateId(f_1: (Field A B)): int; +function SumHeap(Heap: HeapType, Heap1: HeapType, mask1: MaskType, Heap2: HeapType, mask2: MaskType): bool; +// Frame all locations with direct permissions +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, o_1: Ref, f_2: (Field A B) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), ExhaleHeap[o_1, f_2] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, o_1, f_2) ==> Heap[o_1, f_2] == ExhaleHeap[o_1, f_2] +); +// Frame all predicate mask locations of predicates with direct permission +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsPredicateField(pm_f), ExhaleHeap[null, PredicateMaskField(pm_f)] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsPredicateField(pm_f) ==> Heap[null, PredicateMaskField(pm_f)] == ExhaleHeap[null, PredicateMaskField(pm_f)] +); +// Frame all locations with known folded permissions +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsPredicateField(pm_f) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsPredicateField(pm_f) ==> (forall o2: Ref, f_2: (Field A B) :: + { ExhaleHeap[o2, f_2] } + Heap[null, PredicateMaskField(pm_f)][o2, f_2] ==> Heap[o2, f_2] == ExhaleHeap[o2, f_2] + ) +); +// Frame all wand mask locations of wands with direct permission +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsWandField(pm_f), ExhaleHeap[null, WandMaskField(pm_f)] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsWandField(pm_f) ==> Heap[null, WandMaskField(pm_f)] == ExhaleHeap[null, WandMaskField(pm_f)] +); +// Frame all locations in the footprint of magic wands +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsWandField(pm_f) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsWandField(pm_f) ==> (forall o2: Ref, f_2: (Field A B) :: + { ExhaleHeap[o2, f_2] } + Heap[null, WandMaskField(pm_f)][o2, f_2] ==> Heap[o2, f_2] == ExhaleHeap[o2, f_2] + ) +); +// All previously-allocated references are still allocated +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, o_1: Ref :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), ExhaleHeap[o_1, $allocated] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> Heap[o_1, $allocated] ==> ExhaleHeap[o_1, $allocated] +); +// Updated Heaps are Successor Heaps +axiom (forall Heap: HeapType, o: Ref, f_3: (Field A B), v: B :: + { Heap[o, f_3:=v] } + succHeap(Heap, Heap[o, f_3:=v]) +); +// IdenticalOnKnownLocations Heaps are Successor Heaps +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> succHeap(Heap, ExhaleHeap) +); +// IdenticalOnKnownLiberalLocations Heaps are Successor Heaps +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType :: + { IdenticalOnKnownLocationsLiberal(Heap, ExhaleHeap, Mask) } + IdenticalOnKnownLocationsLiberal(Heap, ExhaleHeap, Mask) ==> succHeap(Heap, ExhaleHeap) +); +// Successor Heaps are Transitive Successor Heaps +axiom (forall Heap0: HeapType, Heap1: HeapType :: + { succHeap(Heap0, Heap1) } + succHeap(Heap0, Heap1) ==> succHeapTrans(Heap0, Heap1) +); +// Transitivity of Transitive Successor Heaps +axiom (forall Heap0: HeapType, Heap1: HeapType, Heap2: HeapType :: + { succHeapTrans(Heap0, Heap1), succHeap(Heap1, Heap2) } + succHeapTrans(Heap0, Heap1) && succHeap(Heap1, Heap2) ==> succHeapTrans(Heap0, Heap2) +); +// Frame all locations with direct permissions +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, o_2: Ref, f_4: (Field A B) :: + { IdenticalOnKnownLocationsLiberal(Heap, ExhaleHeap, Mask), ExhaleHeap[o_2, f_4] } + IdenticalOnKnownLocationsLiberal(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, o_2, f_4) ==> Heap[o_2, f_4] == ExhaleHeap[o_2, f_4] +); +// Frame all predicate mask locations of predicates with direct permission. But don't propagate information of locations that are not known-folded to allow for equating with multiple different (but compatible) heaps +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f_1: (Field C FrameType) :: + { IdenticalOnKnownLocationsLiberal(Heap, ExhaleHeap, Mask), IsPredicateField(pm_f_1), ExhaleHeap[null, PredicateMaskField(pm_f_1)] } + IdenticalOnKnownLocationsLiberal(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f_1) && IsPredicateField(pm_f_1) ==> (forall o2_1: Ref, f_4: (Field A B) :: + { ExhaleHeap[null, PredicateMaskField(pm_f_1)][o2_1, f_4] } + Heap[null, PredicateMaskField(pm_f_1)][o2_1, f_4] ==> ExhaleHeap[null, PredicateMaskField(pm_f_1)][o2_1, f_4] + ) +); +// Frame all locations with known folded permissions +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f_1: (Field C FrameType) :: + { IdenticalOnKnownLocationsLiberal(Heap, ExhaleHeap, Mask), IsPredicateField(pm_f_1) } + IdenticalOnKnownLocationsLiberal(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f_1) && IsPredicateField(pm_f_1) ==> (forall o2_1: Ref, f_4: (Field A B) :: + { ExhaleHeap[o2_1, f_4] } + Heap[null, PredicateMaskField(pm_f_1)][o2_1, f_4] ==> Heap[o2_1, f_4] == ExhaleHeap[o2_1, f_4] + ) +); +// Frame all wand mask locations of wands with direct permission (but don't propagate information about locations that are not known-folded) +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f_1: (Field C FrameType) :: + { IdenticalOnKnownLocationsLiberal(Heap, ExhaleHeap, Mask), IsWandField(pm_f_1), ExhaleHeap[null, WandMaskField(pm_f_1)] } + IdenticalOnKnownLocationsLiberal(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f_1) && IsWandField(pm_f_1) ==> (forall o2_1: Ref, f_4: (Field A B) :: + { ExhaleHeap[null, WandMaskField(pm_f_1)][o2_1, f_4] } + Heap[null, WandMaskField(pm_f_1)][o2_1, f_4] ==> ExhaleHeap[null, WandMaskField(pm_f_1)][o2_1, f_4] + ) +); +// Frame all locations in the footprint of magic wands +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f_1: (Field C FrameType) :: + { IdenticalOnKnownLocationsLiberal(Heap, ExhaleHeap, Mask), IsWandField(pm_f_1) } + IdenticalOnKnownLocationsLiberal(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f_1) && IsWandField(pm_f_1) ==> (forall o2_1: Ref, f_4: (Field A B) :: + { ExhaleHeap[o2_1, f_4] } + Heap[null, WandMaskField(pm_f_1)][o2_1, f_4] ==> Heap[o2_1, f_4] == ExhaleHeap[o2_1, f_4] + ) +); +// All previously-allocated references are still allocated +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, o_2: Ref :: + { IdenticalOnKnownLocationsLiberal(Heap, ExhaleHeap, Mask), ExhaleHeap[o_2, $allocated] } + IdenticalOnKnownLocationsLiberal(Heap, ExhaleHeap, Mask) ==> Heap[o_2, $allocated] ==> ExhaleHeap[o_2, $allocated] +); +// ================================================== +// Sum of heaps +// ================================================== + +axiom (forall Heap: HeapType, Heap1: HeapType, Mask1: MaskType, Heap2: HeapType, Mask2: MaskType :: + { SumHeap(Heap, Heap1, Mask1, Heap2, Mask2) } + SumHeap(Heap, Heap1, Mask1, Heap2, Mask2) <==> IdenticalOnKnownLocationsLiberal(Heap1, Heap, Mask1) && IdenticalOnKnownLocationsLiberal(Heap2, Heap, Mask2) +); + +// ================================================== +// Preamble of Permission module. +// ================================================== + +type Perm = real; +type MaskType = [Ref, Field A B]Perm; +var Mask: MaskType; +const ZeroMask: MaskType; +axiom (forall o_3: Ref, f_5: (Field A B) :: + { ZeroMask[o_3, f_5] } + ZeroMask[o_3, f_5] == NoPerm +); +type PMaskType = [Ref, Field A B]bool; +const ZeroPMask: PMaskType; +axiom (forall o_3: Ref, f_5: (Field A B) :: + { ZeroPMask[o_3, f_5] } + !ZeroPMask[o_3, f_5] +); +function PredicateMaskField(f_6: (Field A FrameType)): Field A PMaskType; +function WandMaskField(f_6: (Field A FrameType)): Field A PMaskType; +const NoPerm: Perm; +axiom NoPerm == 0.000000000; +const FullPerm: Perm; +axiom FullPerm == 1.000000000; +function Perm(a: real, b: real): Perm; +function GoodMask(Mask: MaskType): bool; +axiom (forall Heap: HeapType, Mask: MaskType :: + { state(Heap, Mask) } + state(Heap, Mask) ==> GoodMask(Mask) +); +axiom (forall Mask: MaskType, o_3: Ref, f_5: (Field A B) :: + { GoodMask(Mask), Mask[o_3, f_5] } + GoodMask(Mask) ==> Mask[o_3, f_5] >= NoPerm && ((GoodMask(Mask) && !IsPredicateField(f_5)) && !IsWandField(f_5) ==> Mask[o_3, f_5] <= FullPerm) +); +function HasDirectPerm(Mask: MaskType, o_3: Ref, f_5: (Field A B)): bool; +axiom (forall Mask: MaskType, o_3: Ref, f_5: (Field A B) :: + { HasDirectPerm(Mask, o_3, f_5) } + HasDirectPerm(Mask, o_3, f_5) <==> Mask[o_3, f_5] > NoPerm +); +function sumMask(ResultMask: MaskType, SummandMask1: MaskType, SummandMask2: MaskType): bool; +axiom (forall ResultMask: MaskType, SummandMask1: MaskType, SummandMask2: MaskType, o_3: Ref, f_5: (Field A B) :: + { sumMask(ResultMask, SummandMask1, SummandMask2), ResultMask[o_3, f_5] } { sumMask(ResultMask, SummandMask1, SummandMask2), SummandMask1[o_3, f_5] } { sumMask(ResultMask, SummandMask1, SummandMask2), SummandMask2[o_3, f_5] } + sumMask(ResultMask, SummandMask1, SummandMask2) ==> ResultMask[o_3, f_5] == SummandMask1[o_3, f_5] + SummandMask2[o_3, f_5] +); +// ================================================== +// Function for trigger used in checks which are never triggered +// ================================================== + +function neverTriggered1(lambda46_30$t: Ref): bool; +function neverTriggered2(lambda46_30$t_1: Ref): bool; +function neverTriggered3(lambda46_30$t_5: Ref): bool; +function neverTriggered4(lambda46_30$t_8: Ref): bool; +function neverTriggered5(lambda46_30$t_11: Ref): bool; +function neverTriggered6(lambda46_30$t_13: Ref): bool; +function neverTriggered7(lambda46_30$t_15: Ref): bool; +function neverTriggered8(lambda46_30$t_16: Ref): bool; +function neverTriggered9(lambda46_30$t_19: Ref): bool; +function neverTriggered10(lambda46_30$t_21: Ref): bool; +// ================================================== +// Functions used as inverse of receiver expressions in quantified permissions during inhale and exhale +// ================================================== + +function invRecv1(self_1: Ref): Ref; +function invRecv2(recv: Ref): Ref; +function invRecv3(self_1_1: Ref): Ref; +function invRecv4(recv: Ref): Ref; +function invRecv5(self_1_2: Ref): Ref; +function invRecv6(recv: Ref): Ref; +function invRecv7(self_1_3: Ref): Ref; +function invRecv8(recv: Ref): Ref; +function invRecv9(self_1_4: Ref): Ref; +function invRecv10(recv: Ref): Ref; +// ================================================== +// Functions used to represent the range of the projection of each QP instance onto its receiver expressions for quantified permissions during inhale and exhale +// ================================================== + +function qpRange1(self_1: Ref): bool; +function qpRange2(recv: Ref): bool; +function qpRange3(self_1_1: Ref): bool; +function qpRange4(recv: Ref): bool; +function qpRange5(self_1_2: Ref): bool; +function qpRange6(recv: Ref): bool; +function qpRange7(self_1_3: Ref): bool; +function qpRange8(recv: Ref): bool; +function qpRange9(self_1_4: Ref): bool; +function qpRange10(recv: Ref): bool; + +// ================================================== +// Preamble of Function and predicate module. +// ================================================== + +// Function heights (higher height means its body is available earlier): +// - height 22: tuple___val__ +// - height 21: tuple___len__ +// - height 20: str___val__ +// - height 19: str___len__ +// - height 18: _isDefined +// - height 17: PSeq___sil_seq__ +// - height 16: tuple___getitem__ +// - height 15: __prim__bool___box__, bool___unbox__, __prim__int___box__, int___unbox__ +// - height 14: Level +// - height 13: str___create__ +// - height 12: list___len__ +// - height 11: list___sil_seq__ +// - height 10: __file__ +// - height 9: _checkDefined +// - height 8: PSeq___create__ +// - height 7: tuple___create2__ +// - height 6: Measure$check +// - height 5: str___eq__ +// - height 4: int___gt__ +// - height 3: int___sub__ +// - height 2: PSeq___len__ +// - height 1: int___eq__ +// - height 0: __name__ +const AssumeFunctionsAbove: int; +// Declarations for function framing +type FrameType; +const EmptyFrame: FrameType; +function FrameFragment(t: T): FrameType; +function ConditionalFrame(p: Perm, f_7: FrameType): FrameType; +function dummyFunction(t: T): bool; +function CombineFrames(a_1: FrameType, b_1: FrameType): FrameType; +// ================================================== +// Definition of conditional frame fragments +// ================================================== + +axiom (forall p: Perm, f_7: FrameType :: + { ConditionalFrame(p, f_7) } + ConditionalFrame(p, f_7) == (if p > 0.000000000 then f_7 else EmptyFrame) +); +// Function for recording enclosure of one predicate instance in another +function InsidePredicate(p: (Field A FrameType), v_1: FrameType, q: (Field B FrameType), w: FrameType): bool; +// Transitivity of InsidePredicate +axiom (forall p: (Field A FrameType), v_1: FrameType, q: (Field B FrameType), w: FrameType, r: (Field C FrameType), u: FrameType :: + { InsidePredicate(p, v_1, q, w), InsidePredicate(q, w, r, u) } + InsidePredicate(p, v_1, q, w) && InsidePredicate(q, w, r, u) ==> InsidePredicate(p, v_1, r, u) +); +// Knowledge that two identical instances of the same predicate cannot be inside each other +axiom (forall p: (Field A FrameType), v_1: FrameType, w: FrameType :: + { InsidePredicate(p, v_1, p, w) } + !InsidePredicate(p, v_1, p, w) +); + +// ================================================== +// Preamble of Sequence module. +// ================================================== + + // diff 0 implemented (no difference) + // diff 1 implemented (fixes test5 in sequences.sil) + // diff 2 implemented (fixes m01 and m03 in quantifiedpermissions/issues/issue_0064) + // diff 3 implemented (no difference) + // diff 4 implemented (no difference) + // diff 5 implemented (fixes colourings0 in sequence-incompletenesses test case) + // diff 6 implemented (no difference) + // diff 7 implemented + // diff 8 implemented (allows for contains triggering, without destroying performance of e.g. functions/linkedlists test case) + // diff 11 implemented + // diff 13 implemented, for now (may reduce completeness, but there's a known matching loop when the first drop amount is 0); another option would be to add !=0 as an explicit condition + // diff 14 implemented: eliminate index over take/drop for trivial cases (to avoid matching loops when e.g. s[i..] == s is known) + // diff 16 implemented: remove general cases of equality-learning between take/drop/append subsequences; only allow when take/drop are at top level (this affects linkedlists test case) +// START BASICS +type Seq T; + +function Seq#Length(Seq T): int; +axiom (forall s: Seq T :: { Seq#Length(s) } 0 <= Seq#Length(s)); + +function Seq#Empty(): Seq T; +axiom (forall :: Seq#Length(Seq#Empty(): Seq T) == 0); +axiom (forall s: Seq T :: { Seq#Length(s) } Seq#Length(s) == 0 ==> s == Seq#Empty()); + +function Seq#Singleton(T): Seq T; +//axiom (forall t: T :: { Seq#Length(Seq#Singleton(t)) } Seq#Length(Seq#Singleton(t)) == 1);// (diff 2 (old)) +axiom (forall t: T :: { Seq#Singleton(t) } Seq#Length(Seq#Singleton(t)) == 1);// (diff 2: changed trigger) + +function Seq#Append(Seq T, Seq T): Seq T; +axiom (forall s0: Seq T, s1: Seq T :: { Seq#Length(Seq#Append(s0,s1)) } +s0 != Seq#Empty() && s1 != Seq#Empty() ==> //diff 11: consider removing constraints + Seq#Length(Seq#Append(s0,s1)) == Seq#Length(s0) + Seq#Length(s1)); + +//axiom (forall s: Seq T :: { Seq#Append(Seq#Empty(),s) } Seq#Append(Seq#Empty(),s) == s); // (diff 11: switched to double-quantified version) +//axiom (forall s: Seq T :: { Seq#Append(s,Seq#Empty()) } Seq#Append(s,Seq#Empty()) == s); // (diff 11: switched to double-quantified version) +axiom (forall s0: Seq T, s1: Seq T :: { Seq#Append(s0,s1) } (s0 == Seq#Empty() ==> Seq#Append(s0,s1) == s1) && (s1 == Seq#Empty() ==> Seq#Append(s0,s1) == s0)); // diff 11: switched to double-quantified version + +function Seq#Index(Seq T, int): T; +//axiom (forall t: T :: { Seq#Index(Seq#Singleton(t), 0) } Seq#Index(Seq#Singleton(t), 0) == t); // (diff 2 (old)) +axiom (forall t: T :: { Seq#Singleton(t) } Seq#Index(Seq#Singleton(t), 0) == t); // (diff 2: changed trigger) + +// END BASICS + +// START INDEX-APPEND-UPDATE + +// extra addition function used to force equalities into the e-graph +function Seq#Add(int, int) : int; +axiom (forall i: int, j: int :: {Seq#Add(i,j)} Seq#Add(i,j) == i + j); +function Seq#Sub(int, int) : int; +axiom (forall i: int, j: int :: {Seq#Sub(i,j)} Seq#Sub(i,j) == i - j); + +// (diff 3 (old)) +//axiom (forall s0: Seq T, s1: Seq T, n: int :: { Seq#Index(Seq#Append(s0,s1), n) } // {:weight 25} // AS: dropped weight +// s0 != Seq#Empty() && s1 != Seq#Empty() ==> +// ((n < Seq#Length(s0) ==> Seq#Index(Seq#Append(s0,s1), n) == Seq#Index(s0, n)) && +// (Seq#Length(s0) <= n ==> Seq#Index(Seq#Append(s0,s1), n) == Seq#Index(s1, n - Seq#Length(s0))))); + +// (diff 3: split axiom, added constraints, replace arithmetic) // diff 11: consider removing constraints +axiom (forall s0: Seq T, s1: Seq T, n: int :: { Seq#Index(Seq#Append(s0,s1), n) } { Seq#Index(s0, n), Seq#Append(s0,s1) } // AS: added alternative trigger + (s0 != Seq#Empty() && s1 != Seq#Empty() && 0 <= n && n < Seq#Length(s0) ==> Seq#Index(Seq#Append(s0,s1), n) == Seq#Index(s0, n))); +axiom (forall s0: Seq T, s1: Seq T, n: int :: { Seq#Index(Seq#Append(s0,s1), n) } // term below breaks loops + s0 != Seq#Empty() && s1 != Seq#Empty() && Seq#Length(s0) <= n && n < Seq#Length(Seq#Append(s0,s1)) ==> Seq#Add(Seq#Sub(n,Seq#Length(s0)),Seq#Length(s0)) == n && Seq#Index(Seq#Append(s0,s1), n) == Seq#Index(s1, Seq#Sub(n,Seq#Length(s0)))); +// AS: added "reverse triggering" versions of the axioms +axiom (forall s0: Seq T, s1: Seq T, m: int :: { Seq#Index(s1, m), Seq#Append(s0,s1)} // m == n-|s0|, n == m + |s0| + s0 != Seq#Empty() && s1 != Seq#Empty() && 0 <= m && m < Seq#Length(s1) ==> Seq#Sub(Seq#Add(m,Seq#Length(s0)),Seq#Length(s0)) == m && Seq#Index(Seq#Append(s0,s1), Seq#Add(m,Seq#Length(s0))) == Seq#Index(s1, m)); + +function Seq#Update(Seq T, int, T): Seq T; +axiom (forall s: Seq T, i: int, v: T :: { Seq#Length(Seq#Update(s,i,v)) } {Seq#Length(s),Seq#Update(s,i,v)} // (diff 4: added trigger) + 0 <= i && i < Seq#Length(s) ==> Seq#Length(Seq#Update(s,i,v)) == Seq#Length(s)); +axiom (forall s: Seq T, i: int, v: T, n: int :: { Seq#Index(Seq#Update(s,i,v),n) } { Seq#Index(s,n), Seq#Update(s,i,v) } // (diff 4: added trigger) + 0 <= n && n < Seq#Length(s) ==> + (i == n ==> Seq#Index(Seq#Update(s,i,v),n) == v) && + (i != n ==> Seq#Index(Seq#Update(s,i,v),n) == Seq#Index(s,n))); + +// END INDEX-APPEND-UPDATE + +// START TAKE/DROP + +function Seq#Take(s: Seq T, howMany: int): Seq T; +// AS: added triggers +axiom (forall s: Seq T, n: int :: { Seq#Length(Seq#Take(s,n)) } { Seq#Take(s,n), Seq#Length(s)} // (diff 7: add trigger) + (0 <= n ==> + (n <= Seq#Length(s) ==> Seq#Length(Seq#Take(s,n)) == n) && + (Seq#Length(s) < n ==> Seq#Length(Seq#Take(s,n)) == Seq#Length(s))) + && + (n < 0 ==> Seq#Length(Seq#Take(s,n)) == 0)); // (diff 7: added case for n < 0) + +// ** AS: 2nd of 3 axioms which get instantiated very often in certain problems involving take/drop/append +axiom (forall s: Seq T, n: int, j: int :: { Seq#Index(Seq#Take(s,n), j) } {Seq#Index(s,j), Seq#Take(s,n)} // (diff 0: (was already done)) : add trigger // {:weight 25} // AS: dropped weight + 0 <= j && j < n && j < Seq#Length(s) ==> + Seq#Index(Seq#Take(s,n), j) == Seq#Index(s, j)); + +function Seq#Drop(s: Seq T, howMany: int): Seq T; +axiom (forall s: Seq T, n: int :: { Seq#Length(Seq#Drop(s,n)) } {Seq#Length(s), Seq#Drop(s,n)} // (diff 5: added trigger, exchange arithmetic) + (0 <= n ==> + (n <= Seq#Length(s) ==> Seq#Length(Seq#Drop(s,n)) == Seq#Length(s) - n) && + (Seq#Length(s) < n ==> Seq#Length(Seq#Drop(s,n)) == 0)) + && + (n < 0 ==> Seq#Length(Seq#Drop(s,n)) == Seq#Length(s)) // (diff 7: added cases for n < 0) + ); + +// ** AS: 3rd of 3 axioms which get instantiated very often in certain problems involving take/drop/append +// diff 5 (old) +//axiom (forall s: Seq T, n: int, j: int :: { Seq#Index(Seq#Drop(s,n), j) } // {:weight 25} // AS: dropped weight +// 0 <= n && 0 <= j && j < Seq#Length(s)-n ==> +// Seq#Index(Seq#Drop(s,n), j) == Seq#Index(s, j+n)); +// +// diff already added // diff -1: try removing this axiom and checking effect +//axiom (forall s: Seq T, n: int, k: int :: { Seq#Drop(s,n), Seq#Index(s,k) } // AS: alternative triggering for above axiom +// 0 <= n && n <= k && k < Seq#Length(s) ==> +// Seq#Index(Seq#Drop(s,n), k-n) == Seq#Index(s, k)); + +// diff 5: split axiom, added triggering case, exhanged arithmetic + +axiom (forall s: Seq T, n: int, j: int :: { Seq#Index(Seq#Drop(s,n), j) } // {:weight 25} // AS: dropped weight + 0 < n && 0 <= j && j < Seq#Length(s)-n ==> // diff 14: change 0 <= n to 0 < n + Seq#Sub(Seq#Add(j,n),n) == j && Seq#Index(Seq#Drop(s,n), j) == Seq#Index(s, Seq#Add(j,n))); + +axiom (forall s: Seq T, n: int, i: int :: { Seq#Drop(s,n), Seq#Index(s,i) } + 0 < n && n <= i && i < Seq#Length(s) ==> // diff 14: change 0 <= n to 0 < n + Seq#Add(Seq#Sub(i,n),n) == i && Seq#Index(Seq#Drop(s,n), Seq#Sub(i,n)) == Seq#Index(s, i)); // i = j + n, j = i - n + +// (diff 6a: add axioms for the 0 > n case) +//axiom (forall s: Seq T, n: int, j: int :: { Seq#Index(Seq#Drop(s,n), j) } // {:weight 25} // AS: dropped weight +// n <= 0 && 0 <= j && j < Seq#Length(s) ==> // diff 14: change n < 0 to n <= 0 +// Seq#Index(Seq#Drop(s,n), j) == Seq#Index(s, j)); + +// (diff 6a: add axioms for the 0 > n case) +//axiom (forall s: Seq T, n: int, i: int :: { Seq#Drop(s,n), Seq#Index(s,i) } +// n <= 0 && 0 <= i && i < Seq#Length(s) ==> // diff 14: change n < 0 to n <= 0 +// Seq#Index(Seq#Drop(s,n), i) == Seq#Index(s, i)); // i = j + n, j = i - n + +// ** AS: We dropped the weak trigger on this axiom. One option is to strengthen the triggers: +//axiom (forall s, t: Seq T :: +// // { Seq#Append(s, t) } +// {Seq#Take(Seq#Append(s, t), Seq#Length(s))}{Seq#Drop(Seq#Append(s, t), Seq#Length(s))} +// Seq#Take(Seq#Append(s, t), Seq#Length(s)) == s && +// Seq#Drop(Seq#Append(s, t), Seq#Length(s)) == t); + +// ** AS: another option is to split the axiom (for some reason, this seems in some cases to perform slightly less well (but this could be random): +//axiom (forall s, t: Seq T :: +// { Seq#Take(Seq#Append(s, t), Seq#Length(s)) } +// Seq#Take(Seq#Append(s, t), Seq#Length(s)) == s); + +//axiom (forall s, t: Seq T :: +// { Seq#Drop(Seq#Append(s, t), Seq#Length(s)) } +// Seq#Drop(Seq#Append(s, t), Seq#Length(s)) == t); + +// (diff 6b: remove these?) +/* Removed: at present, Carbon doesn't generate Seq#Update (but desugars via take/drop/append) +// Commutability of Take and Drop with Update. +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Take(Seq#Update(s, i, v), n) } +// 0 <= i && i < n && n < Seq#Length(s) ==> Seq#Take(Seq#Update(s, i, v), n) == Seq#Update(Seq#Take(s, n), i, v) ); + 0 <= i && i < n && i < Seq#Length(s) ==> Seq#Take(Seq#Update(s, i, v), n) == Seq#Update(Seq#Take(s, n), i, v) ); +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Take(Seq#Update(s, i, v), n) } + n <= i && i < Seq#Length(s) ==> Seq#Take(Seq#Update(s, i, v), n) == Seq#Take(s, n)); +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Drop(Seq#Update(s, i, v), n) } +// 0 <= n && n <= i && i < Seq#Length(s) ==> Seq#Drop(Seq#Update(s, i, v), n) == Seq#Update(Seq#Drop(s, n), i-n, v) ); + 0 <= i && n <=i && i < Seq#Length(s) ==> Seq#Drop(Seq#Update(s, i, v), n) == Seq#Update(Seq#Drop(s, n), i-n, v) ); +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Drop(Seq#Update(s, i, v), n) } +// 0 <= i && i < n && n < Seq#Length(s) ==> Seq#Drop(Seq#Update(s, i, v), n) == Seq#Drop(s, n)); + 0 <= i && i < n && i < Seq#Length(s) ==> Seq#Drop(Seq#Update(s, i, v), n) == Seq#Drop(s, n)); +*/ + +axiom (forall s: Seq T, t: Seq T, n:int :: + { Seq#Take(Seq#Append(s,t),n) } //{Seq#Append(s,t), Seq#Take(s,n)} // diff 16: temporarily dropped general case of these + 0 < n && n <= Seq#Length(s) ==> Seq#Take(Seq#Append(s,t),n) == Seq#Take(s,n)); + +axiom (forall s: Seq T, t: Seq T, n:int :: + { Seq#Take(Seq#Append(s,t),n) } + n > 0 && n > Seq#Length(s) ==> Seq#Add(Seq#Sub(n,Seq#Length(s)),Seq#Length(s)) == n && Seq#Take(Seq#Append(s,t),n) == Seq#Append(s,Seq#Take(t,Seq#Sub(n,Seq#Length(s))))); + +// diff 16: temporarily dropped general case of these +//axiom (forall s: Seq T, t: Seq T, m:int :: +// { Seq#Append(s,Seq#Take(t,m)) } //{Seq#Append(s,t), Seq#Take(t,m)} // diff 16: temporarily dropped general case of these // reverse triggering version of above: m = n - |s|, n = m + |s| +// m > 0 ==> Seq#Sub(Seq#Add(m,Seq#Length(s)),Seq#Length(s)) == m && Seq#Take(Seq#Append(s,t),Seq#Add(m,Seq#Length(s))) == Seq#Append(s,Seq#Take(t,m))); + +axiom (forall s: Seq T, t: Seq T, n:int :: + { Seq#Drop(Seq#Append(s,t),n) } //{Seq#Append(s,t), Seq#Drop(s,n)} // diff 16: temporarily dropped general case of these + 0 Seq#Drop(Seq#Append(s,t),n) == Seq#Append(Seq#Drop(s,n),t)); + +axiom (forall s: Seq T, t: Seq T, n:int :: + { Seq#Drop(Seq#Append(s,t),n) } + n > 0 && n > Seq#Length(s) ==> Seq#Add(Seq#Sub(n,Seq#Length(s)),Seq#Length(s)) == n && Seq#Drop(Seq#Append(s,t),n) == Seq#Drop(t,Seq#Sub(n,Seq#Length(s)))); + +// diff 16: temporarily dropped general case of these +//axiom (forall s: Seq T, t: Seq T, m:int :: +// { Seq#Append(s,t),Seq#Drop(t,m) } // reverse triggering version of above: m = n - |s|, n = m + |s| +// m > 0 ==> Seq#Sub(Seq#Add(m,Seq#Length(s)),Seq#Length(s)) == m && Seq#Drop(Seq#Append(s,t),Seq#Add(m,Seq#Length(s))) == Seq#Drop(t,m)); + +// Additional axioms about common things +axiom (forall s: Seq T, n: int :: { Seq#Drop(s, n) } // ** NEW + n <= 0 ==> Seq#Drop(s, n) == s); // (diff 1: try changing n==0 to n<=0 (should be ok)) +axiom (forall s: Seq T, n: int :: { Seq#Take(s, n) } // ** NEW + n <= 0 ==> Seq#Take(s, n) == Seq#Empty()); // (diff 1: try changing n==0 to n<=0 (should be ok)) +// diff 13: remove this? +//axiom (forall s: Seq T, m, n: int :: { Seq#Drop(Seq#Drop(s, m), n) } // ** NEW - AS: could have bad triggering behaviour? +// 0 <= m && 0 <= n && m+n <= Seq#Length(s) ==> +// Seq#Sub(Seq#Add(m,n),n) == m && Seq#Drop(Seq#Drop(s, m), n) == Seq#Drop(s, Seq#Add(m,n))); + +// END TAKE/DROP + +// START CONTAINS +// diff 8: skolemisation (old) +function Seq#Contains(Seq T, T): bool; +function Seq#ContainsTrigger(Seq T, T): bool; // usages of Contains inside quantifier triggers are replaced with this +function Seq#Skolem(Seq T, T) : int; // skolem function for Seq#Contains // (diff 8: added) +axiom (forall s: Seq T, x: T :: { Seq#Contains(s,x) } + Seq#Contains(s,x) ==> + (0 <= Seq#Skolem(s,x) && Seq#Skolem(s,x) < Seq#Length(s) && Seq#Index(s,Seq#Skolem(s,x)) == x)); // (diff 8: skolem function) +axiom (forall s: Seq T, x: T, i:int :: { Seq#Contains(s,x), Seq#Index(s,i) } // only trigger if interested in the Contains term + (0 <= i && i < Seq#Length(s) && Seq#Index(s,i) == x ==> Seq#Contains(s,x))); +axiom (forall s: Seq T, i:int :: { Seq#Index(s,i) } + (0 <= i && i < Seq#Length(s) ==> Seq#ContainsTrigger(s,Seq#Index(s,i)))); +// ** AS: made one change here - changed type of x from ref to T +/*axiom (forall x: T :: + { Seq#Contains(Seq#Empty(), x) } + !Seq#Contains(Seq#Empty(), x)); +axiom (forall s0: Seq T, s1: Seq T, x: T :: + { Seq#Contains(Seq#Append(s0, s1), x) } + Seq#Contains(Seq#Append(s0, s1), x) <==> + Seq#Contains(s0, x) || Seq#Contains(s1, x)); + +axiom (forall s: Seq T, n: int, x: T :: + { Seq#Contains(Seq#Take(s, n), x) } + Seq#Contains(Seq#Take(s, n), x) <==> + (exists i: int :: { Seq#Index(s, i) } + 0 <= i && i < n && i < Seq#Length(s) && Seq#Index(s, i) == x)); +axiom (forall s: Seq T, n: int, x: T :: + { Seq#Contains(Seq#Drop(s, n), x) } + Seq#Contains(Seq#Drop(s, n), x) <==> + (exists i: int :: { Seq#Index(s, i) } + 0 <= n && n <= i && i < Seq#Length(s) && Seq#Index(s, i) == x)); +*/ +// diff 8: skolemisation (new) +/* +function Seq#Skolem(Seq T, T) : int; // skolem function for Seq#Contains +function Seq#SkolemContainsDrop(Seq T, int, T) : int; // skolem function for Seq#Contains over drop +function Seq#SkolemContainsTake(Seq T, int, T) : int; // skolem function for Seq#Contains over take + +function Seq#Contains(Seq T, T): bool; +axiom (forall s: Seq T, x: T :: { Seq#Contains(s,x) } + Seq#Contains(s,x) ==> s != Seq#Empty() && Seq#Length(s) > 0 && 0 <= Seq#Skolem(s,x) && + Seq#Skolem(s,x) < Seq#Length(s) && Seq#Index(s,Seq#Skolem(s,x)) == x); + +// AS: note: this is an unusual axiom, but is basically the original +// Consider writing a version without the (precise) first trigger? Also see later versions +axiom (forall s: Seq T, x: T, i:int :: { Seq#Contains(s,x), Seq#Index(s,i) } + 0 <= i && i < Seq#Length(s) && Seq#Index(s,i) == x ==> Seq#Contains(s,x)); + +// ** AS: made one change here - changed type of x from ref to T +axiom (forall x: T :: + { Seq#Contains(Seq#Empty(), x) } + !Seq#Contains(Seq#Empty(), x)); + +// AS: Consider dropping this axiom? +axiom (forall s0: Seq T, s1: Seq T, x: T :: + { Seq#Contains(Seq#Append(s0, s1), x) } { Seq#Contains(s0,x), Seq#Append(s0,s1)} { Seq#Contains(s1,x), Seq#Append(s0,s1)} // AS: added triggers + Seq#Contains(Seq#Append(s0, s1), x) <==> + Seq#Contains(s0, x) || Seq#Contains(s1, x)); + +// AS: split axioms +axiom (forall s: Seq T, n: int, x: T :: + { Seq#Contains(Seq#Take(s, n), x) } + Seq#Contains(Seq#Take(s, n), x) ==> + (Seq#Take(s, n) != Seq#Empty() && Seq#Length(Seq#Take(s, n)) > 0 && + 0 <= Seq#SkolemContainsTake(s, n, x) && Seq#SkolemContainsTake(s, n, x) < n && + Seq#SkolemContainsTake(s, n, x) < Seq#Length(s) && + Seq#Index(s, Seq#SkolemContainsTake(s, n, x)) == x)); + +axiom (forall s: Seq T, n: int, x: T, i:int :: + { Seq#Contains(Seq#Take(s, n), x), Seq#Index(s, i) } + 0 <= i && i < n && i < Seq#Length(s) && Seq#Index(s, i) == x ==> + Seq#Contains(Seq#Take(s, n), x)); + +// AS: split axioms +axiom (forall s: Seq T, n: int, x: T :: + { Seq#Contains(Seq#Drop(s, n), x) } + Seq#Contains(Seq#Drop(s, n), x) ==> + ( 0 <= Seq#SkolemContainsDrop(s, n, x) && n <= Seq#SkolemContainsDrop(s, n, x) && + Seq#SkolemContainsDrop(s, n, x) < Seq#Length(s) && + Seq#Index(s, Seq#SkolemContainsDrop(s, n, x)) == x)); + +axiom (forall s: Seq T, n: int, x: T, i:int :: + { Seq#Contains(Seq#Drop(s, n), x), Seq#Index(s, i) } + 0 <= n && n <= i && i < Seq#Length(s) && Seq#Index(s, i) == x ==> + Seq#Contains(Seq#Drop(s, n), x)); +*/ + +// END CONTAINS + +// START EQUALS + +// diff 9 : skolemise equals (old) +function Seq#Equal(Seq T, Seq T): bool; +/*axiom (forall s0: Seq T, s1: Seq T :: { Seq#Equal(s0,s1) } + Seq#Equal(s0,s1) <==> + Seq#Length(s0) == Seq#Length(s1) && + (forall j: int :: { Seq#Index(s0,j) } { Seq#Index(s1,j) } + 0 <= j && j < Seq#Length(s0) ==> Seq#Index(s0,j) == Seq#Index(s1,j))); + +axiom (forall a: Seq T, b: Seq T :: { Seq#Equal(a,b) } // extensionality axiom for sequences + Seq#Equal(a,b) ==> a == b); +*/ +// diff 9: skolemise equals (new) +// AS: split axiom +axiom (forall s0: Seq T, s1: Seq T :: { Seq#Equal(s0,s1) } + Seq#Equal(s0,s1) ==> + Seq#Length(s0) == Seq#Length(s1) && + (forall j: int :: { Seq#Index(s0,j) } { Seq#Index(s1,j) } + 0 <= j && j < Seq#Length(s0) ==> Seq#Index(s0,j) == Seq#Index(s1,j))); + +function Seq#SkolemDiff(Seq T, Seq T) : int; // skolem function for Seq#Equals + +axiom (forall s0: Seq T, s1: Seq T :: { Seq#Equal(s0,s1) } + (s0==s1 && Seq#Equal(s0,s1)) || (s0!=s1 && !Seq#Equal(s0,s1) && Seq#Length(s0) != Seq#Length(s1)) || + (s0 != s1 && !Seq#Equal(s0,s1) && Seq#Length(s0) == Seq#Length(s1) && Seq#SkolemDiff(s0,s1) == Seq#SkolemDiff(s1,s0) && 0 <= Seq#SkolemDiff(s0,s1) && Seq#SkolemDiff(s0,s1) < Seq#Length(s0) && + Seq#Index(s0,Seq#SkolemDiff(s0,s1)) != Seq#Index(s1,Seq#SkolemDiff(s0,s1)))); + +axiom (forall a: Seq T, b: Seq T :: { Seq#Equal(a,b) } // extensionality axiom for sequences + Seq#Equal(a,b) ==> a == b); + + +// END EQUALS + + +// START EXTRAS + +// extra stuff not in current Dafny Prelude + +// diff 10: variant of trigger (maybe drop these?) +// old: +axiom (forall x, y: T :: + { Seq#Contains(Seq#Singleton(x),y) } + Seq#Contains(Seq#Singleton(x),y) <==> x==y); +// new: +/*axiom (forall x, y: T :: + { Seq#Contains(Seq#Singleton(x),y) } + Seq#Contains(Seq#Singleton(x),y) ==> x==y); + +axiom (forall x: T :: + { Seq#Singleton(x) } + Seq#Contains(Seq#Singleton(x),x)); +*/ + +function Seq#Range(min: int, max: int) returns (Seq int); +axiom (forall min: int, max: int :: { Seq#Length(Seq#Range(min, max)) } (min < max ==> Seq#Length(Seq#Range(min, max)) == max-min) && (max <= min ==> Seq#Length(Seq#Range(min, max)) == 0)); +axiom (forall min: int, max: int, j: int :: { Seq#Index(Seq#Range(min, max), j) } 0<=j && j Seq#Index(Seq#Range(min, max), j) == min + j); + +axiom (forall min: int, max: int, v: int :: {Seq#Contains(Seq#Range(min, max),v)} + (Seq#Contains(Seq#Range(min, max),v) <==> min <= v && v < max)); + +// END EXTRAS + + +// ================================================== +// Preamble of Set module. +// ================================================== + + +type Set T = [T]bool; + +function Set#Card(Set T): int; +axiom (forall s: Set T :: { Set#Card(s) } 0 <= Set#Card(s)); + +function Set#Empty(): Set T; +axiom (forall o: T :: { Set#Empty()[o] } !Set#Empty()[o]); +axiom (forall s: Set T :: { Set#Card(s) } + (Set#Card(s) == 0 <==> s == Set#Empty()) && + (Set#Card(s) != 0 ==> (exists x: T :: s[x]))); + +function Set#Singleton(T): Set T; +axiom (forall r: T :: { Set#Singleton(r) } Set#Singleton(r)[r]); +axiom (forall r: T, o: T :: { Set#Singleton(r)[o] } Set#Singleton(r)[o] <==> r == o); +axiom (forall r: T :: { Set#Card(Set#Singleton(r)) } Set#Card(Set#Singleton(r)) == 1); + +function Set#UnionOne(Set T, T): Set T; +axiom (forall a: Set T, x: T, o: T :: { Set#UnionOne(a,x)[o] } + Set#UnionOne(a,x)[o] <==> o == x || a[o]); +axiom (forall a: Set T, x: T :: { Set#UnionOne(a, x) } + Set#UnionOne(a, x)[x]); +axiom (forall a: Set T, x: T, y: T :: { Set#UnionOne(a, x), a[y] } + a[y] ==> Set#UnionOne(a, x)[y]); +axiom (forall a: Set T, x: T :: { Set#Card(Set#UnionOne(a, x)) } + a[x] ==> Set#Card(Set#UnionOne(a, x)) == Set#Card(a)); +axiom (forall a: Set T, x: T :: { Set#Card(Set#UnionOne(a, x)) } + !a[x] ==> Set#Card(Set#UnionOne(a, x)) == Set#Card(a) + 1); + +function Set#Union(Set T, Set T): Set T; +axiom (forall a: Set T, b: Set T, o: T :: { Set#Union(a,b)[o] } + Set#Union(a,b)[o] <==> a[o] || b[o]); +axiom (forall a, b: Set T, y: T :: { Set#Union(a, b), a[y] } + a[y] ==> Set#Union(a, b)[y]); +axiom (forall a, b: Set T, y: T :: { Set#Union(a, b), b[y] } + b[y] ==> Set#Union(a, b)[y]); +//axiom (forall a, b: Set T :: { Set#Union(a, b) } +// Set#Disjoint(a, b) ==> +// Set#Difference(Set#Union(a, b), a) == b && +// Set#Difference(Set#Union(a, b), b) == a); + +function Set#Intersection(Set T, Set T): Set T; +axiom (forall a: Set T, b: Set T, o: T :: { Set#Intersection(a,b)[o] } {Set#Intersection(a,b), a[o]} {Set#Intersection(a,b), b[o]} // AS: added alternative triggers 20/06/19 + Set#Intersection(a,b)[o] <==> a[o] && b[o]); + +axiom (forall a, b: Set T :: { Set#Union(Set#Union(a, b), b) } + Set#Union(Set#Union(a, b), b) == Set#Union(a, b)); +axiom (forall a, b: Set T :: { Set#Union(a, Set#Union(a, b)) } + Set#Union(a, Set#Union(a, b)) == Set#Union(a, b)); +axiom (forall a, b: Set T :: { Set#Intersection(Set#Intersection(a, b), b) } + Set#Intersection(Set#Intersection(a, b), b) == Set#Intersection(a, b)); +axiom (forall a, b: Set T :: { Set#Intersection(a, Set#Intersection(a, b)) } + Set#Intersection(a, Set#Intersection(a, b)) == Set#Intersection(a, b)); +axiom (forall a, b: Set T :: { Set#Card(Set#Union(a, b)) }{ Set#Card(Set#Intersection(a, b)) } + Set#Card(Set#Union(a, b)) + Set#Card(Set#Intersection(a, b)) == Set#Card(a) + Set#Card(b)); + +function Set#Difference(Set T, Set T): Set T; +axiom (forall a: Set T, b: Set T, o: T :: { Set#Difference(a,b)[o] } { Set#Difference(a,b), a[o] } + Set#Difference(a,b)[o] <==> a[o] && !b[o]); +axiom (forall a, b: Set T, y: T :: { Set#Difference(a, b), b[y] } + b[y] ==> !Set#Difference(a, b)[y] ); +axiom (forall a, b: Set T :: + { Set#Card(Set#Difference(a, b)) } + Set#Card(Set#Difference(a, b)) + Set#Card(Set#Difference(b, a)) + + Set#Card(Set#Intersection(a, b)) + == Set#Card(Set#Union(a, b)) && + Set#Card(Set#Difference(a, b)) == Set#Card(a) - Set#Card(Set#Intersection(a, b))); + +function Set#Subset(Set T, Set T): bool; +axiom(forall a: Set T, b: Set T :: { Set#Subset(a,b) } + Set#Subset(a,b) <==> (forall o: T :: {a[o]} {b[o]} a[o] ==> b[o])); +// axiom(forall a: Set T, b: Set T :: +// { Set#Subset(a,b), Set#Card(a), Set#Card(b) } // very restrictive trigger +// Set#Subset(a,b) ==> Set#Card(a) <= Set#Card(b)); + + +function Set#Equal(Set T, Set T): bool; +axiom(forall a: Set T, b: Set T :: { Set#Equal(a,b) } + Set#Equal(a,b) <==> (forall o: T :: {a[o]} {b[o]} a[o] <==> b[o])); +axiom(forall a: Set T, b: Set T :: { Set#Equal(a,b) } // extensionality axiom for sets + Set#Equal(a,b) ==> a == b); + +//function Set#Disjoint(Set T, Set T): bool; +//axiom (forall a: Set T, b: Set T :: { Set#Disjoint(a,b) } +// Set#Disjoint(a,b) <==> (forall o: T :: {a[o]} {b[o]} !a[o] || !b[o])); + +// --------------------------------------------------------------- +// -- Axiomatization of multisets -------------------------------- +// --------------------------------------------------------------- + +function Math#min(a: int, b: int): int; +axiom (forall a: int, b: int :: { Math#min(a, b) } a <= b <==> Math#min(a, b) == a); +axiom (forall a: int, b: int :: { Math#min(a, b) } b <= a <==> Math#min(a, b) == b); +axiom (forall a: int, b: int :: { Math#min(a, b) } Math#min(a, b) == a || Math#min(a, b) == b); + +function Math#clip(a: int): int; +axiom (forall a: int :: { Math#clip(a) } 0 <= a ==> Math#clip(a) == a); +axiom (forall a: int :: { Math#clip(a) } a < 0 ==> Math#clip(a) == 0); + +type MultiSet T; // = [T]int; + +function MultiSet#Select(ms: MultiSet T, x:T): int; + +//function $IsGoodMultiSet(ms: MultiSet T): bool; +// ints are non-negative, used after havocing, and for conversion from sequences to multisets. +//axiom (forall ms: MultiSet T :: { $IsGoodMultiSet(ms) } +// $IsGoodMultiSet(ms) <==> +// (forall bx: T :: { ms[bx] } 0 <= ms[bx] && ms[bx] <= MultiSet#Card(ms))); + +axiom (forall ms: MultiSet T, x: T :: {MultiSet#Select(ms,x)} MultiSet#Select(ms,x) >= 0); // NEW + +function MultiSet#Card(MultiSet T): int; +axiom (forall s: MultiSet T :: { MultiSet#Card(s) } 0 <= MultiSet#Card(s)); +//axiom (forall s: MultiSet T, x: T, n: int :: { MultiSet#Card(s[x := n]) } +// 0 <= n ==> MultiSet#Card(s[x := n]) == MultiSet#Card(s) - s[x] + n); +// +function MultiSet#Empty(): MultiSet T; +axiom (forall o: T :: { MultiSet#Select(MultiSet#Empty(),o) } MultiSet#Select(MultiSet#Empty(),o) == 0); +axiom (forall s: MultiSet T :: { MultiSet#Card(s) } + (MultiSet#Card(s) == 0 <==> s == MultiSet#Empty()) && + (MultiSet#Card(s) != 0 ==> (exists x: T :: 0 < MultiSet#Select(s,x)))); + +function MultiSet#Singleton(T): MultiSet T; +axiom (forall r: T, o: T :: { MultiSet#Select(MultiSet#Singleton(r),o) } (MultiSet#Select(MultiSet#Singleton(r),o) == 1 <==> r == o) && + (MultiSet#Select(MultiSet#Singleton(r),o) == 0 <==> r != o)); +axiom (forall r: T :: { MultiSet#Singleton(r) } MultiSet#Card(MultiSet#Singleton(r)) == 1 && MultiSet#Select(MultiSet#Singleton(r),r) == 1); // AS: added +axiom (forall r: T :: { MultiSet#Singleton(r) } MultiSet#Singleton(r) == MultiSet#UnionOne(MultiSet#Empty(), r)); // AS: remove this? + +function MultiSet#UnionOne(MultiSet T, T): MultiSet T; +// union-ing increases count by one for x, not for others +axiom (forall a: MultiSet T, x: T, o: T :: { MultiSet#Select(MultiSet#UnionOne(a,x),o) } { MultiSet#UnionOne(a, x), MultiSet#Select(a,o) } // AS: added back this trigger (used on a similar axiom before) + MultiSet#Select(MultiSet#UnionOne(a, x),o) == (if x==o then MultiSet#Select(a,o) + 1 else MultiSet#Select(a,o))); +// non-decreasing +axiom (forall a: MultiSet T, x: T :: { MultiSet#Card(MultiSet#UnionOne(a, x)) } {MultiSet#UnionOne(a, x), MultiSet#Card(a)} // AS: added alternative trigger + MultiSet#Card(MultiSet#UnionOne(a, x)) == MultiSet#Card(a) + 1); +// AS: added - concrete knowledge of element added +axiom (forall a: MultiSet T, x: T :: { MultiSet#UnionOne(a,x)} + MultiSet#Select(MultiSet#UnionOne(a, x),x) > 0 && MultiSet#Card(MultiSet#UnionOne(a, x)) > 0); + +function MultiSet#Union(MultiSet T, MultiSet T): MultiSet T; +// union-ing is the sum of the contents +axiom (forall a: MultiSet T, b: MultiSet T, o: T :: { MultiSet#Select(MultiSet#Union(a,b),o) } {MultiSet#Union(a,b), MultiSet#Select(a,o), MultiSet#Select(b,o)}// AS: added triggers + MultiSet#Select(MultiSet#Union(a,b),o) == MultiSet#Select(a,o) + MultiSet#Select(b,o)); +axiom (forall a: MultiSet T, b: MultiSet T :: { MultiSet#Card(MultiSet#Union(a,b)) } {MultiSet#Card(a), MultiSet#Union(a,b)} {MultiSet#Card(b), MultiSet#Union(a,b)} + MultiSet#Card(MultiSet#Union(a,b)) == MultiSet#Card(a) + MultiSet#Card(b)); + +function MultiSet#Intersection(MultiSet T, MultiSet T): MultiSet T; +axiom (forall a: MultiSet T, b: MultiSet T, o: T :: { MultiSet#Select(MultiSet#Intersection(a,b),o) } + MultiSet#Select(MultiSet#Intersection(a,b),o) == Math#min(MultiSet#Select(a,o), MultiSet#Select(b,o))); + +// left and right pseudo-idempotence +axiom (forall a, b: MultiSet T :: { MultiSet#Intersection(MultiSet#Intersection(a, b), b) } + MultiSet#Intersection(MultiSet#Intersection(a, b), b) == MultiSet#Intersection(a, b)); +axiom (forall a, b: MultiSet T :: { MultiSet#Intersection(a, MultiSet#Intersection(a, b)) } + MultiSet#Intersection(a, MultiSet#Intersection(a, b)) == MultiSet#Intersection(a, b)); + +// multiset difference, a - b. clip() makes it positive. +function MultiSet#Difference(MultiSet T, MultiSet T): MultiSet T; +axiom (forall a: MultiSet T, b: MultiSet T, o: T :: { MultiSet#Select(MultiSet#Difference(a,b),o) } + MultiSet#Select(MultiSet#Difference(a,b),o) == Math#clip(MultiSet#Select(a,o) - MultiSet#Select(b,o))); +axiom (forall a, b: MultiSet T, y: T :: { MultiSet#Difference(a, b), MultiSet#Select(b,y), MultiSet#Select(a,y) } + MultiSet#Select(a,y) <= MultiSet#Select(b,y) ==> MultiSet#Select(MultiSet#Difference(a, b),y) == 0 ); +axiom (forall a, b: MultiSet T :: + { MultiSet#Card(MultiSet#Difference(a, b)) } + MultiSet#Card(MultiSet#Difference(a, b)) + MultiSet#Card(MultiSet#Difference(b, a)) + + 2 * MultiSet#Card(MultiSet#Intersection(a, b)) + == MultiSet#Card(MultiSet#Union(a, b)) && + MultiSet#Card(MultiSet#Difference(a, b)) == MultiSet#Card(a) - MultiSet#Card(MultiSet#Intersection(a, b))); + +// multiset subset means a must have at most as many of each element as b +function MultiSet#Subset(MultiSet T, MultiSet T): bool; +axiom(forall a: MultiSet T, b: MultiSet T :: { MultiSet#Subset(a,b) } + MultiSet#Subset(a,b) <==> (forall o: T :: {MultiSet#Select(a,o)} {MultiSet#Select(b,o)} MultiSet#Select(a,o) <= MultiSet#Select(b,o))); + +function MultiSet#Equal(MultiSet T, MultiSet T): bool; +axiom(forall a: MultiSet T, b: MultiSet T :: { MultiSet#Equal(a,b) } + MultiSet#Equal(a,b) <==> (forall o: T :: {MultiSet#Select(a,o)} {MultiSet#Select(b,o)} MultiSet#Select(a,o) == MultiSet#Select(b,o))); +// extensionality axiom for multisets +axiom(forall a: MultiSet T, b: MultiSet T :: { MultiSet#Equal(a,b) } + MultiSet#Equal(a,b) ==> a == b); + +function MultiSet#Disjoint(MultiSet T, MultiSet T): bool; +axiom (forall a: MultiSet T, b: MultiSet T :: { MultiSet#Disjoint(a,b) } + MultiSet#Disjoint(a,b) <==> (forall o: T :: {MultiSet#Select(a,o)} {MultiSet#Select(b,o)} MultiSet#Select(a,o) == 0 || MultiSet#Select(b,o) == 0)); + + + +// ================================================== +// Translation of domain PyType +// ================================================== + +// The type for domain PyType +type PyTypeDomainType; + +// Translation of domain function extends_ +function extends_(sub: PyTypeDomainType, super: PyTypeDomainType): bool; + +// Translation of domain function issubtype +function issubtype(sub: PyTypeDomainType, super: PyTypeDomainType): bool; + +// Translation of domain function isnotsubtype +function isnotsubtype(sub: PyTypeDomainType, super: PyTypeDomainType): bool; + +// Translation of domain function tuple_args +function tuple_args(t_1: PyTypeDomainType): Seq PyTypeDomainType; + +// Translation of domain function typeof +function typeof(obj: Ref): PyTypeDomainType; + +// Translation of domain function get_basic +function get_basic(t_1: PyTypeDomainType): PyTypeDomainType; + +// Translation of domain function union_type_1 +function union_type_1(arg_1: PyTypeDomainType): PyTypeDomainType; + +// Translation of domain function union_type_2 +function union_type_2(arg_1: PyTypeDomainType, arg_2: PyTypeDomainType): PyTypeDomainType; + +// Translation of domain function union_type_3 +function union_type_3(arg_1: PyTypeDomainType, arg_2: PyTypeDomainType, arg_3: PyTypeDomainType): PyTypeDomainType; + +// Translation of domain function union_type_4 +function union_type_4(arg_1: PyTypeDomainType, arg_2: PyTypeDomainType, arg_3: PyTypeDomainType, arg_4: PyTypeDomainType): PyTypeDomainType; + +// Translation of domain unique function object +const unique object: PyTypeDomainType; + +// Translation of domain unique function list_basic +const unique list_basic: PyTypeDomainType; + +// Translation of domain function list +function list(arg0: PyTypeDomainType): PyTypeDomainType; + +// Translation of domain function list_arg +function list_arg(typ: PyTypeDomainType, index: int): PyTypeDomainType; + +// Translation of domain unique function set_basic +const unique set_basic: PyTypeDomainType; + +// Translation of domain function set +function set(arg0: PyTypeDomainType): PyTypeDomainType; + +// Translation of domain function set_arg +function set_arg(typ: PyTypeDomainType, index: int): PyTypeDomainType; + +// Translation of domain unique function dict_basic +const unique dict_basic: PyTypeDomainType; + +// Translation of domain function dict +function dict(arg0: PyTypeDomainType, arg1: PyTypeDomainType): PyTypeDomainType; + +// Translation of domain function dict_arg +function dict_arg(typ: PyTypeDomainType, index: int): PyTypeDomainType; + +// Translation of domain unique function int +const unique vint: PyTypeDomainType; + +// Translation of domain unique function float +const unique float: PyTypeDomainType; + +// Translation of domain unique function bool +const unique vbool: PyTypeDomainType; + +// Translation of domain unique function NoneType +const unique NoneType: PyTypeDomainType; + +// Translation of domain unique function Exception +const unique Exception: PyTypeDomainType; + +// Translation of domain unique function ConnectionRefusedError +const unique ConnectionRefusedError: PyTypeDomainType; + +// Translation of domain unique function traceback +const unique traceback: PyTypeDomainType; + +// Translation of domain unique function str +const unique str: PyTypeDomainType; + +// Translation of domain unique function bytes +const unique bytes: PyTypeDomainType; + +// Translation of domain unique function tuple_basic +const unique tuple_basic: PyTypeDomainType; + +// Translation of domain function tuple +function tuple(args: (Seq PyTypeDomainType)): PyTypeDomainType; + +// Translation of domain function tuple_arg +function tuple_arg(typ: PyTypeDomainType, index: int): PyTypeDomainType; + +// Translation of domain unique function PSeq_basic +const unique PSeq_basic: PyTypeDomainType; + +// Translation of domain function PSeq +function PSeq(arg0: PyTypeDomainType): PyTypeDomainType; + +// Translation of domain function PSeq_arg +function PSeq_arg(typ: PyTypeDomainType, index: int): PyTypeDomainType; + +// Translation of domain unique function PSet_basic +const unique PSet_basic: PyTypeDomainType; + +// Translation of domain function PSet +function PSet(arg0: PyTypeDomainType): PyTypeDomainType; + +// Translation of domain function PSet_arg +function PSet_arg(typ: PyTypeDomainType, index: int): PyTypeDomainType; + +// Translation of domain unique function PMultiset_basic +const unique PMultiset_basic: PyTypeDomainType; + +// Translation of domain function PMultiset +function PMultiset(arg0: PyTypeDomainType): PyTypeDomainType; + +// Translation of domain function PMultiset_arg +function PMultiset_arg(typ: PyTypeDomainType, index: int): PyTypeDomainType; + +// Translation of domain unique function slice +const unique slice: PyTypeDomainType; + +// Translation of domain unique function py_range +const unique py_range: PyTypeDomainType; + +// Translation of domain unique function Iterator_basic +const unique Iterator_basic: PyTypeDomainType; + +// Translation of domain function Iterator +function Iterator(arg0: PyTypeDomainType): PyTypeDomainType; + +// Translation of domain function Iterator_arg +function Iterator_arg(typ: PyTypeDomainType, index: int): PyTypeDomainType; + +// Translation of domain unique function Thread_0 +const unique Thread_0: PyTypeDomainType; + +// Translation of domain unique function LevelType +const unique LevelType: PyTypeDomainType; + +// Translation of domain unique function type +const unique vtype: PyTypeDomainType; + +// Translation of domain unique function Place +const unique Place: PyTypeDomainType; + +// Translation of domain unique function __prim__Seq_type +const unique __prim__Seq_type: PyTypeDomainType; + +// Translation of domain unique function SoldoutException +const unique SoldoutException: PyTypeDomainType; + +// Translation of domain unique function Ticket +const unique Ticket: PyTypeDomainType; + +// Translation of domain axiom issubtype_transitivity +axiom (forall sub_1: PyTypeDomainType, middle: PyTypeDomainType, super_1: PyTypeDomainType :: + { (issubtype(sub_1, middle): bool), (issubtype(middle, super_1): bool) } + (issubtype(sub_1, middle): bool) && (issubtype(middle, super_1): bool) ==> (issubtype(sub_1, super_1): bool) +); + +// Translation of domain axiom issubtype_reflexivity +axiom (forall type_: PyTypeDomainType :: + { (issubtype(type_, type_): bool) } + (issubtype(type_, type_): bool) +); + +// Translation of domain axiom extends_implies_subtype +axiom (forall sub_1: PyTypeDomainType, sub2: PyTypeDomainType :: + { (extends_(sub_1, sub2): bool) } + (extends_(sub_1, sub2): bool) ==> (issubtype(sub_1, sub2): bool) +); + +// Translation of domain axiom null_nonetype +axiom (forall r_1: Ref :: + { (typeof(r_1): PyTypeDomainType) } + (issubtype((typeof(r_1): PyTypeDomainType), NoneType): bool) == (r_1 == null) +); + +// Translation of domain axiom issubtype_object +axiom (forall type_: PyTypeDomainType :: + { (issubtype(type_, object): bool) } + (issubtype(type_, object): bool) +); + +// Translation of domain axiom issubtype_exclusion +axiom (forall sub_1: PyTypeDomainType, sub2: PyTypeDomainType, super_1: PyTypeDomainType :: + { (extends_(sub_1, super_1): bool), (extends_(sub2, super_1): bool) } + (extends_(sub_1, super_1): bool) && ((extends_(sub2, super_1): bool) && sub_1 != sub2) ==> (isnotsubtype(sub_1, sub2): bool) && (isnotsubtype(sub2, sub_1): bool) +); + +// Translation of domain axiom issubtype_exclusion_2 +axiom (forall sub_1: PyTypeDomainType, super_1: PyTypeDomainType :: + { (issubtype(sub_1, super_1): bool) } { (issubtype(super_1, sub_1): bool) } + (issubtype(sub_1, super_1): bool) && sub_1 != super_1 ==> !(issubtype(super_1, sub_1): bool) +); + +// Translation of domain axiom issubtype_exclusion_propagation +axiom (forall sub_1: PyTypeDomainType, middle: PyTypeDomainType, super_1: PyTypeDomainType :: + { (issubtype(sub_1, middle): bool), (isnotsubtype(middle, super_1): bool) } + (issubtype(sub_1, middle): bool) && (isnotsubtype(middle, super_1): bool) ==> !(issubtype(sub_1, super_1): bool) +); + +// Translation of domain axiom tuple_arg_def +axiom (forall seq: (Seq PyTypeDomainType), i: int, Z: PyTypeDomainType :: + { (tuple(seq): PyTypeDomainType), (tuple_arg(Z, i): PyTypeDomainType) } + (issubtype(Z, (tuple(seq): PyTypeDomainType)): bool) ==> (issubtype((tuple_arg(Z, i): PyTypeDomainType), Seq#Index(seq, i)): bool) +); + +// Translation of domain axiom tuple_args_def +axiom (forall seq: (Seq PyTypeDomainType), Z: PyTypeDomainType :: + { (issubtype(Z, (tuple(seq): PyTypeDomainType)): bool) } + (issubtype(Z, (tuple(seq): PyTypeDomainType)): bool) ==> Seq#Length((tuple_args(Z): Seq PyTypeDomainType)) == Seq#Length(seq) +); + +// Translation of domain axiom tuple_self_subtype +axiom (forall seq1: (Seq PyTypeDomainType), seq2: (Seq PyTypeDomainType) :: + { Seq#Length(seq1), Seq#Length(seq2) } { Seq#Length(seq1), (tuple(seq2): PyTypeDomainType) } { Seq#Length(seq1), (issubtype((tuple(seq1): PyTypeDomainType), (tuple(seq2): PyTypeDomainType)): bool) } { Seq#Length(seq2), Seq#Length(seq1) } { Seq#Length(seq2), (tuple(seq1): PyTypeDomainType) } { Seq#Length(seq2), (issubtype((tuple(seq1): PyTypeDomainType), (tuple(seq2): PyTypeDomainType)): bool) } { (issubtype((tuple(seq1): PyTypeDomainType), (tuple(seq2): PyTypeDomainType)): bool) } + !Seq#Equal(seq1, seq2) && (Seq#Length(seq1) == Seq#Length(seq2) && (forall i: int :: + { (issubtype(Seq#Index(seq1, i), Seq#Index(seq2, i)): bool) } + i >= 0 && i < Seq#Length(seq1) ==> (issubtype(Seq#Index(seq1, i), Seq#Index(seq2, i)): bool) + )) ==> (issubtype((tuple(seq1): PyTypeDomainType), (tuple(seq2): PyTypeDomainType)): bool) +); + +// Translation of domain axiom union_subtype_1 +axiom (forall arg_1_1: PyTypeDomainType, X: PyTypeDomainType :: + { (issubtype(X, (union_type_1(arg_1_1): PyTypeDomainType)): bool) } + (issubtype(X, (union_type_1(arg_1_1): PyTypeDomainType)): bool) == (issubtype(X, arg_1_1): bool) +); + +// Translation of domain axiom union_subtype_2 +axiom (forall arg_1_1: PyTypeDomainType, arg_2_1: PyTypeDomainType, X: PyTypeDomainType :: + { (issubtype(X, (union_type_2(arg_1_1, arg_2_1): PyTypeDomainType)): bool) } + (issubtype(X, (union_type_2(arg_1_1, arg_2_1): PyTypeDomainType)): bool) == ((issubtype(X, arg_1_1): bool) || (issubtype(X, arg_2_1): bool)) +); + +// Translation of domain axiom union_subtype_3 +axiom (forall arg_1_1: PyTypeDomainType, arg_2_1: PyTypeDomainType, arg_3_1: PyTypeDomainType, X: PyTypeDomainType :: + { (issubtype(X, (union_type_3(arg_1_1, arg_2_1, arg_3_1): PyTypeDomainType)): bool) } + (issubtype(X, (union_type_3(arg_1_1, arg_2_1, arg_3_1): PyTypeDomainType)): bool) == ((issubtype(X, arg_1_1): bool) || ((issubtype(X, arg_2_1): bool) || (issubtype(X, arg_3_1): bool))) +); + +// Translation of domain axiom union_subtype_4 +axiom (forall arg_1_1: PyTypeDomainType, arg_2_1: PyTypeDomainType, arg_3_1: PyTypeDomainType, arg_4_1: PyTypeDomainType, X: PyTypeDomainType :: + { (issubtype(X, (union_type_4(arg_1_1, arg_2_1, arg_3_1, arg_4_1): PyTypeDomainType)): bool) } + (issubtype(X, (union_type_4(arg_1_1, arg_2_1, arg_3_1, arg_4_1): PyTypeDomainType)): bool) == ((issubtype(X, arg_1_1): bool) || ((issubtype(X, arg_2_1): bool) || ((issubtype(X, arg_3_1): bool) || (issubtype(X, arg_4_1): bool)))) +); + +// Translation of domain axiom subtype_union_1 +axiom (forall arg_1_1: PyTypeDomainType, X: PyTypeDomainType :: + { (issubtype((union_type_1(arg_1_1): PyTypeDomainType), X): bool) } + (issubtype((union_type_1(arg_1_1): PyTypeDomainType), X): bool) == (issubtype(arg_1_1, X): bool) +); + +// Translation of domain axiom subtype_union_2 +axiom (forall arg_1_1: PyTypeDomainType, arg_2_1: PyTypeDomainType, X: PyTypeDomainType :: + { (issubtype((union_type_2(arg_1_1, arg_2_1): PyTypeDomainType), X): bool) } + (issubtype((union_type_2(arg_1_1, arg_2_1): PyTypeDomainType), X): bool) == ((issubtype(arg_1_1, X): bool) && (issubtype(arg_2_1, X): bool)) +); + +// Translation of domain axiom subtype_union_3 +axiom (forall arg_1_1: PyTypeDomainType, arg_2_1: PyTypeDomainType, arg_3_1: PyTypeDomainType, X: PyTypeDomainType :: + { (issubtype((union_type_3(arg_1_1, arg_2_1, arg_3_1): PyTypeDomainType), X): bool) } + (issubtype((union_type_3(arg_1_1, arg_2_1, arg_3_1): PyTypeDomainType), X): bool) == ((issubtype(arg_1_1, X): bool) && ((issubtype(arg_2_1, X): bool) && (issubtype(arg_3_1, X): bool))) +); + +// Translation of domain axiom subtype_union_4 +axiom (forall arg_1_1: PyTypeDomainType, arg_2_1: PyTypeDomainType, arg_3_1: PyTypeDomainType, arg_4_1: PyTypeDomainType, X: PyTypeDomainType :: + { (issubtype((union_type_4(arg_1_1, arg_2_1, arg_3_1, arg_4_1): PyTypeDomainType), X): bool) } + (issubtype((union_type_4(arg_1_1, arg_2_1, arg_3_1, arg_4_1): PyTypeDomainType), X): bool) == ((issubtype(arg_1_1, X): bool) && ((issubtype(arg_2_1, X): bool) && ((issubtype(arg_3_1, X): bool) && (issubtype(arg_4_1, X): bool)))) +); + +// Translation of domain axiom subtype_list +axiom (forall var0: PyTypeDomainType :: + { (list(var0): PyTypeDomainType) } + (extends_((list(var0): PyTypeDomainType), object): bool) && (get_basic((list(var0): PyTypeDomainType)): PyTypeDomainType) == list_basic +); + +// Translation of domain axiom list_args0 +axiom (forall Z: PyTypeDomainType, arg0_1: PyTypeDomainType :: + { (list(arg0_1): PyTypeDomainType), (list_arg(Z, 0): PyTypeDomainType) } + (issubtype(Z, (list(arg0_1): PyTypeDomainType)): bool) ==> (list_arg(Z, 0): PyTypeDomainType) == arg0_1 +); + +// Translation of domain axiom subtype_set +axiom (forall var0: PyTypeDomainType :: + { (set(var0): PyTypeDomainType) } + (extends_((set(var0): PyTypeDomainType), object): bool) && (get_basic((set(var0): PyTypeDomainType)): PyTypeDomainType) == set_basic +); + +// Translation of domain axiom set_args0 +axiom (forall Z: PyTypeDomainType, arg0_1: PyTypeDomainType :: + { (set(arg0_1): PyTypeDomainType), (set_arg(Z, 0): PyTypeDomainType) } + (issubtype(Z, (set(arg0_1): PyTypeDomainType)): bool) ==> (set_arg(Z, 0): PyTypeDomainType) == arg0_1 +); + +// Translation of domain axiom subtype_dict +axiom (forall var0: PyTypeDomainType, var1: PyTypeDomainType :: + { (dict(var0, var1): PyTypeDomainType) } + (extends_((dict(var0, var1): PyTypeDomainType), object): bool) && (get_basic((dict(var0, var1): PyTypeDomainType)): PyTypeDomainType) == dict_basic +); + +// Translation of domain axiom dict_args0 +axiom (forall Z: PyTypeDomainType, arg0_1: PyTypeDomainType, arg1_1: PyTypeDomainType :: + { (dict(arg0_1, arg1_1): PyTypeDomainType), (dict_arg(Z, 0): PyTypeDomainType) } + (issubtype(Z, (dict(arg0_1, arg1_1): PyTypeDomainType)): bool) ==> (dict_arg(Z, 0): PyTypeDomainType) == arg0_1 +); + +// Translation of domain axiom dict_args1 +axiom (forall Z: PyTypeDomainType, arg0_1: PyTypeDomainType, arg1_1: PyTypeDomainType :: + { (dict(arg0_1, arg1_1): PyTypeDomainType), (dict_arg(Z, 1): PyTypeDomainType) } + (issubtype(Z, (dict(arg0_1, arg1_1): PyTypeDomainType)): bool) ==> (dict_arg(Z, 1): PyTypeDomainType) == arg1_1 +); + +// Translation of domain axiom subtype_int +axiom (extends_(vint, float): bool) && (get_basic(vint): PyTypeDomainType) == vint; + +// Translation of domain axiom subtype_float +axiom (extends_(float, object): bool) && (get_basic(float): PyTypeDomainType) == float; + +// Translation of domain axiom subtype_bool +axiom (extends_(vbool, vint): bool) && (get_basic(vbool): PyTypeDomainType) == vbool; + +// Translation of domain axiom subtype_NoneType +axiom (extends_(NoneType, object): bool) && (get_basic(NoneType): PyTypeDomainType) == NoneType; + +// Translation of domain axiom subtype_Exception +axiom (extends_(Exception, object): bool) && (get_basic(Exception): PyTypeDomainType) == Exception; + +// Translation of domain axiom subtype_ConnectionRefusedError +axiom (extends_(ConnectionRefusedError, Exception): bool) && (get_basic(ConnectionRefusedError): PyTypeDomainType) == ConnectionRefusedError; + +// Translation of domain axiom subtype_traceback +axiom (extends_(traceback, object): bool) && (get_basic(traceback): PyTypeDomainType) == traceback; + +// Translation of domain axiom subtype_str +axiom (extends_(str, object): bool) && (get_basic(str): PyTypeDomainType) == str; + +// Translation of domain axiom subtype_bytes +axiom (extends_(bytes, object): bool) && (get_basic(bytes): PyTypeDomainType) == bytes; + +// Translation of domain axiom subtype_tuple +axiom (forall args_1: (Seq PyTypeDomainType) :: + { (tuple(args_1): PyTypeDomainType) } + ((forall e: PyTypeDomainType :: + { Seq#ContainsTrigger(args_1, e) } { Seq#Contains(args_1, e) } + Seq#Contains(args_1, e) ==> e == object + ) ==> (extends_((tuple(args_1): PyTypeDomainType), object): bool)) && (get_basic((tuple(args_1): PyTypeDomainType)): PyTypeDomainType) == tuple_basic +); + +// Translation of domain axiom subtype_PSeq +axiom (forall var0: PyTypeDomainType :: + { (PSeq(var0): PyTypeDomainType) } + (extends_((PSeq(var0): PyTypeDomainType), object): bool) && (get_basic((PSeq(var0): PyTypeDomainType)): PyTypeDomainType) == PSeq_basic +); + +// Translation of domain axiom PSeq_args0 +axiom (forall Z: PyTypeDomainType, arg0_1: PyTypeDomainType :: + { (PSeq(arg0_1): PyTypeDomainType), (PSeq_arg(Z, 0): PyTypeDomainType) } + (issubtype(Z, (PSeq(arg0_1): PyTypeDomainType)): bool) ==> (PSeq_arg(Z, 0): PyTypeDomainType) == arg0_1 +); + +// Translation of domain axiom subtype_PSet +axiom (forall var0: PyTypeDomainType :: + { (PSet(var0): PyTypeDomainType) } + (extends_((PSet(var0): PyTypeDomainType), object): bool) && (get_basic((PSet(var0): PyTypeDomainType)): PyTypeDomainType) == PSet_basic +); + +// Translation of domain axiom PSet_args0 +axiom (forall Z: PyTypeDomainType, arg0_1: PyTypeDomainType :: + { (PSet(arg0_1): PyTypeDomainType), (PSet_arg(Z, 0): PyTypeDomainType) } + (issubtype(Z, (PSet(arg0_1): PyTypeDomainType)): bool) ==> (PSet_arg(Z, 0): PyTypeDomainType) == arg0_1 +); + +// Translation of domain axiom subtype_PMultiset +axiom (forall var0: PyTypeDomainType :: + { (PMultiset(var0): PyTypeDomainType) } + (extends_((PMultiset(var0): PyTypeDomainType), object): bool) && (get_basic((PMultiset(var0): PyTypeDomainType)): PyTypeDomainType) == PMultiset_basic +); + +// Translation of domain axiom PMultiset_args0 +axiom (forall Z: PyTypeDomainType, arg0_1: PyTypeDomainType :: + { (PMultiset(arg0_1): PyTypeDomainType), (PMultiset_arg(Z, 0): PyTypeDomainType) } + (issubtype(Z, (PMultiset(arg0_1): PyTypeDomainType)): bool) ==> (PMultiset_arg(Z, 0): PyTypeDomainType) == arg0_1 +); + +// Translation of domain axiom subtype_slice +axiom (extends_(slice, object): bool) && (get_basic(slice): PyTypeDomainType) == slice; + +// Translation of domain axiom subtype_py_range +axiom (extends_(py_range, object): bool) && (get_basic(py_range): PyTypeDomainType) == py_range; + +// Translation of domain axiom subtype_Iterator +axiom (forall var0: PyTypeDomainType :: + { (Iterator(var0): PyTypeDomainType) } + (extends_((Iterator(var0): PyTypeDomainType), object): bool) && (get_basic((Iterator(var0): PyTypeDomainType)): PyTypeDomainType) == Iterator_basic +); + +// Translation of domain axiom Iterator_args0 +axiom (forall Z: PyTypeDomainType, arg0_1: PyTypeDomainType :: + { (Iterator(arg0_1): PyTypeDomainType), (Iterator_arg(Z, 0): PyTypeDomainType) } + (issubtype(Z, (Iterator(arg0_1): PyTypeDomainType)): bool) ==> (Iterator_arg(Z, 0): PyTypeDomainType) == arg0_1 +); + +// Translation of domain axiom subtype_Thread_0 +axiom (extends_(Thread_0, object): bool) && (get_basic(Thread_0): PyTypeDomainType) == Thread_0; + +// Translation of domain axiom subtype_LevelType +axiom (extends_(LevelType, object): bool) && (get_basic(LevelType): PyTypeDomainType) == LevelType; + +// Translation of domain axiom subtype_type +axiom (extends_(vtype, object): bool) && (get_basic(vtype): PyTypeDomainType) == vtype; + +// Translation of domain axiom subtype_Place +axiom (extends_(Place, object): bool) && (get_basic(Place): PyTypeDomainType) == Place; + +// Translation of domain axiom subtype___prim__Seq_type +axiom (extends_(__prim__Seq_type, object): bool) && (get_basic(__prim__Seq_type): PyTypeDomainType) == __prim__Seq_type; + +// Translation of domain axiom subtype_SoldoutException +axiom (extends_(SoldoutException, Exception): bool) && (get_basic(SoldoutException): PyTypeDomainType) == SoldoutException; + +// Translation of domain axiom subtype_Ticket +axiom (extends_(Ticket, object): bool) && (get_basic(Ticket): PyTypeDomainType) == Ticket; + +// ================================================== +// Translation of domain SIFDomain +// ================================================== + +// The type for domain SIFDomain +type SIFDomainDomainType T; + +// Translation of domain function Low +function Low(x: T): bool; + +// Translation of domain axiom low_true +axiom (forall x_1: T :: + { (Low(x_1): bool) } + (Low(x_1): bool) +); + +// ================================================== +// Translation of domain _list_ce_helper +// ================================================== + +// The type for domain _list_ce_helper +type _list_ce_helperDomainType; + +// Translation of domain function seq_ref_length +function seq_ref_length(___s: (Seq Ref)): int; + +// Translation of domain function seq_ref_index +function seq_ref_index(___s: (Seq Ref), i_1: int): Ref; + +// Translation of domain axiom relate_length +axiom (forall ___s_1: (Seq Ref) :: + { Seq#Length(___s_1) } + Seq#Length(___s_1) == (seq_ref_length(___s_1): int) +); + +// Translation of domain axiom relate_index +axiom (forall ___s_1: (Seq Ref), ___i: int :: + { Seq#Index(___s_1, ___i) } + Seq#Index(___s_1, ___i) == (seq_ref_index(___s_1, ___i): Ref) +); + +// ================================================== +// Translation of domain Measure$ +// ================================================== + +// The type for domain Measure$ +type Measure$DomainType; + +// Translation of domain function Measure$create +function Measure$create(guard: bool, key: Ref, value: int): Measure$DomainType; + +// Translation of domain function Measure$guard +function Measure$guard(m: Measure$DomainType): bool; + +// Translation of domain function Measure$key +function Measure$key(m: Measure$DomainType): Ref; + +// Translation of domain function Measure$value +function Measure$value(m: Measure$DomainType): int; + +// Translation of domain axiom Measure$A0 +axiom (forall g: bool, k: Ref, v_2: int :: + { (Measure$guard((Measure$create(g, k, v_2): Measure$DomainType)): bool) } + (Measure$guard((Measure$create(g, k, v_2): Measure$DomainType)): bool) == g +); + +// Translation of domain axiom Measure$A1 +axiom (forall g: bool, k: Ref, v_2: int :: + { (Measure$key((Measure$create(g, k, v_2): Measure$DomainType)): Ref) } + (Measure$key((Measure$create(g, k, v_2): Measure$DomainType)): Ref) == k +); + +// Translation of domain axiom Measure$A2 +axiom (forall g: bool, k: Ref, v_2: int :: + { (Measure$value((Measure$create(g, k, v_2): Measure$DomainType)): int) } + (Measure$value((Measure$create(g, k, v_2): Measure$DomainType)): int) == v_2 +); + +// ================================================== +// Translation of domain _dict_ce_helper +// ================================================== + +// The type for domain _dict_ce_helper +type _dict_ce_helperDomainType; + +// Translation of domain function dict_get_helper +function dict_get_helper(___s: (Set Ref), ___s2: Ref, ___s3: Ref): Ref; + +// ================================================== +// Translation of domain _Name +// ================================================== + +// The type for domain _Name +type _NameDomainType; + +// Translation of domain function _combine +function _combine(n1: _NameDomainType, n2: _NameDomainType): _NameDomainType; + +// Translation of domain function _single +function _single(n: int): _NameDomainType; + +// Translation of domain function _get_combined_prefix +function _get_combined_prefix(n: _NameDomainType): _NameDomainType; + +// Translation of domain function _get_combined_name +function _get_combined_name(n: _NameDomainType): _NameDomainType; + +// Translation of domain function _get_value +function _get_value(n: _NameDomainType): int; + +// Translation of domain function _name_type +function _name_type(n: _NameDomainType): bool; + +// Translation of domain function _is_single +function _is_single(n: _NameDomainType): bool; + +// Translation of domain function _is_combined +function _is_combined(n: _NameDomainType): bool; + +// Translation of domain axiom decompose_single +axiom (forall i: int :: + { (_single(i): _NameDomainType) } + (_get_value((_single(i): _NameDomainType)): int) == i +); + +// Translation of domain axiom compose_single +axiom (forall n_1: _NameDomainType :: + { (_get_value(n_1): int) } + (_is_single(n_1): bool) ==> n_1 == (_single((_get_value(n_1): int)): _NameDomainType) +); + +// Translation of domain axiom type_of_single +axiom (forall i: int :: + { (_single(i): _NameDomainType) } + (_name_type((_single(i): _NameDomainType)): bool) +); + +// Translation of domain axiom decompose_combined +axiom (forall n1_1: _NameDomainType, n2_1: _NameDomainType :: + { (_combine(n1_1, n2_1): _NameDomainType) } + (_get_combined_prefix((_combine(n1_1, n2_1): _NameDomainType)): _NameDomainType) == n1_1 && (_get_combined_name((_combine(n1_1, n2_1): _NameDomainType)): _NameDomainType) == n2_1 +); + +// Translation of domain axiom compose_combined +axiom (forall n_1: _NameDomainType :: + { (_get_combined_prefix(n_1): _NameDomainType) } { (_get_combined_name(n_1): _NameDomainType) } + (_is_combined(n_1): bool) ==> n_1 == (_combine((_get_combined_prefix(n_1): _NameDomainType), (_get_combined_name(n_1): _NameDomainType)): _NameDomainType) +); + +// Translation of domain axiom type_of_composed +axiom (forall n1_1: _NameDomainType, n2_1: _NameDomainType :: + { (_combine(n1_1, n2_1): _NameDomainType) } + !(_name_type((_combine(n1_1, n2_1): _NameDomainType)): bool) +); + +// Translation of domain axiom type_is_single +axiom (forall n_1: _NameDomainType :: + { (_name_type(n_1): bool) } + (_name_type(n_1): bool) == (_is_single(n_1): bool) +); + +// Translation of domain axiom type_is_combined +axiom (forall n_1: _NameDomainType :: + { (_name_type(n_1): bool) } + !(_name_type(n_1): bool) == (_is_combined(n_1): bool) +); + +// ================================================== +// Translation of all fields +// ================================================== + +const unique _val: Field NormalField Ref; +axiom !IsPredicateField(_val); +axiom !IsWandField(_val); +const unique __container: Field NormalField Ref; +axiom !IsPredicateField(__container); +axiom !IsWandField(__container); +const unique __iter_index: Field NormalField int; +axiom !IsPredicateField(__iter_index); +axiom !IsWandField(__iter_index); +const unique __previous: Field NormalField (Seq Ref); +axiom !IsPredicateField(__previous); +axiom !IsWandField(__previous); +const unique list_acc: Field NormalField (Seq Ref); +axiom !IsPredicateField(list_acc); +axiom !IsWandField(list_acc); +const unique set_acc: Field NormalField (Set Ref); +axiom !IsPredicateField(set_acc); +axiom !IsWandField(set_acc); +const unique dict_acc: Field NormalField (Set Ref); +axiom !IsPredicateField(dict_acc); +axiom !IsWandField(dict_acc); +const unique dict_acc2: Field NormalField Ref; +axiom !IsPredicateField(dict_acc2); +axiom !IsWandField(dict_acc2); +const unique Measure$acc: Field NormalField (Seq Ref); +axiom !IsPredicateField(Measure$acc); +axiom !IsWandField(Measure$acc); +const unique MustReleaseBounded: Field NormalField int; +axiom !IsPredicateField(MustReleaseBounded); +axiom !IsWandField(MustReleaseBounded); +const unique MustReleaseUnbounded: Field NormalField int; +axiom !IsPredicateField(MustReleaseUnbounded); +axiom !IsWandField(MustReleaseUnbounded); +const unique Ticket_show_id: Field NormalField Ref; +axiom !IsPredicateField(Ticket_show_id); +axiom !IsWandField(Ticket_show_id); +const unique Ticket_row: Field NormalField Ref; +axiom !IsPredicateField(Ticket_row); +axiom !IsWandField(Ticket_row); +const unique Ticket_seat: Field NormalField Ref; +axiom !IsPredicateField(Ticket_seat); +axiom !IsWandField(Ticket_seat); +const unique Ticket_discount_code: Field NormalField Ref; +axiom !IsPredicateField(Ticket_discount_code); +axiom !IsWandField(Ticket_discount_code); + +// ================================================== +// Translation of function _isDefined +// ================================================== + +// Uninterpreted function definitions +function _isDefined(Heap: HeapType, id: int): bool; +function _isDefined'(Heap: HeapType, id: int): bool; +axiom (forall Heap: HeapType, id: int :: + { _isDefined(Heap, id) } + _isDefined(Heap, id) == _isDefined'(Heap, id) && dummyFunction(_isDefined#triggerStateless(id)) +); +axiom (forall Heap: HeapType, id: int :: + { _isDefined'(Heap, id) } + dummyFunction(_isDefined#triggerStateless(id)) +); + +// Framing axioms +function _isDefined#frame(frame: FrameType, id: int): bool; +axiom (forall Heap: HeapType, Mask: MaskType, id: int :: + { state(Heap, Mask), _isDefined'(Heap, id) } + state(Heap, Mask) ==> _isDefined'(Heap, id) == _isDefined#frame(EmptyFrame, id) +); + +// Trigger function (controlling recursive postconditions) +function _isDefined#trigger(frame: FrameType, id: int): bool; + +// State-independent trigger function +function _isDefined#triggerStateless(id: int): bool; + +// Check contract well-formedness and postcondition +procedure _isDefined#definedness(id: int) returns (Result: bool) + modifies Heap, Mask; +{ + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == 18; + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); +} + +// ================================================== +// Translation of function _checkDefined +// ================================================== + +// Uninterpreted function definitions +function _checkDefined(Heap: HeapType, val: Ref, id: int): Ref; +function _checkDefined'(Heap: HeapType, val: Ref, id: int): Ref; +axiom (forall Heap: HeapType, val: Ref, id: int :: + { _checkDefined(Heap, val, id) } + _checkDefined(Heap, val, id) == _checkDefined'(Heap, val, id) && dummyFunction(_checkDefined#triggerStateless(val, id)) +); +axiom (forall Heap: HeapType, val: Ref, id: int :: + { _checkDefined'(Heap, val, id) } + dummyFunction(_checkDefined#triggerStateless(val, id)) +); + +// Definitional axiom +axiom (forall Heap: HeapType, Mask: MaskType, val: Ref, id: int :: + { state(Heap, Mask), _checkDefined(Heap, val, id) } + state(Heap, Mask) && AssumeFunctionsAbove < 9 ==> _isDefined(Heap, id) ==> _checkDefined(Heap, val, id) == val +); + +// Framing axioms +function _checkDefined#frame(frame: FrameType, val: Ref, id: int): Ref; +axiom (forall Heap: HeapType, Mask: MaskType, val: Ref, id: int :: + { state(Heap, Mask), _checkDefined'(Heap, val, id) } + state(Heap, Mask) ==> _checkDefined'(Heap, val, id) == _checkDefined#frame(EmptyFrame, val, id) +); + +// Trigger function (controlling recursive postconditions) +function _checkDefined#trigger(frame: FrameType, val: Ref, id: int): bool; + +// State-independent trigger function +function _checkDefined#triggerStateless(val: Ref, id: int): Ref; + +// Check contract well-formedness and postcondition +procedure _checkDefined#definedness(val: Ref, id: int) returns (Result: Ref) + modifies Heap, Mask; +{ + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume Heap[val, $allocated]; + assume AssumeFunctionsAbove == 9; + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Inhaling precondition (with checking) + assume state(Heap, Mask); + + // -- Check definedness of _isDefined(id) + if (*) { + // Stop execution + assume false; + } + assume _isDefined(Heap, id); + assume state(Heap, Mask); + + // -- Translate function body + Result := val; +} + +// ================================================== +// Translation of function __file__ +// ================================================== + +// Uninterpreted function definitions +function __file__(Heap: HeapType): Ref; +function __file__'(Heap: HeapType): Ref; +axiom (forall Heap: HeapType :: + { __file__(Heap) } + __file__(Heap) == __file__'(Heap) && dummyFunction(__file__#triggerStateless()) +); +axiom (forall Heap: HeapType :: + { __file__'(Heap) } + dummyFunction(__file__#triggerStateless()) +); + +// Framing axioms +function __file__#frame(frame: FrameType): Ref; +axiom (forall Heap: HeapType, Mask: MaskType :: + { state(Heap, Mask), __file__'(Heap) } + state(Heap, Mask) ==> __file__'(Heap) == __file__#frame(EmptyFrame) +); + +// Trigger function (controlling recursive postconditions) +function __file__#trigger(frame: FrameType): bool; + +// State-independent trigger function +function __file__#triggerStateless(): Ref; + +// Check contract well-formedness and postcondition +procedure __file__#definedness() returns (Result: Ref) + modifies Heap, Mask; +{ + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == 10; + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); +} + +// ================================================== +// Translation of function __name__ +// ================================================== + +// Uninterpreted function definitions +function __name__(Heap: HeapType): Ref; +function __name__'(Heap: HeapType): Ref; +axiom (forall Heap: HeapType :: + { __name__(Heap) } + __name__(Heap) == __name__'(Heap) && dummyFunction(__name__#triggerStateless()) +); +axiom (forall Heap: HeapType :: + { __name__'(Heap) } + dummyFunction(__name__#triggerStateless()) +); + +// Framing axioms +function __name__#frame(frame: FrameType): Ref; +axiom (forall Heap: HeapType, Mask: MaskType :: + { state(Heap, Mask), __name__'(Heap) } + state(Heap, Mask) ==> __name__'(Heap) == __name__#frame(EmptyFrame) +); + +// Trigger function (controlling recursive postconditions) +function __name__#trigger(frame: FrameType): bool; + +// State-independent trigger function +function __name__#triggerStateless(): Ref; + +// Check contract well-formedness and postcondition +procedure __name__#definedness() returns (Result: Ref) + modifies Heap, Mask; +{ + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == 0; + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); +} + +// ================================================== +// Translation of function __prim__int___box__ +// ================================================== + +// Uninterpreted function definitions +function __prim__int___box__(Heap: HeapType, prim: int): Ref; +function __prim__int___box__'(Heap: HeapType, prim: int): Ref; +axiom (forall Heap: HeapType, prim: int :: + { __prim__int___box__(Heap, prim) } + __prim__int___box__(Heap, prim) == __prim__int___box__'(Heap, prim) && dummyFunction(__prim__int___box__#triggerStateless(prim)) +); +axiom (forall Heap: HeapType, prim: int :: + { __prim__int___box__'(Heap, prim) } + dummyFunction(__prim__int___box__#triggerStateless(prim)) +); + +// Framing axioms +function __prim__int___box__#frame(frame: FrameType, prim: int): Ref; +axiom (forall Heap: HeapType, Mask: MaskType, prim: int :: + { state(Heap, Mask), __prim__int___box__'(Heap, prim) } + state(Heap, Mask) ==> __prim__int___box__'(Heap, prim) == __prim__int___box__#frame(EmptyFrame, prim) +); + +// Postcondition axioms +axiom (forall Heap: HeapType, Mask: MaskType, prim: int :: + { state(Heap, Mask), __prim__int___box__'(Heap, prim) } + state(Heap, Mask) && (AssumeFunctionsAbove < 15 || __prim__int___box__#trigger(EmptyFrame, prim)) ==> (typeof(__prim__int___box__'(Heap, prim)): PyTypeDomainType) == vint +); +axiom (forall Heap: HeapType, Mask: MaskType, prim: int :: + { state(Heap, Mask), __prim__int___box__'(Heap, prim) } + state(Heap, Mask) && (AssumeFunctionsAbove < 15 || __prim__int___box__#trigger(EmptyFrame, prim)) ==> int___unbox__'(Heap, __prim__int___box__'(Heap, prim)) == prim +); + +// Trigger function (controlling recursive postconditions) +function __prim__int___box__#trigger(frame: FrameType, prim: int): bool; + +// State-independent trigger function +function __prim__int___box__#triggerStateless(prim: int): Ref; + +// Check contract well-formedness and postcondition +procedure __prim__int___box__#definedness(prim: int) returns (Result: Ref) + modifies Heap, Mask; +{ + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == 15; + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Checking definedness of postcondition (no body) + assume (typeof(Result): PyTypeDomainType) == vint; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of int___unbox__(result) == prim + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function int___unbox__ might not hold. Assertion issubtype(typeof(result), int()) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@472.11--472.32) [2234]"} + (issubtype((typeof(Result): PyTypeDomainType), vint): bool); + // Stop execution + assume false; + } + assume int___unbox__(Heap, Result) == prim; + assume state(Heap, Mask); +} + +// ================================================== +// Translation of function int___unbox__ +// ================================================== + +// Uninterpreted function definitions +function int___unbox__(Heap: HeapType, box: Ref): int; +function int___unbox__'(Heap: HeapType, box: Ref): int; +axiom (forall Heap: HeapType, box: Ref :: + { int___unbox__(Heap, box) } + int___unbox__(Heap, box) == int___unbox__'(Heap, box) && dummyFunction(int___unbox__#triggerStateless(box)) +); +axiom (forall Heap: HeapType, box: Ref :: + { int___unbox__'(Heap, box) } + dummyFunction(int___unbox__#triggerStateless(box)) +); + +// Framing axioms +function int___unbox__#frame(frame: FrameType, box: Ref): int; +axiom (forall Heap: HeapType, Mask: MaskType, box: Ref :: + { state(Heap, Mask), int___unbox__'(Heap, box) } + state(Heap, Mask) ==> int___unbox__'(Heap, box) == int___unbox__#frame(EmptyFrame, box) +); + +// Postcondition axioms +axiom (forall Heap: HeapType, Mask: MaskType, box: Ref :: + { state(Heap, Mask), int___unbox__'(Heap, box) } + state(Heap, Mask) && (AssumeFunctionsAbove < 15 || int___unbox__#trigger(EmptyFrame, box)) ==> (issubtype((typeof(box): PyTypeDomainType), vint): bool) ==> !(issubtype((typeof(box): PyTypeDomainType), vbool): bool) ==> __prim__int___box__'(Heap, int___unbox__'(Heap, box)) == box +); +axiom (forall Heap: HeapType, Mask: MaskType, box: Ref :: + { state(Heap, Mask), int___unbox__'(Heap, box) } + state(Heap, Mask) && (AssumeFunctionsAbove < 15 || int___unbox__#trigger(EmptyFrame, box)) ==> (issubtype((typeof(box): PyTypeDomainType), vint): bool) ==> (issubtype((typeof(box): PyTypeDomainType), vbool): bool) ==> __prim__bool___box__'(Heap, int___unbox__'(Heap, box) != 0) == box +); + +// Trigger function (controlling recursive postconditions) +function int___unbox__#trigger(frame: FrameType, box: Ref): bool; + +// State-independent trigger function +function int___unbox__#triggerStateless(box: Ref): int; + +// Check contract well-formedness and postcondition +procedure int___unbox__#definedness(box: Ref) returns (Result: int) + modifies Heap, Mask; +{ + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume Heap[box, $allocated]; + assume AssumeFunctionsAbove == 15; + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Inhaling precondition (with checking) + assume (issubtype((typeof(box): PyTypeDomainType), vint): bool); + assume state(Heap, Mask); + + // -- Checking definedness of postcondition (no body) + if (!(issubtype((typeof(box): PyTypeDomainType), vbool): bool)) { + assume state(Heap, Mask); + + // -- Check definedness of __prim__int___box__(result) == box + if (*) { + // Stop execution + assume false; + } + assume __prim__int___box__(Heap, Result) == box; + } + assume state(Heap, Mask); + if ((issubtype((typeof(box): PyTypeDomainType), vbool): bool)) { + assume state(Heap, Mask); + + // -- Check definedness of __prim__bool___box__(result != 0) == box + if (*) { + // Stop execution + assume false; + } + assume __prim__bool___box__(Heap, Result != 0) == box; + } + assume state(Heap, Mask); +} + +// ================================================== +// Translation of function __prim__bool___box__ +// ================================================== + +// Uninterpreted function definitions +function __prim__bool___box__(Heap: HeapType, prim: bool): Ref; +function __prim__bool___box__'(Heap: HeapType, prim: bool): Ref; +axiom (forall Heap: HeapType, prim: bool :: + { __prim__bool___box__(Heap, prim) } + __prim__bool___box__(Heap, prim) == __prim__bool___box__'(Heap, prim) && dummyFunction(__prim__bool___box__#triggerStateless(prim)) +); +axiom (forall Heap: HeapType, prim: bool :: + { __prim__bool___box__'(Heap, prim) } + dummyFunction(__prim__bool___box__#triggerStateless(prim)) +); + +// Framing axioms +function __prim__bool___box__#frame(frame: FrameType, prim: bool): Ref; +axiom (forall Heap: HeapType, Mask: MaskType, prim: bool :: + { state(Heap, Mask), __prim__bool___box__'(Heap, prim) } + state(Heap, Mask) ==> __prim__bool___box__'(Heap, prim) == __prim__bool___box__#frame(EmptyFrame, prim) +); + +// Postcondition axioms +axiom (forall Heap: HeapType, Mask: MaskType, prim: bool :: + { state(Heap, Mask), __prim__bool___box__'(Heap, prim) } + state(Heap, Mask) && (AssumeFunctionsAbove < 15 || __prim__bool___box__#trigger(EmptyFrame, prim)) ==> (typeof(__prim__bool___box__'(Heap, prim)): PyTypeDomainType) == vbool +); +axiom (forall Heap: HeapType, Mask: MaskType, prim: bool :: + { state(Heap, Mask), __prim__bool___box__'(Heap, prim) } + state(Heap, Mask) && (AssumeFunctionsAbove < 15 || __prim__bool___box__#trigger(EmptyFrame, prim)) ==> bool___unbox__'(Heap, __prim__bool___box__'(Heap, prim)) == prim +); +axiom (forall Heap: HeapType, Mask: MaskType, prim: bool :: + { state(Heap, Mask), __prim__bool___box__'(Heap, prim) } + state(Heap, Mask) && (AssumeFunctionsAbove < 15 || __prim__bool___box__#trigger(EmptyFrame, prim)) ==> int___unbox__'(Heap, __prim__bool___box__'(Heap, prim)) == (if prim then 1 else 0) +); + +// Trigger function (controlling recursive postconditions) +function __prim__bool___box__#trigger(frame: FrameType, prim: bool): bool; + +// State-independent trigger function +function __prim__bool___box__#triggerStateless(prim: bool): Ref; + +// Check contract well-formedness and postcondition +procedure __prim__bool___box__#definedness(prim: bool) returns (Result: Ref) + modifies Heap, Mask; +{ + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == 15; + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Checking definedness of postcondition (no body) + assume (typeof(Result): PyTypeDomainType) == vbool; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of bool___unbox__(result) == prim + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function bool___unbox__ might not hold. Assertion issubtype(typeof(result), bool()) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@483.11--483.33) [2235]"} + (issubtype((typeof(Result): PyTypeDomainType), vbool): bool); + // Stop execution + assume false; + } + assume bool___unbox__(Heap, Result) == prim; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of int___unbox__(result) == (prim ? 1 : 0) + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function int___unbox__ might not hold. Assertion issubtype(typeof(result), int()) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@484.11--484.32) [2236]"} + (issubtype((typeof(Result): PyTypeDomainType), vint): bool); + // Stop execution + assume false; + } + assume int___unbox__(Heap, Result) == (if prim then 1 else 0); + assume state(Heap, Mask); +} + +// ================================================== +// Translation of function bool___unbox__ +// ================================================== + +// Uninterpreted function definitions +function bool___unbox__(Heap: HeapType, box: Ref): bool; +function bool___unbox__'(Heap: HeapType, box: Ref): bool; +axiom (forall Heap: HeapType, box: Ref :: + { bool___unbox__(Heap, box) } + bool___unbox__(Heap, box) == bool___unbox__'(Heap, box) && dummyFunction(bool___unbox__#triggerStateless(box)) +); +axiom (forall Heap: HeapType, box: Ref :: + { bool___unbox__'(Heap, box) } + dummyFunction(bool___unbox__#triggerStateless(box)) +); + +// Framing axioms +function bool___unbox__#frame(frame: FrameType, box: Ref): bool; +axiom (forall Heap: HeapType, Mask: MaskType, box: Ref :: + { state(Heap, Mask), bool___unbox__'(Heap, box) } + state(Heap, Mask) ==> bool___unbox__'(Heap, box) == bool___unbox__#frame(EmptyFrame, box) +); + +// Postcondition axioms +axiom (forall Heap: HeapType, Mask: MaskType, box: Ref :: + { state(Heap, Mask), bool___unbox__'(Heap, box) } + state(Heap, Mask) && (AssumeFunctionsAbove < 15 || bool___unbox__#trigger(EmptyFrame, box)) ==> (issubtype((typeof(box): PyTypeDomainType), vbool): bool) ==> __prim__bool___box__'(Heap, bool___unbox__'(Heap, box)) == box +); + +// Trigger function (controlling recursive postconditions) +function bool___unbox__#trigger(frame: FrameType, box: Ref): bool; + +// State-independent trigger function +function bool___unbox__#triggerStateless(box: Ref): bool; + +// Check contract well-formedness and postcondition +procedure bool___unbox__#definedness(box: Ref) returns (Result: bool) + modifies Heap, Mask; +{ + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume Heap[box, $allocated]; + assume AssumeFunctionsAbove == 15; + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Inhaling precondition (with checking) + assume (issubtype((typeof(box): PyTypeDomainType), vbool): bool); + assume state(Heap, Mask); + + // -- Checking definedness of postcondition (no body) + assume state(Heap, Mask); + + // -- Check definedness of __prim__bool___box__(result) == box + if (*) { + // Stop execution + assume false; + } + assume __prim__bool___box__(Heap, Result) == box; + assume state(Heap, Mask); +} + +// ================================================== +// Translation of function int___eq__ +// ================================================== + +// Uninterpreted function definitions +function int___eq__(Heap: HeapType, self: Ref, other: Ref): bool; +function int___eq__'(Heap: HeapType, self: Ref, other: Ref): bool; +axiom (forall Heap: HeapType, self: Ref, other: Ref :: + { int___eq__(Heap, self, other) } + int___eq__(Heap, self, other) == int___eq__'(Heap, self, other) && dummyFunction(int___eq__#triggerStateless(self, other)) +); +axiom (forall Heap: HeapType, self: Ref, other: Ref :: + { int___eq__'(Heap, self, other) } + dummyFunction(int___eq__#triggerStateless(self, other)) +); + +// Definitional axiom +axiom (forall Heap: HeapType, Mask: MaskType, self: Ref, other: Ref :: + { state(Heap, Mask), int___eq__(Heap, self, other) } + state(Heap, Mask) && AssumeFunctionsAbove < 1 ==> (issubtype((typeof(self): PyTypeDomainType), vint): bool) && (issubtype((typeof(other): PyTypeDomainType), vint): bool) ==> int___eq__(Heap, self, other) == (int___unbox__(Heap, self) == int___unbox__(Heap, other)) +); + +// Framing axioms +function int___eq__#frame(frame: FrameType, self: Ref, other: Ref): bool; +axiom (forall Heap: HeapType, Mask: MaskType, self: Ref, other: Ref :: + { state(Heap, Mask), int___eq__'(Heap, self, other) } + state(Heap, Mask) ==> int___eq__'(Heap, self, other) == int___eq__#frame(EmptyFrame, self, other) +); + +// Trigger function (controlling recursive postconditions) +function int___eq__#trigger(frame: FrameType, self: Ref, other: Ref): bool; + +// State-independent trigger function +function int___eq__#triggerStateless(self: Ref, other: Ref): bool; + +// Check contract well-formedness and postcondition +procedure int___eq__#definedness(self: Ref, other: Ref) returns (Result: bool) + modifies Heap, Mask; +{ + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume Heap[self, $allocated]; + assume Heap[other, $allocated]; + assume AssumeFunctionsAbove == 1; + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Inhaling precondition (with checking) + assume (issubtype((typeof(self): PyTypeDomainType), vint): bool); + assume state(Heap, Mask); + assume (issubtype((typeof(other): PyTypeDomainType), vint): bool); + assume state(Heap, Mask); + + // -- Check definedness of function body + + // -- Check definedness of int___unbox__(self) == int___unbox__(other) + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function int___unbox__ might not hold. Assertion issubtype(typeof(self), int()) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@496.3--496.22) [2237]"} + (issubtype((typeof(self): PyTypeDomainType), vint): bool); + // Stop execution + assume false; + } + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function int___unbox__ might not hold. Assertion issubtype(typeof(other), int()) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@496.26--496.46) [2238]"} + (issubtype((typeof(other): PyTypeDomainType), vint): bool); + // Stop execution + assume false; + } + + // -- Translate function body + Result := int___unbox__(Heap, self) == int___unbox__(Heap, other); +} + +// ================================================== +// Translation of function int___gt__ +// ================================================== + +// Uninterpreted function definitions +function int___gt__(Heap: HeapType, self: int, other: int): bool; +function int___gt__'(Heap: HeapType, self: int, other: int): bool; +axiom (forall Heap: HeapType, self: int, other: int :: + { int___gt__(Heap, self, other) } + int___gt__(Heap, self, other) == int___gt__'(Heap, self, other) && dummyFunction(int___gt__#triggerStateless(self, other)) +); +axiom (forall Heap: HeapType, self: int, other: int :: + { int___gt__'(Heap, self, other) } + dummyFunction(int___gt__#triggerStateless(self, other)) +); + +// Definitional axiom +axiom (forall Heap: HeapType, Mask: MaskType, self: int, other: int :: + { state(Heap, Mask), int___gt__(Heap, self, other) } + state(Heap, Mask) && AssumeFunctionsAbove < 4 ==> int___gt__(Heap, self, other) == (self > other) +); + +// Framing axioms +function int___gt__#frame(frame: FrameType, self: int, other: int): bool; +axiom (forall Heap: HeapType, Mask: MaskType, self: int, other: int :: + { state(Heap, Mask), int___gt__'(Heap, self, other) } + state(Heap, Mask) ==> int___gt__'(Heap, self, other) == int___gt__#frame(EmptyFrame, self, other) +); + +// Trigger function (controlling recursive postconditions) +function int___gt__#trigger(frame: FrameType, self: int, other: int): bool; + +// State-independent trigger function +function int___gt__#triggerStateless(self: int, other: int): bool; + +// Check contract well-formedness and postcondition +procedure int___gt__#definedness(self: int, other: int) returns (Result: bool) + modifies Heap, Mask; +{ + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == 4; + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Translate function body + Result := self > other; +} + +// ================================================== +// Translation of function int___sub__ +// ================================================== + +// Uninterpreted function definitions +function int___sub__(Heap: HeapType, self: int, other: int): int; +function int___sub__'(Heap: HeapType, self: int, other: int): int; +axiom (forall Heap: HeapType, self: int, other: int :: + { int___sub__(Heap, self, other) } + int___sub__(Heap, self, other) == int___sub__'(Heap, self, other) && dummyFunction(int___sub__#triggerStateless(self, other)) +); +axiom (forall Heap: HeapType, self: int, other: int :: + { int___sub__'(Heap, self, other) } + dummyFunction(int___sub__#triggerStateless(self, other)) +); + +// Definitional axiom +axiom (forall Heap: HeapType, Mask: MaskType, self: int, other: int :: + { state(Heap, Mask), int___sub__(Heap, self, other) } + state(Heap, Mask) && AssumeFunctionsAbove < 3 ==> int___sub__(Heap, self, other) == self - other +); + +// Framing axioms +function int___sub__#frame(frame: FrameType, self: int, other: int): int; +axiom (forall Heap: HeapType, Mask: MaskType, self: int, other: int :: + { state(Heap, Mask), int___sub__'(Heap, self, other) } + state(Heap, Mask) ==> int___sub__'(Heap, self, other) == int___sub__#frame(EmptyFrame, self, other) +); + +// Trigger function (controlling recursive postconditions) +function int___sub__#trigger(frame: FrameType, self: int, other: int): bool; + +// State-independent trigger function +function int___sub__#triggerStateless(self: int, other: int): int; + +// Check contract well-formedness and postcondition +procedure int___sub__#definedness(self: int, other: int) returns (Result: int) + modifies Heap, Mask; +{ + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == 3; + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Translate function body + Result := self - other; +} + +// ================================================== +// Translation of function list___len__ +// ================================================== + +// Uninterpreted function definitions +function list___len__(Heap: HeapType, self: Ref): int; +function list___len__'(Heap: HeapType, self: Ref): int; +axiom (forall Heap: HeapType, self: Ref :: + { list___len__(Heap, self) } + list___len__(Heap, self) == list___len__'(Heap, self) && dummyFunction(list___len__#triggerStateless(self)) +); +axiom (forall Heap: HeapType, self: Ref :: + { list___len__'(Heap, self) } + dummyFunction(list___len__#triggerStateless(self)) +); + +// Definitional axiom +axiom (forall Heap: HeapType, Mask: MaskType, self: Ref :: + { state(Heap, Mask), list___len__(Heap, self) } + state(Heap, Mask) && AssumeFunctionsAbove < 12 ==> (issubtype((typeof(self): PyTypeDomainType), (list((list_arg((typeof(self): PyTypeDomainType), 0): PyTypeDomainType)): PyTypeDomainType)): bool) ==> list___len__(Heap, self) == Seq#Length(Heap[self, list_acc]) +); + +// Framing axioms +function list___len__#frame(frame: FrameType, self: Ref): int; +axiom (forall Heap: HeapType, Mask: MaskType, self: Ref :: + { state(Heap, Mask), list___len__'(Heap, self) } + state(Heap, Mask) ==> list___len__'(Heap, self) == list___len__#frame(FrameFragment(Heap[self, list_acc]), self) +); + +// Trigger function (controlling recursive postconditions) +function list___len__#trigger(frame: FrameType, self: Ref): bool; + +// State-independent trigger function +function list___len__#triggerStateless(self: Ref): int; + +// Check contract well-formedness and postcondition +procedure list___len__#definedness(self: Ref) returns (Result: int) + modifies Heap, Mask; +{ + var wildcard: real where wildcard > NoPerm; + var perm: Perm; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume Heap[self, $allocated]; + assume AssumeFunctionsAbove == 12; + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Inhaling precondition (with checking) + assume (issubtype((typeof(self): PyTypeDomainType), (list((list_arg((typeof(self): PyTypeDomainType), 0): PyTypeDomainType)): PyTypeDomainType)): bool); + assume state(Heap, Mask); + havoc wildcard; + perm := wildcard; + assume self != null; + Mask[self, list_acc] := Mask[self, list_acc] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of function body + + // -- Check definedness of |self.list_acc| + assert {:msg " Function might not be well-formed. There might be insufficient permission to access self.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@509.1--514.2) [2239]"} + HasDirectPerm(Mask, self, list_acc); + + // -- Translate function body + Result := Seq#Length(Heap[self, list_acc]); +} + +// ================================================== +// Translation of function list___sil_seq__ +// ================================================== + +// Uninterpreted function definitions +function list___sil_seq__(Heap: HeapType, self: Ref): Seq Ref; +function list___sil_seq__'(Heap: HeapType, self: Ref): Seq Ref; +axiom (forall Heap: HeapType, self: Ref :: + { list___sil_seq__(Heap, self) } + list___sil_seq__(Heap, self) == list___sil_seq__'(Heap, self) && dummyFunction(list___sil_seq__#triggerStateless(self)) +); +axiom (forall Heap: HeapType, self: Ref :: + { list___sil_seq__'(Heap, self) } + dummyFunction(list___sil_seq__#triggerStateless(self)) +); + +// Definitional axiom +axiom (forall Heap: HeapType, Mask: MaskType, self: Ref :: + { state(Heap, Mask), list___sil_seq__(Heap, self) } + state(Heap, Mask) && AssumeFunctionsAbove < 11 ==> list___sil_seq__(Heap, self) == Heap[self, list_acc] +); + +// Framing axioms +function list___sil_seq__#frame(frame: FrameType, self: Ref): Seq Ref; +axiom (forall Heap: HeapType, Mask: MaskType, self: Ref :: + { state(Heap, Mask), list___sil_seq__'(Heap, self) } + state(Heap, Mask) ==> list___sil_seq__'(Heap, self) == list___sil_seq__#frame(FrameFragment(Heap[self, list_acc]), self) +); + +// Trigger function (controlling recursive postconditions) +function list___sil_seq__#trigger(frame: FrameType, self: Ref): bool; + +// State-independent trigger function +function list___sil_seq__#triggerStateless(self: Ref): Seq Ref; + +// Check contract well-formedness and postcondition +procedure list___sil_seq__#definedness(self: Ref) returns (Result: (Seq Ref)) + modifies Heap, Mask; +{ + var wildcard: real where wildcard > NoPerm; + var perm: Perm; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume Heap[self, $allocated]; + assume AssumeFunctionsAbove == 11; + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Inhaling precondition (with checking) + havoc wildcard; + perm := wildcard; + assume self != null; + Mask[self, list_acc] := Mask[self, list_acc] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of function body + + // -- Check definedness of self.list_acc + assert {:msg " Function might not be well-formed. There might be insufficient permission to access self.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@516.1--520.2) [2240]"} + HasDirectPerm(Mask, self, list_acc); + + // -- Translate function body + Result := Heap[self, list_acc]; +} + +// ================================================== +// Translation of function Level +// ================================================== + +// Uninterpreted function definitions +function Level(Heap: HeapType, r_1: Ref): Perm; +function Level'(Heap: HeapType, r_1: Ref): Perm; +axiom (forall Heap: HeapType, r_1: Ref :: + { Level(Heap, r_1) } + Level(Heap, r_1) == Level'(Heap, r_1) && dummyFunction(Level#triggerStateless(r_1)) +); +axiom (forall Heap: HeapType, r_1: Ref :: + { Level'(Heap, r_1) } + dummyFunction(Level#triggerStateless(r_1)) +); + +// Framing axioms +function Level#frame(frame: FrameType, r_1: Ref): Perm; +axiom (forall Heap: HeapType, Mask: MaskType, r_1: Ref :: + { state(Heap, Mask), Level'(Heap, r_1) } + state(Heap, Mask) ==> Level'(Heap, r_1) == Level#frame(EmptyFrame, r_1) +); + +// Trigger function (controlling recursive postconditions) +function Level#trigger(frame: FrameType, r_1: Ref): bool; + +// State-independent trigger function +function Level#triggerStateless(r_1: Ref): Perm; + +// Check contract well-formedness and postcondition +procedure Level#definedness(r_1: Ref) returns (Result: Perm) + modifies Heap, Mask; +{ + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume Heap[r_1, $allocated]; + assume AssumeFunctionsAbove == 14; + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); +} + +// ================================================== +// Translation of function Measure$check +// ================================================== + +// Uninterpreted function definitions +function Measure$check(Heap: HeapType, vmap: (Seq Measure$DomainType), key_1: Ref, value_1: int): bool; +function Measure$check'(Heap: HeapType, vmap: (Seq Measure$DomainType), key_1: Ref, value_1: int): bool; +axiom (forall Heap: HeapType, vmap: (Seq Measure$DomainType), key_1: Ref, value_1: int :: + { Measure$check(Heap, vmap, key_1, value_1) } + Measure$check(Heap, vmap, key_1, value_1) == Measure$check'(Heap, vmap, key_1, value_1) && dummyFunction(Measure$check#triggerStateless(vmap, key_1, value_1)) +); +axiom (forall Heap: HeapType, vmap: (Seq Measure$DomainType), key_1: Ref, value_1: int :: + { Measure$check'(Heap, vmap, key_1, value_1) } + dummyFunction(Measure$check#triggerStateless(vmap, key_1, value_1)) +); + +// Definitional axiom +axiom (forall Heap: HeapType, Mask: MaskType, vmap: (Seq Measure$DomainType), key_1: Ref, value_1: int :: + { state(Heap, Mask), Measure$check(Heap, vmap, key_1, value_1) } + state(Heap, Mask) && AssumeFunctionsAbove < 6 ==> Measure$check(Heap, vmap, key_1, value_1) == (forall m_1: Measure$DomainType :: + { Seq#ContainsTrigger(vmap, m_1) } { Seq#Contains(vmap, m_1) } + Seq#Contains(vmap, m_1) ==> (Measure$guard(m_1): bool) && (Measure$key(m_1): Ref) == key_1 ==> (Measure$value(m_1): int) > value_1 + ) +); + +// Framing axioms +function Measure$check#frame(frame: FrameType, vmap: (Seq Measure$DomainType), key_1: Ref, value_1: int): bool; +axiom (forall Heap: HeapType, Mask: MaskType, vmap: (Seq Measure$DomainType), key_1: Ref, value_1: int :: + { state(Heap, Mask), Measure$check'(Heap, vmap, key_1, value_1) } + state(Heap, Mask) ==> Measure$check'(Heap, vmap, key_1, value_1) == Measure$check#frame(EmptyFrame, vmap, key_1, value_1) +); + +// Trigger function (controlling recursive postconditions) +function Measure$check#trigger(frame: FrameType, vmap: (Seq Measure$DomainType), key_1: Ref, value_1: int): bool; + +// State-independent trigger function +function Measure$check#triggerStateless(vmap: (Seq Measure$DomainType), key_1: Ref, value_1: int): bool; + +// Check contract well-formedness and postcondition +procedure Measure$check#definedness(vmap: (Seq Measure$DomainType), key_1: Ref, value_1: int) returns (Result: bool) + modifies Heap, Mask; +{ + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume Heap[key_1, $allocated]; + assume AssumeFunctionsAbove == 6; + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Check definedness of function body + + // -- Check definedness of (forall m: Measure$ :: { (m in map) } (m in map) ==> Measure$guard(m) && Measure$key(m) == key ==> Measure$value(m) > value) + if (*) { + assume false; + } + + // -- Translate function body + Result := (forall m_2: Measure$DomainType :: + { Seq#ContainsTrigger(vmap, m_2) } { Seq#Contains(vmap, m_2) } + Seq#Contains(vmap, m_2) ==> (Measure$guard(m_2): bool) && (Measure$key(m_2): Ref) == key_1 ==> (Measure$value(m_2): int) > value_1 + ); +} + +// ================================================== +// Translation of function PSeq___create__ +// ================================================== + +// Uninterpreted function definitions +function PSeq___create__(Heap: HeapType, prim: (Seq Ref), cont_type: PyTypeDomainType): Ref; +function PSeq___create__'(Heap: HeapType, prim: (Seq Ref), cont_type: PyTypeDomainType): Ref; +axiom (forall Heap: HeapType, prim: (Seq Ref), cont_type: PyTypeDomainType :: + { PSeq___create__(Heap, prim, cont_type) } + PSeq___create__(Heap, prim, cont_type) == PSeq___create__'(Heap, prim, cont_type) && dummyFunction(PSeq___create__#triggerStateless(prim, cont_type)) +); +axiom (forall Heap: HeapType, prim: (Seq Ref), cont_type: PyTypeDomainType :: + { PSeq___create__'(Heap, prim, cont_type) } + dummyFunction(PSeq___create__#triggerStateless(prim, cont_type)) +); + +// Framing axioms +function PSeq___create__#frame(frame: FrameType, prim: (Seq Ref), cont_type: PyTypeDomainType): Ref; +axiom (forall Heap: HeapType, Mask: MaskType, prim: (Seq Ref), cont_type: PyTypeDomainType :: + { state(Heap, Mask), PSeq___create__'(Heap, prim, cont_type) } + state(Heap, Mask) ==> PSeq___create__'(Heap, prim, cont_type) == PSeq___create__#frame(EmptyFrame, prim, cont_type) +); + +// Postcondition axioms +axiom (forall Heap: HeapType, Mask: MaskType, prim: (Seq Ref), cont_type: PyTypeDomainType :: + { state(Heap, Mask), PSeq___create__'(Heap, prim, cont_type) } + state(Heap, Mask) && (AssumeFunctionsAbove < 8 || PSeq___create__#trigger(EmptyFrame, prim, cont_type)) ==> (typeof(PSeq___create__'(Heap, prim, cont_type)): PyTypeDomainType) == (PSeq(cont_type): PyTypeDomainType) +); +axiom (forall Heap: HeapType, Mask: MaskType, prim: (Seq Ref), cont_type: PyTypeDomainType :: + { state(Heap, Mask), PSeq___create__'(Heap, prim, cont_type) } + state(Heap, Mask) && (AssumeFunctionsAbove < 8 || PSeq___create__#trigger(EmptyFrame, prim, cont_type)) ==> Seq#Equal(PSeq___sil_seq__(Heap, PSeq___create__'(Heap, prim, cont_type)), prim) +); + +// Trigger function (controlling recursive postconditions) +function PSeq___create__#trigger(frame: FrameType, prim: (Seq Ref), cont_type: PyTypeDomainType): bool; + +// State-independent trigger function +function PSeq___create__#triggerStateless(prim: (Seq Ref), cont_type: PyTypeDomainType): Ref; + +// Check contract well-formedness and postcondition +procedure PSeq___create__#definedness(prim: (Seq Ref), cont_type: PyTypeDomainType) returns (Result: Ref) + modifies Heap, Mask; +{ + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == 8; + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Checking definedness of postcondition (no body) + assume (typeof(Result): PyTypeDomainType) == (PSeq(cont_type): PyTypeDomainType); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of PSeq___sil_seq__(result) == prim + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function PSeq___sil_seq__ might not hold. Assertion issubtype(typeof(result), PSeq(PSeq_arg(typeof(result), 0))) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@532.11--532.35) [2241]"} + (issubtype((typeof(Result): PyTypeDomainType), (PSeq((PSeq_arg((typeof(Result): PyTypeDomainType), 0): PyTypeDomainType)): PyTypeDomainType)): bool); + // Stop execution + assume false; + } + assume Seq#Equal(PSeq___sil_seq__(Heap, Result), prim); + assume state(Heap, Mask); +} + +// ================================================== +// Translation of function PSeq___sil_seq__ +// ================================================== + +// Uninterpreted function definitions +function PSeq___sil_seq__(Heap: HeapType, box: Ref): Seq Ref; +function PSeq___sil_seq__'(Heap: HeapType, box: Ref): Seq Ref; +axiom (forall Heap: HeapType, box: Ref :: + { PSeq___sil_seq__(Heap, box) } + PSeq___sil_seq__(Heap, box) == PSeq___sil_seq__'(Heap, box) && dummyFunction(PSeq___sil_seq__#triggerStateless(box)) +); +axiom (forall Heap: HeapType, box: Ref :: + { PSeq___sil_seq__'(Heap, box) } + dummyFunction(PSeq___sil_seq__#triggerStateless(box)) +); + +// Framing axioms +function PSeq___sil_seq__#frame(frame: FrameType, box: Ref): Seq Ref; +axiom (forall Heap: HeapType, Mask: MaskType, box: Ref :: + { state(Heap, Mask), PSeq___sil_seq__'(Heap, box) } + state(Heap, Mask) ==> PSeq___sil_seq__'(Heap, box) == PSeq___sil_seq__#frame(EmptyFrame, box) +); + +// Trigger function (controlling recursive postconditions) +function PSeq___sil_seq__#trigger(frame: FrameType, box: Ref): bool; + +// State-independent trigger function +function PSeq___sil_seq__#triggerStateless(box: Ref): Seq Ref; + +// Check contract well-formedness and postcondition +procedure PSeq___sil_seq__#definedness(box: Ref) returns (Result: (Seq Ref)) + modifies Heap, Mask; +{ + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume Heap[box, $allocated]; + assume AssumeFunctionsAbove == 17; + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Inhaling precondition (with checking) + assume (issubtype((typeof(box): PyTypeDomainType), (PSeq((PSeq_arg((typeof(box): PyTypeDomainType), 0): PyTypeDomainType)): PyTypeDomainType)): bool); + assume state(Heap, Mask); +} + +// ================================================== +// Translation of function PSeq___len__ +// ================================================== + +// Uninterpreted function definitions +function PSeq___len__(Heap: HeapType, self: Ref): int; +function PSeq___len__'(Heap: HeapType, self: Ref): int; +axiom (forall Heap: HeapType, self: Ref :: + { PSeq___len__(Heap, self) } + PSeq___len__(Heap, self) == PSeq___len__'(Heap, self) && dummyFunction(PSeq___len__#triggerStateless(self)) +); +axiom (forall Heap: HeapType, self: Ref :: + { PSeq___len__'(Heap, self) } + dummyFunction(PSeq___len__#triggerStateless(self)) +); + +// Framing axioms +function PSeq___len__#frame(frame: FrameType, self: Ref): int; +axiom (forall Heap: HeapType, Mask: MaskType, self: Ref :: + { state(Heap, Mask), PSeq___len__'(Heap, self) } + state(Heap, Mask) ==> PSeq___len__'(Heap, self) == PSeq___len__#frame(EmptyFrame, self) +); + +// Postcondition axioms +axiom (forall Heap: HeapType, Mask: MaskType, self: Ref :: + { state(Heap, Mask), PSeq___len__'(Heap, self) } + state(Heap, Mask) && (AssumeFunctionsAbove < 2 || PSeq___len__#trigger(EmptyFrame, self)) ==> (issubtype((typeof(self): PyTypeDomainType), (PSeq((PSeq_arg((typeof(self): PyTypeDomainType), 0): PyTypeDomainType)): PyTypeDomainType)): bool) ==> PSeq___len__'(Heap, self) == Seq#Length(PSeq___sil_seq__(Heap, self)) +); + +// Trigger function (controlling recursive postconditions) +function PSeq___len__#trigger(frame: FrameType, self: Ref): bool; + +// State-independent trigger function +function PSeq___len__#triggerStateless(self: Ref): int; + +// Check contract well-formedness and postcondition +procedure PSeq___len__#definedness(self: Ref) returns (Result: int) + modifies Heap, Mask; +{ + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume Heap[self, $allocated]; + assume AssumeFunctionsAbove == 2; + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Inhaling precondition (with checking) + assume (issubtype((typeof(self): PyTypeDomainType), (PSeq((PSeq_arg((typeof(self): PyTypeDomainType), 0): PyTypeDomainType)): PyTypeDomainType)): bool); + assume state(Heap, Mask); + + // -- Checking definedness of postcondition (no body) + assume state(Heap, Mask); + + // -- Check definedness of result == |PSeq___sil_seq__(self)| + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function PSeq___sil_seq__ might not hold. Assertion issubtype(typeof(self), PSeq(PSeq_arg(typeof(self), 0))) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@541.22--541.44) [2242]"} + (issubtype((typeof(self): PyTypeDomainType), (PSeq((PSeq_arg((typeof(self): PyTypeDomainType), 0): PyTypeDomainType)): PyTypeDomainType)): bool); + // Stop execution + assume false; + } + assume Result == Seq#Length(PSeq___sil_seq__(Heap, self)); + assume state(Heap, Mask); +} + +// ================================================== +// Translation of function str___len__ +// ================================================== + +// Uninterpreted function definitions +function str___len__(Heap: HeapType, self: Ref): int; +function str___len__'(Heap: HeapType, self: Ref): int; +axiom (forall Heap: HeapType, self: Ref :: + { str___len__(Heap, self) } + str___len__(Heap, self) == str___len__'(Heap, self) && dummyFunction(str___len__#triggerStateless(self)) +); +axiom (forall Heap: HeapType, self: Ref :: + { str___len__'(Heap, self) } + dummyFunction(str___len__#triggerStateless(self)) +); + +// Framing axioms +function str___len__#frame(frame: FrameType, self: Ref): int; +axiom (forall Heap: HeapType, Mask: MaskType, self: Ref :: + { state(Heap, Mask), str___len__'(Heap, self) } + state(Heap, Mask) ==> str___len__'(Heap, self) == str___len__#frame(EmptyFrame, self) +); + +// Postcondition axioms +axiom (forall Heap: HeapType, Mask: MaskType, self: Ref :: + { state(Heap, Mask), str___len__'(Heap, self) } + state(Heap, Mask) && (AssumeFunctionsAbove < 19 || str___len__#trigger(EmptyFrame, self)) ==> str___len__'(Heap, self) >= 0 +); + +// Trigger function (controlling recursive postconditions) +function str___len__#trigger(frame: FrameType, self: Ref): bool; + +// State-independent trigger function +function str___len__#triggerStateless(self: Ref): int; + +// Check contract well-formedness and postcondition +procedure str___len__#definedness(self: Ref) returns (Result: int) + modifies Heap, Mask; +{ + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume Heap[self, $allocated]; + assume AssumeFunctionsAbove == 19; + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Checking definedness of postcondition (no body) + assume Result >= 0; + assume state(Heap, Mask); +} + +// ================================================== +// Translation of function str___val__ +// ================================================== + +// Uninterpreted function definitions +function str___val__(Heap: HeapType, self: Ref): int; +function str___val__'(Heap: HeapType, self: Ref): int; +axiom (forall Heap: HeapType, self: Ref :: + { str___val__(Heap, self) } + str___val__(Heap, self) == str___val__'(Heap, self) && dummyFunction(str___val__#triggerStateless(self)) +); +axiom (forall Heap: HeapType, self: Ref :: + { str___val__'(Heap, self) } + dummyFunction(str___val__#triggerStateless(self)) +); + +// Framing axioms +function str___val__#frame(frame: FrameType, self: Ref): int; +axiom (forall Heap: HeapType, Mask: MaskType, self: Ref :: + { state(Heap, Mask), str___val__'(Heap, self) } + state(Heap, Mask) ==> str___val__'(Heap, self) == str___val__#frame(EmptyFrame, self) +); + +// Trigger function (controlling recursive postconditions) +function str___val__#trigger(frame: FrameType, self: Ref): bool; + +// State-independent trigger function +function str___val__#triggerStateless(self: Ref): int; + +// Check contract well-formedness and postcondition +procedure str___val__#definedness(self: Ref) returns (Result: int) + modifies Heap, Mask; +{ + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume Heap[self, $allocated]; + assume AssumeFunctionsAbove == 20; + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); +} + +// ================================================== +// Translation of function str___create__ +// ================================================== + +// Uninterpreted function definitions +function str___create__(Heap: HeapType, len: int, value_1: int): Ref; +function str___create__'(Heap: HeapType, len: int, value_1: int): Ref; +axiom (forall Heap: HeapType, len: int, value_1: int :: + { str___create__(Heap, len, value_1) } + str___create__(Heap, len, value_1) == str___create__'(Heap, len, value_1) && dummyFunction(str___create__#triggerStateless(len, value_1)) +); +axiom (forall Heap: HeapType, len: int, value_1: int :: + { str___create__'(Heap, len, value_1) } + dummyFunction(str___create__#triggerStateless(len, value_1)) +); + +// Framing axioms +function str___create__#frame(frame: FrameType, len: int, value_1: int): Ref; +axiom (forall Heap: HeapType, Mask: MaskType, len: int, value_1: int :: + { state(Heap, Mask), str___create__'(Heap, len, value_1) } + state(Heap, Mask) ==> str___create__'(Heap, len, value_1) == str___create__#frame(EmptyFrame, len, value_1) +); + +// Postcondition axioms +axiom (forall Heap: HeapType, Mask: MaskType, len: int, value_1: int :: + { state(Heap, Mask), str___create__'(Heap, len, value_1) } + state(Heap, Mask) && (AssumeFunctionsAbove < 13 || str___create__#trigger(EmptyFrame, len, value_1)) ==> str___len__(Heap, str___create__'(Heap, len, value_1)) == len +); +axiom (forall Heap: HeapType, Mask: MaskType, len: int, value_1: int :: + { state(Heap, Mask), str___create__'(Heap, len, value_1) } + state(Heap, Mask) && (AssumeFunctionsAbove < 13 || str___create__#trigger(EmptyFrame, len, value_1)) ==> str___val__(Heap, str___create__'(Heap, len, value_1)) == value_1 +); +axiom (forall Heap: HeapType, Mask: MaskType, len: int, value_1: int :: + { state(Heap, Mask), str___create__'(Heap, len, value_1) } + state(Heap, Mask) && (AssumeFunctionsAbove < 13 || str___create__#trigger(EmptyFrame, len, value_1)) ==> (typeof(str___create__'(Heap, len, value_1)): PyTypeDomainType) == str +); + +// Trigger function (controlling recursive postconditions) +function str___create__#trigger(frame: FrameType, len: int, value_1: int): bool; + +// State-independent trigger function +function str___create__#triggerStateless(len: int, value_1: int): Ref; + +// Check contract well-formedness and postcondition +procedure str___create__#definedness(len: int, value_1: int) returns (Result: Ref) + modifies Heap, Mask; +{ + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == 13; + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Checking definedness of postcondition (no body) + assume state(Heap, Mask); + + // -- Check definedness of str___len__(result) == len + if (*) { + // Stop execution + assume false; + } + assume str___len__(Heap, Result) == len; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of str___val__(result) == value + if (*) { + // Stop execution + assume false; + } + assume str___val__(Heap, Result) == value_1; + assume state(Heap, Mask); + assume (typeof(Result): PyTypeDomainType) == str; + assume state(Heap, Mask); +} + +// ================================================== +// Translation of function str___eq__ +// ================================================== + +// Uninterpreted function definitions +function str___eq__(Heap: HeapType, self: Ref, other: Ref): bool; +function str___eq__'(Heap: HeapType, self: Ref, other: Ref): bool; +axiom (forall Heap: HeapType, self: Ref, other: Ref :: + { str___eq__(Heap, self, other) } + str___eq__(Heap, self, other) == str___eq__'(Heap, self, other) && dummyFunction(str___eq__#triggerStateless(self, other)) +); +axiom (forall Heap: HeapType, self: Ref, other: Ref :: + { str___eq__'(Heap, self, other) } + dummyFunction(str___eq__#triggerStateless(self, other)) +); + +// Framing axioms +function str___eq__#frame(frame: FrameType, self: Ref, other: Ref): bool; +axiom (forall Heap: HeapType, Mask: MaskType, self: Ref, other: Ref :: + { state(Heap, Mask), str___eq__'(Heap, self, other) } + state(Heap, Mask) ==> str___eq__'(Heap, self, other) == str___eq__#frame(EmptyFrame, self, other) +); + +// Postcondition axioms +axiom (forall Heap: HeapType, Mask: MaskType, self: Ref, other: Ref :: + { state(Heap, Mask), str___eq__'(Heap, self, other) } + state(Heap, Mask) && (AssumeFunctionsAbove < 5 || str___eq__#trigger(EmptyFrame, self, other)) ==> (issubtype((typeof(self): PyTypeDomainType), str): bool) ==> (str___val__(Heap, self) == str___val__(Heap, other)) == str___eq__'(Heap, self, other) +); +axiom (forall Heap: HeapType, Mask: MaskType, self: Ref, other: Ref :: + { state(Heap, Mask), str___eq__'(Heap, self, other) } + state(Heap, Mask) && (AssumeFunctionsAbove < 5 || str___eq__#trigger(EmptyFrame, self, other)) ==> (issubtype((typeof(self): PyTypeDomainType), str): bool) ==> str___eq__'(Heap, self, other) ==> str___len__(Heap, self) == str___len__(Heap, other) +); + +// Trigger function (controlling recursive postconditions) +function str___eq__#trigger(frame: FrameType, self: Ref, other: Ref): bool; + +// State-independent trigger function +function str___eq__#triggerStateless(self: Ref, other: Ref): bool; + +// Check contract well-formedness and postcondition +procedure str___eq__#definedness(self: Ref, other: Ref) returns (Result: bool) + modifies Heap, Mask; +{ + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume Heap[self, $allocated]; + assume Heap[other, $allocated]; + assume AssumeFunctionsAbove == 5; + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Inhaling precondition (with checking) + assume (issubtype((typeof(self): PyTypeDomainType), str): bool); + assume state(Heap, Mask); + + // -- Checking definedness of postcondition (no body) + assume state(Heap, Mask); + + // -- Check definedness of (str___val__(self) == str___val__(other)) == result + if (*) { + // Stop execution + assume false; + } + if (*) { + // Stop execution + assume false; + } + assume (str___val__(Heap, self) == str___val__(Heap, other)) == Result; + assume state(Heap, Mask); + if (Result) { + assume state(Heap, Mask); + + // -- Check definedness of str___len__(self) == str___len__(other) + if (*) { + // Stop execution + assume false; + } + if (*) { + // Stop execution + assume false; + } + assume str___len__(Heap, self) == str___len__(Heap, other); + } + assume state(Heap, Mask); +} + +// ================================================== +// Translation of function tuple___val__ +// ================================================== + +// Uninterpreted function definitions +function tuple___val__(Heap: HeapType, self: Ref): Seq Ref; +function tuple___val__'(Heap: HeapType, self: Ref): Seq Ref; +axiom (forall Heap: HeapType, self: Ref :: + { tuple___val__(Heap, self) } + tuple___val__(Heap, self) == tuple___val__'(Heap, self) && dummyFunction(tuple___val__#triggerStateless(self)) +); +axiom (forall Heap: HeapType, self: Ref :: + { tuple___val__'(Heap, self) } + dummyFunction(tuple___val__#triggerStateless(self)) +); + +// Framing axioms +function tuple___val__#frame(frame: FrameType, self: Ref): Seq Ref; +axiom (forall Heap: HeapType, Mask: MaskType, self: Ref :: + { state(Heap, Mask), tuple___val__'(Heap, self) } + state(Heap, Mask) ==> tuple___val__'(Heap, self) == tuple___val__#frame(EmptyFrame, self) +); + +// Trigger function (controlling recursive postconditions) +function tuple___val__#trigger(frame: FrameType, self: Ref): bool; + +// State-independent trigger function +function tuple___val__#triggerStateless(self: Ref): Seq Ref; + +// Check contract well-formedness and postcondition +procedure tuple___val__#definedness(self: Ref) returns (Result: (Seq Ref)) + modifies Heap, Mask; +{ + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume Heap[self, $allocated]; + assume AssumeFunctionsAbove == 22; + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); +} + +// ================================================== +// Translation of function tuple___create2__ +// ================================================== + +// Uninterpreted function definitions +function tuple___create2__(Heap: HeapType, arg0_1: Ref, arg1_1: Ref, t0: PyTypeDomainType, t1: PyTypeDomainType, ctr: int): Ref; +function tuple___create2__'(Heap: HeapType, arg0_1: Ref, arg1_1: Ref, t0: PyTypeDomainType, t1: PyTypeDomainType, ctr: int): Ref; +axiom (forall Heap: HeapType, arg0_1: Ref, arg1_1: Ref, t0: PyTypeDomainType, t1: PyTypeDomainType, ctr: int :: + { tuple___create2__(Heap, arg0_1, arg1_1, t0, t1, ctr) } + tuple___create2__(Heap, arg0_1, arg1_1, t0, t1, ctr) == tuple___create2__'(Heap, arg0_1, arg1_1, t0, t1, ctr) && dummyFunction(tuple___create2__#triggerStateless(arg0_1, arg1_1, t0, t1, ctr)) +); +axiom (forall Heap: HeapType, arg0_1: Ref, arg1_1: Ref, t0: PyTypeDomainType, t1: PyTypeDomainType, ctr: int :: + { tuple___create2__'(Heap, arg0_1, arg1_1, t0, t1, ctr) } + dummyFunction(tuple___create2__#triggerStateless(arg0_1, arg1_1, t0, t1, ctr)) +); + +// Framing axioms +function tuple___create2__#frame(frame: FrameType, arg0_1: Ref, arg1_1: Ref, t0: PyTypeDomainType, t1: PyTypeDomainType, ctr: int): Ref; +axiom (forall Heap: HeapType, Mask: MaskType, arg0_1: Ref, arg1_1: Ref, t0: PyTypeDomainType, t1: PyTypeDomainType, ctr: int :: + { state(Heap, Mask), tuple___create2__'(Heap, arg0_1, arg1_1, t0, t1, ctr) } + state(Heap, Mask) ==> tuple___create2__'(Heap, arg0_1, arg1_1, t0, t1, ctr) == tuple___create2__#frame(EmptyFrame, arg0_1, arg1_1, t0, t1, ctr) +); + +// Postcondition axioms +axiom (forall Heap: HeapType, Mask: MaskType, arg0_1: Ref, arg1_1: Ref, t0: PyTypeDomainType, t1: PyTypeDomainType, ctr: int :: + { state(Heap, Mask), tuple___create2__'(Heap, arg0_1, arg1_1, t0, t1, ctr) } + state(Heap, Mask) && (AssumeFunctionsAbove < 7 || tuple___create2__#trigger(EmptyFrame, arg0_1, arg1_1, t0, t1, ctr)) ==> (issubtype((typeof(arg0_1): PyTypeDomainType), t0): bool) && (issubtype((typeof(arg1_1): PyTypeDomainType), t1): bool) ==> tuple___create2__'(Heap, arg0_1, arg1_1, t0, t1, ctr) != null +); +axiom (forall Heap: HeapType, Mask: MaskType, arg0_1: Ref, arg1_1: Ref, t0: PyTypeDomainType, t1: PyTypeDomainType, ctr: int :: + { state(Heap, Mask), tuple___create2__'(Heap, arg0_1, arg1_1, t0, t1, ctr) } + state(Heap, Mask) && (AssumeFunctionsAbove < 7 || tuple___create2__#trigger(EmptyFrame, arg0_1, arg1_1, t0, t1, ctr)) ==> (issubtype((typeof(arg0_1): PyTypeDomainType), t0): bool) && (issubtype((typeof(arg1_1): PyTypeDomainType), t1): bool) ==> (typeof(tuple___create2__'(Heap, arg0_1, arg1_1, t0, t1, ctr)): PyTypeDomainType) == (tuple(Seq#Append(Seq#Singleton(t0), Seq#Singleton(t1))): PyTypeDomainType) +); +axiom (forall Heap: HeapType, Mask: MaskType, arg0_1: Ref, arg1_1: Ref, t0: PyTypeDomainType, t1: PyTypeDomainType, ctr: int :: + { state(Heap, Mask), tuple___create2__'(Heap, arg0_1, arg1_1, t0, t1, ctr) } + state(Heap, Mask) && (AssumeFunctionsAbove < 7 || tuple___create2__#trigger(EmptyFrame, arg0_1, arg1_1, t0, t1, ctr)) ==> (issubtype((typeof(arg0_1): PyTypeDomainType), t0): bool) && (issubtype((typeof(arg1_1): PyTypeDomainType), t1): bool) ==> Seq#Equal((tuple_args((typeof(tuple___create2__'(Heap, arg0_1, arg1_1, t0, t1, ctr)): PyTypeDomainType)): Seq PyTypeDomainType), Seq#Append(Seq#Singleton(t0), Seq#Singleton(t1))) +); +axiom (forall Heap: HeapType, Mask: MaskType, arg0_1: Ref, arg1_1: Ref, t0: PyTypeDomainType, t1: PyTypeDomainType, ctr: int :: + { state(Heap, Mask), tuple___create2__'(Heap, arg0_1, arg1_1, t0, t1, ctr) } + state(Heap, Mask) && (AssumeFunctionsAbove < 7 || tuple___create2__#trigger(EmptyFrame, arg0_1, arg1_1, t0, t1, ctr)) ==> (issubtype((typeof(arg0_1): PyTypeDomainType), t0): bool) && (issubtype((typeof(arg1_1): PyTypeDomainType), t1): bool) ==> Seq#Equal((tuple_args((typeof(tuple___create2__'(Heap, arg0_1, arg1_1, t0, t1, ctr)): PyTypeDomainType)): Seq PyTypeDomainType), Seq#Append(Seq#Singleton(t0), Seq#Singleton(t1))) +); +axiom (forall Heap: HeapType, Mask: MaskType, arg0_1: Ref, arg1_1: Ref, t0: PyTypeDomainType, t1: PyTypeDomainType, ctr: int :: + { state(Heap, Mask), tuple___create2__'(Heap, arg0_1, arg1_1, t0, t1, ctr) } + state(Heap, Mask) && (AssumeFunctionsAbove < 7 || tuple___create2__#trigger(EmptyFrame, arg0_1, arg1_1, t0, t1, ctr)) ==> (issubtype((typeof(arg0_1): PyTypeDomainType), t0): bool) && (issubtype((typeof(arg1_1): PyTypeDomainType), t1): bool) ==> Seq#Equal(tuple___val__(Heap, tuple___create2__'(Heap, arg0_1, arg1_1, t0, t1, ctr)), Seq#Append(Seq#Singleton(arg0_1), Seq#Singleton(arg1_1))) +); +axiom (forall Heap: HeapType, Mask: MaskType, arg0_1: Ref, arg1_1: Ref, t0: PyTypeDomainType, t1: PyTypeDomainType, ctr: int :: + { state(Heap, Mask), tuple___create2__'(Heap, arg0_1, arg1_1, t0, t1, ctr) } + state(Heap, Mask) && (AssumeFunctionsAbove < 7 || tuple___create2__#trigger(EmptyFrame, arg0_1, arg1_1, t0, t1, ctr)) ==> (issubtype((typeof(arg0_1): PyTypeDomainType), t0): bool) && (issubtype((typeof(arg1_1): PyTypeDomainType), t1): bool) ==> tuple___len__(Heap, tuple___create2__'(Heap, arg0_1, arg1_1, t0, t1, ctr)) == 2 && (tuple___getitem__(Heap, tuple___create2__'(Heap, arg0_1, arg1_1, t0, t1, ctr), 0) == arg0_1 && tuple___getitem__(Heap, tuple___create2__'(Heap, arg0_1, arg1_1, t0, t1, ctr), 1) == arg1_1) +); + +// Trigger function (controlling recursive postconditions) +function tuple___create2__#trigger(frame: FrameType, arg0_1: Ref, arg1_1: Ref, t0: PyTypeDomainType, t1: PyTypeDomainType, ctr: int): bool; + +// State-independent trigger function +function tuple___create2__#triggerStateless(arg0_1: Ref, arg1_1: Ref, t0: PyTypeDomainType, t1: PyTypeDomainType, ctr: int): Ref; + +// Check contract well-formedness and postcondition +procedure tuple___create2__#definedness(arg0_1: Ref, arg1_1: Ref, t0: PyTypeDomainType, t1: PyTypeDomainType, ctr: int) returns (Result: Ref) + modifies Heap, Mask; +{ + var ln_1: int; + var ln_3: int; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume Heap[arg0_1, $allocated]; + assume Heap[arg1_1, $allocated]; + assume AssumeFunctionsAbove == 7; + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Inhaling precondition (with checking) + assume (issubtype((typeof(arg0_1): PyTypeDomainType), t0): bool); + assume state(Heap, Mask); + assume (issubtype((typeof(arg1_1): PyTypeDomainType), t1): bool); + assume state(Heap, Mask); + + // -- Checking definedness of postcondition (no body) + assume Result != null; + assume state(Heap, Mask); + assume (typeof(Result): PyTypeDomainType) == (tuple(Seq#Append(Seq#Singleton(t0), Seq#Singleton(t1))): PyTypeDomainType); + assume state(Heap, Mask); + assume Seq#Equal((tuple_args((typeof(Result): PyTypeDomainType)): Seq PyTypeDomainType), Seq#Append(Seq#Singleton(t0), Seq#Singleton(t1))); + assume state(Heap, Mask); + assume Seq#Equal((tuple_args((typeof(Result): PyTypeDomainType)): Seq PyTypeDomainType), Seq#Append(Seq#Singleton(t0), Seq#Singleton(t1))); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of tuple___val__(result) == Seq(arg0, arg1) + if (*) { + // Stop execution + assume false; + } + assume Seq#Equal(tuple___val__(Heap, Result), Seq#Append(Seq#Singleton(arg0_1), Seq#Singleton(arg1_1))); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of tuple___len__(result) == 2 + if (*) { + // Stop execution + assume false; + } + assume tuple___len__(Heap, Result) == 2; + assume state(Heap, Mask); + + // -- Check definedness of tuple___getitem__(result, 0) == arg0 + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function tuple___getitem__ might not hold. Assertion (let ln == (tuple___len__(result)) in (0 >= 0 ==> 0 < ln) && (0 < 0 ==> 0 >= -ln)) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@574.42--574.70) [2243]"} + 0 < tuple___len__(Heap, Result); + + // -- Free assumptions (exhale module) + ln_1 := tuple___len__(Heap, Result); + // Stop execution + assume false; + } + assume tuple___getitem__(Heap, Result, 0) == arg0_1; + assume state(Heap, Mask); + + // -- Check definedness of tuple___getitem__(result, 1) == arg1 + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function tuple___getitem__ might not hold. Assertion (let ln == (tuple___len__(result)) in (1 >= 0 ==> 1 < ln) && (1 < 0 ==> 1 >= -ln)) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@574.82--574.110) [2244]"} + 1 < tuple___len__(Heap, Result); + + // -- Free assumptions (exhale module) + ln_3 := tuple___len__(Heap, Result); + // Stop execution + assume false; + } + assume tuple___getitem__(Heap, Result, 1) == arg1_1; + assume state(Heap, Mask); +} + +// ================================================== +// Translation of function tuple___len__ +// ================================================== + +// Uninterpreted function definitions +function tuple___len__(Heap: HeapType, self: Ref): int; +function tuple___len__'(Heap: HeapType, self: Ref): int; +axiom (forall Heap: HeapType, self: Ref :: + { tuple___len__(Heap, self) } + tuple___len__(Heap, self) == tuple___len__'(Heap, self) && dummyFunction(tuple___len__#triggerStateless(self)) +); +axiom (forall Heap: HeapType, self: Ref :: + { tuple___len__'(Heap, self) } + dummyFunction(tuple___len__#triggerStateless(self)) +); + +// Framing axioms +function tuple___len__#frame(frame: FrameType, self: Ref): int; +axiom (forall Heap: HeapType, Mask: MaskType, self: Ref :: + { state(Heap, Mask), tuple___len__'(Heap, self) } + state(Heap, Mask) ==> tuple___len__'(Heap, self) == tuple___len__#frame(EmptyFrame, self) +); + +// Postcondition axioms +axiom (forall Heap: HeapType, Mask: MaskType, self: Ref :: + { state(Heap, Mask), tuple___len__'(Heap, self) } + state(Heap, Mask) && (AssumeFunctionsAbove < 21 || tuple___len__#trigger(EmptyFrame, self)) ==> tuple___len__'(Heap, self) == Seq#Length((tuple_args((typeof(self): PyTypeDomainType)): Seq PyTypeDomainType)) +); +axiom (forall Heap: HeapType, Mask: MaskType, self: Ref :: + { state(Heap, Mask), tuple___len__'(Heap, self) } + state(Heap, Mask) && (AssumeFunctionsAbove < 21 || tuple___len__#trigger(EmptyFrame, self)) ==> tuple___len__'(Heap, self) == Seq#Length(tuple___val__(Heap, self)) +); + +// Trigger function (controlling recursive postconditions) +function tuple___len__#trigger(frame: FrameType, self: Ref): bool; + +// State-independent trigger function +function tuple___len__#triggerStateless(self: Ref): int; + +// Check contract well-formedness and postcondition +procedure tuple___len__#definedness(self: Ref) returns (Result: int) + modifies Heap, Mask; +{ + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume Heap[self, $allocated]; + assume AssumeFunctionsAbove == 21; + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Checking definedness of postcondition (no body) + assume Result == Seq#Length((tuple_args((typeof(self): PyTypeDomainType)): Seq PyTypeDomainType)); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of result == |tuple___val__(self)| + if (*) { + // Stop execution + assume false; + } + assume Result == Seq#Length(tuple___val__(Heap, self)); + assume state(Heap, Mask); +} + +// ================================================== +// Translation of function tuple___getitem__ +// ================================================== + +// Uninterpreted function definitions +function tuple___getitem__(Heap: HeapType, self: Ref, key_1: int): Ref; +function tuple___getitem__'(Heap: HeapType, self: Ref, key_1: int): Ref; +axiom (forall Heap: HeapType, self: Ref, key_1: int :: + { tuple___getitem__(Heap, self, key_1) } + tuple___getitem__(Heap, self, key_1) == tuple___getitem__'(Heap, self, key_1) && dummyFunction(tuple___getitem__#triggerStateless(self, key_1)) +); +axiom (forall Heap: HeapType, self: Ref, key_1: int :: + { tuple___getitem__'(Heap, self, key_1) } + dummyFunction(tuple___getitem__#triggerStateless(self, key_1)) +); + +// Framing axioms +function tuple___getitem__#frame(frame: FrameType, self: Ref, key_1: int): Ref; +axiom (forall Heap: HeapType, Mask: MaskType, self: Ref, key_1: int :: + { state(Heap, Mask), tuple___getitem__'(Heap, self, key_1) } + state(Heap, Mask) ==> tuple___getitem__'(Heap, self, key_1) == tuple___getitem__#frame(CombineFrames(FrameFragment((if key_1 >= 0 then EmptyFrame else EmptyFrame)), FrameFragment((if key_1 < 0 then EmptyFrame else EmptyFrame))), self, key_1) +); + +// Postcondition axioms +axiom (forall Heap: HeapType, Mask: MaskType, self: Ref, key_1: int :: + { state(Heap, Mask), tuple___getitem__'(Heap, self, key_1) } + state(Heap, Mask) && (AssumeFunctionsAbove < 16 || tuple___getitem__#trigger(CombineFrames(FrameFragment((if key_1 >= 0 then EmptyFrame else EmptyFrame)), FrameFragment((if key_1 < 0 then EmptyFrame else EmptyFrame))), self, key_1)) ==> (key_1 >= 0 ==> key_1 < tuple___len__(Heap, self)) && (key_1 < 0 ==> key_1 >= -tuple___len__(Heap, self)) ==> key_1 >= 0 ==> (issubtype((typeof(tuple___getitem__'(Heap, self, key_1)): PyTypeDomainType), (tuple_arg((typeof(self): PyTypeDomainType), key_1): PyTypeDomainType)): bool) +); +axiom (forall Heap: HeapType, Mask: MaskType, self: Ref, key_1: int :: + { state(Heap, Mask), tuple___getitem__'(Heap, self, key_1) } + state(Heap, Mask) && (AssumeFunctionsAbove < 16 || tuple___getitem__#trigger(CombineFrames(FrameFragment((if key_1 >= 0 then EmptyFrame else EmptyFrame)), FrameFragment((if key_1 < 0 then EmptyFrame else EmptyFrame))), self, key_1)) ==> (key_1 >= 0 ==> key_1 < tuple___len__(Heap, self)) && (key_1 < 0 ==> key_1 >= -tuple___len__(Heap, self)) ==> key_1 < 0 ==> (issubtype((typeof(tuple___getitem__'(Heap, self, key_1)): PyTypeDomainType), (tuple_arg((typeof(self): PyTypeDomainType), tuple___len__(Heap, self) + key_1): PyTypeDomainType)): bool) +); +axiom (forall Heap: HeapType, Mask: MaskType, self: Ref, key_1: int :: + { state(Heap, Mask), tuple___getitem__'(Heap, self, key_1) } + state(Heap, Mask) && (AssumeFunctionsAbove < 16 || tuple___getitem__#trigger(CombineFrames(FrameFragment((if key_1 >= 0 then EmptyFrame else EmptyFrame)), FrameFragment((if key_1 < 0 then EmptyFrame else EmptyFrame))), self, key_1)) ==> (key_1 >= 0 ==> key_1 < tuple___len__(Heap, self)) && (key_1 < 0 ==> key_1 >= -tuple___len__(Heap, self)) ==> key_1 >= 0 ==> tuple___getitem__'(Heap, self, key_1) == Seq#Index(tuple___val__(Heap, self), key_1) +); +axiom (forall Heap: HeapType, Mask: MaskType, self: Ref, key_1: int :: + { state(Heap, Mask), tuple___getitem__'(Heap, self, key_1) } + state(Heap, Mask) && (AssumeFunctionsAbove < 16 || tuple___getitem__#trigger(CombineFrames(FrameFragment((if key_1 >= 0 then EmptyFrame else EmptyFrame)), FrameFragment((if key_1 < 0 then EmptyFrame else EmptyFrame))), self, key_1)) ==> (key_1 >= 0 ==> key_1 < tuple___len__(Heap, self)) && (key_1 < 0 ==> key_1 >= -tuple___len__(Heap, self)) ==> key_1 < 0 ==> tuple___getitem__'(Heap, self, key_1) == Seq#Index(tuple___val__(Heap, self), tuple___len__(Heap, self) + key_1) +); + +// Trigger function (controlling recursive postconditions) +function tuple___getitem__#trigger(frame: FrameType, self: Ref, key_1: int): bool; + +// State-independent trigger function +function tuple___getitem__#triggerStateless(self: Ref, key_1: int): Ref; + +// Check contract well-formedness and postcondition +procedure tuple___getitem__#definedness(self: Ref, key_1: int) returns (Result: Ref) + modifies Heap, Mask; +{ + var ln_1: int; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume Heap[self, $allocated]; + assume AssumeFunctionsAbove == 16; + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Inhaling precondition (with checking) + + // -- Check definedness of tuple___len__(self) + if (*) { + // Stop execution + assume false; + } + ln_1 := tuple___len__(Heap, self); + if (key_1 >= 0) { + assume key_1 < ln_1; + } + if (key_1 < 0) { + assume key_1 >= -ln_1; + } + assume state(Heap, Mask); + + // -- Checking definedness of postcondition (no body) + if (key_1 >= 0) { + assume (issubtype((typeof(Result): PyTypeDomainType), (tuple_arg((typeof(self): PyTypeDomainType), key_1): PyTypeDomainType)): bool); + } + assume state(Heap, Mask); + if (key_1 < 0) { + assume state(Heap, Mask); + + // -- Check definedness of issubtype(typeof(result), tuple_arg(typeof(self), tuple___len__(self) + key)) + if (*) { + // Stop execution + assume false; + } + assume (issubtype((typeof(Result): PyTypeDomainType), (tuple_arg((typeof(self): PyTypeDomainType), tuple___len__(Heap, self) + key_1): PyTypeDomainType)): bool); + } + assume state(Heap, Mask); + if (key_1 >= 0) { + assume state(Heap, Mask); + + // -- Check definedness of result == tuple___val__(self)[key] + if (*) { + // Stop execution + assume false; + } + assert {:msg " Contract might not be well-formed. Index tuple___val__(self)[key] into tuple___val__(self) might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@586.11--586.58) [2245]"} + key_1 >= 0; + assert {:msg " Contract might not be well-formed. Index tuple___val__(self)[key] into tuple___val__(self) might exceed sequence length. (testsfunctionalverificationexamplescav_example.py.vpr@586.11--586.58) [2246]"} + key_1 < Seq#Length(tuple___val__(Heap, self)); + assume Result == Seq#Index(tuple___val__(Heap, self), key_1); + } + assume state(Heap, Mask); + if (key_1 < 0) { + assume state(Heap, Mask); + + // -- Check definedness of result == tuple___val__(self)[tuple___len__(self) + key] + if (*) { + // Stop execution + assume false; + } + if (*) { + // Stop execution + assume false; + } + assert {:msg " Contract might not be well-formed. Index tuple___val__(self)[tuple___len__(self) + key] into tuple___val__(self) might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@587.11--587.79) [2247]"} + tuple___len__(Heap, self) + key_1 >= 0; + assert {:msg " Contract might not be well-formed. Index tuple___val__(self)[tuple___len__(self) + key] into tuple___val__(self) might exceed sequence length. (testsfunctionalverificationexamplescav_example.py.vpr@587.11--587.79) [2248]"} + tuple___len__(Heap, self) + key_1 < Seq#Length(tuple___val__(Heap, self)); + assume Result == Seq#Index(tuple___val__(Heap, self), tuple___len__(Heap, self) + key_1); + } + assume state(Heap, Mask); +} + +// ================================================== +// Translation of predicate MustTerminate +// ================================================== + +type PredicateType_MustTerminate; +function MustTerminate(r_1: Ref): Field PredicateType_MustTerminate FrameType; +function MustTerminate#sm(r_1: Ref): Field PredicateType_MustTerminate PMaskType; +axiom (forall r_1: Ref :: + { PredicateMaskField(MustTerminate(r_1)) } + PredicateMaskField(MustTerminate(r_1)) == MustTerminate#sm(r_1) +); +axiom (forall r_1: Ref :: + { MustTerminate(r_1) } + IsPredicateField(MustTerminate(r_1)) +); +axiom (forall r_1: Ref :: + { MustTerminate(r_1) } + getPredicateId(MustTerminate(r_1)) == 0 +); +function MustTerminate#trigger(Heap: HeapType, pred: (Field A FrameType)): bool; +function MustTerminate#everUsed(pred: (Field A FrameType)): bool; +axiom (forall r_1: Ref, r2: Ref :: + { MustTerminate(r_1), MustTerminate(r2) } + MustTerminate(r_1) == MustTerminate(r2) ==> r_1 == r2 +); +axiom (forall r_1: Ref, r2: Ref :: + { MustTerminate#sm(r_1), MustTerminate#sm(r2) } + MustTerminate#sm(r_1) == MustTerminate#sm(r2) ==> r_1 == r2 +); + +axiom (forall Heap: HeapType, r_1: Ref :: + { MustTerminate#trigger(Heap, MustTerminate(r_1)) } + MustTerminate#everUsed(MustTerminate(r_1)) +); + +// ================================================== +// Translation of predicate MustInvokeBounded +// ================================================== + +type PredicateType_MustInvokeBounded; +function MustInvokeBounded(r_1: Ref): Field PredicateType_MustInvokeBounded FrameType; +function MustInvokeBounded#sm(r_1: Ref): Field PredicateType_MustInvokeBounded PMaskType; +axiom (forall r_1: Ref :: + { PredicateMaskField(MustInvokeBounded(r_1)) } + PredicateMaskField(MustInvokeBounded(r_1)) == MustInvokeBounded#sm(r_1) +); +axiom (forall r_1: Ref :: + { MustInvokeBounded(r_1) } + IsPredicateField(MustInvokeBounded(r_1)) +); +axiom (forall r_1: Ref :: + { MustInvokeBounded(r_1) } + getPredicateId(MustInvokeBounded(r_1)) == 1 +); +function MustInvokeBounded#trigger(Heap: HeapType, pred: (Field A FrameType)): bool; +function MustInvokeBounded#everUsed(pred: (Field A FrameType)): bool; +axiom (forall r_1: Ref, r2: Ref :: + { MustInvokeBounded(r_1), MustInvokeBounded(r2) } + MustInvokeBounded(r_1) == MustInvokeBounded(r2) ==> r_1 == r2 +); +axiom (forall r_1: Ref, r2: Ref :: + { MustInvokeBounded#sm(r_1), MustInvokeBounded#sm(r2) } + MustInvokeBounded#sm(r_1) == MustInvokeBounded#sm(r2) ==> r_1 == r2 +); + +axiom (forall Heap: HeapType, r_1: Ref :: + { MustInvokeBounded#trigger(Heap, MustInvokeBounded(r_1)) } + MustInvokeBounded#everUsed(MustInvokeBounded(r_1)) +); + +// ================================================== +// Translation of predicate MustInvokeUnbounded +// ================================================== + +type PredicateType_MustInvokeUnbounded; +function MustInvokeUnbounded(r_1: Ref): Field PredicateType_MustInvokeUnbounded FrameType; +function MustInvokeUnbounded#sm(r_1: Ref): Field PredicateType_MustInvokeUnbounded PMaskType; +axiom (forall r_1: Ref :: + { PredicateMaskField(MustInvokeUnbounded(r_1)) } + PredicateMaskField(MustInvokeUnbounded(r_1)) == MustInvokeUnbounded#sm(r_1) +); +axiom (forall r_1: Ref :: + { MustInvokeUnbounded(r_1) } + IsPredicateField(MustInvokeUnbounded(r_1)) +); +axiom (forall r_1: Ref :: + { MustInvokeUnbounded(r_1) } + getPredicateId(MustInvokeUnbounded(r_1)) == 2 +); +function MustInvokeUnbounded#trigger(Heap: HeapType, pred: (Field A FrameType)): bool; +function MustInvokeUnbounded#everUsed(pred: (Field A FrameType)): bool; +axiom (forall r_1: Ref, r2: Ref :: + { MustInvokeUnbounded(r_1), MustInvokeUnbounded(r2) } + MustInvokeUnbounded(r_1) == MustInvokeUnbounded(r2) ==> r_1 == r2 +); +axiom (forall r_1: Ref, r2: Ref :: + { MustInvokeUnbounded#sm(r_1), MustInvokeUnbounded#sm(r2) } + MustInvokeUnbounded#sm(r_1) == MustInvokeUnbounded#sm(r2) ==> r_1 == r2 +); + +axiom (forall Heap: HeapType, r_1: Ref :: + { MustInvokeUnbounded#trigger(Heap, MustInvokeUnbounded(r_1)) } + MustInvokeUnbounded#everUsed(MustInvokeUnbounded(r_1)) +); + +// ================================================== +// Translation of predicate _MaySet +// ================================================== + +type PredicateType__MaySet; +function _MaySet(rec: Ref, id: int): Field PredicateType__MaySet FrameType; +function _MaySet#sm(rec: Ref, id: int): Field PredicateType__MaySet PMaskType; +axiom (forall rec: Ref, id: int :: + { PredicateMaskField(_MaySet(rec, id)) } + PredicateMaskField(_MaySet(rec, id)) == _MaySet#sm(rec, id) +); +axiom (forall rec: Ref, id: int :: + { _MaySet(rec, id) } + IsPredicateField(_MaySet(rec, id)) +); +axiom (forall rec: Ref, id: int :: + { _MaySet(rec, id) } + getPredicateId(_MaySet(rec, id)) == 3 +); +function _MaySet#trigger(Heap: HeapType, pred: (Field A FrameType)): bool; +function _MaySet#everUsed(pred: (Field A FrameType)): bool; +axiom (forall rec: Ref, id: int, rec2: Ref, id2: int :: + { _MaySet(rec, id), _MaySet(rec2, id2) } + _MaySet(rec, id) == _MaySet(rec2, id2) ==> rec == rec2 && id == id2 +); +axiom (forall rec: Ref, id: int, rec2: Ref, id2: int :: + { _MaySet#sm(rec, id), _MaySet#sm(rec2, id2) } + _MaySet#sm(rec, id) == _MaySet#sm(rec2, id2) ==> rec == rec2 && id == id2 +); + +axiom (forall Heap: HeapType, rec: Ref, id: int :: + { _MaySet#trigger(Heap, _MaySet(rec, id)) } + _MaySet#everUsed(_MaySet(rec, id)) +); + +// ================================================== +// Translation of predicate Ticket_state +// ================================================== + +type PredicateType_Ticket_state; +function Ticket_state(self_1: Ref): Field PredicateType_Ticket_state FrameType; +function Ticket_state#sm(self_1: Ref): Field PredicateType_Ticket_state PMaskType; +axiom (forall self_1: Ref :: + { PredicateMaskField(Ticket_state(self_1)) } + PredicateMaskField(Ticket_state(self_1)) == Ticket_state#sm(self_1) +); +axiom (forall self_1: Ref :: + { Ticket_state(self_1) } + IsPredicateField(Ticket_state(self_1)) +); +axiom (forall self_1: Ref :: + { Ticket_state(self_1) } + getPredicateId(Ticket_state(self_1)) == 4 +); +function Ticket_state#trigger(Heap: HeapType, pred: (Field A FrameType)): bool; +function Ticket_state#everUsed(pred: (Field A FrameType)): bool; +axiom (forall self_1: Ref, self_12: Ref :: + { Ticket_state(self_1), Ticket_state(self_12) } + Ticket_state(self_1) == Ticket_state(self_12) ==> self_1 == self_12 +); +axiom (forall self_1: Ref, self_12: Ref :: + { Ticket_state#sm(self_1), Ticket_state#sm(self_12) } + Ticket_state#sm(self_1) == Ticket_state#sm(self_12) ==> self_1 == self_12 +); + +axiom (forall Heap: HeapType, self_1: Ref :: + { Ticket_state#trigger(Heap, Ticket_state(self_1)) } + Ticket_state#everUsed(Ticket_state(self_1)) +); + +procedure Ticket_state#definedness(self_1: Ref) returns () + modifies Heap, Mask; +{ + var perm: Perm; + + // -- Check definedness of predicate body of Ticket_state + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == -1; + assume Heap[self_1, $allocated]; + assume (issubtype((typeof(self_1): PyTypeDomainType), Ticket): bool); + if ((issubtype((typeof(self_1): PyTypeDomainType), Ticket): bool)) { + perm := FullPerm; + assume self_1 != null; + Mask[self_1, Ticket_show_id] := Mask[self_1, Ticket_show_id] + perm; + assume state(Heap, Mask); + + // -- Check definedness of issubtype(typeof(self_1.Ticket_show_id), int()) + assert {:msg " Predicate might not be well-formed. There might be insufficient permission to access self_1.Ticket_show_id (testsfunctionalverificationexamplescav_example.py.vpr@598.1--600.2) [2249]"} + HasDirectPerm(Mask, self_1, Ticket_show_id); + assume (issubtype((typeof(Heap[self_1, Ticket_show_id]): PyTypeDomainType), vint): bool); + perm := FullPerm; + assume self_1 != null; + Mask[self_1, Ticket_row] := Mask[self_1, Ticket_row] + perm; + assume state(Heap, Mask); + + // -- Check definedness of issubtype(typeof(self_1.Ticket_row), int()) + assert {:msg " Predicate might not be well-formed. There might be insufficient permission to access self_1.Ticket_row (testsfunctionalverificationexamplescav_example.py.vpr@598.1--600.2) [2250]"} + HasDirectPerm(Mask, self_1, Ticket_row); + assume (issubtype((typeof(Heap[self_1, Ticket_row]): PyTypeDomainType), vint): bool); + perm := FullPerm; + assume self_1 != null; + Mask[self_1, Ticket_seat] := Mask[self_1, Ticket_seat] + perm; + assume state(Heap, Mask); + + // -- Check definedness of issubtype(typeof(self_1.Ticket_seat), int()) + assert {:msg " Predicate might not be well-formed. There might be insufficient permission to access self_1.Ticket_seat (testsfunctionalverificationexamplescav_example.py.vpr@598.1--600.2) [2251]"} + HasDirectPerm(Mask, self_1, Ticket_seat); + assume (issubtype((typeof(Heap[self_1, Ticket_seat]): PyTypeDomainType), vint): bool); + } + assume state(Heap, Mask); +} + +// ================================================== +// Translation of method get_seats +// ================================================== + +procedure get_seats(_cthread_159: Ref, _caller_measures_159: (Seq Measure$DomainType), _residue_159: Perm, id_0: Ref, num_0: Ref) returns (_current_wait_level_159: Perm, _res: Ref, _err: Ref) + modifies Heap, Mask; +{ + var _r_0: Ref; + var _r_0_2: Ref; + var _r_0_4: Ref; + var _r_0_6: Ref; + var perm: Perm; + var PostHeap: HeapType; + var PostMask: MaskType; + var _r: Ref; + var _r_2: Ref; + var wildcard: real where wildcard > NoPerm; + var ExhaleHeap: HeapType; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == -1; + + // -- Assumptions about method arguments + assume Heap[_cthread_159, $allocated]; + assume Heap[id_0, $allocated]; + assume Heap[num_0, $allocated]; + + // -- Checked inhaling of precondition + + // -- Do welldefinedness check of the exhale part. + if (*) { + assume _cthread_159 != null; + assume state(Heap, Mask); + assume (issubtype((typeof(_cthread_159): PyTypeDomainType), Thread_0): bool); + assume state(Heap, Mask); + assume (issubtype((typeof(id_0): PyTypeDomainType), vint): bool); + assume state(Heap, Mask); + assume (issubtype((typeof(num_0): PyTypeDomainType), vint): bool); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of int___gt__(int___unbox__(num_0), 0) + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function int___unbox__ might not hold. Assertion issubtype(typeof(num_0), int()) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@607.23--607.43) [2252]"} + (issubtype((typeof(num_0): PyTypeDomainType), vint): bool); + // Stop execution + assume false; + } + if (*) { + // Stop execution + assume false; + } + assume int___gt__(Heap, int___unbox__(Heap, num_0), 0); + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of Measure$check(_caller_measures_159, _cthread_159, 1) || perm(MustTerminate(_cthread_159)) == none && ((forperm _r_0: Ref [MustInvokeBounded(_r_0)] :: false) && ((forperm _r_0: Ref [MustInvokeUnbounded(_r_0)] :: false) && ((forperm _r_0: Ref [_r_0.MustReleaseBounded] :: false) && (forperm _r_0: Ref [_r_0.MustReleaseUnbounded] :: false)))) + if (*) { + // Stop execution + assume false; + } + if (!Measure$check(Heap, _caller_measures_159, _cthread_159, 1)) { + if (Mask[null, MustTerminate(_cthread_159)] == NoPerm) { + if (*) { + if (HasDirectPerm(Mask, null, MustInvokeBounded(_r_0))) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access MustInvokeBounded(_r_0) (testsfunctionalverificationexamplescav_example.py.vpr@609.12--609.359) [2253]"} + HasDirectPerm(Mask, null, MustInvokeBounded(_r_0)); + } + assume false; + } + if ((forall _r_0_1: Ref :: + { Mask[null, MustInvokeBounded(_r_0_1)] } + HasDirectPerm(Mask, null, MustInvokeBounded(_r_0_1)) ==> false + )) { + if (*) { + if (HasDirectPerm(Mask, null, MustInvokeUnbounded(_r_0_2))) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access MustInvokeUnbounded(_r_0) (testsfunctionalverificationexamplescav_example.py.vpr@609.12--609.359) [2254]"} + HasDirectPerm(Mask, null, MustInvokeUnbounded(_r_0_2)); + } + assume false; + } + if ((forall _r_0_3: Ref :: + { Mask[null, MustInvokeUnbounded(_r_0_3)] } + HasDirectPerm(Mask, null, MustInvokeUnbounded(_r_0_3)) ==> false + )) { + if (*) { + if (HasDirectPerm(Mask, _r_0_4, MustReleaseBounded)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _r_0.MustReleaseBounded (testsfunctionalverificationexamplescav_example.py.vpr@609.12--609.359) [2255]"} + HasDirectPerm(Mask, _r_0_4, MustReleaseBounded); + } + assume false; + } + if ((forall _r_0_5: Ref :: + { Mask[_r_0_5, MustReleaseBounded] } + HasDirectPerm(Mask, _r_0_5, MustReleaseBounded) ==> false + )) { + if (*) { + if (HasDirectPerm(Mask, _r_0_6, MustReleaseUnbounded)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _r_0.MustReleaseUnbounded (testsfunctionalverificationexamplescav_example.py.vpr@609.12--609.359) [2256]"} + HasDirectPerm(Mask, _r_0_6, MustReleaseUnbounded); + } + assume false; + } + } + } + } + } + } + assume Measure$check(Heap, _caller_measures_159, _cthread_159, 1) || (Mask[null, MustTerminate(_cthread_159)] == NoPerm && ((forall _r_0_7: Ref :: + { Mask[null, MustInvokeBounded(_r_0_7)] } + HasDirectPerm(Mask, null, MustInvokeBounded(_r_0_7)) ==> false + ) && ((forall _r_0_8: Ref :: + { Mask[null, MustInvokeUnbounded(_r_0_8)] } + HasDirectPerm(Mask, null, MustInvokeUnbounded(_r_0_8)) ==> false + ) && ((forall _r_0_9: Ref :: + { Mask[_r_0_9, MustReleaseBounded] } + HasDirectPerm(Mask, _r_0_9, MustReleaseBounded) ==> false + ) && (forall _r_0_10: Ref :: + { Mask[_r_0_10, MustReleaseUnbounded] } + HasDirectPerm(Mask, _r_0_10, MustReleaseUnbounded) ==> false + ))))); + assume state(Heap, Mask); + assume false; + } + + // -- Normally inhale the inhale part. + assume _cthread_159 != null; + assume state(Heap, Mask); + assume (issubtype((typeof(_cthread_159): PyTypeDomainType), Thread_0): bool); + assume state(Heap, Mask); + assume (issubtype((typeof(id_0): PyTypeDomainType), vint): bool); + assume state(Heap, Mask); + assume (issubtype((typeof(num_0): PyTypeDomainType), vint): bool); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of int___gt__(int___unbox__(num_0), 0) + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function int___unbox__ might not hold. Assertion issubtype(typeof(num_0), int()) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@607.23--607.43) [2257]"} + (issubtype((typeof(num_0): PyTypeDomainType), vint): bool); + // Stop execution + assume false; + } + if (*) { + // Stop execution + assume false; + } + assume int___gt__(Heap, int___unbox__(Heap, num_0), 0); + assume state(Heap, Mask); + perm := FullPerm; + Mask[null, MustTerminate(_cthread_159)] := Mask[null, MustTerminate(_cthread_159)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + PostHeap := Heap; + PostMask := Mask; + havoc PostHeap; + PostMask := ZeroMask; + assume state(PostHeap, PostMask); + if (*) { + // Checked inhaling of postcondition to check definedness + + // -- Do welldefinedness check of the inhale part. + if (*) { + assume state(PostHeap, PostMask); + + // -- Check definedness of (forperm _r: Ref [_r.MustReleaseBounded] :: Level(_r) <= _current_wait_level_159) + if (*) { + if (HasDirectPerm(PostMask, _r, MustReleaseBounded)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _r.MustReleaseBounded (testsfunctionalverificationexamplescav_example.py.vpr@610.11--610.232) [2258]"} + HasDirectPerm(PostMask, _r, MustReleaseBounded); + if (*) { + // Stop execution + assume false; + } + } + assume false; + } + assume (forall _r_1: Ref :: + { PostMask[_r_1, MustReleaseBounded] } + HasDirectPerm(PostMask, _r_1, MustReleaseBounded) ==> Level(PostHeap, _r_1) <= _current_wait_level_159 + ); + assume state(PostHeap, PostMask); + + // -- Check definedness of (forperm _r: Ref [_r.MustReleaseUnbounded] :: Level(_r) <= _current_wait_level_159) + if (*) { + if (HasDirectPerm(PostMask, _r_2, MustReleaseUnbounded)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _r.MustReleaseUnbounded (testsfunctionalverificationexamplescav_example.py.vpr@610.11--610.232) [2259]"} + HasDirectPerm(PostMask, _r_2, MustReleaseUnbounded); + if (*) { + // Stop execution + assume false; + } + } + assume false; + } + assume (forall _r_3: Ref :: + { PostMask[_r_3, MustReleaseUnbounded] } + HasDirectPerm(PostMask, _r_3, MustReleaseUnbounded) ==> Level(PostHeap, _r_3) <= _current_wait_level_159 + ); + assume _residue_159 <= _current_wait_level_159; + assume state(PostHeap, PostMask); + if (_err == null) { + assume (issubtype((typeof(_res): PyTypeDomainType), (list((tuple(Seq#Append(Seq#Singleton(vint), Seq#Singleton(vint))): PyTypeDomainType)): PyTypeDomainType)): bool); + } + assume state(PostHeap, PostMask); + if (_err == null) { + perm := FullPerm; + assume _res != null; + PostMask[_res, list_acc] := PostMask[_res, list_acc] + perm; + assume state(PostHeap, PostMask); + } + assume state(PostHeap, PostMask); + if (_err == null) { + assume state(PostHeap, PostMask); + + // -- Check definedness of int___eq__(__prim__int___box__(list___len__(_res)), num_0) + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function list___len__ might not hold. Assertion issubtype(typeof(_res), list(list_arg(typeof(_res), 0))) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@613.59--613.77) [2260]"} + (issubtype((typeof(_res): PyTypeDomainType), (list((list_arg((typeof(_res): PyTypeDomainType), 0): PyTypeDomainType)): PyTypeDomainType)): bool); + assert {:msg " Precondition of function list___len__ might not hold. There might be insufficient permission to access _res.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@613.59--613.77) [2261]"} + PostMask[_res, list_acc] > NoPerm; + havoc wildcard; + assume wildcard < PostMask[_res, list_acc]; + PostMask[_res, list_acc] := PostMask[_res, list_acc] - wildcard; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(PostHeap, ExhaleHeap, PostMask); + PostHeap := ExhaleHeap; + // Stop execution + assume false; + } + if (*) { + // Stop execution + assume false; + } + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function int___eq__ might not hold. Assertion issubtype(typeof(__prim__int___box__(list___len__(_res))), int()) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@613.28--613.86) [2262]"} + (issubtype((typeof(__prim__int___box__(PostHeap, list___len__(PostHeap, _res))): PyTypeDomainType), vint): bool); + assert {:msg " Precondition of function int___eq__ might not hold. Assertion issubtype(typeof(num_0), int()) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@613.28--613.86) [2263]"} + (issubtype((typeof(num_0): PyTypeDomainType), vint): bool); + // Stop execution + assume false; + } + assume int___eq__(PostHeap, __prim__int___box__(PostHeap, list___len__(PostHeap, _res)), num_0); + } + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + if (_err != null) { + assume (issubtype((typeof(_err): PyTypeDomainType), SoldoutException): bool); + } + assume state(PostHeap, PostMask); + assume false; + } + + // -- Normally inhale the exhale part. + assume state(PostHeap, PostMask); + if (_err == null) { + assume (issubtype((typeof(_res): PyTypeDomainType), (list((tuple(Seq#Append(Seq#Singleton(vint), Seq#Singleton(vint))): PyTypeDomainType)): PyTypeDomainType)): bool); + } + assume state(PostHeap, PostMask); + if (_err == null) { + perm := FullPerm; + assume _res != null; + PostMask[_res, list_acc] := PostMask[_res, list_acc] + perm; + assume state(PostHeap, PostMask); + } + assume state(PostHeap, PostMask); + if (_err == null) { + assume state(PostHeap, PostMask); + + // -- Check definedness of int___eq__(__prim__int___box__(list___len__(_res)), num_0) + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function list___len__ might not hold. Assertion issubtype(typeof(_res), list(list_arg(typeof(_res), 0))) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@613.59--613.77) [2264]"} + (issubtype((typeof(_res): PyTypeDomainType), (list((list_arg((typeof(_res): PyTypeDomainType), 0): PyTypeDomainType)): PyTypeDomainType)): bool); + assert {:msg " Precondition of function list___len__ might not hold. There might be insufficient permission to access _res.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@613.59--613.77) [2265]"} + PostMask[_res, list_acc] > NoPerm; + havoc wildcard; + assume wildcard < PostMask[_res, list_acc]; + PostMask[_res, list_acc] := PostMask[_res, list_acc] - wildcard; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(PostHeap, ExhaleHeap, PostMask); + PostHeap := ExhaleHeap; + // Stop execution + assume false; + } + if (*) { + // Stop execution + assume false; + } + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function int___eq__ might not hold. Assertion issubtype(typeof(__prim__int___box__(list___len__(_res))), int()) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@613.28--613.86) [2266]"} + (issubtype((typeof(__prim__int___box__(PostHeap, list___len__(PostHeap, _res))): PyTypeDomainType), vint): bool); + assert {:msg " Precondition of function int___eq__ might not hold. Assertion issubtype(typeof(num_0), int()) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@613.28--613.86) [2267]"} + (issubtype((typeof(num_0): PyTypeDomainType), vint): bool); + // Stop execution + assume false; + } + assume int___eq__(PostHeap, __prim__int___box__(PostHeap, list___len__(PostHeap, _res)), num_0); + } + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + if (_err != null) { + assume (issubtype((typeof(_err): PyTypeDomainType), SoldoutException): bool); + } + assume state(PostHeap, PostMask); + // Stop execution + assume false; + } + + // -- Translating statement: _res := null -- testsfunctionalverificationexamplescav_example.py.vpr@618.3--618.15 + _res := null; + assume state(Heap, Mask); + + // -- Translating statement: inhale false -- testsfunctionalverificationexamplescav_example.py.vpr@619.3--619.15 + assume false; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Exhaling postcondition + if (_err == null) { + assert {:msg " Postcondition of get_seats might not hold. Assertion issubtype(typeof(_res), list(tuple(Seq(int(), int())))) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@611.11--611.83) [2268]"} + (issubtype((typeof(_res): PyTypeDomainType), (list((tuple(Seq#Append(Seq#Singleton(vint), Seq#Singleton(vint))): PyTypeDomainType)): PyTypeDomainType)): bool); + } + if (_err == null) { + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Postcondition of get_seats might not hold. There might be insufficient permission to access _res.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@612.11--612.53) [2269]"} + perm <= Mask[_res, list_acc]; + } + Mask[_res, list_acc] := Mask[_res, list_acc] - perm; + } + if (_err == null) { + assert {:msg " Postcondition of get_seats might not hold. Assertion int___eq__(__prim__int___box__(list___len__(_res)), num_0) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@613.11--613.86) [2270]"} + int___eq__(Heap, __prim__int___box__(Heap, list___len__(Heap, _res)), num_0); + } + if (_err != null) { + assert {:msg " Postcondition of get_seats might not hold. Assertion issubtype(typeof(_err), SoldoutException()) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@615.11--615.71) [2271]"} + (issubtype((typeof(_err): PyTypeDomainType), SoldoutException): bool); + } + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; +} + +// ================================================== +// Translation of method order_tickets +// ================================================== + +procedure order_tickets(_cthread_160: Ref, _caller_measures_160: (Seq Measure$DomainType), _residue_160: Perm, num_1: Ref, show_id: Ref, code_0: Ref) returns (_current_wait_level_160: Perm, _res: Ref, _err: Ref) + modifies Heap, Mask; +{ + var loop_end_lblGuard: bool; + var __end_lblGuard: bool; + var post_loop_lblGuard: bool; + var _r_5: Ref; + var _r_5_2: Ref; + var _r_5_4: Ref; + var _r_5_6: Ref; + var perm: Perm; + var PostHeap: HeapType; + var PostMask: MaskType; + var _r_3_1: Ref; + var _r_3_2: Ref; + var _r_4: Ref; + var _r_4_2: Ref; + var _r_4_4: Ref; + var _r_4_6: Ref; + var seats: Ref; + var res: Ref; + var row_0: Ref; + var seat_0: Ref; + var ticket: Ref; + var num_2: Ref; + var show_id_0: Ref; + var code_1: Ref; + var get_seats_res: Ref; + var list_0: Ref; + var iterable: Ref; + var iter: Ref; + var loop_target: Ref; + var iter_err: Ref; + var Ticket_res: Ref; + var _method_measures_160: (Seq Measure$DomainType); + var PreCallHeap: HeapType; + var PreCallMask: MaskType; + var _cwl_160: Perm; + var ExhaleHeap: HeapType; + var ln_1: int; + var ln_3: int; + var seqtmp: (Seq Ref); + var _loop_original_must_terminate: Perm; + var _loop_termination_flag: bool; + var _loop_check_before: bool; + var QPMask: MaskType; + var lambda46_30$t_2_1: Ref; + var frameMask74: MaskType; + var frameHeap74: HeapType; + var _loop_measures: (Seq Measure$DomainType); + var _r_1_1: Ref; + var _residue_161: Perm; + var _r_1_3: Ref; + var ln_5: int; + var ln_7: int; + var wildcard: real where wildcard > NoPerm; + var lambda46_30$t_3: Ref; + var lambda46_30$t_4: Ref; + var lambda46_30$t_6: Ref; + var loopHeap: HeapType; + var loopMask: MaskType; + var freshObj: Ref; + var arg_row: Ref; + var arg_seat: Ref; + var arg_self: Ref; + var arg_item: Ref; + var Labelloop_endMask: MaskType; + var Labelloop_endHeap: HeapType; + var ln_9: int; + var ln_11: int; + var lambda46_30$t_17: Ref; + var Labelpost_loopMask: MaskType; + var Labelpost_loopHeap: HeapType; + var Label__endMask: MaskType; + var Label__endHeap: HeapType; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == -1; + loop_end_lblGuard := false; + __end_lblGuard := false; + post_loop_lblGuard := false; + + // -- Assumptions about method arguments + assume Heap[_cthread_160, $allocated]; + assume Heap[num_1, $allocated]; + assume Heap[show_id, $allocated]; + assume Heap[code_0, $allocated]; + + // -- Checked inhaling of precondition + + // -- Do welldefinedness check of the exhale part. + if (*) { + assume _cthread_160 != null; + assume state(Heap, Mask); + assume (issubtype((typeof(_cthread_160): PyTypeDomainType), Thread_0): bool); + assume state(Heap, Mask); + assume (issubtype((typeof(num_1): PyTypeDomainType), vint): bool); + assume state(Heap, Mask); + assume (issubtype((typeof(show_id): PyTypeDomainType), vint): bool); + assume state(Heap, Mask); + assume code_0 == null || (issubtype((typeof(code_0): PyTypeDomainType), str): bool); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of int___gt__(int___unbox__(num_1), 0) + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function int___unbox__ might not hold. Assertion issubtype(typeof(num_1), int()) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@628.23--628.43) [2272]"} + (issubtype((typeof(num_1): PyTypeDomainType), vint): bool); + // Stop execution + assume false; + } + if (*) { + // Stop execution + assume false; + } + assume int___gt__(Heap, int___unbox__(Heap, num_1), 0); + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of Measure$check(_caller_measures_160, _cthread_160, 2) || perm(MustTerminate(_cthread_160)) == none && ((forperm _r_5: Ref [MustInvokeBounded(_r_5)] :: false) && ((forperm _r_5: Ref [MustInvokeUnbounded(_r_5)] :: false) && ((forperm _r_5: Ref [_r_5.MustReleaseBounded] :: false) && (forperm _r_5: Ref [_r_5.MustReleaseUnbounded] :: false)))) + if (*) { + // Stop execution + assume false; + } + if (!Measure$check(Heap, _caller_measures_160, _cthread_160, 2)) { + if (Mask[null, MustTerminate(_cthread_160)] == NoPerm) { + if (*) { + if (HasDirectPerm(Mask, null, MustInvokeBounded(_r_5))) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access MustInvokeBounded(_r_5) (testsfunctionalverificationexamplescav_example.py.vpr@630.12--630.359) [2273]"} + HasDirectPerm(Mask, null, MustInvokeBounded(_r_5)); + } + assume false; + } + if ((forall _r_5_1: Ref :: + { Mask[null, MustInvokeBounded(_r_5_1)] } + HasDirectPerm(Mask, null, MustInvokeBounded(_r_5_1)) ==> false + )) { + if (*) { + if (HasDirectPerm(Mask, null, MustInvokeUnbounded(_r_5_2))) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access MustInvokeUnbounded(_r_5) (testsfunctionalverificationexamplescav_example.py.vpr@630.12--630.359) [2274]"} + HasDirectPerm(Mask, null, MustInvokeUnbounded(_r_5_2)); + } + assume false; + } + if ((forall _r_5_3: Ref :: + { Mask[null, MustInvokeUnbounded(_r_5_3)] } + HasDirectPerm(Mask, null, MustInvokeUnbounded(_r_5_3)) ==> false + )) { + if (*) { + if (HasDirectPerm(Mask, _r_5_4, MustReleaseBounded)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _r_5.MustReleaseBounded (testsfunctionalverificationexamplescav_example.py.vpr@630.12--630.359) [2275]"} + HasDirectPerm(Mask, _r_5_4, MustReleaseBounded); + } + assume false; + } + if ((forall _r_5_5: Ref :: + { Mask[_r_5_5, MustReleaseBounded] } + HasDirectPerm(Mask, _r_5_5, MustReleaseBounded) ==> false + )) { + if (*) { + if (HasDirectPerm(Mask, _r_5_6, MustReleaseUnbounded)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _r_5.MustReleaseUnbounded (testsfunctionalverificationexamplescav_example.py.vpr@630.12--630.359) [2276]"} + HasDirectPerm(Mask, _r_5_6, MustReleaseUnbounded); + } + assume false; + } + } + } + } + } + } + assume Measure$check(Heap, _caller_measures_160, _cthread_160, 2) || (Mask[null, MustTerminate(_cthread_160)] == NoPerm && ((forall _r_5_7: Ref :: + { Mask[null, MustInvokeBounded(_r_5_7)] } + HasDirectPerm(Mask, null, MustInvokeBounded(_r_5_7)) ==> false + ) && ((forall _r_5_8: Ref :: + { Mask[null, MustInvokeUnbounded(_r_5_8)] } + HasDirectPerm(Mask, null, MustInvokeUnbounded(_r_5_8)) ==> false + ) && ((forall _r_5_9: Ref :: + { Mask[_r_5_9, MustReleaseBounded] } + HasDirectPerm(Mask, _r_5_9, MustReleaseBounded) ==> false + ) && (forall _r_5_10: Ref :: + { Mask[_r_5_10, MustReleaseUnbounded] } + HasDirectPerm(Mask, _r_5_10, MustReleaseUnbounded) ==> false + ))))); + assume state(Heap, Mask); + assume false; + } + + // -- Normally inhale the inhale part. + assume _cthread_160 != null; + assume state(Heap, Mask); + assume (issubtype((typeof(_cthread_160): PyTypeDomainType), Thread_0): bool); + assume state(Heap, Mask); + assume (issubtype((typeof(num_1): PyTypeDomainType), vint): bool); + assume state(Heap, Mask); + assume (issubtype((typeof(show_id): PyTypeDomainType), vint): bool); + assume state(Heap, Mask); + assume code_0 == null || (issubtype((typeof(code_0): PyTypeDomainType), str): bool); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of int___gt__(int___unbox__(num_1), 0) + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function int___unbox__ might not hold. Assertion issubtype(typeof(num_1), int()) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@628.23--628.43) [2277]"} + (issubtype((typeof(num_1): PyTypeDomainType), vint): bool); + // Stop execution + assume false; + } + if (*) { + // Stop execution + assume false; + } + assume int___gt__(Heap, int___unbox__(Heap, num_1), 0); + assume state(Heap, Mask); + perm := FullPerm; + Mask[null, MustTerminate(_cthread_160)] := Mask[null, MustTerminate(_cthread_160)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + PostHeap := Heap; + PostMask := Mask; + havoc PostHeap; + PostMask := ZeroMask; + assume state(PostHeap, PostMask); + if (*) { + // Checked inhaling of postcondition to check definedness + + // -- Do welldefinedness check of the inhale part. + if (*) { + assume state(PostHeap, PostMask); + + // -- Check definedness of (forperm _r_3: Ref [_r_3.MustReleaseBounded] :: Level(_r_3) <= _current_wait_level_160) + if (*) { + if (HasDirectPerm(PostMask, _r_3_1, MustReleaseBounded)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _r_3.MustReleaseBounded (testsfunctionalverificationexamplescav_example.py.vpr@631.11--631.244) [2278]"} + HasDirectPerm(PostMask, _r_3_1, MustReleaseBounded); + if (*) { + // Stop execution + assume false; + } + } + assume false; + } + assume (forall _r_3_1_1: Ref :: + { PostMask[_r_3_1_1, MustReleaseBounded] } + HasDirectPerm(PostMask, _r_3_1_1, MustReleaseBounded) ==> Level(PostHeap, _r_3_1_1) <= _current_wait_level_160 + ); + assume state(PostHeap, PostMask); + + // -- Check definedness of (forperm _r_3: Ref [_r_3.MustReleaseUnbounded] :: Level(_r_3) <= _current_wait_level_160) + if (*) { + if (HasDirectPerm(PostMask, _r_3_2, MustReleaseUnbounded)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _r_3.MustReleaseUnbounded (testsfunctionalverificationexamplescav_example.py.vpr@631.11--631.244) [2279]"} + HasDirectPerm(PostMask, _r_3_2, MustReleaseUnbounded); + if (*) { + // Stop execution + assume false; + } + } + assume false; + } + assume (forall _r_3_3: Ref :: + { PostMask[_r_3_3, MustReleaseUnbounded] } + HasDirectPerm(PostMask, _r_3_3, MustReleaseUnbounded) ==> Level(PostHeap, _r_3_3) <= _current_wait_level_160 + ); + assume _residue_160 <= _current_wait_level_160; + assume state(PostHeap, PostMask); + if (_err == null) { + assume (issubtype((typeof(_res): PyTypeDomainType), (list(Ticket): PyTypeDomainType)): bool); + } + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + if (_err != null) { + assume (issubtype((typeof(_err): PyTypeDomainType), SoldoutException): bool); + } + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + assume false; + } + + // -- Normally inhale the exhale part. + assume state(PostHeap, PostMask); + if (_err == null) { + assume (issubtype((typeof(_res): PyTypeDomainType), (list(Ticket): PyTypeDomainType)): bool); + } + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + if (_err != null) { + assume (issubtype((typeof(_err): PyTypeDomainType), SoldoutException): bool); + } + assume state(PostHeap, PostMask); + + // -- Check definedness of (forperm _r_4: Ref [MustInvokeBounded(_r_4)] :: false) + if (*) { + if (HasDirectPerm(PostMask, null, MustInvokeBounded(_r_4))) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access MustInvokeBounded(_r_4) (testsfunctionalverificationexamplescav_example.py.vpr@635.11--635.255) [2280]"} + HasDirectPerm(PostMask, null, MustInvokeBounded(_r_4)); + } + assume false; + } + assume (forall _r_4_1: Ref :: + { PostMask[null, MustInvokeBounded(_r_4_1)] } + HasDirectPerm(PostMask, null, MustInvokeBounded(_r_4_1)) ==> false + ); + + // -- Check definedness of (forperm _r_4: Ref [MustInvokeUnbounded(_r_4)] :: false) + if (*) { + if (HasDirectPerm(PostMask, null, MustInvokeUnbounded(_r_4_2))) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access MustInvokeUnbounded(_r_4) (testsfunctionalverificationexamplescav_example.py.vpr@635.11--635.255) [2281]"} + HasDirectPerm(PostMask, null, MustInvokeUnbounded(_r_4_2)); + } + assume false; + } + assume (forall _r_4_3: Ref :: + { PostMask[null, MustInvokeUnbounded(_r_4_3)] } + HasDirectPerm(PostMask, null, MustInvokeUnbounded(_r_4_3)) ==> false + ); + + // -- Check definedness of (forperm _r_4: Ref [_r_4.MustReleaseBounded] :: false) + if (*) { + if (HasDirectPerm(PostMask, _r_4_4, MustReleaseBounded)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _r_4.MustReleaseBounded (testsfunctionalverificationexamplescav_example.py.vpr@635.11--635.255) [2282]"} + HasDirectPerm(PostMask, _r_4_4, MustReleaseBounded); + } + assume false; + } + assume (forall _r_4_5: Ref :: + { PostMask[_r_4_5, MustReleaseBounded] } + HasDirectPerm(PostMask, _r_4_5, MustReleaseBounded) ==> false + ); + + // -- Check definedness of (forperm _r_4: Ref [_r_4.MustReleaseUnbounded] :: false) + if (*) { + if (HasDirectPerm(PostMask, _r_4_6, MustReleaseUnbounded)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _r_4.MustReleaseUnbounded (testsfunctionalverificationexamplescav_example.py.vpr@635.11--635.255) [2283]"} + HasDirectPerm(PostMask, _r_4_6, MustReleaseUnbounded); + } + assume false; + } + assume (forall _r_4_7: Ref :: + { PostMask[_r_4_7, MustReleaseUnbounded] } + HasDirectPerm(PostMask, _r_4_7, MustReleaseUnbounded) ==> false + ); + assume state(PostHeap, PostMask); + // Stop execution + assume false; + } + + // -- Assumptions about local variables + assume Heap[seats, $allocated]; + assume Heap[res, $allocated]; + assume Heap[row_0, $allocated]; + assume Heap[seat_0, $allocated]; + assume Heap[ticket, $allocated]; + assume Heap[num_2, $allocated]; + assume Heap[show_id_0, $allocated]; + assume Heap[code_1, $allocated]; + assume Heap[get_seats_res, $allocated]; + assume Heap[list_0, $allocated]; + assume Heap[iterable, $allocated]; + assume Heap[iter, $allocated]; + assume Heap[loop_target, $allocated]; + assume Heap[iter_err, $allocated]; + assume Heap[Ticket_res, $allocated]; + + // -- Translating statement: // id = 1 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 2 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 3 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 4 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 5 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 6 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 7 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 8 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 9 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 10 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 11 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 12 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 13 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 14 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 15 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 16 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 17 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 18 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 19 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 20 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 21 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 22 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 23 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 24 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 25 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 26 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 27 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 28 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 29 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 30 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 31 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 32 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 33 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 34 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 35 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 36 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 37 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 38 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 39 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 40 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 41 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 42 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 43 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 44 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 45 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 46 + // _method_measures_160 := Seq(Measure$create(true, _cthread_160, 2)) -- testsfunctionalverificationexamplescav_example.py.vpr@660.3--660.69 + _method_measures_160 := Seq#Singleton((Measure$create(true, _cthread_160, 2): Measure$DomainType)); + assume state(Heap, Mask); + + // -- Translating statement: // id = 47 + // _res := null -- testsfunctionalverificationexamplescav_example.py.vpr@661.3--661.15 + _res := null; + assume state(Heap, Mask); + + // -- Translating statement: // id = 48 + // _err := null -- testsfunctionalverificationexamplescav_example.py.vpr@662.3--662.15 + _err := null; + assume state(Heap, Mask); + + // -- Translating statement: // id = 49 + // num_2 := num_1 -- testsfunctionalverificationexamplescav_example.py.vpr@663.3--663.17 + num_2 := num_1; + assume state(Heap, Mask); + + // -- Translating statement: // id = 50 + // show_id_0 := show_id -- testsfunctionalverificationexamplescav_example.py.vpr@664.3--664.23 + show_id_0 := show_id; + assume state(Heap, Mask); + + // -- Translating statement: // id = 51 + // code_1 := code_0 -- testsfunctionalverificationexamplescav_example.py.vpr@665.3--665.19 + code_1 := code_0; + assume state(Heap, Mask); + + // -- Translating statement: // id = 52 + // _cwl_160, get_seats_res, _err := get_seats(_cthread_160, _method_measures_160, + // _residue_160, show_id_0, num_2) -- testsfunctionalverificationexamplescav_example.py.vpr@666.3--666.113 + PreCallHeap := Heap; + PreCallMask := Mask; + havoc _cwl_160, get_seats_res, _err; + + // -- Exhaling precondition + assert {:msg " The precondition of method get_seats might not hold. Assertion _cthread_160 != null might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@666.3--666.113) [2284]"} + _cthread_160 != null; + assert {:msg " The precondition of method get_seats might not hold. Assertion issubtype(typeof(_cthread_160), Thread_0()) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@666.3--666.113) [2285]"} + (issubtype((typeof(_cthread_160): PyTypeDomainType), Thread_0): bool); + assert {:msg " The precondition of method get_seats might not hold. Assertion issubtype(typeof(show_id_0), int()) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@666.3--666.113) [2286]"} + (issubtype((typeof(show_id_0): PyTypeDomainType), vint): bool); + assert {:msg " The precondition of method get_seats might not hold. Assertion issubtype(typeof(num_2), int()) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@666.3--666.113) [2287]"} + (issubtype((typeof(num_2): PyTypeDomainType), vint): bool); + assert {:msg " The precondition of method get_seats might not hold. Assertion int___gt__(int___unbox__(num_2), 0) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@666.3--666.113) [2288]"} + int___gt__(Heap, int___unbox__(Heap, num_2), 0); + assert {:msg " The precondition of method get_seats might not hold. Assertion Measure$check(_method_measures_160, _cthread_160, 1) || perm(MustTerminate(_cthread_160)) == none && ((forperm _r_0: Ref [MustInvokeBounded(_r_0)] :: false) && ((forperm _r_0: Ref [MustInvokeUnbounded(_r_0)] :: false) && ((forperm _r_0: Ref [_r_0.MustReleaseBounded] :: false) && (forperm _r_0: Ref [_r_0.MustReleaseUnbounded] :: false)))) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@666.3--666.113) [2289]"} + Measure$check(Heap, _method_measures_160, _cthread_160, 1) || (Mask[null, MustTerminate(_cthread_160)] == NoPerm && ((forall _r_0_11: Ref :: + { Mask[null, MustInvokeBounded(_r_0_11)] } + HasDirectPerm(Mask, null, MustInvokeBounded(_r_0_11)) ==> false + ) && ((forall _r_0_1: Ref :: + { Mask[null, MustInvokeUnbounded(_r_0_1)] } + HasDirectPerm(Mask, null, MustInvokeUnbounded(_r_0_1)) ==> false + ) && ((forall _r_0_2_1: Ref :: + { Mask[_r_0_2_1, MustReleaseBounded] } + HasDirectPerm(Mask, _r_0_2_1, MustReleaseBounded) ==> false + ) && (forall _r_0_3: Ref :: + { Mask[_r_0_3, MustReleaseUnbounded] } + HasDirectPerm(Mask, _r_0_3, MustReleaseUnbounded) ==> false + ))))); + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + + // -- Inhaling postcondition + assume state(Heap, Mask); + assume (forall _r_6: Ref :: + { Mask[_r_6, MustReleaseBounded] } + HasDirectPerm(Mask, _r_6, MustReleaseBounded) ==> Level(Heap, _r_6) <= _cwl_160 + ); + assume state(Heap, Mask); + assume (forall _r_1: Ref :: + { Mask[_r_1, MustReleaseUnbounded] } + HasDirectPerm(Mask, _r_1, MustReleaseUnbounded) ==> Level(Heap, _r_1) <= _cwl_160 + ); + assume _residue_160 <= _cwl_160; + if (_err == null) { + assume (issubtype((typeof(get_seats_res): PyTypeDomainType), (list((tuple(Seq#Append(Seq#Singleton(vint), Seq#Singleton(vint))): PyTypeDomainType)): PyTypeDomainType)): bool); + } + if (_err == null) { + perm := FullPerm; + assume get_seats_res != null; + Mask[get_seats_res, list_acc] := Mask[get_seats_res, list_acc] + perm; + assume state(Heap, Mask); + } + if (_err == null) { + assume state(Heap, Mask); + assume int___eq__(Heap, __prim__int___box__(Heap, list___len__(Heap, get_seats_res)), num_2); + } + if (_err != null) { + assume (issubtype((typeof(_err): PyTypeDomainType), SoldoutException): bool); + } + assume state(Heap, Mask); + assume Heap[get_seats_res, $allocated]; + assume Heap[_err, $allocated]; + assume state(Heap, Mask); + + // -- Translating statement: if (_err != null) -- testsfunctionalverificationexamplescav_example.py.vpr@667.3--670.4 + if (_err != null) { + + // -- Translating statement: // id = 53 + // _err := _err -- testsfunctionalverificationexamplescav_example.py.vpr@668.5--668.17 + _err := _err; + assume state(Heap, Mask); + + // -- Translating statement: // id = 54 + // goto __end -- testsfunctionalverificationexamplescav_example.py.vpr@669.5--669.15 + goto __end; + assume state(Heap, Mask); + } else { + + // -- Translating statement: // id = 55 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 56 + // seats := get_seats_res -- testsfunctionalverificationexamplescav_example.py.vpr@671.3--671.25 + seats := get_seats_res; + assume state(Heap, Mask); + + // -- Translating statement: // id = 57 + // inhale _isDefined(495873779059) -- testsfunctionalverificationexamplescav_example.py.vpr@672.3--672.34 + assume state(Heap, Mask); + + // -- Check definedness of _isDefined(495873779059) + if (*) { + // Stop execution + assume false; + } + assume _isDefined(Heap, 495873779059); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 58 + // _cwl_160, list_0 := list___init__(_cthread_160, _method_measures_160, _residue_160) -- testsfunctionalverificationexamplescav_example.py.vpr@673.3--673.86 + PreCallHeap := Heap; + PreCallMask := Mask; + havoc _cwl_160, list_0; + + // -- Exhaling precondition + assert {:msg " The precondition of method list___init__ might not hold. Assertion _cthread_160 != null might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@673.3--673.86) [2290]"} + _cthread_160 != null; + assert {:msg " The precondition of method list___init__ might not hold. Assertion Measure$check(_method_measures_160, _cthread_160, 1) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@673.3--673.86) [2291]"} + Measure$check(Heap, _method_measures_160, _cthread_160, 1); + assert {:msg " The precondition of method list___init__ might not hold. Assertion issubtype(typeof(_cthread_160), Thread_0()) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@673.3--673.86) [2292]"} + (issubtype((typeof(_cthread_160): PyTypeDomainType), Thread_0): bool); + assert {:msg " The precondition of method list___init__ might not hold. Assertion Measure$check(_method_measures_160, _cthread_160, 1) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@673.3--673.86) [2293]"} + Measure$check(Heap, _method_measures_160, _cthread_160, 1); + + // -- Inhaling postcondition + assume state(Heap, Mask); + assume (forall _r_19: Ref :: + { Mask[_r_19, MustReleaseBounded] } + HasDirectPerm(Mask, _r_19, MustReleaseBounded) ==> Level(Heap, _r_19) <= _cwl_160 + ); + assume state(Heap, Mask); + assume (forall _r_19_1: Ref :: + { Mask[_r_19_1, MustReleaseUnbounded] } + HasDirectPerm(Mask, _r_19_1, MustReleaseUnbounded) ==> Level(Heap, _r_19_1) <= _cwl_160 + ); + assume _residue_160 <= _cwl_160; + perm := FullPerm; + assume list_0 != null; + Mask[list_0, list_acc] := Mask[list_0, list_acc] + perm; + assume state(Heap, Mask); + assume Seq#Equal(Heap[list_0, list_acc], (Seq#Empty(): Seq Ref)); + assume (typeof(list_0): PyTypeDomainType) == (list((list_arg((typeof(list_0): PyTypeDomainType), 0): PyTypeDomainType)): PyTypeDomainType); + assume (Low(list_0): bool); + assume state(Heap, Mask); + assume Heap[list_0, $allocated]; + assume state(Heap, Mask); + + // -- Translating statement: // id = 59 + // inhale issubtype(typeof(list_0), list(Ticket())) -- testsfunctionalverificationexamplescav_example.py.vpr@674.3--674.51 + assume (issubtype((typeof(list_0): PyTypeDomainType), (list(Ticket): PyTypeDomainType)): bool); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 60 + // res := list_0 -- testsfunctionalverificationexamplescav_example.py.vpr@675.3--675.16 + res := list_0; + assume state(Heap, Mask); + + // -- Translating statement: // id = 61 + // inhale _isDefined(7562610) -- testsfunctionalverificationexamplescav_example.py.vpr@676.3--676.29 + assume state(Heap, Mask); + + // -- Check definedness of _isDefined(7562610) + if (*) { + // Stop execution + assume false; + } + assume _isDefined(Heap, 7562610); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 62 + // iterable := _checkDefined(seats, 495873779059) -- testsfunctionalverificationexamplescav_example.py.vpr@677.3--677.49 + + // -- Check definedness of _checkDefined(seats, 495873779059) + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function _checkDefined might not hold. Assertion _isDefined(495873779059) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@677.15--677.49) [2294]"} + _isDefined(Heap, 495873779059); + // Stop execution + assume false; + } + iterable := _checkDefined(Heap, seats, 495873779059); + assume state(Heap, Mask); + + // -- Translating statement: // id = 63 + // _cwl_160, iter := list___iter__(_cthread_160, _method_measures_160, _residue_160, + // iterable) -- testsfunctionalverificationexamplescav_example.py.vpr@678.3--678.94 + PreCallHeap := Heap; + PreCallMask := Mask; + havoc _cwl_160, iter; + + // -- Exhaling precondition + assert {:msg " The precondition of method list___iter__ might not hold. Assertion _cthread_160 != null might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@678.3--678.94) [2295]"} + _cthread_160 != null; + assert {:msg " The precondition of method list___iter__ might not hold. Assertion Measure$check(_method_measures_160, _cthread_160, 1) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@678.3--678.94) [2296]"} + Measure$check(Heap, _method_measures_160, _cthread_160, 1); + assert {:msg " The precondition of method list___iter__ might not hold. Assertion issubtype(typeof(_cthread_160), Thread_0()) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@678.3--678.94) [2297]"} + (issubtype((typeof(_cthread_160): PyTypeDomainType), Thread_0): bool); + assert {:msg " The precondition of method list___iter__ might not hold. Assertion issubtype(typeof(iterable), list(list_arg(typeof(iterable), 0))) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@678.3--678.94) [2298]"} + (issubtype((typeof(iterable): PyTypeDomainType), (list((list_arg((typeof(iterable): PyTypeDomainType), 0): PyTypeDomainType)): PyTypeDomainType)): bool); + assert {:msg " The precondition of method list___iter__ might not hold. Fraction 1 / 10 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@678.3--678.94) [2299]"} + 1 / 10 >= NoPerm; + perm := 1 / 10; + if (perm != NoPerm) { + assert {:msg " The precondition of method list___iter__ might not hold. There might be insufficient permission to access iterable.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@678.3--678.94) [2300]"} + perm <= Mask[iterable, list_acc]; + } + Mask[iterable, list_acc] := Mask[iterable, list_acc] - perm; + assert {:msg " The precondition of method list___iter__ might not hold. Assertion Measure$check(_method_measures_160, _cthread_160, 1) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@678.3--678.94) [2301]"} + Measure$check(Heap, _method_measures_160, _cthread_160, 1); + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + + // -- Inhaling postcondition + assume state(Heap, Mask); + assume (forall _r_23: Ref :: + { Mask[_r_23, MustReleaseBounded] } + HasDirectPerm(Mask, _r_23, MustReleaseBounded) ==> Level(Heap, _r_23) <= _cwl_160 + ); + assume state(Heap, Mask); + assume (forall _r_23_1: Ref :: + { Mask[_r_23_1, MustReleaseUnbounded] } + HasDirectPerm(Mask, _r_23_1, MustReleaseUnbounded) ==> Level(Heap, _r_23_1) <= _cwl_160 + ); + assume _residue_160 <= _cwl_160; + assume iter != iterable; + perm := 1 / 20; + assert {:msg " Method call might fail. Fraction 1 / 20 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@678.3--678.94) [2302]"} + perm >= NoPerm; + assume perm > NoPerm ==> iter != null; + Mask[iter, list_acc] := Mask[iter, list_acc] + perm; + assume state(Heap, Mask); + perm := 1 / 20; + assert {:msg " Method call might fail. Fraction 1 / 20 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@678.3--678.94) [2303]"} + perm >= NoPerm; + assume perm > NoPerm ==> iterable != null; + Mask[iterable, list_acc] := Mask[iterable, list_acc] + perm; + assume state(Heap, Mask); + assume Seq#Equal(Heap[iter, list_acc], Heap[iterable, list_acc]); + perm := FullPerm; + assume iter != null; + Mask[iter, __container] := Mask[iter, __container] + perm; + assume state(Heap, Mask); + assume Heap[iter, __container] == iterable; + perm := FullPerm; + assume iter != null; + Mask[iter, __iter_index] := Mask[iter, __iter_index] + perm; + assume state(Heap, Mask); + assume Heap[iter, __iter_index] == 0; + perm := FullPerm; + assume iter != null; + Mask[iter, __previous] := Mask[iter, __previous] + perm; + assume state(Heap, Mask); + assume Seq#Equal(Heap[iter, __previous], (Seq#Empty(): Seq Ref)); + assume (issubtype((typeof(iter): PyTypeDomainType), (Iterator((list_arg((typeof(iterable): PyTypeDomainType), 0): PyTypeDomainType)): PyTypeDomainType)): bool); + assume state(Heap, Mask); + assume Heap[iter, $allocated]; + assume state(Heap, Mask); + + // -- Translating statement: // id = 64 + // _cwl_160, loop_target, iter_err := Iterator___next__(_cthread_160, _method_measures_160, + // _residue_160, iter) -- testsfunctionalverificationexamplescav_example.py.vpr@679.3--679.111 + PreCallHeap := Heap; + PreCallMask := Mask; + havoc _cwl_160, loop_target, iter_err; + + // -- Exhaling precondition + assert {:msg " The precondition of method Iterator___next__ might not hold. Assertion _cthread_160 != null might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@679.3--679.111) [2304]"} + _cthread_160 != null; + assert {:msg " The precondition of method Iterator___next__ might not hold. Assertion Measure$check(_method_measures_160, _cthread_160, 1) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@679.3--679.111) [2305]"} + Measure$check(Heap, _method_measures_160, _cthread_160, 1); + assert {:msg " The precondition of method Iterator___next__ might not hold. Assertion issubtype(typeof(_cthread_160), Thread_0()) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@679.3--679.111) [2306]"} + (issubtype((typeof(_cthread_160): PyTypeDomainType), Thread_0): bool); + assert {:msg " The precondition of method Iterator___next__ might not hold. Fraction 1 / 40 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@679.3--679.111) [2307]"} + 1 / 40 >= NoPerm; + perm := 1 / 40; + if (perm != NoPerm) { + assert {:msg " The precondition of method Iterator___next__ might not hold. There might be insufficient permission to access iter.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@679.3--679.111) [2308]"} + perm <= Mask[iter, list_acc]; + } + Mask[iter, list_acc] := Mask[iter, list_acc] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " The precondition of method Iterator___next__ might not hold. There might be insufficient permission to access iter.__iter_index (testsfunctionalverificationexamplescav_example.py.vpr@679.3--679.111) [2309]"} + perm <= Mask[iter, __iter_index]; + } + Mask[iter, __iter_index] := Mask[iter, __iter_index] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " The precondition of method Iterator___next__ might not hold. There might be insufficient permission to access iter.__previous (testsfunctionalverificationexamplescav_example.py.vpr@679.3--679.111) [2310]"} + perm <= Mask[iter, __previous]; + } + Mask[iter, __previous] := Mask[iter, __previous] - perm; + assert {:msg " The precondition of method Iterator___next__ might not hold. Assertion Measure$check(_method_measures_160, _cthread_160, 1) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@679.3--679.111) [2311]"} + Measure$check(Heap, _method_measures_160, _cthread_160, 1); + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + + // -- Inhaling postcondition + assume state(Heap, Mask); + assume (forall _r_15: Ref :: + { Mask[_r_15, MustReleaseBounded] } + HasDirectPerm(Mask, _r_15, MustReleaseBounded) ==> Level(Heap, _r_15) <= _cwl_160 + ); + assume state(Heap, Mask); + assume (forall _r_15_1: Ref :: + { Mask[_r_15_1, MustReleaseUnbounded] } + HasDirectPerm(Mask, _r_15_1, MustReleaseUnbounded) ==> Level(Heap, _r_15_1) <= _cwl_160 + ); + assume _residue_160 <= _cwl_160; + perm := 1 / 40; + assert {:msg " Method call might fail. Fraction 1 / 40 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@679.3--679.111) [2312]"} + perm >= NoPerm; + assume perm > NoPerm ==> iter != null; + Mask[iter, list_acc] := Mask[iter, list_acc] + perm; + assume state(Heap, Mask); + assume Seq#Equal(Heap[iter, list_acc], old(PreCallHeap)[iter, list_acc]); + perm := FullPerm; + assume iter != null; + Mask[iter, __iter_index] := Mask[iter, __iter_index] + perm; + assume state(Heap, Mask); + assume Heap[iter, __iter_index] <= Seq#Length(Heap[iter, list_acc]) + 1; + assume (old(PreCallHeap)[iter, __iter_index] == Seq#Length(old(PreCallHeap)[iter, list_acc])) == (iter_err != null); + perm := FullPerm; + assume iter != null; + Mask[iter, __previous] := Mask[iter, __previous] + perm; + assume state(Heap, Mask); + if (iter_err == null) { + assume Heap[iter, __iter_index] == old(PreCallHeap)[iter, __iter_index] + 1; + } + if (iter_err == null) { + assume Heap[iter, __iter_index] > 0; + } + if (iter_err == null) { + assume Seq#Equal(Heap[iter, __previous], Seq#Take(Heap[iter, list_acc], Heap[iter, __iter_index] - 1)); + } + if (Seq#Length(Heap[iter, list_acc]) > 0) { + assume Heap[iter, __iter_index] > 0; + } + if (iter_err != null) { + assume Seq#Equal(Heap[iter, __previous], Heap[iter, list_acc]); + } + if (iter_err != null) { + assume Heap[iter, __iter_index] == Seq#Length(Heap[iter, list_acc]); + } + if (Seq#Length(Heap[iter, list_acc]) > 0) { + assume loop_target == Seq#Index(Heap[iter, list_acc], Heap[iter, __iter_index] - 1); + assume Seq#Contains(Heap[iter, list_acc], loop_target); + } + if (Seq#Length(Heap[iter, list_acc]) > 0) { + assume (issubtype((typeof(loop_target): PyTypeDomainType), (Iterator_arg((typeof(iter): PyTypeDomainType), 0): PyTypeDomainType)): bool); + } + assume (forall r_1: Ref :: + { Seq#ContainsTrigger(Heap[iter, __previous], r_1) } { Seq#Contains(Heap[iter, __previous], r_1) } + Seq#Contains(Heap[iter, __previous], r_1) == (Seq#Contains(old(PreCallHeap)[iter, __previous], r_1) || ((Heap[iter, __iter_index] > 1 && (r_1 == Seq#Index(Heap[iter, list_acc], Heap[iter, __iter_index] - 2) && iter_err == null)) || (Heap[iter, __iter_index] > 0 && (iter_err != null && r_1 == Seq#Index(Heap[iter, list_acc], Heap[iter, __iter_index] - 1))))) + ); + assume state(Heap, Mask); + assume Heap[loop_target, $allocated]; + assume Heap[iter_err, $allocated]; + assume state(Heap, Mask); + + // -- Translating statement: if (iter_err == null) -- testsfunctionalverificationexamplescav_example.py.vpr@680.3--685.4 + if (iter_err == null) { + + // -- Translating statement: // id = 65 + // row_0 := tuple___getitem__(loop_target, 0) -- testsfunctionalverificationexamplescav_example.py.vpr@681.5--681.47 + + // -- Check definedness of tuple___getitem__(loop_target, 0) + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function tuple___getitem__ might not hold. Assertion (let ln == (tuple___len__(loop_target)) in (0 >= 0 ==> 0 < ln) && (0 < 0 ==> 0 >= -ln)) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@681.14--681.47) [2313]"} + 0 < tuple___len__(Heap, loop_target); + + // -- Free assumptions (exhale module) + ln_1 := tuple___len__(Heap, loop_target); + // Stop execution + assume false; + } + row_0 := tuple___getitem__(Heap, loop_target, 0); + assume state(Heap, Mask); + + // -- Translating statement: // id = 66 + // inhale _isDefined(207760093042) -- testsfunctionalverificationexamplescav_example.py.vpr@682.5--682.36 + assume state(Heap, Mask); + + // -- Check definedness of _isDefined(207760093042) + if (*) { + // Stop execution + assume false; + } + assume _isDefined(Heap, 207760093042); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 67 + // seat_0 := tuple___getitem__(loop_target, 1) -- testsfunctionalverificationexamplescav_example.py.vpr@683.5--683.48 + + // -- Check definedness of tuple___getitem__(loop_target, 1) + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function tuple___getitem__ might not hold. Assertion (let ln == (tuple___len__(loop_target)) in (1 >= 0 ==> 1 < ln) && (1 < 0 ==> 1 >= -ln)) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@683.15--683.48) [2314]"} + 1 < tuple___len__(Heap, loop_target); + + // -- Free assumptions (exhale module) + ln_3 := tuple___len__(Heap, loop_target); + // Stop execution + assume false; + } + seat_0 := tuple___getitem__(Heap, loop_target, 1); + assume state(Heap, Mask); + + // -- Translating statement: // id = 68 + // inhale _isDefined(53186532566387) -- testsfunctionalverificationexamplescav_example.py.vpr@684.5--684.38 + assume state(Heap, Mask); + + // -- Check definedness of _isDefined(53186532566387) + if (*) { + // Stop execution + assume false; + } + assume _isDefined(Heap, 53186532566387); + assume state(Heap, Mask); + assume state(Heap, Mask); + } else { + + // -- Translating statement: // id = 69 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 70 + // seqtmp := iterable.list_acc -- testsfunctionalverificationexamplescav_example.py.vpr@686.3--686.30 + + // -- Check definedness of iterable.list_acc + assert {:msg " Assignment might fail. There might be insufficient permission to access iterable.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@686.3--686.30) [2315]"} + HasDirectPerm(Mask, iterable, list_acc); + seqtmp := Heap[iterable, list_acc]; + assume state(Heap, Mask); + + // -- Translating statement: // id = 71 + // _loop_original_must_terminate := perm(MustTerminate(_cthread_160)) -- testsfunctionalverificationexamplescav_example.py.vpr@688.3--688.69 + _loop_original_must_terminate := Mask[null, MustTerminate(_cthread_160)]; + assume state(Heap, Mask); + + // -- Translating statement: // id = 72 + // _loop_termination_flag := true -- testsfunctionalverificationexamplescav_example.py.vpr@690.3--690.33 + _loop_termination_flag := true; + assume state(Heap, Mask); + + // -- Translating statement: // id = 73 + // // LoopInfo(None,Set()) + // _loop_check_before := true -- testsfunctionalverificationexamplescav_example.py.vpr@692.3--692.29 + _loop_check_before := true; + assume state(Heap, Mask); + + // -- Translating statement: while (iter_err == null) -- testsfunctionalverificationexamplescav_example.py.vpr@693.3--751.4 + + // -- Before loop head74 + + // -- Exhale loop invariant before loop + assert {:msg " Loop invariant acc(iterable.list_acc, 1 / 20) might not hold on entry. Fraction 1 / 20 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@695.15--695.45) [2316]"} + 1 / 20 >= NoPerm; + perm := 1 / 20; + if (perm != NoPerm) { + assert {:msg " Loop invariant acc(iterable.list_acc, 1 / 20) might not hold on entry. There might be insufficient permission to access iterable.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@695.15--695.45) [2317]"} + perm <= Mask[iterable, list_acc]; + } + Mask[iterable, list_acc] := Mask[iterable, list_acc] - perm; + assert {:msg " Loop invariant acc(iter.list_acc, 1 / 20) might not hold on entry. Fraction 1 / 20 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@696.15--696.41) [2318]"} + 1 / 20 >= NoPerm; + perm := 1 / 20; + if (perm != NoPerm) { + assert {:msg " Loop invariant acc(iter.list_acc, 1 / 20) might not hold on entry. There might be insufficient permission to access iter.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@696.15--696.41) [2319]"} + perm <= Mask[iter, list_acc]; + } + Mask[iter, list_acc] := Mask[iter, list_acc] - perm; + assert {:msg " Loop invariant iter.list_acc == iterable.list_acc might not hold on entry. Assertion iter.list_acc == iterable.list_acc might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@697.15--697.49) [2320]"} + Seq#Equal(Heap[iter, list_acc], Heap[iterable, list_acc]); + assert {:msg " Loop invariant seqtmp == iterable.list_acc might not hold on entry. Assertion seqtmp == iterable.list_acc might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@698.15--698.42) [2321]"} + Seq#Equal(seqtmp, Heap[iterable, list_acc]); + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Loop invariant acc(iter.__iter_index, write) might not hold on entry. There might be insufficient permission to access iter.__iter_index (testsfunctionalverificationexamplescav_example.py.vpr@699.15--699.44) [2322]"} + perm <= Mask[iter, __iter_index]; + } + Mask[iter, __iter_index] := Mask[iter, __iter_index] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Loop invariant acc(iter.__previous, write) might not hold on entry. There might be insufficient permission to access iter.__previous (testsfunctionalverificationexamplescav_example.py.vpr@700.15--700.42) [2323]"} + perm <= Mask[iter, __previous]; + } + Mask[iter, __previous] := Mask[iter, __previous] - perm; + if (iter_err == null) { + assert {:msg " Loop invariant iter_err == null ==> iter.__iter_index - 1 == |iter.__previous| might not hold on entry. Assertion iter.__iter_index - 1 == |iter.__previous| might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@701.15--701.78) [2324]"} + Heap[iter, __iter_index] - 1 == Seq#Length(Heap[iter, __previous]); + } + if (iter_err != null) { + assert {:msg " Loop invariant iter_err != null ==> iter.__iter_index == |iter.__previous| might not hold on entry. Assertion iter.__iter_index == |iter.__previous| might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@702.15--702.74) [2325]"} + Heap[iter, __iter_index] == Seq#Length(Heap[iter, __previous]); + } + if (iter_err == null) { + assert {:msg " Loop invariant iter_err == null ==> |iter.list_acc| > 0 might not hold on entry. Assertion |iter.list_acc| > 0 might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@703.15--703.55) [2326]"} + Seq#Length(Heap[iter, list_acc]) > 0; + } + assert {:msg " Loop invariant iter.__iter_index >= 0 && iter.__iter_index <= |iter.list_acc| might not hold on entry. Assertion iter.__iter_index >= 0 might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@704.15--704.77) [2327]"} + Heap[iter, __iter_index] >= 0; + assert {:msg " Loop invariant iter.__iter_index >= 0 && iter.__iter_index <= |iter.list_acc| might not hold on entry. Assertion iter.__iter_index <= |iter.list_acc| might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@704.15--704.77) [2328]"} + Heap[iter, __iter_index] <= Seq#Length(Heap[iter, list_acc]); + if (Seq#Length(Heap[iter, list_acc]) > 0) { + assert {:msg " Loop invariant |iter.list_acc| > 0 ==> iter.__iter_index > 0 might not hold on entry. Assertion iter.__iter_index > 0 might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@705.15--705.60) [2329]"} + Heap[iter, __iter_index] > 0; + } + if (Seq#Length(Heap[iter, list_acc]) > 0) { + assert {:msg " Loop invariant |iter.list_acc| > 0 ==> loop_target == iter.list_acc[iter.__iter_index - 1] might not hold on entry. Assertion loop_target == iter.list_acc[iter.__iter_index - 1] might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@706.15--706.90) [2330]"} + loop_target == Seq#Index(Heap[iter, list_acc], Heap[iter, __iter_index] - 1); + } + if (Seq#Length(Heap[iter, list_acc]) > 0) { + assert {:msg " Loop invariant |iter.list_acc| > 0 ==> (loop_target in iter.list_acc) might not hold on entry. Assertion (loop_target in iter.list_acc) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@707.15--707.69) [2331]"} + Seq#Contains(Heap[iter, list_acc], loop_target); + } + if (iter_err == null) { + assert {:msg " Loop invariant iter_err == null ==> iter.__previous == iter.list_acc[..iter.__iter_index - 1] might not hold on entry. Assertion iter.__previous == iter.list_acc[..iter.__iter_index - 1] might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@708.15--708.93) [2332]"} + Seq#Equal(Heap[iter, __previous], Seq#Take(Heap[iter, list_acc], Heap[iter, __iter_index] - 1)); + } + if (Seq#Length(Heap[iter, list_acc]) > 0) { + assert {:msg " Loop invariant |iter.list_acc| > 0 ==> issubtype(typeof(loop_target), tuple(Seq(int(), int()))) might not hold on entry. Assertion issubtype(typeof(loop_target), tuple(Seq(int(), int()))) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@709.15--709.95) [2333]"} + (issubtype((typeof(loop_target): PyTypeDomainType), (tuple(Seq#Append(Seq#Singleton(vint), Seq#Singleton(vint))): PyTypeDomainType)): bool); + } + if (Seq#Length(Heap[iter, list_acc]) > 0) { + assert {:msg " Loop invariant |iter.list_acc| > 0 ==> row_0 == tuple___getitem__(loop_target, 0) && _isDefined(207760093042) might not hold on entry. Assertion row_0 == tuple___getitem__(loop_target, 0) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@710.15--710.109) [2334]"} + row_0 == tuple___getitem__(Heap, loop_target, 0); + assert {:msg " Loop invariant |iter.list_acc| > 0 ==> row_0 == tuple___getitem__(loop_target, 0) && _isDefined(207760093042) might not hold on entry. Assertion _isDefined(207760093042) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@710.15--710.109) [2335]"} + _isDefined(Heap, 207760093042); + } + if (Seq#Length(Heap[iter, list_acc]) > 0) { + assert {:msg " Loop invariant |iter.list_acc| > 0 ==> seat_0 == tuple___getitem__(loop_target, 1) && _isDefined(53186532566387) might not hold on entry. Assertion seat_0 == tuple___getitem__(loop_target, 1) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@711.15--711.112) [2336]"} + seat_0 == tuple___getitem__(Heap, loop_target, 1); + assert {:msg " Loop invariant |iter.list_acc| > 0 ==> seat_0 == tuple___getitem__(loop_target, 1) && _isDefined(53186532566387) might not hold on entry. Assertion _isDefined(53186532566387) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@711.15--711.112) [2337]"} + _isDefined(Heap, 53186532566387); + } + if (iter_err != null) { + assert {:msg " Loop invariant iter_err != null ==> iter.__previous == iter.list_acc might not hold on entry. Assertion iter.__previous == iter.list_acc might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@712.15--712.68) [2338]"} + Seq#Equal(Heap[iter, __previous], Heap[iter, list_acc]); + } + if (Seq#Length(Heap[iter, list_acc]) == 0) { + assert {:msg " Loop invariant |iter.list_acc| == 0 ==> iter_err != null might not hold on entry. Assertion iter_err != null might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@713.15--713.56) [2339]"} + iter_err != null; + } + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Loop invariant acc(_checkDefined(res, 7562610).list_acc, write) && int___eq__(__prim__int___box__(list___len__(_checkDefined(res, 7562610))), __prim__int___box__(PSeq___len__(PSeq___create__(iter.__previous, int())))) might not hold on entry. There might be insufficient permission to access _checkDefined(res, 7562610).list_acc (testsfunctionalverificationexamplescav_example.py.vpr@715.15--715.217) [2340]"} + perm <= Mask[_checkDefined(Heap, res, 7562610), list_acc]; + } + Mask[_checkDefined(Heap, res, 7562610), list_acc] := Mask[_checkDefined(Heap, res, 7562610), list_acc] - perm; + assert {:msg " Loop invariant acc(_checkDefined(res, 7562610).list_acc, write) && int___eq__(__prim__int___box__(list___len__(_checkDefined(res, 7562610))), __prim__int___box__(PSeq___len__(PSeq___create__(iter.__previous, int())))) might not hold on entry. Assertion int___eq__(__prim__int___box__(list___len__(_checkDefined(res, 7562610))), __prim__int___box__(PSeq___len__(PSeq___create__(iter.__previous, int())))) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@715.15--715.217) [2341]"} + int___eq__(Heap, __prim__int___box__(Heap, list___len__(Heap, _checkDefined(Heap, res, 7562610))), __prim__int___box__(Heap, PSeq___len__(Heap, PSeq___create__(Heap, Heap[iter, __previous], vint)))); + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver acc(Ticket_state(lambda46_30$t), write) is injective + assert {:msg " Loop invariant true && ((forall lambda46_30$t: Ref :: { (lambda46_30$t in _checkDefined(res, 7562610).list_acc) } issubtype(typeof(lambda46_30$t), Ticket()) && (lambda46_30$t in _checkDefined(res, 7562610).list_acc) ==> acc(Ticket_state(lambda46_30$t), write)) && ((forall lambda46_30$t: Ref :: { (lambda46_30$t in _checkDefined(res, 7562610).list_acc) } issubtype(typeof(lambda46_30$t), Ticket()) && ((lambda46_30$t in _checkDefined(res, 7562610).list_acc) && code_1 != null) ==> acc(lambda46_30$t.Ticket_discount_code, write)) && (forall lambda46_30$t: Ref :: { (lambda46_30$t in _checkDefined(res, 7562610).list_acc) } issubtype(typeof(lambda46_30$t), Ticket()) && ((lambda46_30$t in _checkDefined(res, 7562610).list_acc) && code_1 != null) ==> issubtype(typeof(lambda46_30$t.Ticket_discount_code), str())))) might not hold on entry. Quantified resource Ticket_state(lambda46_30$t) might not be injective. (testsfunctionalverificationexamplescav_example.py.vpr@716.15--716.803) [2342]"} + (forall lambda46_30$t: Ref, lambda46_30$t_2: Ref :: + { neverTriggered1(lambda46_30$t), neverTriggered1(lambda46_30$t_2) } + (((lambda46_30$t != lambda46_30$t_2 && ((issubtype((typeof(lambda46_30$t): PyTypeDomainType), Ticket): bool) && Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t))) && ((issubtype((typeof(lambda46_30$t_2): PyTypeDomainType), Ticket): bool) && Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_2))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> lambda46_30$t != lambda46_30$t_2 + ); + + // -- check if sufficient permission is held + assert {:msg " Loop invariant true && ((forall lambda46_30$t: Ref :: { (lambda46_30$t in _checkDefined(res, 7562610).list_acc) } issubtype(typeof(lambda46_30$t), Ticket()) && (lambda46_30$t in _checkDefined(res, 7562610).list_acc) ==> acc(Ticket_state(lambda46_30$t), write)) && ((forall lambda46_30$t: Ref :: { (lambda46_30$t in _checkDefined(res, 7562610).list_acc) } issubtype(typeof(lambda46_30$t), Ticket()) && ((lambda46_30$t in _checkDefined(res, 7562610).list_acc) && code_1 != null) ==> acc(lambda46_30$t.Ticket_discount_code, write)) && (forall lambda46_30$t: Ref :: { (lambda46_30$t in _checkDefined(res, 7562610).list_acc) } issubtype(typeof(lambda46_30$t), Ticket()) && ((lambda46_30$t in _checkDefined(res, 7562610).list_acc) && code_1 != null) ==> issubtype(typeof(lambda46_30$t.Ticket_discount_code), str())))) might not hold on entry. There might be insufficient permission to access Ticket_state(lambda46_30$t) (testsfunctionalverificationexamplescav_example.py.vpr@716.15--716.803) [2343]"} + (forall lambda46_30$t: Ref :: + { Heap[null, Ticket_state(lambda46_30$t)] } { Mask[null, Ticket_state(lambda46_30$t)] } { Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t) } + (issubtype((typeof(lambda46_30$t): PyTypeDomainType), Ticket): bool) && Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t) ==> Mask[null, Ticket_state(lambda46_30$t)] >= FullPerm + ); + + // -- assumptions for inverse of receiver acc(Ticket_state(lambda46_30$t), write) + assume (forall lambda46_30$t: Ref :: + { Heap[null, Ticket_state(lambda46_30$t)] } { Mask[null, Ticket_state(lambda46_30$t)] } { Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t) } + ((issubtype((typeof(lambda46_30$t): PyTypeDomainType), Ticket): bool) && Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t)) && NoPerm < FullPerm ==> invRecv1(lambda46_30$t) == lambda46_30$t && qpRange1(lambda46_30$t) + ); + assume (forall self_1: Ref :: + { invRecv1(self_1) } + (((issubtype((typeof(invRecv1(self_1)): PyTypeDomainType), Ticket): bool) && Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], invRecv1(self_1))) && NoPerm < FullPerm) && qpRange1(self_1) ==> invRecv1(self_1) == self_1 + ); + + // -- assume permission updates for predicate Ticket_state + assume (forall self_1: Ref :: + { QPMask[null, Ticket_state(self_1)] } + (((issubtype((typeof(invRecv1(self_1)): PyTypeDomainType), Ticket): bool) && Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], invRecv1(self_1))) && NoPerm < FullPerm) && qpRange1(self_1) ==> invRecv1(self_1) == self_1 && QPMask[null, Ticket_state(self_1)] == Mask[null, Ticket_state(self_1)] - FullPerm + ); + assume (forall self_1: Ref :: + { QPMask[null, Ticket_state(self_1)] } + !((((issubtype((typeof(invRecv1(self_1)): PyTypeDomainType), Ticket): bool) && Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], invRecv1(self_1))) && NoPerm < FullPerm) && qpRange1(self_1)) ==> QPMask[null, Ticket_state(self_1)] == Mask[null, Ticket_state(self_1)] + ); + + // -- assume permission updates for independent locations + assume (forall o_4: Ref, f_6: (Field A B) :: + { Mask[o_4, f_6] } { QPMask[o_4, f_6] } + (o_4 != null || !IsPredicateField(f_6)) || getPredicateId(f_6) != 4 ==> Mask[o_4, f_6] == QPMask[o_4, f_6] + ); + Mask := QPMask; + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver lambda46_30$t is injective + assert {:msg " Loop invariant true && ((forall lambda46_30$t: Ref :: { (lambda46_30$t in _checkDefined(res, 7562610).list_acc) } issubtype(typeof(lambda46_30$t), Ticket()) && (lambda46_30$t in _checkDefined(res, 7562610).list_acc) ==> acc(Ticket_state(lambda46_30$t), write)) && ((forall lambda46_30$t: Ref :: { (lambda46_30$t in _checkDefined(res, 7562610).list_acc) } issubtype(typeof(lambda46_30$t), Ticket()) && ((lambda46_30$t in _checkDefined(res, 7562610).list_acc) && code_1 != null) ==> acc(lambda46_30$t.Ticket_discount_code, write)) && (forall lambda46_30$t: Ref :: { (lambda46_30$t in _checkDefined(res, 7562610).list_acc) } issubtype(typeof(lambda46_30$t), Ticket()) && ((lambda46_30$t in _checkDefined(res, 7562610).list_acc) && code_1 != null) ==> issubtype(typeof(lambda46_30$t.Ticket_discount_code), str())))) might not hold on entry. Quantified resource lambda46_30$t.Ticket_discount_code might not be injective. (testsfunctionalverificationexamplescav_example.py.vpr@716.15--716.803) [2344]"} + (forall lambda46_30$t_1: Ref, lambda46_30$t_1_1: Ref :: + { neverTriggered2(lambda46_30$t_1), neverTriggered2(lambda46_30$t_1_1) } + (((lambda46_30$t_1 != lambda46_30$t_1_1 && ((issubtype((typeof(lambda46_30$t_1): PyTypeDomainType), Ticket): bool) && (Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_1) && code_1 != null))) && ((issubtype((typeof(lambda46_30$t_1_1): PyTypeDomainType), Ticket): bool) && (Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_1_1) && code_1 != null))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> lambda46_30$t_1 != lambda46_30$t_1_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Loop invariant true && ((forall lambda46_30$t: Ref :: { (lambda46_30$t in _checkDefined(res, 7562610).list_acc) } issubtype(typeof(lambda46_30$t), Ticket()) && (lambda46_30$t in _checkDefined(res, 7562610).list_acc) ==> acc(Ticket_state(lambda46_30$t), write)) && ((forall lambda46_30$t: Ref :: { (lambda46_30$t in _checkDefined(res, 7562610).list_acc) } issubtype(typeof(lambda46_30$t), Ticket()) && ((lambda46_30$t in _checkDefined(res, 7562610).list_acc) && code_1 != null) ==> acc(lambda46_30$t.Ticket_discount_code, write)) && (forall lambda46_30$t: Ref :: { (lambda46_30$t in _checkDefined(res, 7562610).list_acc) } issubtype(typeof(lambda46_30$t), Ticket()) && ((lambda46_30$t in _checkDefined(res, 7562610).list_acc) && code_1 != null) ==> issubtype(typeof(lambda46_30$t.Ticket_discount_code), str())))) might not hold on entry. There might be insufficient permission to access lambda46_30$t.Ticket_discount_code (testsfunctionalverificationexamplescav_example.py.vpr@716.15--716.803) [2345]"} + (forall lambda46_30$t_1: Ref :: + { Heap[lambda46_30$t_1, Ticket_discount_code] } { QPMask[lambda46_30$t_1, Ticket_discount_code] } { Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_1) } + (issubtype((typeof(lambda46_30$t_1): PyTypeDomainType), Ticket): bool) && (Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_1) && code_1 != null) ==> Mask[lambda46_30$t_1, Ticket_discount_code] >= FullPerm + ); + + // -- assumptions for inverse of receiver lambda46_30$t + assume (forall lambda46_30$t_1: Ref :: + { Heap[lambda46_30$t_1, Ticket_discount_code] } { QPMask[lambda46_30$t_1, Ticket_discount_code] } { Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_1) } + ((issubtype((typeof(lambda46_30$t_1): PyTypeDomainType), Ticket): bool) && (Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_1) && code_1 != null)) && NoPerm < FullPerm ==> qpRange2(lambda46_30$t_1) && invRecv2(lambda46_30$t_1) == lambda46_30$t_1 + ); + assume (forall o_4: Ref :: + { invRecv2(o_4) } + ((issubtype((typeof(invRecv2(o_4)): PyTypeDomainType), Ticket): bool) && (Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], invRecv2(o_4)) && code_1 != null)) && (NoPerm < FullPerm && qpRange2(o_4)) ==> invRecv2(o_4) == o_4 + ); + + // -- assume permission updates for field Ticket_discount_code + assume (forall o_4: Ref :: + { QPMask[o_4, Ticket_discount_code] } + (((issubtype((typeof(invRecv2(o_4)): PyTypeDomainType), Ticket): bool) && (Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], invRecv2(o_4)) && code_1 != null)) && (NoPerm < FullPerm && qpRange2(o_4)) ==> invRecv2(o_4) == o_4 && QPMask[o_4, Ticket_discount_code] == Mask[o_4, Ticket_discount_code] - FullPerm) && (!(((issubtype((typeof(invRecv2(o_4)): PyTypeDomainType), Ticket): bool) && (Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], invRecv2(o_4)) && code_1 != null)) && (NoPerm < FullPerm && qpRange2(o_4))) ==> QPMask[o_4, Ticket_discount_code] == Mask[o_4, Ticket_discount_code]) + ); + + // -- assume permission updates for independent locations + assume (forall o_4: Ref, f_6: (Field A B) :: + { QPMask[o_4, f_6] } + f_6 != Ticket_discount_code ==> Mask[o_4, f_6] == QPMask[o_4, f_6] + ); + Mask := QPMask; + if (*) { + if ((issubtype((typeof(lambda46_30$t_2_1): PyTypeDomainType), Ticket): bool) && (Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_2_1) && code_1 != null)) { + assert {:msg " Loop invariant true && ((forall lambda46_30$t: Ref :: { (lambda46_30$t in _checkDefined(res, 7562610).list_acc) } issubtype(typeof(lambda46_30$t), Ticket()) && (lambda46_30$t in _checkDefined(res, 7562610).list_acc) ==> acc(Ticket_state(lambda46_30$t), write)) && ((forall lambda46_30$t: Ref :: { (lambda46_30$t in _checkDefined(res, 7562610).list_acc) } issubtype(typeof(lambda46_30$t), Ticket()) && ((lambda46_30$t in _checkDefined(res, 7562610).list_acc) && code_1 != null) ==> acc(lambda46_30$t.Ticket_discount_code, write)) && (forall lambda46_30$t: Ref :: { (lambda46_30$t in _checkDefined(res, 7562610).list_acc) } issubtype(typeof(lambda46_30$t), Ticket()) && ((lambda46_30$t in _checkDefined(res, 7562610).list_acc) && code_1 != null) ==> issubtype(typeof(lambda46_30$t.Ticket_discount_code), str())))) might not hold on entry. Assertion issubtype(typeof(lambda46_30$t.Ticket_discount_code), str()) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@716.15--716.803) [2346]"} + (issubtype((typeof(Heap[lambda46_30$t_2_1, Ticket_discount_code]): PyTypeDomainType), str): bool); + } + assume false; + } + assume (forall lambda46_30$t_3_1: Ref :: + { Seq#ContainsTrigger(Heap[_checkDefined#frame(EmptyFrame, res, 7562610), list_acc], lambda46_30$t_3_1) } { Seq#Contains(Heap[_checkDefined#frame(EmptyFrame, res, 7562610), list_acc], lambda46_30$t_3_1) } + (issubtype((typeof(lambda46_30$t_3_1): PyTypeDomainType), Ticket): bool) && (Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_3_1) && code_1 != null) ==> (issubtype((typeof(Heap[lambda46_30$t_3_1, Ticket_discount_code]): PyTypeDomainType), str): bool) + ); + if (iter_err == null) { + assert {:msg " Loop invariant (iter_err == null ==> int___sub__(list___len__(_checkDefined(seats, 495873779059)), list___len__(_checkDefined(res, 7562610))) > 0) && [acc(MustTerminate(_cthread_160), write), true] might not hold on entry. Assertion int___sub__(list___len__(_checkDefined(seats, 495873779059)), list___len__(_checkDefined(res, 7562610))) > 0 might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@717.15--717.197) [2347]"} + int___sub__(Heap, list___len__(Heap, _checkDefined(Heap, seats, 495873779059)), list___len__(Heap, _checkDefined(Heap, res, 7562610))) > 0; + } + if (_loop_check_before) { + assert {:msg " Loop invariant [true, _loop_check_before ==> _loop_termination_flag || (!(iter_err == null) || perm(MustTerminate(_cthread_160)) == none && ((forperm _r_2: Ref [MustInvokeBounded(_r_2)] :: false) && ((forperm _r_2: Ref [MustInvokeUnbounded(_r_2)] :: false) && ((forperm _r_2: Ref [_r_2.MustReleaseBounded] :: false) && (forperm _r_2: Ref [_r_2.MustReleaseUnbounded] :: false)))))] might not hold on entry. Assertion _loop_termination_flag || (!(iter_err == null) || perm(MustTerminate(_cthread_160)) == none && ((forperm _r_2: Ref [MustInvokeBounded(_r_2)] :: false) && ((forperm _r_2: Ref [MustInvokeUnbounded(_r_2)] :: false) && ((forperm _r_2: Ref [_r_2.MustReleaseBounded] :: false) && (forperm _r_2: Ref [_r_2.MustReleaseUnbounded] :: false))))) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@718.15--718.380) [2348]"} + _loop_termination_flag || (!(iter_err == null) || (Mask[null, MustTerminate(_cthread_160)] == NoPerm && ((forall _r_2_1: Ref :: + { Mask[null, MustInvokeBounded(_r_2_1)] } + HasDirectPerm(Mask, null, MustInvokeBounded(_r_2_1)) ==> false + ) && ((forall _r_2_1_1: Ref :: + { Mask[null, MustInvokeUnbounded(_r_2_1_1)] } + HasDirectPerm(Mask, null, MustInvokeUnbounded(_r_2_1_1)) ==> false + ) && ((forall _r_2_2: Ref :: + { Mask[_r_2_2, MustReleaseBounded] } + HasDirectPerm(Mask, _r_2_2, MustReleaseBounded) ==> false + ) && (forall _r_2_3: Ref :: + { Mask[_r_2_3, MustReleaseUnbounded] } + HasDirectPerm(Mask, _r_2_3, MustReleaseUnbounded) ==> false + )))))); + } + if (!_loop_check_before) { + assert {:msg " Loop invariant [true, !_loop_check_before ==> (forperm _r_2: Ref [MustInvokeBounded(_r_2)] :: false) && ((forperm _r_2: Ref [MustInvokeUnbounded(_r_2)] :: false) && ((forperm _r_2: Ref [_r_2.MustReleaseBounded] :: false) && (forperm _r_2: Ref [_r_2.MustReleaseUnbounded] :: false)))] might not hold on entry. Assertion (forperm _r_2: Ref [MustInvokeBounded(_r_2)] :: false) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@719.15--719.283) [2349]"} + (forall _r_2_4: Ref :: + { Mask[null, MustInvokeBounded(_r_2_4)] } + HasDirectPerm(Mask, null, MustInvokeBounded(_r_2_4)) ==> false + ); + assert {:msg " Loop invariant [true, !_loop_check_before ==> (forperm _r_2: Ref [MustInvokeBounded(_r_2)] :: false) && ((forperm _r_2: Ref [MustInvokeUnbounded(_r_2)] :: false) && ((forperm _r_2: Ref [_r_2.MustReleaseBounded] :: false) && (forperm _r_2: Ref [_r_2.MustReleaseUnbounded] :: false)))] might not hold on entry. Assertion (forperm _r_2: Ref [MustInvokeUnbounded(_r_2)] :: false) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@719.15--719.283) [2350]"} + (forall _r_2_5: Ref :: + { Mask[null, MustInvokeUnbounded(_r_2_5)] } + HasDirectPerm(Mask, null, MustInvokeUnbounded(_r_2_5)) ==> false + ); + assert {:msg " Loop invariant [true, !_loop_check_before ==> (forperm _r_2: Ref [MustInvokeBounded(_r_2)] :: false) && ((forperm _r_2: Ref [MustInvokeUnbounded(_r_2)] :: false) && ((forperm _r_2: Ref [_r_2.MustReleaseBounded] :: false) && (forperm _r_2: Ref [_r_2.MustReleaseUnbounded] :: false)))] might not hold on entry. Assertion (forperm _r_2: Ref [_r_2.MustReleaseBounded] :: false) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@719.15--719.283) [2351]"} + (forall _r_2_6: Ref :: + { Mask[_r_2_6, MustReleaseBounded] } + HasDirectPerm(Mask, _r_2_6, MustReleaseBounded) ==> false + ); + assert {:msg " Loop invariant [true, !_loop_check_before ==> (forperm _r_2: Ref [MustInvokeBounded(_r_2)] :: false) && ((forperm _r_2: Ref [MustInvokeUnbounded(_r_2)] :: false) && ((forperm _r_2: Ref [_r_2.MustReleaseBounded] :: false) && (forperm _r_2: Ref [_r_2.MustReleaseUnbounded] :: false)))] might not hold on entry. Assertion (forperm _r_2: Ref [_r_2.MustReleaseUnbounded] :: false) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@719.15--719.283) [2352]"} + (forall _r_2_7: Ref :: + { Mask[_r_2_7, MustReleaseUnbounded] } + HasDirectPerm(Mask, _r_2_7, MustReleaseUnbounded) ==> false + ); + } + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + + // -- Store frame in mask associated with loop + frameMask74 := Mask; + frameHeap74 := Heap; + + // -- Havoc loop written variables (except locals) + havoc _cwl_160, loop_target, iter_err, _loop_measures, Ticket_res, ticket, row_0, seat_0, _loop_check_before; + assume Heap[loop_target, $allocated]; + assume Heap[iter_err, $allocated]; + assume Heap[Ticket_res, $allocated]; + assume Heap[ticket, $allocated]; + assume Heap[row_0, $allocated]; + assume Heap[seat_0, $allocated]; + + // -- Check definedness of invariant + if (*) { + assume state(Heap, Mask); + + // -- Check definedness of (forperm _r_1: Ref [_r_1.MustReleaseBounded] :: Level(_r_1) <= _residue_161) + if (*) { + if (HasDirectPerm(Mask, _r_1_1, MustReleaseBounded)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _r_1.MustReleaseBounded (testsfunctionalverificationexamplescav_example.py.vpr@694.15--694.215) [2353]"} + HasDirectPerm(Mask, _r_1_1, MustReleaseBounded); + if (*) { + // Stop execution + assume false; + } + } + assume false; + } + assume (forall _r_1_2: Ref :: + { Mask[_r_1_2, MustReleaseBounded] } + HasDirectPerm(Mask, _r_1_2, MustReleaseBounded) ==> Level(Heap, _r_1_2) <= _residue_161 + ); + assume state(Heap, Mask); + + // -- Check definedness of (forperm _r_1: Ref [_r_1.MustReleaseUnbounded] :: Level(_r_1) <= _residue_161) + if (*) { + if (HasDirectPerm(Mask, _r_1_3, MustReleaseUnbounded)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _r_1.MustReleaseUnbounded (testsfunctionalverificationexamplescav_example.py.vpr@694.15--694.215) [2354]"} + HasDirectPerm(Mask, _r_1_3, MustReleaseUnbounded); + if (*) { + // Stop execution + assume false; + } + } + assume false; + } + assume (forall _r_1_4: Ref :: + { Mask[_r_1_4, MustReleaseUnbounded] } + HasDirectPerm(Mask, _r_1_4, MustReleaseUnbounded) ==> Level(Heap, _r_1_4) <= _residue_161 + ); + assume _residue_160 <= _residue_161; + assume state(Heap, Mask); + perm := 1 / 20; + assert {:msg " Contract might not be well-formed. Fraction 1 / 20 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@695.15--695.45) [2355]"} + perm >= NoPerm; + assume perm > NoPerm ==> iterable != null; + Mask[iterable, list_acc] := Mask[iterable, list_acc] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + perm := 1 / 20; + assert {:msg " Contract might not be well-formed. Fraction 1 / 20 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@696.15--696.41) [2356]"} + perm >= NoPerm; + assume perm > NoPerm ==> iter != null; + Mask[iter, list_acc] := Mask[iter, list_acc] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of iter.list_acc == iterable.list_acc + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access iter.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@697.15--697.49) [2357]"} + HasDirectPerm(Mask, iter, list_acc); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access iterable.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@697.15--697.49) [2358]"} + HasDirectPerm(Mask, iterable, list_acc); + assume Seq#Equal(Heap[iter, list_acc], Heap[iterable, list_acc]); + assume state(Heap, Mask); + + // -- Check definedness of seqtmp == iterable.list_acc + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access iterable.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@698.15--698.42) [2359]"} + HasDirectPerm(Mask, iterable, list_acc); + assume Seq#Equal(seqtmp, Heap[iterable, list_acc]); + assume state(Heap, Mask); + perm := FullPerm; + assume iter != null; + Mask[iter, __iter_index] := Mask[iter, __iter_index] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + perm := FullPerm; + assume iter != null; + Mask[iter, __previous] := Mask[iter, __previous] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + if (iter_err == null) { + + // -- Check definedness of iter.__iter_index - 1 == |iter.__previous| + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access iter.__iter_index (testsfunctionalverificationexamplescav_example.py.vpr@701.15--701.78) [2360]"} + HasDirectPerm(Mask, iter, __iter_index); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access iter.__previous (testsfunctionalverificationexamplescav_example.py.vpr@701.15--701.78) [2361]"} + HasDirectPerm(Mask, iter, __previous); + assume Heap[iter, __iter_index] - 1 == Seq#Length(Heap[iter, __previous]); + } + assume state(Heap, Mask); + if (iter_err != null) { + + // -- Check definedness of iter.__iter_index == |iter.__previous| + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access iter.__iter_index (testsfunctionalverificationexamplescav_example.py.vpr@702.15--702.74) [2362]"} + HasDirectPerm(Mask, iter, __iter_index); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access iter.__previous (testsfunctionalverificationexamplescav_example.py.vpr@702.15--702.74) [2363]"} + HasDirectPerm(Mask, iter, __previous); + assume Heap[iter, __iter_index] == Seq#Length(Heap[iter, __previous]); + } + assume state(Heap, Mask); + if (iter_err == null) { + + // -- Check definedness of |iter.list_acc| > 0 + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access iter.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@703.15--703.55) [2364]"} + HasDirectPerm(Mask, iter, list_acc); + assume Seq#Length(Heap[iter, list_acc]) > 0; + } + assume state(Heap, Mask); + + // -- Check definedness of iter.__iter_index >= 0 + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access iter.__iter_index (testsfunctionalverificationexamplescav_example.py.vpr@704.15--704.77) [2365]"} + HasDirectPerm(Mask, iter, __iter_index); + assume Heap[iter, __iter_index] >= 0; + + // -- Check definedness of iter.__iter_index <= |iter.list_acc| + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access iter.__iter_index (testsfunctionalverificationexamplescav_example.py.vpr@704.15--704.77) [2366]"} + HasDirectPerm(Mask, iter, __iter_index); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access iter.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@704.15--704.77) [2367]"} + HasDirectPerm(Mask, iter, list_acc); + assume Heap[iter, __iter_index] <= Seq#Length(Heap[iter, list_acc]); + assume state(Heap, Mask); + + // -- Check definedness of |iter.list_acc| > 0 + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access iter.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@705.15--705.60) [2368]"} + HasDirectPerm(Mask, iter, list_acc); + if (Seq#Length(Heap[iter, list_acc]) > 0) { + + // -- Check definedness of iter.__iter_index > 0 + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access iter.__iter_index (testsfunctionalverificationexamplescav_example.py.vpr@705.15--705.60) [2369]"} + HasDirectPerm(Mask, iter, __iter_index); + assume Heap[iter, __iter_index] > 0; + } + assume state(Heap, Mask); + + // -- Check definedness of |iter.list_acc| > 0 + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access iter.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@706.15--706.90) [2370]"} + HasDirectPerm(Mask, iter, list_acc); + if (Seq#Length(Heap[iter, list_acc]) > 0) { + + // -- Check definedness of loop_target == iter.list_acc[iter.__iter_index - 1] + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access iter.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@706.15--706.90) [2371]"} + HasDirectPerm(Mask, iter, list_acc); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access iter.__iter_index (testsfunctionalverificationexamplescav_example.py.vpr@706.15--706.90) [2372]"} + HasDirectPerm(Mask, iter, __iter_index); + assert {:msg " Contract might not be well-formed. Index iter.list_acc[iter.__iter_index - 1] into iter.list_acc might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@706.15--706.90) [2373]"} + Heap[iter, __iter_index] - 1 >= 0; + assert {:msg " Contract might not be well-formed. Index iter.list_acc[iter.__iter_index - 1] into iter.list_acc might exceed sequence length. (testsfunctionalverificationexamplescav_example.py.vpr@706.15--706.90) [2374]"} + Heap[iter, __iter_index] - 1 < Seq#Length(Heap[iter, list_acc]); + assume loop_target == Seq#Index(Heap[iter, list_acc], Heap[iter, __iter_index] - 1); + } + assume state(Heap, Mask); + + // -- Check definedness of |iter.list_acc| > 0 + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access iter.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@707.15--707.69) [2375]"} + HasDirectPerm(Mask, iter, list_acc); + if (Seq#Length(Heap[iter, list_acc]) > 0) { + + // -- Check definedness of (loop_target in iter.list_acc) + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access iter.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@707.15--707.69) [2376]"} + HasDirectPerm(Mask, iter, list_acc); + assume Seq#Contains(Heap[iter, list_acc], loop_target); + } + assume state(Heap, Mask); + if (iter_err == null) { + + // -- Check definedness of iter.__previous == iter.list_acc[..iter.__iter_index - 1] + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access iter.__previous (testsfunctionalverificationexamplescav_example.py.vpr@708.15--708.93) [2377]"} + HasDirectPerm(Mask, iter, __previous); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access iter.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@708.15--708.93) [2378]"} + HasDirectPerm(Mask, iter, list_acc); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access iter.__iter_index (testsfunctionalverificationexamplescav_example.py.vpr@708.15--708.93) [2379]"} + HasDirectPerm(Mask, iter, __iter_index); + assume Seq#Equal(Heap[iter, __previous], Seq#Take(Heap[iter, list_acc], Heap[iter, __iter_index] - 1)); + } + assume state(Heap, Mask); + + // -- Check definedness of |iter.list_acc| > 0 + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access iter.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@709.15--709.95) [2380]"} + HasDirectPerm(Mask, iter, list_acc); + if (Seq#Length(Heap[iter, list_acc]) > 0) { + assume (issubtype((typeof(loop_target): PyTypeDomainType), (tuple(Seq#Append(Seq#Singleton(vint), Seq#Singleton(vint))): PyTypeDomainType)): bool); + } + assume state(Heap, Mask); + + // -- Check definedness of |iter.list_acc| > 0 + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access iter.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@710.15--710.109) [2381]"} + HasDirectPerm(Mask, iter, list_acc); + if (Seq#Length(Heap[iter, list_acc]) > 0) { + assume state(Heap, Mask); + + // -- Check definedness of row_0 == tuple___getitem__(loop_target, 0) + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function tuple___getitem__ might not hold. Assertion (let ln == (tuple___len__(loop_target)) in (0 >= 0 ==> 0 < ln) && (0 < 0 ==> 0 >= -ln)) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@710.48--710.81) [2382]"} + 0 < tuple___len__(Heap, loop_target); + + // -- Free assumptions (exhale module) + ln_5 := tuple___len__(Heap, loop_target); + // Stop execution + assume false; + } + assume row_0 == tuple___getitem__(Heap, loop_target, 0); + assume state(Heap, Mask); + + // -- Check definedness of _isDefined(207760093042) + if (*) { + // Stop execution + assume false; + } + assume _isDefined(Heap, 207760093042); + } + assume state(Heap, Mask); + + // -- Check definedness of |iter.list_acc| > 0 + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access iter.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@711.15--711.112) [2383]"} + HasDirectPerm(Mask, iter, list_acc); + if (Seq#Length(Heap[iter, list_acc]) > 0) { + assume state(Heap, Mask); + + // -- Check definedness of seat_0 == tuple___getitem__(loop_target, 1) + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function tuple___getitem__ might not hold. Assertion (let ln == (tuple___len__(loop_target)) in (1 >= 0 ==> 1 < ln) && (1 < 0 ==> 1 >= -ln)) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@711.49--711.82) [2384]"} + 1 < tuple___len__(Heap, loop_target); + + // -- Free assumptions (exhale module) + ln_7 := tuple___len__(Heap, loop_target); + // Stop execution + assume false; + } + assume seat_0 == tuple___getitem__(Heap, loop_target, 1); + assume state(Heap, Mask); + + // -- Check definedness of _isDefined(53186532566387) + if (*) { + // Stop execution + assume false; + } + assume _isDefined(Heap, 53186532566387); + } + assume state(Heap, Mask); + if (iter_err != null) { + + // -- Check definedness of iter.__previous == iter.list_acc + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access iter.__previous (testsfunctionalverificationexamplescav_example.py.vpr@712.15--712.68) [2385]"} + HasDirectPerm(Mask, iter, __previous); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access iter.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@712.15--712.68) [2386]"} + HasDirectPerm(Mask, iter, list_acc); + assume Seq#Equal(Heap[iter, __previous], Heap[iter, list_acc]); + } + assume state(Heap, Mask); + + // -- Check definedness of |iter.list_acc| == 0 + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access iter.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@713.15--713.56) [2387]"} + HasDirectPerm(Mask, iter, list_acc); + if (Seq#Length(Heap[iter, list_acc]) == 0) { + assume iter_err != null; + } + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of acc(_checkDefined(res, 7562610).list_acc, write) + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function _checkDefined might not hold. Assertion _isDefined(7562610) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@715.19--715.46) [2388]"} + _isDefined(Heap, 7562610); + // Stop execution + assume false; + } + perm := FullPerm; + assume _checkDefined(Heap, res, 7562610) != null; + Mask[_checkDefined(Heap, res, 7562610), list_acc] := Mask[_checkDefined(Heap, res, 7562610), list_acc] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of int___eq__(__prim__int___box__(list___len__(_checkDefined(res, 7562610))), __prim__int___box__(PSeq___len__(PSeq___create__(iter.__previous, int())))) + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function _checkDefined might not hold. Assertion _isDefined(7562610) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@715.111--715.138) [2389]"} + _isDefined(Heap, 7562610); + // Stop execution + assume false; + } + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function list___len__ might not hold. Assertion issubtype(typeof(_checkDefined(res, 7562610)), list(list_arg(typeof(_checkDefined(res, 7562610)), 0))) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@715.98--715.139) [2390]"} + (issubtype((typeof(_checkDefined(Heap, res, 7562610)): PyTypeDomainType), (list((list_arg((typeof(_checkDefined(Heap, res, 7562610)): PyTypeDomainType), 0): PyTypeDomainType)): PyTypeDomainType)): bool); + assert {:msg " Precondition of function list___len__ might not hold. There might be insufficient permission to access _checkDefined(res, 7562610).list_acc (testsfunctionalverificationexamplescav_example.py.vpr@715.98--715.139) [2391]"} + Mask[_checkDefined(Heap, res, 7562610), list_acc] > NoPerm; + havoc wildcard; + assume wildcard < Mask[_checkDefined(Heap, res, 7562610), list_acc]; + Mask[_checkDefined(Heap, res, 7562610), list_acc] := Mask[_checkDefined(Heap, res, 7562610), list_acc] - wildcard; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } + if (*) { + // Stop execution + assume false; + } + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access iter.__previous (testsfunctionalverificationexamplescav_example.py.vpr@715.15--715.217) [2392]"} + HasDirectPerm(Mask, iter, __previous); + if (*) { + // Stop execution + assume false; + } + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function PSeq___len__ might not hold. Assertion issubtype(typeof(PSeq___create__(iter.__previous, int())), PSeq(PSeq_arg(typeof(PSeq___create__(iter.__previous, int())), 0))) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@715.162--715.215) [2393]"} + (issubtype((typeof(PSeq___create__(Heap, Heap[iter, __previous], vint)): PyTypeDomainType), (PSeq((PSeq_arg((typeof(PSeq___create__(Heap, Heap[iter, __previous], vint)): PyTypeDomainType), 0): PyTypeDomainType)): PyTypeDomainType)): bool); + // Stop execution + assume false; + } + if (*) { + // Stop execution + assume false; + } + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function int___eq__ might not hold. Assertion issubtype(typeof(__prim__int___box__(list___len__(_checkDefined(res, 7562610)))), int()) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@715.67--715.217) [2394]"} + (issubtype((typeof(__prim__int___box__(Heap, list___len__(Heap, _checkDefined(Heap, res, 7562610)))): PyTypeDomainType), vint): bool); + assert {:msg " Precondition of function int___eq__ might not hold. Assertion issubtype(typeof(__prim__int___box__(PSeq___len__(PSeq___create__(iter.__previous, int())))), int()) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@715.67--715.217) [2395]"} + (issubtype((typeof(__prim__int___box__(Heap, PSeq___len__(Heap, PSeq___create__(Heap, Heap[iter, __previous], vint)))): PyTypeDomainType), vint): bool); + // Stop execution + assume false; + } + assume int___eq__(Heap, __prim__int___box__(Heap, list___len__(Heap, _checkDefined(Heap, res, 7562610))), __prim__int___box__(Heap, PSeq___len__(Heap, PSeq___create__(Heap, Heap[iter, __previous], vint)))); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of (forall lambda46_30$t: Ref :: { (lambda46_30$t in _checkDefined(res, 7562610).list_acc) } issubtype(typeof(lambda46_30$t), Ticket()) && (lambda46_30$t in _checkDefined(res, 7562610).list_acc) ==> acc(Ticket_state(lambda46_30$t), write)) + if (*) { + if ((issubtype((typeof(lambda46_30$t_3): PyTypeDomainType), Ticket): bool)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _checkDefined(res, 7562610).list_acc (testsfunctionalverificationexamplescav_example.py.vpr@716.15--716.803) [2396]"} + HasDirectPerm(Mask, _checkDefined(Heap, res, 7562610), list_acc); + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function _checkDefined might not hold. Assertion _isDefined(7562610) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@716.177--716.204) [2397]"} + _isDefined(Heap, 7562610); + // Stop execution + assume false; + } + } + assume false; + } + havoc QPMask; + + // -- check if receiver acc(Ticket_state(lambda46_30$t), write) is injective + assert {:msg " Contract might not be well-formed. Quantified resource Ticket_state(lambda46_30$t) might not be injective. (testsfunctionalverificationexamplescav_example.py.vpr@716.15--716.803) [2398]"} + (forall lambda46_30$t_5: Ref, lambda46_30$t_5_1: Ref :: + { neverTriggered3(lambda46_30$t_5), neverTriggered3(lambda46_30$t_5_1) } + (((lambda46_30$t_5 != lambda46_30$t_5_1 && ((issubtype((typeof(lambda46_30$t_5): PyTypeDomainType), Ticket): bool) && Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_5))) && ((issubtype((typeof(lambda46_30$t_5_1): PyTypeDomainType), Ticket): bool) && Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_5_1))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> lambda46_30$t_5 != lambda46_30$t_5_1 + ); + + // -- Define Inverse Function + assume (forall lambda46_30$t_5: Ref :: + { Heap[null, Ticket_state(lambda46_30$t_5)] } { Mask[null, Ticket_state(lambda46_30$t_5)] } { Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_5) } + ((issubtype((typeof(lambda46_30$t_5): PyTypeDomainType), Ticket): bool) && Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_5)) && NoPerm < FullPerm ==> invRecv3(lambda46_30$t_5) == lambda46_30$t_5 && qpRange3(lambda46_30$t_5) + ); + assume (forall self_1_1: Ref :: + { invRecv3(self_1_1) } + (((issubtype((typeof(invRecv3(self_1_1)): PyTypeDomainType), Ticket): bool) && Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], invRecv3(self_1_1))) && NoPerm < FullPerm) && qpRange3(self_1_1) ==> invRecv3(self_1_1) == self_1_1 + ); + + // -- Define updated permissions + assume (forall self_1_1: Ref :: + { QPMask[null, Ticket_state(self_1_1)] } + (((issubtype((typeof(invRecv3(self_1_1)): PyTypeDomainType), Ticket): bool) && Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], invRecv3(self_1_1))) && NoPerm < FullPerm) && qpRange3(self_1_1) ==> (NoPerm < FullPerm ==> invRecv3(self_1_1) == self_1_1) && QPMask[null, Ticket_state(self_1_1)] == Mask[null, Ticket_state(self_1_1)] + FullPerm + ); + + // -- Define independent locations + assume (forall o_4: Ref, f_6: (Field A B) :: + { Mask[o_4, f_6] } { QPMask[o_4, f_6] } + (o_4 != null || !IsPredicateField(f_6)) || getPredicateId(f_6) != 4 ==> Mask[o_4, f_6] == QPMask[o_4, f_6] + ); + assume (forall self_1_1: Ref :: + { QPMask[null, Ticket_state(self_1_1)] } + !((((issubtype((typeof(invRecv3(self_1_1)): PyTypeDomainType), Ticket): bool) && Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], invRecv3(self_1_1))) && NoPerm < FullPerm) && qpRange3(self_1_1)) ==> QPMask[null, Ticket_state(self_1_1)] == Mask[null, Ticket_state(self_1_1)] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of (forall lambda46_30$t: Ref :: { (lambda46_30$t in _checkDefined(res, 7562610).list_acc) } issubtype(typeof(lambda46_30$t), Ticket()) && ((lambda46_30$t in _checkDefined(res, 7562610).list_acc) && code_1 != null) ==> acc(lambda46_30$t.Ticket_discount_code, write)) + if (*) { + if ((issubtype((typeof(lambda46_30$t_4): PyTypeDomainType), Ticket): bool)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _checkDefined(res, 7562610).list_acc (testsfunctionalverificationexamplescav_example.py.vpr@716.15--716.803) [2399]"} + HasDirectPerm(Mask, _checkDefined(Heap, res, 7562610), list_acc); + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function _checkDefined might not hold. Assertion _isDefined(7562610) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@716.417--716.444) [2400]"} + _isDefined(Heap, 7562610); + // Stop execution + assume false; + } + } + assume false; + } + havoc QPMask; + assert {:msg " Contract might not be well-formed. Quantified resource lambda46_30$t.Ticket_discount_code might not be injective. (testsfunctionalverificationexamplescav_example.py.vpr@716.15--716.803) [2401]"} + (forall lambda46_30$t_8: Ref, lambda46_30$t_8_1: Ref :: + + (((lambda46_30$t_8 != lambda46_30$t_8_1 && ((issubtype((typeof(lambda46_30$t_8): PyTypeDomainType), Ticket): bool) && (Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_8) && code_1 != null))) && ((issubtype((typeof(lambda46_30$t_8_1): PyTypeDomainType), Ticket): bool) && (Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_8_1) && code_1 != null))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> lambda46_30$t_8 != lambda46_30$t_8_1 + ); + + // -- Define Inverse Function + assume (forall lambda46_30$t_8: Ref :: + { Heap[lambda46_30$t_8, Ticket_discount_code] } { QPMask[lambda46_30$t_8, Ticket_discount_code] } { Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_8) } + ((issubtype((typeof(lambda46_30$t_8): PyTypeDomainType), Ticket): bool) && (Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_8) && code_1 != null)) && NoPerm < FullPerm ==> qpRange4(lambda46_30$t_8) && invRecv4(lambda46_30$t_8) == lambda46_30$t_8 + ); + assume (forall o_4: Ref :: + { invRecv4(o_4) } + (((issubtype((typeof(invRecv4(o_4)): PyTypeDomainType), Ticket): bool) && (Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], invRecv4(o_4)) && code_1 != null)) && NoPerm < FullPerm) && qpRange4(o_4) ==> invRecv4(o_4) == o_4 + ); + + // -- Assume set of fields is nonNull + assume (forall lambda46_30$t_8: Ref :: + { Heap[lambda46_30$t_8, Ticket_discount_code] } { QPMask[lambda46_30$t_8, Ticket_discount_code] } { Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_8) } + (issubtype((typeof(lambda46_30$t_8): PyTypeDomainType), Ticket): bool) && (Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_8) && code_1 != null) ==> lambda46_30$t_8 != null + ); + + // -- Define permissions + assume (forall o_4: Ref :: + { QPMask[o_4, Ticket_discount_code] } + ((((issubtype((typeof(invRecv4(o_4)): PyTypeDomainType), Ticket): bool) && (Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], invRecv4(o_4)) && code_1 != null)) && NoPerm < FullPerm) && qpRange4(o_4) ==> (NoPerm < FullPerm ==> invRecv4(o_4) == o_4) && QPMask[o_4, Ticket_discount_code] == Mask[o_4, Ticket_discount_code] + FullPerm) && (!((((issubtype((typeof(invRecv4(o_4)): PyTypeDomainType), Ticket): bool) && (Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], invRecv4(o_4)) && code_1 != null)) && NoPerm < FullPerm) && qpRange4(o_4)) ==> QPMask[o_4, Ticket_discount_code] == Mask[o_4, Ticket_discount_code]) + ); + assume (forall o_4: Ref, f_6: (Field A B) :: + { Mask[o_4, f_6] } { QPMask[o_4, f_6] } + f_6 != Ticket_discount_code ==> Mask[o_4, f_6] == QPMask[o_4, f_6] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of (forall lambda46_30$t: Ref :: { (lambda46_30$t in _checkDefined(res, 7562610).list_acc) } issubtype(typeof(lambda46_30$t), Ticket()) && ((lambda46_30$t in _checkDefined(res, 7562610).list_acc) && code_1 != null) ==> issubtype(typeof(lambda46_30$t.Ticket_discount_code), str())) + if (*) { + if ((issubtype((typeof(lambda46_30$t_6): PyTypeDomainType), Ticket): bool)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _checkDefined(res, 7562610).list_acc (testsfunctionalverificationexamplescav_example.py.vpr@716.15--716.803) [2402]"} + HasDirectPerm(Mask, _checkDefined(Heap, res, 7562610), list_acc); + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function _checkDefined might not hold. Assertion _isDefined(7562610) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@716.682--716.709) [2403]"} + _isDefined(Heap, 7562610); + // Stop execution + assume false; + } + } + if ((issubtype((typeof(lambda46_30$t_6): PyTypeDomainType), Ticket): bool) && (Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_6) && code_1 != null)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access lambda46_30$t.Ticket_discount_code (testsfunctionalverificationexamplescav_example.py.vpr@716.15--716.803) [2404]"} + HasDirectPerm(Mask, lambda46_30$t_6, Ticket_discount_code); + } + assume false; + } + assume (forall lambda46_30$t_10: Ref :: + { Seq#ContainsTrigger(Heap[_checkDefined#frame(EmptyFrame, res, 7562610), list_acc], lambda46_30$t_10) } { Seq#Contains(Heap[_checkDefined#frame(EmptyFrame, res, 7562610), list_acc], lambda46_30$t_10) } + (issubtype((typeof(lambda46_30$t_10): PyTypeDomainType), Ticket): bool) && (Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_10) && code_1 != null) ==> (issubtype((typeof(Heap[lambda46_30$t_10, Ticket_discount_code]): PyTypeDomainType), str): bool) + ); + assume state(Heap, Mask); + if (iter_err == null) { + assume state(Heap, Mask); + + // -- Check definedness of int___sub__(list___len__(_checkDefined(seats, 495873779059)), list___len__(_checkDefined(res, 7562610))) > 0 + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function _checkDefined might not hold. Assertion _isDefined(495873779059) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@717.62--717.96) [2405]"} + _isDefined(Heap, 495873779059); + // Stop execution + assume false; + } + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function list___len__ might not hold. Assertion issubtype(typeof(_checkDefined(seats, 495873779059)), list(list_arg(typeof(_checkDefined(seats, 495873779059)), 0))) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@717.49--717.97) [2406]"} + (issubtype((typeof(_checkDefined(Heap, seats, 495873779059)): PyTypeDomainType), (list((list_arg((typeof(_checkDefined(Heap, seats, 495873779059)): PyTypeDomainType), 0): PyTypeDomainType)): PyTypeDomainType)): bool); + assert {:msg " Precondition of function list___len__ might not hold. There might be insufficient permission to access _checkDefined(seats, 495873779059).list_acc (testsfunctionalverificationexamplescav_example.py.vpr@717.49--717.97) [2407]"} + Mask[_checkDefined(Heap, seats, 495873779059), list_acc] > NoPerm; + havoc wildcard; + assume wildcard < Mask[_checkDefined(Heap, seats, 495873779059), list_acc]; + Mask[_checkDefined(Heap, seats, 495873779059), list_acc] := Mask[_checkDefined(Heap, seats, 495873779059), list_acc] - wildcard; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function _checkDefined might not hold. Assertion _isDefined(7562610) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@717.112--717.139) [2408]"} + _isDefined(Heap, 7562610); + // Stop execution + assume false; + } + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function list___len__ might not hold. Assertion issubtype(typeof(_checkDefined(res, 7562610)), list(list_arg(typeof(_checkDefined(res, 7562610)), 0))) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@717.99--717.140) [2409]"} + (issubtype((typeof(_checkDefined(Heap, res, 7562610)): PyTypeDomainType), (list((list_arg((typeof(_checkDefined(Heap, res, 7562610)): PyTypeDomainType), 0): PyTypeDomainType)): PyTypeDomainType)): bool); + assert {:msg " Precondition of function list___len__ might not hold. There might be insufficient permission to access _checkDefined(res, 7562610).list_acc (testsfunctionalverificationexamplescav_example.py.vpr@717.99--717.140) [2410]"} + Mask[_checkDefined(Heap, res, 7562610), list_acc] > NoPerm; + havoc wildcard; + assume wildcard < Mask[_checkDefined(Heap, res, 7562610), list_acc]; + Mask[_checkDefined(Heap, res, 7562610), list_acc] := Mask[_checkDefined(Heap, res, 7562610), list_acc] - wildcard; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } + if (*) { + // Stop execution + assume false; + } + assume int___sub__(Heap, list___len__(Heap, _checkDefined(Heap, seats, 495873779059)), list___len__(Heap, _checkDefined(Heap, res, 7562610))) > 0; + } + perm := FullPerm; + Mask[null, MustTerminate(_cthread_160)] := Mask[null, MustTerminate(_cthread_160)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + assume false; + } + + // -- Check the loop body + if (*) { + // Reset state + loopHeap := Heap; + loopMask := Mask; + Mask := ZeroMask; + assume state(Heap, Mask); + // Inhale invariant + assume state(Heap, Mask); + assume (forall _r_1_5: Ref :: + { Mask[_r_1_5, MustReleaseBounded] } + HasDirectPerm(Mask, _r_1_5, MustReleaseBounded) ==> Level(Heap, _r_1_5) <= _residue_161 + ); + assume state(Heap, Mask); + assume (forall _r_1_6: Ref :: + { Mask[_r_1_6, MustReleaseUnbounded] } + HasDirectPerm(Mask, _r_1_6, MustReleaseUnbounded) ==> Level(Heap, _r_1_6) <= _residue_161 + ); + assume _residue_160 <= _residue_161; + perm := 1 / 20; + assert {:msg " While statement might fail. Fraction 1 / 20 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@695.15--695.45) [2411]"} + perm >= NoPerm; + assume perm > NoPerm ==> iterable != null; + Mask[iterable, list_acc] := Mask[iterable, list_acc] + perm; + assume state(Heap, Mask); + perm := 1 / 20; + assert {:msg " While statement might fail. Fraction 1 / 20 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@696.15--696.41) [2412]"} + perm >= NoPerm; + assume perm > NoPerm ==> iter != null; + Mask[iter, list_acc] := Mask[iter, list_acc] + perm; + assume state(Heap, Mask); + assume Seq#Equal(Heap[iter, list_acc], Heap[iterable, list_acc]); + assume Seq#Equal(seqtmp, Heap[iterable, list_acc]); + perm := FullPerm; + assume iter != null; + Mask[iter, __iter_index] := Mask[iter, __iter_index] + perm; + assume state(Heap, Mask); + perm := FullPerm; + assume iter != null; + Mask[iter, __previous] := Mask[iter, __previous] + perm; + assume state(Heap, Mask); + if (iter_err == null) { + assume Heap[iter, __iter_index] - 1 == Seq#Length(Heap[iter, __previous]); + } + if (iter_err != null) { + assume Heap[iter, __iter_index] == Seq#Length(Heap[iter, __previous]); + } + if (iter_err == null) { + assume Seq#Length(Heap[iter, list_acc]) > 0; + } + assume Heap[iter, __iter_index] >= 0; + assume Heap[iter, __iter_index] <= Seq#Length(Heap[iter, list_acc]); + if (Seq#Length(Heap[iter, list_acc]) > 0) { + assume Heap[iter, __iter_index] > 0; + } + if (Seq#Length(Heap[iter, list_acc]) > 0) { + assume loop_target == Seq#Index(Heap[iter, list_acc], Heap[iter, __iter_index] - 1); + } + if (Seq#Length(Heap[iter, list_acc]) > 0) { + assume Seq#Contains(Heap[iter, list_acc], loop_target); + } + if (iter_err == null) { + assume Seq#Equal(Heap[iter, __previous], Seq#Take(Heap[iter, list_acc], Heap[iter, __iter_index] - 1)); + } + if (Seq#Length(Heap[iter, list_acc]) > 0) { + assume (issubtype((typeof(loop_target): PyTypeDomainType), (tuple(Seq#Append(Seq#Singleton(vint), Seq#Singleton(vint))): PyTypeDomainType)): bool); + } + if (Seq#Length(Heap[iter, list_acc]) > 0) { + assume state(Heap, Mask); + assume row_0 == tuple___getitem__(Heap, loop_target, 0); + assume state(Heap, Mask); + assume _isDefined(Heap, 207760093042); + } + if (Seq#Length(Heap[iter, list_acc]) > 0) { + assume state(Heap, Mask); + assume seat_0 == tuple___getitem__(Heap, loop_target, 1); + assume state(Heap, Mask); + assume _isDefined(Heap, 53186532566387); + } + if (iter_err != null) { + assume Seq#Equal(Heap[iter, __previous], Heap[iter, list_acc]); + } + if (Seq#Length(Heap[iter, list_acc]) == 0) { + assume iter_err != null; + } + assume state(Heap, Mask); + perm := FullPerm; + assume _checkDefined(Heap, res, 7562610) != null; + Mask[_checkDefined(Heap, res, 7562610), list_acc] := Mask[_checkDefined(Heap, res, 7562610), list_acc] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume int___eq__(Heap, __prim__int___box__(Heap, list___len__(Heap, _checkDefined(Heap, res, 7562610))), __prim__int___box__(Heap, PSeq___len__(Heap, PSeq___create__(Heap, Heap[iter, __previous], vint)))); + assume state(Heap, Mask); + havoc QPMask; + + // -- check if receiver acc(Ticket_state(lambda46_30$t), write) is injective + assert {:msg " While statement might fail. Quantified resource Ticket_state(lambda46_30$t) might not be injective. (testsfunctionalverificationexamplescav_example.py.vpr@716.15--716.803) [2413]"} + (forall lambda46_30$t_11: Ref, lambda46_30$t_11_1: Ref :: + { neverTriggered5(lambda46_30$t_11), neverTriggered5(lambda46_30$t_11_1) } + (((lambda46_30$t_11 != lambda46_30$t_11_1 && ((issubtype((typeof(lambda46_30$t_11): PyTypeDomainType), Ticket): bool) && Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_11))) && ((issubtype((typeof(lambda46_30$t_11_1): PyTypeDomainType), Ticket): bool) && Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_11_1))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> lambda46_30$t_11 != lambda46_30$t_11_1 + ); + + // -- Define Inverse Function + assume (forall lambda46_30$t_11: Ref :: + { Heap[null, Ticket_state(lambda46_30$t_11)] } { Mask[null, Ticket_state(lambda46_30$t_11)] } { Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_11) } + ((issubtype((typeof(lambda46_30$t_11): PyTypeDomainType), Ticket): bool) && Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_11)) && NoPerm < FullPerm ==> invRecv5(lambda46_30$t_11) == lambda46_30$t_11 && qpRange5(lambda46_30$t_11) + ); + assume (forall self_1_2: Ref :: + { invRecv5(self_1_2) } + (((issubtype((typeof(invRecv5(self_1_2)): PyTypeDomainType), Ticket): bool) && Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], invRecv5(self_1_2))) && NoPerm < FullPerm) && qpRange5(self_1_2) ==> invRecv5(self_1_2) == self_1_2 + ); + + // -- Define updated permissions + assume (forall self_1_2: Ref :: + { QPMask[null, Ticket_state(self_1_2)] } + (((issubtype((typeof(invRecv5(self_1_2)): PyTypeDomainType), Ticket): bool) && Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], invRecv5(self_1_2))) && NoPerm < FullPerm) && qpRange5(self_1_2) ==> (NoPerm < FullPerm ==> invRecv5(self_1_2) == self_1_2) && QPMask[null, Ticket_state(self_1_2)] == Mask[null, Ticket_state(self_1_2)] + FullPerm + ); + + // -- Define independent locations + assume (forall o_4: Ref, f_6: (Field A B) :: + { Mask[o_4, f_6] } { QPMask[o_4, f_6] } + (o_4 != null || !IsPredicateField(f_6)) || getPredicateId(f_6) != 4 ==> Mask[o_4, f_6] == QPMask[o_4, f_6] + ); + assume (forall self_1_2: Ref :: + { QPMask[null, Ticket_state(self_1_2)] } + !((((issubtype((typeof(invRecv5(self_1_2)): PyTypeDomainType), Ticket): bool) && Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], invRecv5(self_1_2))) && NoPerm < FullPerm) && qpRange5(self_1_2)) ==> QPMask[null, Ticket_state(self_1_2)] == Mask[null, Ticket_state(self_1_2)] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + havoc QPMask; + assert {:msg " While statement might fail. Quantified resource lambda46_30$t.Ticket_discount_code might not be injective. (testsfunctionalverificationexamplescav_example.py.vpr@716.15--716.803) [2414]"} + (forall lambda46_30$t_13: Ref, lambda46_30$t_13_1: Ref :: + + (((lambda46_30$t_13 != lambda46_30$t_13_1 && ((issubtype((typeof(lambda46_30$t_13): PyTypeDomainType), Ticket): bool) && (Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_13) && code_1 != null))) && ((issubtype((typeof(lambda46_30$t_13_1): PyTypeDomainType), Ticket): bool) && (Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_13_1) && code_1 != null))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> lambda46_30$t_13 != lambda46_30$t_13_1 + ); + + // -- Define Inverse Function + assume (forall lambda46_30$t_13: Ref :: + { Heap[lambda46_30$t_13, Ticket_discount_code] } { QPMask[lambda46_30$t_13, Ticket_discount_code] } { Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_13) } + ((issubtype((typeof(lambda46_30$t_13): PyTypeDomainType), Ticket): bool) && (Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_13) && code_1 != null)) && NoPerm < FullPerm ==> qpRange6(lambda46_30$t_13) && invRecv6(lambda46_30$t_13) == lambda46_30$t_13 + ); + assume (forall o_4: Ref :: + { invRecv6(o_4) } + (((issubtype((typeof(invRecv6(o_4)): PyTypeDomainType), Ticket): bool) && (Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], invRecv6(o_4)) && code_1 != null)) && NoPerm < FullPerm) && qpRange6(o_4) ==> invRecv6(o_4) == o_4 + ); + + // -- Assume set of fields is nonNull + assume (forall lambda46_30$t_13: Ref :: + { Heap[lambda46_30$t_13, Ticket_discount_code] } { QPMask[lambda46_30$t_13, Ticket_discount_code] } { Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_13) } + (issubtype((typeof(lambda46_30$t_13): PyTypeDomainType), Ticket): bool) && (Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_13) && code_1 != null) ==> lambda46_30$t_13 != null + ); + + // -- Define permissions + assume (forall o_4: Ref :: + { QPMask[o_4, Ticket_discount_code] } + ((((issubtype((typeof(invRecv6(o_4)): PyTypeDomainType), Ticket): bool) && (Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], invRecv6(o_4)) && code_1 != null)) && NoPerm < FullPerm) && qpRange6(o_4) ==> (NoPerm < FullPerm ==> invRecv6(o_4) == o_4) && QPMask[o_4, Ticket_discount_code] == Mask[o_4, Ticket_discount_code] + FullPerm) && (!((((issubtype((typeof(invRecv6(o_4)): PyTypeDomainType), Ticket): bool) && (Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], invRecv6(o_4)) && code_1 != null)) && NoPerm < FullPerm) && qpRange6(o_4)) ==> QPMask[o_4, Ticket_discount_code] == Mask[o_4, Ticket_discount_code]) + ); + assume (forall o_4: Ref, f_6: (Field A B) :: + { Mask[o_4, f_6] } { QPMask[o_4, f_6] } + f_6 != Ticket_discount_code ==> Mask[o_4, f_6] == QPMask[o_4, f_6] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume (forall lambda46_30$t_14: Ref :: + { Seq#ContainsTrigger(Heap[_checkDefined#frame(EmptyFrame, res, 7562610), list_acc], lambda46_30$t_14) } { Seq#Contains(Heap[_checkDefined#frame(EmptyFrame, res, 7562610), list_acc], lambda46_30$t_14) } + (issubtype((typeof(lambda46_30$t_14): PyTypeDomainType), Ticket): bool) && (Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_14) && code_1 != null) ==> (issubtype((typeof(Heap[lambda46_30$t_14, Ticket_discount_code]): PyTypeDomainType), str): bool) + ); + if (iter_err == null) { + assume state(Heap, Mask); + assume int___sub__(Heap, list___len__(Heap, _checkDefined(Heap, seats, 495873779059)), list___len__(Heap, _checkDefined(Heap, res, 7562610))) > 0; + } + perm := FullPerm; + Mask[null, MustTerminate(_cthread_160)] := Mask[null, MustTerminate(_cthread_160)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + // Check and assume guard + assume iter_err == null; + assume state(Heap, Mask); + + // -- Translate loop body + + // -- Translating statement: // id = 75 + // _loop_measures := Seq(Measure$create(true, _cthread_160, int___sub__(list___len__(_checkDefined(seats, + // 495873779059)), list___len__(_checkDefined(res, 7562610))))) -- testsfunctionalverificationexamplescav_example.py.vpr@721.5--721.168 + + // -- Check definedness of Seq(Measure$create(true, _cthread_160, int___sub__(list___len__(_checkDefined(seats, 495873779059)), list___len__(_checkDefined(res, 7562610))))) + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function _checkDefined might not hold. Assertion _isDefined(495873779059) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@721.87--721.121) [2415]"} + _isDefined(Heap, 495873779059); + // Stop execution + assume false; + } + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function list___len__ might not hold. Assertion issubtype(typeof(_checkDefined(seats, 495873779059)), list(list_arg(typeof(_checkDefined(seats, 495873779059)), 0))) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@721.74--721.122) [2416]"} + (issubtype((typeof(_checkDefined(Heap, seats, 495873779059)): PyTypeDomainType), (list((list_arg((typeof(_checkDefined(Heap, seats, 495873779059)): PyTypeDomainType), 0): PyTypeDomainType)): PyTypeDomainType)): bool); + assert {:msg " Precondition of function list___len__ might not hold. There might be insufficient permission to access _checkDefined(seats, 495873779059).list_acc (testsfunctionalverificationexamplescav_example.py.vpr@721.74--721.122) [2417]"} + Mask[_checkDefined(Heap, seats, 495873779059), list_acc] > NoPerm; + havoc wildcard; + assume wildcard < Mask[_checkDefined(Heap, seats, 495873779059), list_acc]; + Mask[_checkDefined(Heap, seats, 495873779059), list_acc] := Mask[_checkDefined(Heap, seats, 495873779059), list_acc] - wildcard; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function _checkDefined might not hold. Assertion _isDefined(7562610) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@721.137--721.164) [2418]"} + _isDefined(Heap, 7562610); + // Stop execution + assume false; + } + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function list___len__ might not hold. Assertion issubtype(typeof(_checkDefined(res, 7562610)), list(list_arg(typeof(_checkDefined(res, 7562610)), 0))) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@721.124--721.165) [2419]"} + (issubtype((typeof(_checkDefined(Heap, res, 7562610)): PyTypeDomainType), (list((list_arg((typeof(_checkDefined(Heap, res, 7562610)): PyTypeDomainType), 0): PyTypeDomainType)): PyTypeDomainType)): bool); + assert {:msg " Precondition of function list___len__ might not hold. There might be insufficient permission to access _checkDefined(res, 7562610).list_acc (testsfunctionalverificationexamplescav_example.py.vpr@721.124--721.165) [2420]"} + Mask[_checkDefined(Heap, res, 7562610), list_acc] > NoPerm; + havoc wildcard; + assume wildcard < Mask[_checkDefined(Heap, res, 7562610), list_acc]; + Mask[_checkDefined(Heap, res, 7562610), list_acc] := Mask[_checkDefined(Heap, res, 7562610), list_acc] - wildcard; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } + if (*) { + // Stop execution + assume false; + } + _loop_measures := Seq#Singleton((Measure$create(true, _cthread_160, int___sub__(Heap, list___len__(Heap, _checkDefined(Heap, seats, 495873779059)), list___len__(Heap, _checkDefined(Heap, res, 7562610)))): Measure$DomainType)); + assume state(Heap, Mask); + + // -- Translating statement: // id = 76 + // Ticket_res := new() -- testsfunctionalverificationexamplescav_example.py.vpr@722.5--722.24 + havoc freshObj; + assume freshObj != null && !Heap[freshObj, $allocated]; + Heap[freshObj, $allocated] := true; + Ticket_res := freshObj; + assume state(Heap, Mask); + + // -- Translating statement: // id = 77 + // inhale typeof(Ticket_res) == Ticket() -- testsfunctionalverificationexamplescav_example.py.vpr@723.5--723.42 + assume (typeof(Ticket_res): PyTypeDomainType) == Ticket; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 78 + // inhale acc(_MaySet(Ticket_res, 2036589462893379814238060391131476), write) -- testsfunctionalverificationexamplescav_example.py.vpr@724.5--724.79 + perm := FullPerm; + Mask[null, _MaySet(Ticket_res, 2036589462893379814238060391131476)] := Mask[null, _MaySet(Ticket_res, 2036589462893379814238060391131476)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 79 + // inhale acc(_MaySet(Ticket_res, 564017441487491594152276), write) -- testsfunctionalverificationexamplescav_example.py.vpr@725.5--725.69 + perm := FullPerm; + Mask[null, _MaySet(Ticket_res, 564017441487491594152276)] := Mask[null, _MaySet(Ticket_res, 564017441487491594152276)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 80 + // inhale acc(_MaySet(Ticket_res, 140695336058778200607779156), write) -- testsfunctionalverificationexamplescav_example.py.vpr@726.5--726.72 + perm := FullPerm; + Mask[null, _MaySet(Ticket_res, 140695336058778200607779156)] := Mask[null, _MaySet(Ticket_res, 140695336058778200607779156)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 81 + // inhale acc(_MaySet(Ticket_res, 578847845651634811226368290157834565233854867796), write) -- testsfunctionalverificationexamplescav_example.py.vpr@727.5--727.93 + perm := FullPerm; + Mask[null, _MaySet(Ticket_res, 578847845651634811226368290157834565233854867796)] := Mask[null, _MaySet(Ticket_res, 578847845651634811226368290157834565233854867796)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 82 + // _cwl_160 := Ticket___init__(_cthread_160, _method_measures_160, _residue_161, + // Ticket_res, show_id_0, _checkDefined(row_0, 207760093042), _checkDefined(seat_0, + // 53186532566387)) -- testsfunctionalverificationexamplescav_example.py.vpr@728.5--728.180 + PreCallHeap := Heap; + PreCallMask := Mask; + + // -- Check definedness of _checkDefined(row_0, 207760093042) + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function _checkDefined might not hold. Assertion _isDefined(207760093042) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@728.106--728.140) [2421]"} + _isDefined(Heap, 207760093042); + // Stop execution + assume false; + } + + // -- Check definedness of _checkDefined(seat_0, 53186532566387) + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function _checkDefined might not hold. Assertion _isDefined(53186532566387) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@728.142--728.179) [2422]"} + _isDefined(Heap, 53186532566387); + // Stop execution + assume false; + } + arg_row := _checkDefined(Heap, row_0, 207760093042); + arg_seat := _checkDefined(Heap, seat_0, 53186532566387); + havoc _cwl_160; + + // -- Exhaling precondition + assert {:msg " The precondition of method Ticket___init__ might not hold. Assertion _cthread_160 != null might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@728.5--728.180) [2423]"} + _cthread_160 != null; + assert {:msg " The precondition of method Ticket___init__ might not hold. Assertion issubtype(typeof(_cthread_160), Thread_0()) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@728.5--728.180) [2424]"} + (issubtype((typeof(_cthread_160): PyTypeDomainType), Thread_0): bool); + assert {:msg " The precondition of method Ticket___init__ might not hold. Assertion Ticket_res != null might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@728.5--728.180) [2425]"} + Ticket_res != null; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " The precondition of method Ticket___init__ might not hold. There might be insufficient permission to access _MaySet(Ticket_res, 2036589462893379814238060391131476) (testsfunctionalverificationexamplescav_example.py.vpr@728.5--728.180) [2426]"} + perm <= Mask[null, _MaySet(Ticket_res, 2036589462893379814238060391131476)]; + } + Mask[null, _MaySet(Ticket_res, 2036589462893379814238060391131476)] := Mask[null, _MaySet(Ticket_res, 2036589462893379814238060391131476)] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " The precondition of method Ticket___init__ might not hold. There might be insufficient permission to access _MaySet(Ticket_res, 564017441487491594152276) (testsfunctionalverificationexamplescav_example.py.vpr@728.5--728.180) [2427]"} + perm <= Mask[null, _MaySet(Ticket_res, 564017441487491594152276)]; + } + Mask[null, _MaySet(Ticket_res, 564017441487491594152276)] := Mask[null, _MaySet(Ticket_res, 564017441487491594152276)] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " The precondition of method Ticket___init__ might not hold. There might be insufficient permission to access _MaySet(Ticket_res, 140695336058778200607779156) (testsfunctionalverificationexamplescav_example.py.vpr@728.5--728.180) [2428]"} + perm <= Mask[null, _MaySet(Ticket_res, 140695336058778200607779156)]; + } + Mask[null, _MaySet(Ticket_res, 140695336058778200607779156)] := Mask[null, _MaySet(Ticket_res, 140695336058778200607779156)] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " The precondition of method Ticket___init__ might not hold. There might be insufficient permission to access _MaySet(Ticket_res, 578847845651634811226368290157834565233854867796) (testsfunctionalverificationexamplescav_example.py.vpr@728.5--728.180) [2429]"} + perm <= Mask[null, _MaySet(Ticket_res, 578847845651634811226368290157834565233854867796)]; + } + Mask[null, _MaySet(Ticket_res, 578847845651634811226368290157834565233854867796)] := Mask[null, _MaySet(Ticket_res, 578847845651634811226368290157834565233854867796)] - perm; + assert {:msg " The precondition of method Ticket___init__ might not hold. Assertion issubtype(typeof(Ticket_res), Ticket()) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@728.5--728.180) [2430]"} + (issubtype((typeof(Ticket_res): PyTypeDomainType), Ticket): bool); + assert {:msg " The precondition of method Ticket___init__ might not hold. Assertion issubtype(typeof(show_id_0), int()) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@728.5--728.180) [2431]"} + (issubtype((typeof(show_id_0): PyTypeDomainType), vint): bool); + assert {:msg " The precondition of method Ticket___init__ might not hold. Assertion issubtype(typeof(_checkDefined(row_0, 207760093042)), int()) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@728.5--728.180) [2432]"} + (issubtype((typeof(arg_row): PyTypeDomainType), vint): bool); + assert {:msg " The precondition of method Ticket___init__ might not hold. Assertion issubtype(typeof(_checkDefined(seat_0, 53186532566387)), int()) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@728.5--728.180) [2433]"} + (issubtype((typeof(arg_seat): PyTypeDomainType), vint): bool); + assert {:msg " The precondition of method Ticket___init__ might not hold. Assertion Ticket_res != null might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@728.5--728.180) [2434]"} + Ticket_res != null; + assert {:msg " The precondition of method Ticket___init__ might not hold. Assertion Measure$check(_method_measures_160, _cthread_160, 1) || perm(MustTerminate(_cthread_160)) == none && ((forperm _r_8: Ref [MustInvokeBounded(_r_8)] :: false) && ((forperm _r_8: Ref [MustInvokeUnbounded(_r_8)] :: false) && ((forperm _r_8: Ref [_r_8.MustReleaseBounded] :: false) && (forperm _r_8: Ref [_r_8.MustReleaseUnbounded] :: false)))) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@728.5--728.180) [2435]"} + Measure$check(Heap, _method_measures_160, _cthread_160, 1) || (Mask[null, MustTerminate(_cthread_160)] == NoPerm && ((forall _r_8: Ref :: + { Mask[null, MustInvokeBounded(_r_8)] } + HasDirectPerm(Mask, null, MustInvokeBounded(_r_8)) ==> false + ) && ((forall _r_8_1: Ref :: + { Mask[null, MustInvokeUnbounded(_r_8_1)] } + HasDirectPerm(Mask, null, MustInvokeUnbounded(_r_8_1)) ==> false + ) && ((forall _r_8_2: Ref :: + { Mask[_r_8_2, MustReleaseBounded] } + HasDirectPerm(Mask, _r_8_2, MustReleaseBounded) ==> false + ) && (forall _r_8_3: Ref :: + { Mask[_r_8_3, MustReleaseUnbounded] } + HasDirectPerm(Mask, _r_8_3, MustReleaseUnbounded) ==> false + ))))); + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + + // -- Inhaling postcondition + assume state(Heap, Mask); + assume (forall _r_6_1: Ref :: + { Mask[_r_6_1, MustReleaseBounded] } + HasDirectPerm(Mask, _r_6_1, MustReleaseBounded) ==> Level(Heap, _r_6_1) <= _cwl_160 + ); + assume state(Heap, Mask); + assume (forall _r_6_1_1: Ref :: + { Mask[_r_6_1_1, MustReleaseUnbounded] } + HasDirectPerm(Mask, _r_6_1_1, MustReleaseUnbounded) ==> Level(Heap, _r_6_1_1) <= _cwl_160 + ); + assume _residue_161 <= _cwl_160; + perm := FullPerm; + Mask[null, Ticket_state(Ticket_res)] := Mask[null, Ticket_state(Ticket_res)] + perm; + assume state(Heap, Mask); + perm := FullPerm; + Mask[null, _MaySet(Ticket_res, 578847845651634811226368290157834565233854867796)] := Mask[null, _MaySet(Ticket_res, 578847845651634811226368290157834565233854867796)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 83 + // ticket := Ticket_res -- testsfunctionalverificationexamplescav_example.py.vpr@729.5--729.25 + ticket := Ticket_res; + assume state(Heap, Mask); + + // -- Translating statement: // id = 84 + // inhale _isDefined(127978942196084) -- testsfunctionalverificationexamplescav_example.py.vpr@730.5--730.39 + assume state(Heap, Mask); + + // -- Check definedness of _isDefined(127978942196084) + if (*) { + // Stop execution + assume false; + } + assume _isDefined(Heap, 127978942196084); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: if (code_1 != null) -- testsfunctionalverificationexamplescav_example.py.vpr@731.5--737.6 + if (code_1 != null) { + + // -- Translating statement: // id = 85 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: if (perm(_MaySet(_checkDefined(ticket, 127978942196084), 578847845651634811226368290157834565233854867796)) > none) -- testsfunctionalverificationexamplescav_example.py.vpr@732.7--735.8 + + // -- Check definedness of perm(_MaySet(_checkDefined(ticket, 127978942196084), 578847845651634811226368290157834565233854867796)) > none + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function _checkDefined might not hold. Assertion _isDefined(127978942196084) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@732.24--732.62) [2436]"} + _isDefined(Heap, 127978942196084); + // Stop execution + assume false; + } + if (NoPerm < Mask[null, _MaySet(_checkDefined(Heap, ticket, 127978942196084), 578847845651634811226368290157834565233854867796)]) { + + // -- Translating statement: // id = 86 + // exhale acc(_MaySet(_checkDefined(ticket, 127978942196084), 578847845651634811226368290157834565233854867796), write) -- testsfunctionalverificationexamplescav_example.py.vpr@733.9--733.125 + + // -- Check definedness of acc(_MaySet(_checkDefined(ticket, 127978942196084), 578847845651634811226368290157834565233854867796), write) + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function _checkDefined might not hold. Assertion _isDefined(127978942196084) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@733.28--733.66) [2437]"} + _isDefined(Heap, 127978942196084); + // Stop execution + assume false; + } + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Exhale might fail. There might be insufficient permission to access _MaySet(_checkDefined(ticket, 127978942196084), 578847845651634811226368290157834565233854867796) (testsfunctionalverificationexamplescav_example.py.vpr@733.16--733.125) [2438]"} + perm <= Mask[null, _MaySet(_checkDefined(Heap, ticket, 127978942196084), 578847845651634811226368290157834565233854867796)]; + } + Mask[null, _MaySet(_checkDefined(Heap, ticket, 127978942196084), 578847845651634811226368290157834565233854867796)] := Mask[null, _MaySet(_checkDefined(Heap, ticket, 127978942196084), 578847845651634811226368290157834565233854867796)] - perm; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + assume state(Heap, Mask); + + // -- Translating statement: // id = 87 + // inhale acc(_checkDefined(ticket, 127978942196084).Ticket_discount_code, write) -- testsfunctionalverificationexamplescav_example.py.vpr@734.9--734.87 + assume state(Heap, Mask); + + // -- Check definedness of acc(_checkDefined(ticket, 127978942196084).Ticket_discount_code, write) + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function _checkDefined might not hold. Assertion _isDefined(127978942196084) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@734.20--734.58) [2439]"} + _isDefined(Heap, 127978942196084); + // Stop execution + assume false; + } + perm := FullPerm; + assume _checkDefined(Heap, ticket, 127978942196084) != null; + Mask[_checkDefined(Heap, ticket, 127978942196084), Ticket_discount_code] := Mask[_checkDefined(Heap, ticket, 127978942196084), Ticket_discount_code] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + } else { + + // -- Translating statement: // id = 88 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 89 + // _checkDefined(ticket, 127978942196084).Ticket_discount_code := code_1 -- testsfunctionalverificationexamplescav_example.py.vpr@736.7--736.76 + + // -- Check definedness of _checkDefined(ticket, 127978942196084) + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function _checkDefined might not hold. Assertion _isDefined(127978942196084) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@736.7--736.45) [2440]"} + _isDefined(Heap, 127978942196084); + // Stop execution + assume false; + } + assert {:msg " Assignment might fail. There might be insufficient permission to access _checkDefined(ticket, 127978942196084).Ticket_discount_code (testsfunctionalverificationexamplescav_example.py.vpr@736.7--736.76) [2441]"} + FullPerm == Mask[_checkDefined(Heap, ticket, 127978942196084), Ticket_discount_code]; + Heap[_checkDefined(Heap, ticket, 127978942196084), Ticket_discount_code] := code_1; + assume state(Heap, Mask); + } else { + + // -- Translating statement: // id = 90 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 91 + // _cwl_160 := list_append(_cthread_160, _method_measures_160, _residue_161, _checkDefined(res, + // 7562610), _checkDefined(ticket, 127978942196084)) -- testsfunctionalverificationexamplescav_example.py.vpr@738.5--738.147 + PreCallHeap := Heap; + PreCallMask := Mask; + + // -- Check definedness of _checkDefined(res, 7562610) + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function _checkDefined might not hold. Assertion _isDefined(7562610) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@738.79--738.106) [2442]"} + _isDefined(Heap, 7562610); + // Stop execution + assume false; + } + + // -- Check definedness of _checkDefined(ticket, 127978942196084) + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function _checkDefined might not hold. Assertion _isDefined(127978942196084) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@738.108--738.146) [2443]"} + _isDefined(Heap, 127978942196084); + // Stop execution + assume false; + } + arg_self := _checkDefined(Heap, res, 7562610); + arg_item := _checkDefined(Heap, ticket, 127978942196084); + havoc _cwl_160; + + // -- Exhaling precondition + assert {:msg " The precondition of method list_append might not hold. Assertion _cthread_160 != null might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@738.5--738.147) [2444]"} + _cthread_160 != null; + assert {:msg " The precondition of method list_append might not hold. Assertion Measure$check(_method_measures_160, _cthread_160, 1) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@738.5--738.147) [2445]"} + Measure$check(Heap, _method_measures_160, _cthread_160, 1); + assert {:msg " The precondition of method list_append might not hold. Assertion issubtype(typeof(_cthread_160), Thread_0()) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@738.5--738.147) [2446]"} + (issubtype((typeof(_cthread_160): PyTypeDomainType), Thread_0): bool); + assert {:msg " The precondition of method list_append might not hold. Assertion issubtype(typeof(_checkDefined(res, 7562610)), list(list_arg(typeof(_checkDefined(res, 7562610)), 0))) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@738.5--738.147) [2447]"} + (issubtype((typeof(arg_self): PyTypeDomainType), (list((list_arg((typeof(arg_self): PyTypeDomainType), 0): PyTypeDomainType)): PyTypeDomainType)): bool); + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " The precondition of method list_append might not hold. There might be insufficient permission to access _checkDefined(res, 7562610).list_acc (testsfunctionalverificationexamplescav_example.py.vpr@738.5--738.147) [2448]"} + perm <= Mask[arg_self, list_acc]; + } + Mask[arg_self, list_acc] := Mask[arg_self, list_acc] - perm; + assert {:msg " The precondition of method list_append might not hold. Assertion issubtype(typeof(_checkDefined(ticket, 127978942196084)), list_arg(typeof(_checkDefined(res, 7562610)), 0)) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@738.5--738.147) [2449]"} + (issubtype((typeof(arg_item): PyTypeDomainType), (list_arg((typeof(arg_self): PyTypeDomainType), 0): PyTypeDomainType)): bool); + assert {:msg " The precondition of method list_append might not hold. Assertion Measure$check(_method_measures_160, _cthread_160, 1) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@738.5--738.147) [2450]"} + Measure$check(Heap, _method_measures_160, _cthread_160, 1); + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + + // -- Inhaling postcondition + assume state(Heap, Mask); + assume (forall _r_21: Ref :: + { Mask[_r_21, MustReleaseBounded] } + HasDirectPerm(Mask, _r_21, MustReleaseBounded) ==> Level(Heap, _r_21) <= _cwl_160 + ); + assume state(Heap, Mask); + assume (forall _r_21_1: Ref :: + { Mask[_r_21_1, MustReleaseUnbounded] } + HasDirectPerm(Mask, _r_21_1, MustReleaseUnbounded) ==> Level(Heap, _r_21_1) <= _cwl_160 + ); + assume _residue_161 <= _cwl_160; + perm := FullPerm; + assume arg_self != null; + Mask[arg_self, list_acc] := Mask[arg_self, list_acc] + perm; + assume state(Heap, Mask); + assume Seq#Equal(Heap[arg_self, list_acc], Seq#Append(old(PreCallHeap)[arg_self, list_acc], Seq#Singleton(arg_item))); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 92 + // label loop_end -- testsfunctionalverificationexamplescav_example.py.vpr@739.5--739.19 + loop_end: + Labelloop_endMask := Mask; + Labelloop_endHeap := Heap; + loop_end_lblGuard := true; + assume state(Heap, Mask); + + // -- Translating statement: // id = 93 + // _cwl_160, loop_target, iter_err := Iterator___next__(_cthread_160, _method_measures_160, + // _residue_160, iter) -- testsfunctionalverificationexamplescav_example.py.vpr@740.5--740.113 + PreCallHeap := Heap; + PreCallMask := Mask; + havoc _cwl_160, loop_target, iter_err; + + // -- Exhaling precondition + assert {:msg " The precondition of method Iterator___next__ might not hold. Assertion _cthread_160 != null might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@740.5--740.113) [2451]"} + _cthread_160 != null; + assert {:msg " The precondition of method Iterator___next__ might not hold. Assertion Measure$check(_method_measures_160, _cthread_160, 1) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@740.5--740.113) [2452]"} + Measure$check(Heap, _method_measures_160, _cthread_160, 1); + assert {:msg " The precondition of method Iterator___next__ might not hold. Assertion issubtype(typeof(_cthread_160), Thread_0()) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@740.5--740.113) [2453]"} + (issubtype((typeof(_cthread_160): PyTypeDomainType), Thread_0): bool); + assert {:msg " The precondition of method Iterator___next__ might not hold. Fraction 1 / 40 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@740.5--740.113) [2454]"} + 1 / 40 >= NoPerm; + perm := 1 / 40; + if (perm != NoPerm) { + assert {:msg " The precondition of method Iterator___next__ might not hold. There might be insufficient permission to access iter.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@740.5--740.113) [2455]"} + perm <= Mask[iter, list_acc]; + } + Mask[iter, list_acc] := Mask[iter, list_acc] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " The precondition of method Iterator___next__ might not hold. There might be insufficient permission to access iter.__iter_index (testsfunctionalverificationexamplescav_example.py.vpr@740.5--740.113) [2456]"} + perm <= Mask[iter, __iter_index]; + } + Mask[iter, __iter_index] := Mask[iter, __iter_index] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " The precondition of method Iterator___next__ might not hold. There might be insufficient permission to access iter.__previous (testsfunctionalverificationexamplescav_example.py.vpr@740.5--740.113) [2457]"} + perm <= Mask[iter, __previous]; + } + Mask[iter, __previous] := Mask[iter, __previous] - perm; + assert {:msg " The precondition of method Iterator___next__ might not hold. Assertion Measure$check(_method_measures_160, _cthread_160, 1) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@740.5--740.113) [2458]"} + Measure$check(Heap, _method_measures_160, _cthread_160, 1); + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + + // -- Inhaling postcondition + assume state(Heap, Mask); + assume (forall _r_15_2: Ref :: + { Mask[_r_15_2, MustReleaseBounded] } + HasDirectPerm(Mask, _r_15_2, MustReleaseBounded) ==> Level(Heap, _r_15_2) <= _cwl_160 + ); + assume state(Heap, Mask); + assume (forall _r_15_3: Ref :: + { Mask[_r_15_3, MustReleaseUnbounded] } + HasDirectPerm(Mask, _r_15_3, MustReleaseUnbounded) ==> Level(Heap, _r_15_3) <= _cwl_160 + ); + assume _residue_160 <= _cwl_160; + perm := 1 / 40; + assert {:msg " Method call might fail. Fraction 1 / 40 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@740.5--740.113) [2459]"} + perm >= NoPerm; + assume perm > NoPerm ==> iter != null; + Mask[iter, list_acc] := Mask[iter, list_acc] + perm; + assume state(Heap, Mask); + assume Seq#Equal(Heap[iter, list_acc], old(PreCallHeap)[iter, list_acc]); + perm := FullPerm; + assume iter != null; + Mask[iter, __iter_index] := Mask[iter, __iter_index] + perm; + assume state(Heap, Mask); + assume Heap[iter, __iter_index] <= Seq#Length(Heap[iter, list_acc]) + 1; + assume (old(PreCallHeap)[iter, __iter_index] == Seq#Length(old(PreCallHeap)[iter, list_acc])) == (iter_err != null); + perm := FullPerm; + assume iter != null; + Mask[iter, __previous] := Mask[iter, __previous] + perm; + assume state(Heap, Mask); + if (iter_err == null) { + assume Heap[iter, __iter_index] == old(PreCallHeap)[iter, __iter_index] + 1; + } + if (iter_err == null) { + assume Heap[iter, __iter_index] > 0; + } + if (iter_err == null) { + assume Seq#Equal(Heap[iter, __previous], Seq#Take(Heap[iter, list_acc], Heap[iter, __iter_index] - 1)); + } + if (Seq#Length(Heap[iter, list_acc]) > 0) { + assume Heap[iter, __iter_index] > 0; + } + if (iter_err != null) { + assume Seq#Equal(Heap[iter, __previous], Heap[iter, list_acc]); + } + if (iter_err != null) { + assume Heap[iter, __iter_index] == Seq#Length(Heap[iter, list_acc]); + } + if (Seq#Length(Heap[iter, list_acc]) > 0) { + assume loop_target == Seq#Index(Heap[iter, list_acc], Heap[iter, __iter_index] - 1); + assume Seq#Contains(Heap[iter, list_acc], loop_target); + } + if (Seq#Length(Heap[iter, list_acc]) > 0) { + assume (issubtype((typeof(loop_target): PyTypeDomainType), (Iterator_arg((typeof(iter): PyTypeDomainType), 0): PyTypeDomainType)): bool); + } + assume (forall r_1_1: Ref :: + { Seq#ContainsTrigger(Heap[iter, __previous], r_1_1) } { Seq#Contains(Heap[iter, __previous], r_1_1) } + Seq#Contains(Heap[iter, __previous], r_1_1) == (Seq#Contains(old(PreCallHeap)[iter, __previous], r_1_1) || ((Heap[iter, __iter_index] > 1 && (r_1_1 == Seq#Index(Heap[iter, list_acc], Heap[iter, __iter_index] - 2) && iter_err == null)) || (Heap[iter, __iter_index] > 0 && (iter_err != null && r_1_1 == Seq#Index(Heap[iter, list_acc], Heap[iter, __iter_index] - 1))))) + ); + assume state(Heap, Mask); + assume Heap[loop_target, $allocated]; + assume Heap[iter_err, $allocated]; + assume state(Heap, Mask); + + // -- Translating statement: if (iter_err == null) -- testsfunctionalverificationexamplescav_example.py.vpr@741.5--746.6 + if (iter_err == null) { + + // -- Translating statement: // id = 94 + // row_0 := tuple___getitem__(loop_target, 0) -- testsfunctionalverificationexamplescav_example.py.vpr@742.7--742.49 + + // -- Check definedness of tuple___getitem__(loop_target, 0) + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function tuple___getitem__ might not hold. Assertion (let ln == (tuple___len__(loop_target)) in (0 >= 0 ==> 0 < ln) && (0 < 0 ==> 0 >= -ln)) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@742.16--742.49) [2460]"} + 0 < tuple___len__(Heap, loop_target); + + // -- Free assumptions (exhale module) + ln_9 := tuple___len__(Heap, loop_target); + // Stop execution + assume false; + } + row_0 := tuple___getitem__(Heap, loop_target, 0); + assume state(Heap, Mask); + + // -- Translating statement: // id = 95 + // inhale _isDefined(207760093042) -- testsfunctionalverificationexamplescav_example.py.vpr@743.7--743.38 + assume state(Heap, Mask); + + // -- Check definedness of _isDefined(207760093042) + if (*) { + // Stop execution + assume false; + } + assume _isDefined(Heap, 207760093042); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 96 + // seat_0 := tuple___getitem__(loop_target, 1) -- testsfunctionalverificationexamplescav_example.py.vpr@744.7--744.50 + + // -- Check definedness of tuple___getitem__(loop_target, 1) + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function tuple___getitem__ might not hold. Assertion (let ln == (tuple___len__(loop_target)) in (1 >= 0 ==> 1 < ln) && (1 < 0 ==> 1 >= -ln)) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@744.17--744.50) [2461]"} + 1 < tuple___len__(Heap, loop_target); + + // -- Free assumptions (exhale module) + ln_11 := tuple___len__(Heap, loop_target); + // Stop execution + assume false; + } + seat_0 := tuple___getitem__(Heap, loop_target, 1); + assume state(Heap, Mask); + + // -- Translating statement: // id = 97 + // inhale _isDefined(53186532566387) -- testsfunctionalverificationexamplescav_example.py.vpr@745.7--745.40 + assume state(Heap, Mask); + + // -- Check definedness of _isDefined(53186532566387) + if (*) { + // Stop execution + assume false; + } + assume _isDefined(Heap, 53186532566387); + assume state(Heap, Mask); + assume state(Heap, Mask); + } else { + + // -- Translating statement: // id = 98 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 99 + // _loop_check_before := false -- testsfunctionalverificationexamplescav_example.py.vpr@748.5--748.32 + _loop_check_before := false; + assume state(Heap, Mask); + + // -- Translating statement: // id = 100 + // assert _loop_termination_flag ==> + // !(iter_err == null) || + // Measure$check(_loop_measures, _cthread_160, int___sub__(list___len__(_checkDefined(seats, + // 495873779059)), list___len__(_checkDefined(res, 7562610)))) -- testsfunctionalverificationexamplescav_example.py.vpr@750.5--750.211 + + // -- Check definedness of _loop_termination_flag ==> !(iter_err == null) || Measure$check(_loop_measures, _cthread_160, int___sub__(list___len__(_checkDefined(seats, 495873779059)), list___len__(_checkDefined(res, 7562610)))) + if (_loop_termination_flag) { + if (iter_err == null) { + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function _checkDefined might not hold. Assertion _isDefined(495873779059) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@750.131--750.165) [2462]"} + _isDefined(Heap, 495873779059); + // Stop execution + assume false; + } + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function list___len__ might not hold. Assertion issubtype(typeof(_checkDefined(seats, 495873779059)), list(list_arg(typeof(_checkDefined(seats, 495873779059)), 0))) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@750.118--750.166) [2463]"} + (issubtype((typeof(_checkDefined(Heap, seats, 495873779059)): PyTypeDomainType), (list((list_arg((typeof(_checkDefined(Heap, seats, 495873779059)): PyTypeDomainType), 0): PyTypeDomainType)): PyTypeDomainType)): bool); + assert {:msg " Precondition of function list___len__ might not hold. There might be insufficient permission to access _checkDefined(seats, 495873779059).list_acc (testsfunctionalverificationexamplescav_example.py.vpr@750.118--750.166) [2464]"} + Mask[_checkDefined(Heap, seats, 495873779059), list_acc] > NoPerm; + havoc wildcard; + assume wildcard < Mask[_checkDefined(Heap, seats, 495873779059), list_acc]; + Mask[_checkDefined(Heap, seats, 495873779059), list_acc] := Mask[_checkDefined(Heap, seats, 495873779059), list_acc] - wildcard; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function _checkDefined might not hold. Assertion _isDefined(7562610) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@750.181--750.208) [2465]"} + _isDefined(Heap, 7562610); + // Stop execution + assume false; + } + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function list___len__ might not hold. Assertion issubtype(typeof(_checkDefined(res, 7562610)), list(list_arg(typeof(_checkDefined(res, 7562610)), 0))) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@750.168--750.209) [2466]"} + (issubtype((typeof(_checkDefined(Heap, res, 7562610)): PyTypeDomainType), (list((list_arg((typeof(_checkDefined(Heap, res, 7562610)): PyTypeDomainType), 0): PyTypeDomainType)): PyTypeDomainType)): bool); + assert {:msg " Precondition of function list___len__ might not hold. There might be insufficient permission to access _checkDefined(res, 7562610).list_acc (testsfunctionalverificationexamplescav_example.py.vpr@750.168--750.209) [2467]"} + Mask[_checkDefined(Heap, res, 7562610), list_acc] > NoPerm; + havoc wildcard; + assume wildcard < Mask[_checkDefined(Heap, res, 7562610), list_acc]; + Mask[_checkDefined(Heap, res, 7562610), list_acc] := Mask[_checkDefined(Heap, res, 7562610), list_acc] - wildcard; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Stop execution + assume false; + } + if (*) { + // Stop execution + assume false; + } + if (*) { + // Stop execution + assume false; + } + } + } + if (_loop_termination_flag) { + assert {:msg " Assert might fail. Assertion !(iter_err == null) || Measure$check(_loop_measures, _cthread_160, int___sub__(list___len__(_checkDefined(seats, 495873779059)), list___len__(_checkDefined(res, 7562610)))) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@750.12--750.211) [2468]"} + !(iter_err == null) || Measure$check(Heap, _loop_measures, _cthread_160, int___sub__(Heap, list___len__(Heap, _checkDefined(Heap, seats, 495873779059)), list___len__(Heap, _checkDefined(Heap, res, 7562610)))); + } + assume state(Heap, Mask); + // Exhale invariant + assert {:msg " Loop invariant acc(iterable.list_acc, 1 / 20) might not be preserved. Fraction 1 / 20 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@695.15--695.45) [2469]"} + 1 / 20 >= NoPerm; + perm := 1 / 20; + if (perm != NoPerm) { + assert {:msg " Loop invariant acc(iterable.list_acc, 1 / 20) might not be preserved. There might be insufficient permission to access iterable.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@695.15--695.45) [2470]"} + perm <= Mask[iterable, list_acc]; + } + Mask[iterable, list_acc] := Mask[iterable, list_acc] - perm; + assert {:msg " Loop invariant acc(iter.list_acc, 1 / 20) might not be preserved. Fraction 1 / 20 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@696.15--696.41) [2471]"} + 1 / 20 >= NoPerm; + perm := 1 / 20; + if (perm != NoPerm) { + assert {:msg " Loop invariant acc(iter.list_acc, 1 / 20) might not be preserved. There might be insufficient permission to access iter.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@696.15--696.41) [2472]"} + perm <= Mask[iter, list_acc]; + } + Mask[iter, list_acc] := Mask[iter, list_acc] - perm; + assert {:msg " Loop invariant iter.list_acc == iterable.list_acc might not be preserved. Assertion iter.list_acc == iterable.list_acc might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@697.15--697.49) [2473]"} + Seq#Equal(Heap[iter, list_acc], Heap[iterable, list_acc]); + assert {:msg " Loop invariant seqtmp == iterable.list_acc might not be preserved. Assertion seqtmp == iterable.list_acc might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@698.15--698.42) [2474]"} + Seq#Equal(seqtmp, Heap[iterable, list_acc]); + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Loop invariant acc(iter.__iter_index, write) might not be preserved. There might be insufficient permission to access iter.__iter_index (testsfunctionalverificationexamplescav_example.py.vpr@699.15--699.44) [2475]"} + perm <= Mask[iter, __iter_index]; + } + Mask[iter, __iter_index] := Mask[iter, __iter_index] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Loop invariant acc(iter.__previous, write) might not be preserved. There might be insufficient permission to access iter.__previous (testsfunctionalverificationexamplescav_example.py.vpr@700.15--700.42) [2476]"} + perm <= Mask[iter, __previous]; + } + Mask[iter, __previous] := Mask[iter, __previous] - perm; + if (iter_err == null) { + assert {:msg " Loop invariant iter_err == null ==> iter.__iter_index - 1 == |iter.__previous| might not be preserved. Assertion iter.__iter_index - 1 == |iter.__previous| might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@701.15--701.78) [2477]"} + Heap[iter, __iter_index] - 1 == Seq#Length(Heap[iter, __previous]); + } + if (iter_err != null) { + assert {:msg " Loop invariant iter_err != null ==> iter.__iter_index == |iter.__previous| might not be preserved. Assertion iter.__iter_index == |iter.__previous| might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@702.15--702.74) [2478]"} + Heap[iter, __iter_index] == Seq#Length(Heap[iter, __previous]); + } + if (iter_err == null) { + assert {:msg " Loop invariant iter_err == null ==> |iter.list_acc| > 0 might not be preserved. Assertion |iter.list_acc| > 0 might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@703.15--703.55) [2479]"} + Seq#Length(Heap[iter, list_acc]) > 0; + } + assert {:msg " Loop invariant iter.__iter_index >= 0 && iter.__iter_index <= |iter.list_acc| might not be preserved. Assertion iter.__iter_index >= 0 might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@704.15--704.77) [2480]"} + Heap[iter, __iter_index] >= 0; + assert {:msg " Loop invariant iter.__iter_index >= 0 && iter.__iter_index <= |iter.list_acc| might not be preserved. Assertion iter.__iter_index <= |iter.list_acc| might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@704.15--704.77) [2481]"} + Heap[iter, __iter_index] <= Seq#Length(Heap[iter, list_acc]); + if (Seq#Length(Heap[iter, list_acc]) > 0) { + assert {:msg " Loop invariant |iter.list_acc| > 0 ==> iter.__iter_index > 0 might not be preserved. Assertion iter.__iter_index > 0 might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@705.15--705.60) [2482]"} + Heap[iter, __iter_index] > 0; + } + if (Seq#Length(Heap[iter, list_acc]) > 0) { + assert {:msg " Loop invariant |iter.list_acc| > 0 ==> loop_target == iter.list_acc[iter.__iter_index - 1] might not be preserved. Assertion loop_target == iter.list_acc[iter.__iter_index - 1] might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@706.15--706.90) [2483]"} + loop_target == Seq#Index(Heap[iter, list_acc], Heap[iter, __iter_index] - 1); + } + if (Seq#Length(Heap[iter, list_acc]) > 0) { + assert {:msg " Loop invariant |iter.list_acc| > 0 ==> (loop_target in iter.list_acc) might not be preserved. Assertion (loop_target in iter.list_acc) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@707.15--707.69) [2484]"} + Seq#Contains(Heap[iter, list_acc], loop_target); + } + if (iter_err == null) { + assert {:msg " Loop invariant iter_err == null ==> iter.__previous == iter.list_acc[..iter.__iter_index - 1] might not be preserved. Assertion iter.__previous == iter.list_acc[..iter.__iter_index - 1] might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@708.15--708.93) [2485]"} + Seq#Equal(Heap[iter, __previous], Seq#Take(Heap[iter, list_acc], Heap[iter, __iter_index] - 1)); + } + if (Seq#Length(Heap[iter, list_acc]) > 0) { + assert {:msg " Loop invariant |iter.list_acc| > 0 ==> issubtype(typeof(loop_target), tuple(Seq(int(), int()))) might not be preserved. Assertion issubtype(typeof(loop_target), tuple(Seq(int(), int()))) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@709.15--709.95) [2486]"} + (issubtype((typeof(loop_target): PyTypeDomainType), (tuple(Seq#Append(Seq#Singleton(vint), Seq#Singleton(vint))): PyTypeDomainType)): bool); + } + if (Seq#Length(Heap[iter, list_acc]) > 0) { + assert {:msg " Loop invariant |iter.list_acc| > 0 ==> row_0 == tuple___getitem__(loop_target, 0) && _isDefined(207760093042) might not be preserved. Assertion row_0 == tuple___getitem__(loop_target, 0) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@710.15--710.109) [2487]"} + row_0 == tuple___getitem__(Heap, loop_target, 0); + assert {:msg " Loop invariant |iter.list_acc| > 0 ==> row_0 == tuple___getitem__(loop_target, 0) && _isDefined(207760093042) might not be preserved. Assertion _isDefined(207760093042) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@710.15--710.109) [2488]"} + _isDefined(Heap, 207760093042); + } + if (Seq#Length(Heap[iter, list_acc]) > 0) { + assert {:msg " Loop invariant |iter.list_acc| > 0 ==> seat_0 == tuple___getitem__(loop_target, 1) && _isDefined(53186532566387) might not be preserved. Assertion seat_0 == tuple___getitem__(loop_target, 1) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@711.15--711.112) [2489]"} + seat_0 == tuple___getitem__(Heap, loop_target, 1); + assert {:msg " Loop invariant |iter.list_acc| > 0 ==> seat_0 == tuple___getitem__(loop_target, 1) && _isDefined(53186532566387) might not be preserved. Assertion _isDefined(53186532566387) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@711.15--711.112) [2490]"} + _isDefined(Heap, 53186532566387); + } + if (iter_err != null) { + assert {:msg " Loop invariant iter_err != null ==> iter.__previous == iter.list_acc might not be preserved. Assertion iter.__previous == iter.list_acc might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@712.15--712.68) [2491]"} + Seq#Equal(Heap[iter, __previous], Heap[iter, list_acc]); + } + if (Seq#Length(Heap[iter, list_acc]) == 0) { + assert {:msg " Loop invariant |iter.list_acc| == 0 ==> iter_err != null might not be preserved. Assertion iter_err != null might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@713.15--713.56) [2492]"} + iter_err != null; + } + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Loop invariant acc(_checkDefined(res, 7562610).list_acc, write) && int___eq__(__prim__int___box__(list___len__(_checkDefined(res, 7562610))), __prim__int___box__(PSeq___len__(PSeq___create__(iter.__previous, int())))) might not be preserved. There might be insufficient permission to access _checkDefined(res, 7562610).list_acc (testsfunctionalverificationexamplescav_example.py.vpr@715.15--715.217) [2493]"} + perm <= Mask[_checkDefined(Heap, res, 7562610), list_acc]; + } + Mask[_checkDefined(Heap, res, 7562610), list_acc] := Mask[_checkDefined(Heap, res, 7562610), list_acc] - perm; + assert {:msg " Loop invariant acc(_checkDefined(res, 7562610).list_acc, write) && int___eq__(__prim__int___box__(list___len__(_checkDefined(res, 7562610))), __prim__int___box__(PSeq___len__(PSeq___create__(iter.__previous, int())))) might not be preserved. Assertion int___eq__(__prim__int___box__(list___len__(_checkDefined(res, 7562610))), __prim__int___box__(PSeq___len__(PSeq___create__(iter.__previous, int())))) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@715.15--715.217) [2494]"} + int___eq__(Heap, __prim__int___box__(Heap, list___len__(Heap, _checkDefined(Heap, res, 7562610))), __prim__int___box__(Heap, PSeq___len__(Heap, PSeq___create__(Heap, Heap[iter, __previous], vint)))); + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver acc(Ticket_state(lambda46_30$t), write) is injective + assert {:msg " Loop invariant true && ((forall lambda46_30$t: Ref :: { (lambda46_30$t in _checkDefined(res, 7562610).list_acc) } issubtype(typeof(lambda46_30$t), Ticket()) && (lambda46_30$t in _checkDefined(res, 7562610).list_acc) ==> acc(Ticket_state(lambda46_30$t), write)) && ((forall lambda46_30$t: Ref :: { (lambda46_30$t in _checkDefined(res, 7562610).list_acc) } issubtype(typeof(lambda46_30$t), Ticket()) && ((lambda46_30$t in _checkDefined(res, 7562610).list_acc) && code_1 != null) ==> acc(lambda46_30$t.Ticket_discount_code, write)) && (forall lambda46_30$t: Ref :: { (lambda46_30$t in _checkDefined(res, 7562610).list_acc) } issubtype(typeof(lambda46_30$t), Ticket()) && ((lambda46_30$t in _checkDefined(res, 7562610).list_acc) && code_1 != null) ==> issubtype(typeof(lambda46_30$t.Ticket_discount_code), str())))) might not be preserved. Quantified resource Ticket_state(lambda46_30$t) might not be injective. (testsfunctionalverificationexamplescav_example.py.vpr@716.15--716.803) [2495]"} + (forall lambda46_30$t_15: Ref, lambda46_30$t_15_1: Ref :: + { neverTriggered7(lambda46_30$t_15), neverTriggered7(lambda46_30$t_15_1) } + (((lambda46_30$t_15 != lambda46_30$t_15_1 && ((issubtype((typeof(lambda46_30$t_15): PyTypeDomainType), Ticket): bool) && Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_15))) && ((issubtype((typeof(lambda46_30$t_15_1): PyTypeDomainType), Ticket): bool) && Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_15_1))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> lambda46_30$t_15 != lambda46_30$t_15_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Loop invariant true && ((forall lambda46_30$t: Ref :: { (lambda46_30$t in _checkDefined(res, 7562610).list_acc) } issubtype(typeof(lambda46_30$t), Ticket()) && (lambda46_30$t in _checkDefined(res, 7562610).list_acc) ==> acc(Ticket_state(lambda46_30$t), write)) && ((forall lambda46_30$t: Ref :: { (lambda46_30$t in _checkDefined(res, 7562610).list_acc) } issubtype(typeof(lambda46_30$t), Ticket()) && ((lambda46_30$t in _checkDefined(res, 7562610).list_acc) && code_1 != null) ==> acc(lambda46_30$t.Ticket_discount_code, write)) && (forall lambda46_30$t: Ref :: { (lambda46_30$t in _checkDefined(res, 7562610).list_acc) } issubtype(typeof(lambda46_30$t), Ticket()) && ((lambda46_30$t in _checkDefined(res, 7562610).list_acc) && code_1 != null) ==> issubtype(typeof(lambda46_30$t.Ticket_discount_code), str())))) might not be preserved. There might be insufficient permission to access Ticket_state(lambda46_30$t) (testsfunctionalverificationexamplescav_example.py.vpr@716.15--716.803) [2496]"} + (forall lambda46_30$t_15: Ref :: + { Heap[null, Ticket_state(lambda46_30$t_15)] } { Mask[null, Ticket_state(lambda46_30$t_15)] } { Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_15) } + (issubtype((typeof(lambda46_30$t_15): PyTypeDomainType), Ticket): bool) && Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_15) ==> Mask[null, Ticket_state(lambda46_30$t_15)] >= FullPerm + ); + + // -- assumptions for inverse of receiver acc(Ticket_state(lambda46_30$t), write) + assume (forall lambda46_30$t_15: Ref :: + { Heap[null, Ticket_state(lambda46_30$t_15)] } { Mask[null, Ticket_state(lambda46_30$t_15)] } { Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_15) } + ((issubtype((typeof(lambda46_30$t_15): PyTypeDomainType), Ticket): bool) && Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_15)) && NoPerm < FullPerm ==> invRecv7(lambda46_30$t_15) == lambda46_30$t_15 && qpRange7(lambda46_30$t_15) + ); + assume (forall self_1_3: Ref :: + { invRecv7(self_1_3) } + (((issubtype((typeof(invRecv7(self_1_3)): PyTypeDomainType), Ticket): bool) && Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], invRecv7(self_1_3))) && NoPerm < FullPerm) && qpRange7(self_1_3) ==> invRecv7(self_1_3) == self_1_3 + ); + + // -- assume permission updates for predicate Ticket_state + assume (forall self_1_3: Ref :: + { QPMask[null, Ticket_state(self_1_3)] } + (((issubtype((typeof(invRecv7(self_1_3)): PyTypeDomainType), Ticket): bool) && Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], invRecv7(self_1_3))) && NoPerm < FullPerm) && qpRange7(self_1_3) ==> invRecv7(self_1_3) == self_1_3 && QPMask[null, Ticket_state(self_1_3)] == Mask[null, Ticket_state(self_1_3)] - FullPerm + ); + assume (forall self_1_3: Ref :: + { QPMask[null, Ticket_state(self_1_3)] } + !((((issubtype((typeof(invRecv7(self_1_3)): PyTypeDomainType), Ticket): bool) && Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], invRecv7(self_1_3))) && NoPerm < FullPerm) && qpRange7(self_1_3)) ==> QPMask[null, Ticket_state(self_1_3)] == Mask[null, Ticket_state(self_1_3)] + ); + + // -- assume permission updates for independent locations + assume (forall o_4: Ref, f_6: (Field A B) :: + { Mask[o_4, f_6] } { QPMask[o_4, f_6] } + (o_4 != null || !IsPredicateField(f_6)) || getPredicateId(f_6) != 4 ==> Mask[o_4, f_6] == QPMask[o_4, f_6] + ); + Mask := QPMask; + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver lambda46_30$t is injective + assert {:msg " Loop invariant true && ((forall lambda46_30$t: Ref :: { (lambda46_30$t in _checkDefined(res, 7562610).list_acc) } issubtype(typeof(lambda46_30$t), Ticket()) && (lambda46_30$t in _checkDefined(res, 7562610).list_acc) ==> acc(Ticket_state(lambda46_30$t), write)) && ((forall lambda46_30$t: Ref :: { (lambda46_30$t in _checkDefined(res, 7562610).list_acc) } issubtype(typeof(lambda46_30$t), Ticket()) && ((lambda46_30$t in _checkDefined(res, 7562610).list_acc) && code_1 != null) ==> acc(lambda46_30$t.Ticket_discount_code, write)) && (forall lambda46_30$t: Ref :: { (lambda46_30$t in _checkDefined(res, 7562610).list_acc) } issubtype(typeof(lambda46_30$t), Ticket()) && ((lambda46_30$t in _checkDefined(res, 7562610).list_acc) && code_1 != null) ==> issubtype(typeof(lambda46_30$t.Ticket_discount_code), str())))) might not be preserved. Quantified resource lambda46_30$t.Ticket_discount_code might not be injective. (testsfunctionalverificationexamplescav_example.py.vpr@716.15--716.803) [2497]"} + (forall lambda46_30$t_16: Ref, lambda46_30$t_16_1: Ref :: + { neverTriggered8(lambda46_30$t_16), neverTriggered8(lambda46_30$t_16_1) } + (((lambda46_30$t_16 != lambda46_30$t_16_1 && ((issubtype((typeof(lambda46_30$t_16): PyTypeDomainType), Ticket): bool) && (Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_16) && code_1 != null))) && ((issubtype((typeof(lambda46_30$t_16_1): PyTypeDomainType), Ticket): bool) && (Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_16_1) && code_1 != null))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> lambda46_30$t_16 != lambda46_30$t_16_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Loop invariant true && ((forall lambda46_30$t: Ref :: { (lambda46_30$t in _checkDefined(res, 7562610).list_acc) } issubtype(typeof(lambda46_30$t), Ticket()) && (lambda46_30$t in _checkDefined(res, 7562610).list_acc) ==> acc(Ticket_state(lambda46_30$t), write)) && ((forall lambda46_30$t: Ref :: { (lambda46_30$t in _checkDefined(res, 7562610).list_acc) } issubtype(typeof(lambda46_30$t), Ticket()) && ((lambda46_30$t in _checkDefined(res, 7562610).list_acc) && code_1 != null) ==> acc(lambda46_30$t.Ticket_discount_code, write)) && (forall lambda46_30$t: Ref :: { (lambda46_30$t in _checkDefined(res, 7562610).list_acc) } issubtype(typeof(lambda46_30$t), Ticket()) && ((lambda46_30$t in _checkDefined(res, 7562610).list_acc) && code_1 != null) ==> issubtype(typeof(lambda46_30$t.Ticket_discount_code), str())))) might not be preserved. There might be insufficient permission to access lambda46_30$t.Ticket_discount_code (testsfunctionalverificationexamplescav_example.py.vpr@716.15--716.803) [2498]"} + (forall lambda46_30$t_16: Ref :: + { Heap[lambda46_30$t_16, Ticket_discount_code] } { QPMask[lambda46_30$t_16, Ticket_discount_code] } { Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_16) } + (issubtype((typeof(lambda46_30$t_16): PyTypeDomainType), Ticket): bool) && (Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_16) && code_1 != null) ==> Mask[lambda46_30$t_16, Ticket_discount_code] >= FullPerm + ); + + // -- assumptions for inverse of receiver lambda46_30$t + assume (forall lambda46_30$t_16: Ref :: + { Heap[lambda46_30$t_16, Ticket_discount_code] } { QPMask[lambda46_30$t_16, Ticket_discount_code] } { Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_16) } + ((issubtype((typeof(lambda46_30$t_16): PyTypeDomainType), Ticket): bool) && (Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_16) && code_1 != null)) && NoPerm < FullPerm ==> qpRange8(lambda46_30$t_16) && invRecv8(lambda46_30$t_16) == lambda46_30$t_16 + ); + assume (forall o_4: Ref :: + { invRecv8(o_4) } + ((issubtype((typeof(invRecv8(o_4)): PyTypeDomainType), Ticket): bool) && (Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], invRecv8(o_4)) && code_1 != null)) && (NoPerm < FullPerm && qpRange8(o_4)) ==> invRecv8(o_4) == o_4 + ); + + // -- assume permission updates for field Ticket_discount_code + assume (forall o_4: Ref :: + { QPMask[o_4, Ticket_discount_code] } + (((issubtype((typeof(invRecv8(o_4)): PyTypeDomainType), Ticket): bool) && (Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], invRecv8(o_4)) && code_1 != null)) && (NoPerm < FullPerm && qpRange8(o_4)) ==> invRecv8(o_4) == o_4 && QPMask[o_4, Ticket_discount_code] == Mask[o_4, Ticket_discount_code] - FullPerm) && (!(((issubtype((typeof(invRecv8(o_4)): PyTypeDomainType), Ticket): bool) && (Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], invRecv8(o_4)) && code_1 != null)) && (NoPerm < FullPerm && qpRange8(o_4))) ==> QPMask[o_4, Ticket_discount_code] == Mask[o_4, Ticket_discount_code]) + ); + + // -- assume permission updates for independent locations + assume (forall o_4: Ref, f_6: (Field A B) :: + { QPMask[o_4, f_6] } + f_6 != Ticket_discount_code ==> Mask[o_4, f_6] == QPMask[o_4, f_6] + ); + Mask := QPMask; + if (*) { + if ((issubtype((typeof(lambda46_30$t_17): PyTypeDomainType), Ticket): bool) && (Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_17) && code_1 != null)) { + assert {:msg " Loop invariant true && ((forall lambda46_30$t: Ref :: { (lambda46_30$t in _checkDefined(res, 7562610).list_acc) } issubtype(typeof(lambda46_30$t), Ticket()) && (lambda46_30$t in _checkDefined(res, 7562610).list_acc) ==> acc(Ticket_state(lambda46_30$t), write)) && ((forall lambda46_30$t: Ref :: { (lambda46_30$t in _checkDefined(res, 7562610).list_acc) } issubtype(typeof(lambda46_30$t), Ticket()) && ((lambda46_30$t in _checkDefined(res, 7562610).list_acc) && code_1 != null) ==> acc(lambda46_30$t.Ticket_discount_code, write)) && (forall lambda46_30$t: Ref :: { (lambda46_30$t in _checkDefined(res, 7562610).list_acc) } issubtype(typeof(lambda46_30$t), Ticket()) && ((lambda46_30$t in _checkDefined(res, 7562610).list_acc) && code_1 != null) ==> issubtype(typeof(lambda46_30$t.Ticket_discount_code), str())))) might not be preserved. Assertion issubtype(typeof(lambda46_30$t.Ticket_discount_code), str()) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@716.15--716.803) [2499]"} + (issubtype((typeof(Heap[lambda46_30$t_17, Ticket_discount_code]): PyTypeDomainType), str): bool); + } + assume false; + } + assume (forall lambda46_30$t_18_1: Ref :: + { Seq#ContainsTrigger(Heap[_checkDefined#frame(EmptyFrame, res, 7562610), list_acc], lambda46_30$t_18_1) } { Seq#Contains(Heap[_checkDefined#frame(EmptyFrame, res, 7562610), list_acc], lambda46_30$t_18_1) } + (issubtype((typeof(lambda46_30$t_18_1): PyTypeDomainType), Ticket): bool) && (Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_18_1) && code_1 != null) ==> (issubtype((typeof(Heap[lambda46_30$t_18_1, Ticket_discount_code]): PyTypeDomainType), str): bool) + ); + if (iter_err == null) { + assert {:msg " Loop invariant (iter_err == null ==> int___sub__(list___len__(_checkDefined(seats, 495873779059)), list___len__(_checkDefined(res, 7562610))) > 0) && [acc(MustTerminate(_cthread_160), write), true] might not be preserved. Assertion int___sub__(list___len__(_checkDefined(seats, 495873779059)), list___len__(_checkDefined(res, 7562610))) > 0 might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@717.15--717.197) [2500]"} + int___sub__(Heap, list___len__(Heap, _checkDefined(Heap, seats, 495873779059)), list___len__(Heap, _checkDefined(Heap, res, 7562610))) > 0; + } + if (_loop_check_before) { + assert {:msg " Loop invariant [true, _loop_check_before ==> _loop_termination_flag || (!(iter_err == null) || perm(MustTerminate(_cthread_160)) == none && ((forperm _r_2: Ref [MustInvokeBounded(_r_2)] :: false) && ((forperm _r_2: Ref [MustInvokeUnbounded(_r_2)] :: false) && ((forperm _r_2: Ref [_r_2.MustReleaseBounded] :: false) && (forperm _r_2: Ref [_r_2.MustReleaseUnbounded] :: false)))))] might not be preserved. Assertion _loop_termination_flag || (!(iter_err == null) || perm(MustTerminate(_cthread_160)) == none && ((forperm _r_2: Ref [MustInvokeBounded(_r_2)] :: false) && ((forperm _r_2: Ref [MustInvokeUnbounded(_r_2)] :: false) && ((forperm _r_2: Ref [_r_2.MustReleaseBounded] :: false) && (forperm _r_2: Ref [_r_2.MustReleaseUnbounded] :: false))))) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@718.15--718.380) [2501]"} + _loop_termination_flag || (!(iter_err == null) || (Mask[null, MustTerminate(_cthread_160)] == NoPerm && ((forall _r_2_8: Ref :: + { Mask[null, MustInvokeBounded(_r_2_8)] } + HasDirectPerm(Mask, null, MustInvokeBounded(_r_2_8)) ==> false + ) && ((forall _r_2_9: Ref :: + { Mask[null, MustInvokeUnbounded(_r_2_9)] } + HasDirectPerm(Mask, null, MustInvokeUnbounded(_r_2_9)) ==> false + ) && ((forall _r_2_10: Ref :: + { Mask[_r_2_10, MustReleaseBounded] } + HasDirectPerm(Mask, _r_2_10, MustReleaseBounded) ==> false + ) && (forall _r_2_11: Ref :: + { Mask[_r_2_11, MustReleaseUnbounded] } + HasDirectPerm(Mask, _r_2_11, MustReleaseUnbounded) ==> false + )))))); + } + if (!_loop_check_before) { + assert {:msg " Loop invariant [true, !_loop_check_before ==> (forperm _r_2: Ref [MustInvokeBounded(_r_2)] :: false) && ((forperm _r_2: Ref [MustInvokeUnbounded(_r_2)] :: false) && ((forperm _r_2: Ref [_r_2.MustReleaseBounded] :: false) && (forperm _r_2: Ref [_r_2.MustReleaseUnbounded] :: false)))] might not be preserved. Assertion (forperm _r_2: Ref [MustInvokeBounded(_r_2)] :: false) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@719.15--719.283) [2502]"} + (forall _r_2_12: Ref :: + { Mask[null, MustInvokeBounded(_r_2_12)] } + HasDirectPerm(Mask, null, MustInvokeBounded(_r_2_12)) ==> false + ); + assert {:msg " Loop invariant [true, !_loop_check_before ==> (forperm _r_2: Ref [MustInvokeBounded(_r_2)] :: false) && ((forperm _r_2: Ref [MustInvokeUnbounded(_r_2)] :: false) && ((forperm _r_2: Ref [_r_2.MustReleaseBounded] :: false) && (forperm _r_2: Ref [_r_2.MustReleaseUnbounded] :: false)))] might not be preserved. Assertion (forperm _r_2: Ref [MustInvokeUnbounded(_r_2)] :: false) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@719.15--719.283) [2503]"} + (forall _r_2_13: Ref :: + { Mask[null, MustInvokeUnbounded(_r_2_13)] } + HasDirectPerm(Mask, null, MustInvokeUnbounded(_r_2_13)) ==> false + ); + assert {:msg " Loop invariant [true, !_loop_check_before ==> (forperm _r_2: Ref [MustInvokeBounded(_r_2)] :: false) && ((forperm _r_2: Ref [MustInvokeUnbounded(_r_2)] :: false) && ((forperm _r_2: Ref [_r_2.MustReleaseBounded] :: false) && (forperm _r_2: Ref [_r_2.MustReleaseUnbounded] :: false)))] might not be preserved. Assertion (forperm _r_2: Ref [_r_2.MustReleaseBounded] :: false) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@719.15--719.283) [2504]"} + (forall _r_2_14: Ref :: + { Mask[_r_2_14, MustReleaseBounded] } + HasDirectPerm(Mask, _r_2_14, MustReleaseBounded) ==> false + ); + assert {:msg " Loop invariant [true, !_loop_check_before ==> (forperm _r_2: Ref [MustInvokeBounded(_r_2)] :: false) && ((forperm _r_2: Ref [MustInvokeUnbounded(_r_2)] :: false) && ((forperm _r_2: Ref [_r_2.MustReleaseBounded] :: false) && (forperm _r_2: Ref [_r_2.MustReleaseUnbounded] :: false)))] might not be preserved. Assertion (forperm _r_2: Ref [_r_2.MustReleaseUnbounded] :: false) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@719.15--719.283) [2505]"} + (forall _r_2_15: Ref :: + { Mask[_r_2_15, MustReleaseUnbounded] } + HasDirectPerm(Mask, _r_2_15, MustReleaseUnbounded) ==> false + ); + } + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + // Terminate execution + assume false; + } + + // -- Inhale loop invariant after loop, and assume guard + assume !(iter_err == null); + assume state(Heap, Mask); + assume state(Heap, Mask); + assume (forall _r_1_7: Ref :: + { Mask[_r_1_7, MustReleaseBounded] } + HasDirectPerm(Mask, _r_1_7, MustReleaseBounded) ==> Level(Heap, _r_1_7) <= _residue_161 + ); + assume state(Heap, Mask); + assume (forall _r_1_8: Ref :: + { Mask[_r_1_8, MustReleaseUnbounded] } + HasDirectPerm(Mask, _r_1_8, MustReleaseUnbounded) ==> Level(Heap, _r_1_8) <= _residue_161 + ); + assume _residue_160 <= _residue_161; + perm := 1 / 20; + assert {:msg " While statement might fail. Fraction 1 / 20 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@695.15--695.45) [2506]"} + perm >= NoPerm; + assume perm > NoPerm ==> iterable != null; + Mask[iterable, list_acc] := Mask[iterable, list_acc] + perm; + assume state(Heap, Mask); + perm := 1 / 20; + assert {:msg " While statement might fail. Fraction 1 / 20 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@696.15--696.41) [2507]"} + perm >= NoPerm; + assume perm > NoPerm ==> iter != null; + Mask[iter, list_acc] := Mask[iter, list_acc] + perm; + assume state(Heap, Mask); + assume Seq#Equal(Heap[iter, list_acc], Heap[iterable, list_acc]); + assume Seq#Equal(seqtmp, Heap[iterable, list_acc]); + perm := FullPerm; + assume iter != null; + Mask[iter, __iter_index] := Mask[iter, __iter_index] + perm; + assume state(Heap, Mask); + perm := FullPerm; + assume iter != null; + Mask[iter, __previous] := Mask[iter, __previous] + perm; + assume state(Heap, Mask); + if (iter_err == null) { + assume Heap[iter, __iter_index] - 1 == Seq#Length(Heap[iter, __previous]); + } + if (iter_err != null) { + assume Heap[iter, __iter_index] == Seq#Length(Heap[iter, __previous]); + } + if (iter_err == null) { + assume Seq#Length(Heap[iter, list_acc]) > 0; + } + assume Heap[iter, __iter_index] >= 0; + assume Heap[iter, __iter_index] <= Seq#Length(Heap[iter, list_acc]); + if (Seq#Length(Heap[iter, list_acc]) > 0) { + assume Heap[iter, __iter_index] > 0; + } + if (Seq#Length(Heap[iter, list_acc]) > 0) { + assume loop_target == Seq#Index(Heap[iter, list_acc], Heap[iter, __iter_index] - 1); + } + if (Seq#Length(Heap[iter, list_acc]) > 0) { + assume Seq#Contains(Heap[iter, list_acc], loop_target); + } + if (iter_err == null) { + assume Seq#Equal(Heap[iter, __previous], Seq#Take(Heap[iter, list_acc], Heap[iter, __iter_index] - 1)); + } + if (Seq#Length(Heap[iter, list_acc]) > 0) { + assume (issubtype((typeof(loop_target): PyTypeDomainType), (tuple(Seq#Append(Seq#Singleton(vint), Seq#Singleton(vint))): PyTypeDomainType)): bool); + } + if (Seq#Length(Heap[iter, list_acc]) > 0) { + assume state(Heap, Mask); + assume row_0 == tuple___getitem__(Heap, loop_target, 0); + assume state(Heap, Mask); + assume _isDefined(Heap, 207760093042); + } + if (Seq#Length(Heap[iter, list_acc]) > 0) { + assume state(Heap, Mask); + assume seat_0 == tuple___getitem__(Heap, loop_target, 1); + assume state(Heap, Mask); + assume _isDefined(Heap, 53186532566387); + } + if (iter_err != null) { + assume Seq#Equal(Heap[iter, __previous], Heap[iter, list_acc]); + } + if (Seq#Length(Heap[iter, list_acc]) == 0) { + assume iter_err != null; + } + assume state(Heap, Mask); + perm := FullPerm; + assume _checkDefined(Heap, res, 7562610) != null; + Mask[_checkDefined(Heap, res, 7562610), list_acc] := Mask[_checkDefined(Heap, res, 7562610), list_acc] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume int___eq__(Heap, __prim__int___box__(Heap, list___len__(Heap, _checkDefined(Heap, res, 7562610))), __prim__int___box__(Heap, PSeq___len__(Heap, PSeq___create__(Heap, Heap[iter, __previous], vint)))); + assume state(Heap, Mask); + havoc QPMask; + + // -- check if receiver acc(Ticket_state(lambda46_30$t), write) is injective + assert {:msg " While statement might fail. Quantified resource Ticket_state(lambda46_30$t) might not be injective. (testsfunctionalverificationexamplescav_example.py.vpr@716.15--716.803) [2508]"} + (forall lambda46_30$t_19: Ref, lambda46_30$t_19_1: Ref :: + { neverTriggered9(lambda46_30$t_19), neverTriggered9(lambda46_30$t_19_1) } + (((lambda46_30$t_19 != lambda46_30$t_19_1 && ((issubtype((typeof(lambda46_30$t_19): PyTypeDomainType), Ticket): bool) && Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_19))) && ((issubtype((typeof(lambda46_30$t_19_1): PyTypeDomainType), Ticket): bool) && Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_19_1))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> lambda46_30$t_19 != lambda46_30$t_19_1 + ); + + // -- Define Inverse Function + assume (forall lambda46_30$t_19: Ref :: + { Heap[null, Ticket_state(lambda46_30$t_19)] } { Mask[null, Ticket_state(lambda46_30$t_19)] } { Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_19) } + ((issubtype((typeof(lambda46_30$t_19): PyTypeDomainType), Ticket): bool) && Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_19)) && NoPerm < FullPerm ==> invRecv9(lambda46_30$t_19) == lambda46_30$t_19 && qpRange9(lambda46_30$t_19) + ); + assume (forall self_1_4: Ref :: + { invRecv9(self_1_4) } + (((issubtype((typeof(invRecv9(self_1_4)): PyTypeDomainType), Ticket): bool) && Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], invRecv9(self_1_4))) && NoPerm < FullPerm) && qpRange9(self_1_4) ==> invRecv9(self_1_4) == self_1_4 + ); + + // -- Define updated permissions + assume (forall self_1_4: Ref :: + { QPMask[null, Ticket_state(self_1_4)] } + (((issubtype((typeof(invRecv9(self_1_4)): PyTypeDomainType), Ticket): bool) && Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], invRecv9(self_1_4))) && NoPerm < FullPerm) && qpRange9(self_1_4) ==> (NoPerm < FullPerm ==> invRecv9(self_1_4) == self_1_4) && QPMask[null, Ticket_state(self_1_4)] == Mask[null, Ticket_state(self_1_4)] + FullPerm + ); + + // -- Define independent locations + assume (forall o_4: Ref, f_6: (Field A B) :: + { Mask[o_4, f_6] } { QPMask[o_4, f_6] } + (o_4 != null || !IsPredicateField(f_6)) || getPredicateId(f_6) != 4 ==> Mask[o_4, f_6] == QPMask[o_4, f_6] + ); + assume (forall self_1_4: Ref :: + { QPMask[null, Ticket_state(self_1_4)] } + !((((issubtype((typeof(invRecv9(self_1_4)): PyTypeDomainType), Ticket): bool) && Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], invRecv9(self_1_4))) && NoPerm < FullPerm) && qpRange9(self_1_4)) ==> QPMask[null, Ticket_state(self_1_4)] == Mask[null, Ticket_state(self_1_4)] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + havoc QPMask; + assert {:msg " While statement might fail. Quantified resource lambda46_30$t.Ticket_discount_code might not be injective. (testsfunctionalverificationexamplescav_example.py.vpr@716.15--716.803) [2509]"} + (forall lambda46_30$t_21: Ref, lambda46_30$t_21_1: Ref :: + + (((lambda46_30$t_21 != lambda46_30$t_21_1 && ((issubtype((typeof(lambda46_30$t_21): PyTypeDomainType), Ticket): bool) && (Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_21) && code_1 != null))) && ((issubtype((typeof(lambda46_30$t_21_1): PyTypeDomainType), Ticket): bool) && (Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_21_1) && code_1 != null))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> lambda46_30$t_21 != lambda46_30$t_21_1 + ); + + // -- Define Inverse Function + assume (forall lambda46_30$t_21: Ref :: + { Heap[lambda46_30$t_21, Ticket_discount_code] } { QPMask[lambda46_30$t_21, Ticket_discount_code] } { Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_21) } + ((issubtype((typeof(lambda46_30$t_21): PyTypeDomainType), Ticket): bool) && (Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_21) && code_1 != null)) && NoPerm < FullPerm ==> qpRange10(lambda46_30$t_21) && invRecv10(lambda46_30$t_21) == lambda46_30$t_21 + ); + assume (forall o_4: Ref :: + { invRecv10(o_4) } + (((issubtype((typeof(invRecv10(o_4)): PyTypeDomainType), Ticket): bool) && (Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], invRecv10(o_4)) && code_1 != null)) && NoPerm < FullPerm) && qpRange10(o_4) ==> invRecv10(o_4) == o_4 + ); + + // -- Assume set of fields is nonNull + assume (forall lambda46_30$t_21: Ref :: + { Heap[lambda46_30$t_21, Ticket_discount_code] } { QPMask[lambda46_30$t_21, Ticket_discount_code] } { Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_21) } + (issubtype((typeof(lambda46_30$t_21): PyTypeDomainType), Ticket): bool) && (Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_21) && code_1 != null) ==> lambda46_30$t_21 != null + ); + + // -- Define permissions + assume (forall o_4: Ref :: + { QPMask[o_4, Ticket_discount_code] } + ((((issubtype((typeof(invRecv10(o_4)): PyTypeDomainType), Ticket): bool) && (Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], invRecv10(o_4)) && code_1 != null)) && NoPerm < FullPerm) && qpRange10(o_4) ==> (NoPerm < FullPerm ==> invRecv10(o_4) == o_4) && QPMask[o_4, Ticket_discount_code] == Mask[o_4, Ticket_discount_code] + FullPerm) && (!((((issubtype((typeof(invRecv10(o_4)): PyTypeDomainType), Ticket): bool) && (Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], invRecv10(o_4)) && code_1 != null)) && NoPerm < FullPerm) && qpRange10(o_4)) ==> QPMask[o_4, Ticket_discount_code] == Mask[o_4, Ticket_discount_code]) + ); + assume (forall o_4: Ref, f_6: (Field A B) :: + { Mask[o_4, f_6] } { QPMask[o_4, f_6] } + f_6 != Ticket_discount_code ==> Mask[o_4, f_6] == QPMask[o_4, f_6] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume (forall lambda46_30$t_22: Ref :: + { Seq#ContainsTrigger(Heap[_checkDefined#frame(EmptyFrame, res, 7562610), list_acc], lambda46_30$t_22) } { Seq#Contains(Heap[_checkDefined#frame(EmptyFrame, res, 7562610), list_acc], lambda46_30$t_22) } + (issubtype((typeof(lambda46_30$t_22): PyTypeDomainType), Ticket): bool) && (Seq#Contains(Heap[_checkDefined(Heap, res, 7562610), list_acc], lambda46_30$t_22) && code_1 != null) ==> (issubtype((typeof(Heap[lambda46_30$t_22, Ticket_discount_code]): PyTypeDomainType), str): bool) + ); + if (iter_err == null) { + assume state(Heap, Mask); + assume int___sub__(Heap, list___len__(Heap, _checkDefined(Heap, seats, 495873779059)), list___len__(Heap, _checkDefined(Heap, res, 7562610))) > 0; + } + perm := FullPerm; + Mask[null, MustTerminate(_cthread_160)] := Mask[null, MustTerminate(_cthread_160)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 101 + // // LoopInfo(None,Set()) + // exhale perm(MustTerminate(_cthread_160)) > none ==> + // acc(MustTerminate(_cthread_160), perm(MustTerminate(_cthread_160)) - + // _loop_original_must_terminate) -- testsfunctionalverificationexamplescav_example.py.vpr@753.3--753.154 + if (NoPerm < Mask[null, MustTerminate(_cthread_160)]) { + assert {:msg " Exhale might fail. Fraction perm(MustTerminate(_cthread_160)) - _loop_original_must_terminate might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@753.10--753.154) [2510]"} + Mask[null, MustTerminate(_cthread_160)] - _loop_original_must_terminate >= NoPerm; + perm := Mask[null, MustTerminate(_cthread_160)] - _loop_original_must_terminate; + if (perm != NoPerm) { + assert {:msg " Exhale might fail. There might be insufficient permission to access MustTerminate(_cthread_160) (testsfunctionalverificationexamplescav_example.py.vpr@753.10--753.154) [2511]"} + perm <= Mask[null, MustTerminate(_cthread_160)]; + } + Mask[null, MustTerminate(_cthread_160)] := Mask[null, MustTerminate(_cthread_160)] - perm; + } + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + assume state(Heap, Mask); + + // -- Translating statement: // id = 102 + // _cwl_160 := Iterator___del__(_cthread_160, _method_measures_160, _residue_161, + // iter) -- testsfunctionalverificationexamplescav_example.py.vpr@754.3--754.87 + PreCallHeap := Heap; + PreCallMask := Mask; + havoc _cwl_160; + + // -- Exhaling precondition + assert {:msg " The precondition of method Iterator___del__ might not hold. Assertion _cthread_160 != null might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@754.3--754.87) [2512]"} + _cthread_160 != null; + assert {:msg " The precondition of method Iterator___del__ might not hold. Assertion Measure$check(_method_measures_160, _cthread_160, 1) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@754.3--754.87) [2513]"} + Measure$check(Heap, _method_measures_160, _cthread_160, 1); + assert {:msg " The precondition of method Iterator___del__ might not hold. Assertion issubtype(typeof(_cthread_160), Thread_0()) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@754.3--754.87) [2514]"} + (issubtype((typeof(_cthread_160): PyTypeDomainType), Thread_0): bool); + assert {:msg " The precondition of method Iterator___del__ might not hold. Fraction 1 / 20 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@754.3--754.87) [2515]"} + 1 / 20 >= NoPerm; + perm := 1 / 20; + if (perm != NoPerm) { + assert {:msg " The precondition of method Iterator___del__ might not hold. There might be insufficient permission to access iter.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@754.3--754.87) [2516]"} + perm <= Mask[iter, list_acc]; + } + Mask[iter, list_acc] := Mask[iter, list_acc] - perm; + assert {:msg " The precondition of method Iterator___del__ might not hold. Fraction 1 / 20 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@754.3--754.87) [2517]"} + 1 / 20 >= NoPerm; + perm := 1 / 20; + if (perm != NoPerm) { + assert {:msg " The precondition of method Iterator___del__ might not hold. There might be insufficient permission to access iter.__container (testsfunctionalverificationexamplescav_example.py.vpr@754.3--754.87) [2518]"} + perm <= Mask[iter, __container]; + } + Mask[iter, __container] := Mask[iter, __container] - perm; + assert {:msg " The precondition of method Iterator___del__ might not hold. Assertion Measure$check(_method_measures_160, _cthread_160, 1) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@754.3--754.87) [2519]"} + Measure$check(Heap, _method_measures_160, _cthread_160, 1); + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + + // -- Inhaling postcondition + assume state(Heap, Mask); + assume (forall _r_17: Ref :: + { Mask[_r_17, MustReleaseBounded] } + HasDirectPerm(Mask, _r_17, MustReleaseBounded) ==> Level(Heap, _r_17) <= _cwl_160 + ); + assume state(Heap, Mask); + assume (forall _r_17_1: Ref :: + { Mask[_r_17_1, MustReleaseUnbounded] } + HasDirectPerm(Mask, _r_17_1, MustReleaseUnbounded) ==> Level(Heap, _r_17_1) <= _cwl_160 + ); + assume _residue_161 <= _cwl_160; + perm := 1 / 20; + assert {:msg " Method call might fail. Fraction 1 / 20 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@754.3--754.87) [2520]"} + perm >= NoPerm; + assume perm > NoPerm ==> iter != null; + Mask[iter, __container] := Mask[iter, __container] + perm; + assume state(Heap, Mask); + if ((issubtype((typeof(Heap[iter, __container]): PyTypeDomainType), (list((list_arg((typeof(Heap[iter, __container]): PyTypeDomainType), 0): PyTypeDomainType)): PyTypeDomainType)): bool)) { + perm := 1 / 20; + assert {:msg " Method call might fail. Fraction 1 / 20 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@754.3--754.87) [2521]"} + perm >= NoPerm; + assume perm > NoPerm ==> Heap[iter, __container] != null; + Mask[Heap[iter, __container], list_acc] := Mask[Heap[iter, __container], list_acc] + perm; + assume state(Heap, Mask); + } + if ((issubtype((typeof(Heap[iter, __container]): PyTypeDomainType), (dict((dict_arg((typeof(Heap[iter, __container]): PyTypeDomainType), 0): PyTypeDomainType), (dict_arg((typeof(Heap[iter, __container]): PyTypeDomainType), 1): PyTypeDomainType)): PyTypeDomainType)): bool)) { + perm := 1 / 20; + assert {:msg " Method call might fail. Fraction 1 / 20 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@754.3--754.87) [2522]"} + perm >= NoPerm; + assume perm > NoPerm ==> Heap[iter, __container] != null; + Mask[Heap[iter, __container], dict_acc] := Mask[Heap[iter, __container], dict_acc] + perm; + assume state(Heap, Mask); + perm := 1 / 20; + assert {:msg " Method call might fail. Fraction 1 / 20 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@754.3--754.87) [2523]"} + perm >= NoPerm; + assume perm > NoPerm ==> Heap[iter, __container] != null; + Mask[Heap[iter, __container], dict_acc2] := Mask[Heap[iter, __container], dict_acc2] + perm; + assume state(Heap, Mask); + } + if ((issubtype((typeof(Heap[iter, __container]): PyTypeDomainType), (set((set_arg((typeof(Heap[iter, __container]): PyTypeDomainType), 0): PyTypeDomainType)): PyTypeDomainType)): bool)) { + perm := 1 / 20; + assert {:msg " Method call might fail. Fraction 1 / 20 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@754.3--754.87) [2524]"} + perm >= NoPerm; + assume perm > NoPerm ==> Heap[iter, __container] != null; + Mask[Heap[iter, __container], set_acc] := Mask[Heap[iter, __container], set_acc] + perm; + assume state(Heap, Mask); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 103 + // _res := null -- testsfunctionalverificationexamplescav_example.py.vpr@755.3--755.15 + _res := null; + assume state(Heap, Mask); + + // -- Translating statement: // id = 104 + // _err := null -- testsfunctionalverificationexamplescav_example.py.vpr@756.3--756.15 + _err := null; + assume state(Heap, Mask); + + // -- Translating statement: // id = 105 + // label post_loop -- testsfunctionalverificationexamplescav_example.py.vpr@757.3--757.18 + post_loop: + Labelpost_loopMask := Mask; + Labelpost_loopHeap := Heap; + post_loop_lblGuard := true; + assume state(Heap, Mask); + + // -- Translating statement: // id = 106 + // _res := null -- testsfunctionalverificationexamplescav_example.py.vpr@758.3--758.15 + _res := null; + assume state(Heap, Mask); + + // -- Translating statement: // id = 107 + // _err := null -- testsfunctionalverificationexamplescav_example.py.vpr@759.3--759.15 + _err := null; + assume state(Heap, Mask); + + // -- Translating statement: // id = 108 + // _res := _checkDefined(res, 7562610) -- testsfunctionalverificationexamplescav_example.py.vpr@760.3--760.38 + + // -- Check definedness of _checkDefined(res, 7562610) + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function _checkDefined might not hold. Assertion _isDefined(7562610) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@760.11--760.38) [2525]"} + _isDefined(Heap, 7562610); + // Stop execution + assume false; + } + _res := _checkDefined(Heap, res, 7562610); + assume state(Heap, Mask); + + // -- Translating statement: // id = 109 + // goto __end -- testsfunctionalverificationexamplescav_example.py.vpr@761.3--761.13 + goto __end; + assume state(Heap, Mask); + + // -- Translating statement: // id = 110 + // goto __end -- testsfunctionalverificationexamplescav_example.py.vpr@762.3--762.13 + goto __end; + assume state(Heap, Mask); + + // -- Translating statement: // id = 111 + // label __end -- testsfunctionalverificationexamplescav_example.py.vpr@763.3--763.14 + __end: + Label__endMask := Mask; + Label__endHeap := Heap; + __end_lblGuard := true; + assume state(Heap, Mask); + + // -- Exhaling postcondition + if (_err == null) { + assert {:msg " Postcondition of order_tickets might not hold. Assertion issubtype(typeof(_res), list(Ticket())) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@632.11--632.67) [2526]"} + (issubtype((typeof(_res): PyTypeDomainType), (list(Ticket): PyTypeDomainType)): bool); + } + if (_err != null) { + assert {:msg " Postcondition of order_tickets might not hold. Assertion issubtype(typeof(_err), SoldoutException()) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@634.11--634.71) [2527]"} + (issubtype((typeof(_err): PyTypeDomainType), SoldoutException): bool); + } + assert {:msg " Postcondition of order_tickets might not hold. Assertion (forperm _r_4: Ref [MustInvokeBounded(_r_4)] :: false) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@635.11--635.255) [2528]"} + (forall _r_4_8: Ref :: + { Mask[null, MustInvokeBounded(_r_4_8)] } + HasDirectPerm(Mask, null, MustInvokeBounded(_r_4_8)) ==> false + ); + assert {:msg " Postcondition of order_tickets might not hold. Assertion (forperm _r_4: Ref [MustInvokeUnbounded(_r_4)] :: false) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@635.11--635.255) [2529]"} + (forall _r_4_9: Ref :: + { Mask[null, MustInvokeUnbounded(_r_4_9)] } + HasDirectPerm(Mask, null, MustInvokeUnbounded(_r_4_9)) ==> false + ); + assert {:msg " Postcondition of order_tickets might not hold. Assertion (forperm _r_4: Ref [_r_4.MustReleaseBounded] :: false) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@635.11--635.255) [2530]"} + (forall _r_4_10: Ref :: + { Mask[_r_4_10, MustReleaseBounded] } + HasDirectPerm(Mask, _r_4_10, MustReleaseBounded) ==> false + ); + assert {:msg " Postcondition of order_tickets might not hold. Assertion (forperm _r_4: Ref [_r_4.MustReleaseUnbounded] :: false) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@635.11--635.255) [2531]"} + (forall _r_4_11: Ref :: + { Mask[_r_4_11, MustReleaseUnbounded] } + HasDirectPerm(Mask, _r_4_11, MustReleaseUnbounded) ==> false + ); +} + +// ================================================== +// Translation of method Ticket___init__ +// ================================================== + +procedure Ticket___init__(_cthread_156: Ref, _caller_measures_156: (Seq Measure$DomainType), _residue_156: Perm, self: Ref, show: Ref, row: Ref, seat: Ref) returns (_current_wait_level_156: Perm) + modifies Heap, Mask; +{ + var __end_lblGuard: bool; + var perm: Perm; + var _r_8_4: Ref; + var _r_8_5: Ref; + var _r_8_6: Ref; + var _r_8_7: Ref; + var PostHeap: HeapType; + var PostMask: MaskType; + var _r_6_2: Ref; + var _r_6_3: Ref; + var _r_7: Ref; + var _r_7_2: Ref; + var _r_7_4: Ref; + var _r_7_6: Ref; + var _err: Ref; + var self_2: Ref; + var show_0: Ref; + var row_1: Ref; + var seat_1: Ref; + var _method_measures_156: (Seq Measure$DomainType); + var ExhaleHeap: HeapType; + var ln_1: int; + var ln_3: int; + var freshVersion: FrameType; + var Label__endMask: MaskType; + var Label__endHeap: HeapType; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == -1; + __end_lblGuard := false; + + // -- Assumptions about method arguments + assume Heap[_cthread_156, $allocated]; + assume Heap[self, $allocated]; + assume Heap[show, $allocated]; + assume Heap[row, $allocated]; + assume Heap[seat, $allocated]; + + // -- Checked inhaling of precondition + + // -- Do welldefinedness check of the exhale part. + if (*) { + assume _cthread_156 != null; + assume state(Heap, Mask); + assume (issubtype((typeof(_cthread_156): PyTypeDomainType), Thread_0): bool); + assume state(Heap, Mask); + assume self != null; + assume state(Heap, Mask); + perm := FullPerm; + Mask[null, _MaySet(self, 2036589462893379814238060391131476)] := Mask[null, _MaySet(self, 2036589462893379814238060391131476)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + perm := FullPerm; + Mask[null, _MaySet(self, 564017441487491594152276)] := Mask[null, _MaySet(self, 564017441487491594152276)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + perm := FullPerm; + Mask[null, _MaySet(self, 140695336058778200607779156)] := Mask[null, _MaySet(self, 140695336058778200607779156)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + perm := FullPerm; + Mask[null, _MaySet(self, 578847845651634811226368290157834565233854867796)] := Mask[null, _MaySet(self, 578847845651634811226368290157834565233854867796)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume (issubtype((typeof(self): PyTypeDomainType), Ticket): bool); + assume state(Heap, Mask); + assume (issubtype((typeof(show): PyTypeDomainType), vint): bool); + assume state(Heap, Mask); + assume (issubtype((typeof(row): PyTypeDomainType), vint): bool); + assume state(Heap, Mask); + assume (issubtype((typeof(seat): PyTypeDomainType), vint): bool); + assume state(Heap, Mask); + assume self != null; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of Measure$check(_caller_measures_156, _cthread_156, 1) || perm(MustTerminate(_cthread_156)) == none && ((forperm _r_8: Ref [MustInvokeBounded(_r_8)] :: false) && ((forperm _r_8: Ref [MustInvokeUnbounded(_r_8)] :: false) && ((forperm _r_8: Ref [_r_8.MustReleaseBounded] :: false) && (forperm _r_8: Ref [_r_8.MustReleaseUnbounded] :: false)))) + if (*) { + // Stop execution + assume false; + } + if (!Measure$check(Heap, _caller_measures_156, _cthread_156, 1)) { + if (Mask[null, MustTerminate(_cthread_156)] == NoPerm) { + if (*) { + if (HasDirectPerm(Mask, null, MustInvokeBounded(_r_8_4))) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access MustInvokeBounded(_r_8) (testsfunctionalverificationexamplescav_example.py.vpr@780.12--780.359) [2532]"} + HasDirectPerm(Mask, null, MustInvokeBounded(_r_8_4)); + } + assume false; + } + if ((forall _r_8_1: Ref :: + { Mask[null, MustInvokeBounded(_r_8_1)] } + HasDirectPerm(Mask, null, MustInvokeBounded(_r_8_1)) ==> false + )) { + if (*) { + if (HasDirectPerm(Mask, null, MustInvokeUnbounded(_r_8_5))) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access MustInvokeUnbounded(_r_8) (testsfunctionalverificationexamplescav_example.py.vpr@780.12--780.359) [2533]"} + HasDirectPerm(Mask, null, MustInvokeUnbounded(_r_8_5)); + } + assume false; + } + if ((forall _r_8_3: Ref :: + { Mask[null, MustInvokeUnbounded(_r_8_3)] } + HasDirectPerm(Mask, null, MustInvokeUnbounded(_r_8_3)) ==> false + )) { + if (*) { + if (HasDirectPerm(Mask, _r_8_6, MustReleaseBounded)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _r_8.MustReleaseBounded (testsfunctionalverificationexamplescav_example.py.vpr@780.12--780.359) [2534]"} + HasDirectPerm(Mask, _r_8_6, MustReleaseBounded); + } + assume false; + } + if ((forall _r_8_5_1: Ref :: + { Mask[_r_8_5_1, MustReleaseBounded] } + HasDirectPerm(Mask, _r_8_5_1, MustReleaseBounded) ==> false + )) { + if (*) { + if (HasDirectPerm(Mask, _r_8_7, MustReleaseUnbounded)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _r_8.MustReleaseUnbounded (testsfunctionalverificationexamplescav_example.py.vpr@780.12--780.359) [2535]"} + HasDirectPerm(Mask, _r_8_7, MustReleaseUnbounded); + } + assume false; + } + } + } + } + } + } + assume Measure$check(Heap, _caller_measures_156, _cthread_156, 1) || (Mask[null, MustTerminate(_cthread_156)] == NoPerm && ((forall _r_8_7_1: Ref :: + { Mask[null, MustInvokeBounded(_r_8_7_1)] } + HasDirectPerm(Mask, null, MustInvokeBounded(_r_8_7_1)) ==> false + ) && ((forall _r_8_8: Ref :: + { Mask[null, MustInvokeUnbounded(_r_8_8)] } + HasDirectPerm(Mask, null, MustInvokeUnbounded(_r_8_8)) ==> false + ) && ((forall _r_8_9: Ref :: + { Mask[_r_8_9, MustReleaseBounded] } + HasDirectPerm(Mask, _r_8_9, MustReleaseBounded) ==> false + ) && (forall _r_8_10: Ref :: + { Mask[_r_8_10, MustReleaseUnbounded] } + HasDirectPerm(Mask, _r_8_10, MustReleaseUnbounded) ==> false + ))))); + assume state(Heap, Mask); + assume false; + } + + // -- Normally inhale the inhale part. + assume _cthread_156 != null; + assume state(Heap, Mask); + assume (issubtype((typeof(_cthread_156): PyTypeDomainType), Thread_0): bool); + assume state(Heap, Mask); + assume self != null; + assume state(Heap, Mask); + perm := FullPerm; + Mask[null, _MaySet(self, 2036589462893379814238060391131476)] := Mask[null, _MaySet(self, 2036589462893379814238060391131476)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + perm := FullPerm; + Mask[null, _MaySet(self, 564017441487491594152276)] := Mask[null, _MaySet(self, 564017441487491594152276)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + perm := FullPerm; + Mask[null, _MaySet(self, 140695336058778200607779156)] := Mask[null, _MaySet(self, 140695336058778200607779156)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + perm := FullPerm; + Mask[null, _MaySet(self, 578847845651634811226368290157834565233854867796)] := Mask[null, _MaySet(self, 578847845651634811226368290157834565233854867796)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume (issubtype((typeof(self): PyTypeDomainType), Ticket): bool); + assume state(Heap, Mask); + assume (issubtype((typeof(show): PyTypeDomainType), vint): bool); + assume state(Heap, Mask); + assume (issubtype((typeof(row): PyTypeDomainType), vint): bool); + assume state(Heap, Mask); + assume (issubtype((typeof(seat): PyTypeDomainType), vint): bool); + assume state(Heap, Mask); + assume self != null; + assume state(Heap, Mask); + perm := FullPerm; + Mask[null, MustTerminate(_cthread_156)] := Mask[null, MustTerminate(_cthread_156)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + PostHeap := Heap; + PostMask := Mask; + havoc PostHeap; + PostMask := ZeroMask; + assume state(PostHeap, PostMask); + if (*) { + // Checked inhaling of postcondition to check definedness + + // -- Do welldefinedness check of the inhale part. + if (*) { + assume state(PostHeap, PostMask); + + // -- Check definedness of (forperm _r_6: Ref [_r_6.MustReleaseBounded] :: Level(_r_6) <= _current_wait_level_156) + if (*) { + if (HasDirectPerm(PostMask, _r_6_2, MustReleaseBounded)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _r_6.MustReleaseBounded (testsfunctionalverificationexamplescav_example.py.vpr@781.11--781.244) [2536]"} + HasDirectPerm(PostMask, _r_6_2, MustReleaseBounded); + if (*) { + // Stop execution + assume false; + } + } + assume false; + } + assume (forall _r_6_1_1: Ref :: + { PostMask[_r_6_1_1, MustReleaseBounded] } + HasDirectPerm(PostMask, _r_6_1_1, MustReleaseBounded) ==> Level(PostHeap, _r_6_1_1) <= _current_wait_level_156 + ); + assume state(PostHeap, PostMask); + + // -- Check definedness of (forperm _r_6: Ref [_r_6.MustReleaseUnbounded] :: Level(_r_6) <= _current_wait_level_156) + if (*) { + if (HasDirectPerm(PostMask, _r_6_3, MustReleaseUnbounded)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _r_6.MustReleaseUnbounded (testsfunctionalverificationexamplescav_example.py.vpr@781.11--781.244) [2537]"} + HasDirectPerm(PostMask, _r_6_3, MustReleaseUnbounded); + if (*) { + // Stop execution + assume false; + } + } + assume false; + } + assume (forall _r_6_3_1: Ref :: + { PostMask[_r_6_3_1, MustReleaseUnbounded] } + HasDirectPerm(PostMask, _r_6_3_1, MustReleaseUnbounded) ==> Level(PostHeap, _r_6_3_1) <= _current_wait_level_156 + ); + assume _residue_156 <= _current_wait_level_156; + assume state(PostHeap, PostMask); + perm := FullPerm; + PostMask[null, Ticket_state(self)] := PostMask[null, Ticket_state(self)] + perm; + assume state(PostHeap, PostMask); + perm := FullPerm; + PostMask[null, _MaySet(self, 578847845651634811226368290157834565233854867796)] := PostMask[null, _MaySet(self, 578847845651634811226368290157834565233854867796)] + perm; + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + assume false; + } + + // -- Normally inhale the exhale part. + assume state(PostHeap, PostMask); + perm := FullPerm; + PostMask[null, Ticket_state(self)] := PostMask[null, Ticket_state(self)] + perm; + assume state(PostHeap, PostMask); + perm := FullPerm; + PostMask[null, _MaySet(self, 578847845651634811226368290157834565233854867796)] := PostMask[null, _MaySet(self, 578847845651634811226368290157834565233854867796)] + perm; + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + + // -- Check definedness of (forperm _r_7: Ref [MustInvokeBounded(_r_7)] :: false) + if (*) { + if (HasDirectPerm(PostMask, null, MustInvokeBounded(_r_7))) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access MustInvokeBounded(_r_7) (testsfunctionalverificationexamplescav_example.py.vpr@783.11--783.255) [2538]"} + HasDirectPerm(PostMask, null, MustInvokeBounded(_r_7)); + } + assume false; + } + assume (forall _r_7_1: Ref :: + { PostMask[null, MustInvokeBounded(_r_7_1)] } + HasDirectPerm(PostMask, null, MustInvokeBounded(_r_7_1)) ==> false + ); + + // -- Check definedness of (forperm _r_7: Ref [MustInvokeUnbounded(_r_7)] :: false) + if (*) { + if (HasDirectPerm(PostMask, null, MustInvokeUnbounded(_r_7_2))) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access MustInvokeUnbounded(_r_7) (testsfunctionalverificationexamplescav_example.py.vpr@783.11--783.255) [2539]"} + HasDirectPerm(PostMask, null, MustInvokeUnbounded(_r_7_2)); + } + assume false; + } + assume (forall _r_7_3: Ref :: + { PostMask[null, MustInvokeUnbounded(_r_7_3)] } + HasDirectPerm(PostMask, null, MustInvokeUnbounded(_r_7_3)) ==> false + ); + + // -- Check definedness of (forperm _r_7: Ref [_r_7.MustReleaseBounded] :: false) + if (*) { + if (HasDirectPerm(PostMask, _r_7_4, MustReleaseBounded)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _r_7.MustReleaseBounded (testsfunctionalverificationexamplescav_example.py.vpr@783.11--783.255) [2540]"} + HasDirectPerm(PostMask, _r_7_4, MustReleaseBounded); + } + assume false; + } + assume (forall _r_7_5: Ref :: + { PostMask[_r_7_5, MustReleaseBounded] } + HasDirectPerm(PostMask, _r_7_5, MustReleaseBounded) ==> false + ); + + // -- Check definedness of (forperm _r_7: Ref [_r_7.MustReleaseUnbounded] :: false) + if (*) { + if (HasDirectPerm(PostMask, _r_7_6, MustReleaseUnbounded)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _r_7.MustReleaseUnbounded (testsfunctionalverificationexamplescav_example.py.vpr@783.11--783.255) [2541]"} + HasDirectPerm(PostMask, _r_7_6, MustReleaseUnbounded); + } + assume false; + } + assume (forall _r_7_7: Ref :: + { PostMask[_r_7_7, MustReleaseUnbounded] } + HasDirectPerm(PostMask, _r_7_7, MustReleaseUnbounded) ==> false + ); + assume state(PostHeap, PostMask); + // Stop execution + assume false; + } + + // -- Assumptions about local variables + assume Heap[_err, $allocated]; + assume Heap[self_2, $allocated]; + assume Heap[show_0, $allocated]; + assume Heap[row_1, $allocated]; + assume Heap[seat_1, $allocated]; + + // -- Translating statement: // id = 1 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 2 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 3 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 4 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 5 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 6 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 7 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 8 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 9 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 10 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 11 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 12 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 13 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 14 + // _method_measures_156 := Seq(Measure$create(true, _cthread_156, 1)) -- testsfunctionalverificationexamplescav_example.py.vpr@792.3--792.69 + _method_measures_156 := Seq#Singleton((Measure$create(true, _cthread_156, 1): Measure$DomainType)); + assume state(Heap, Mask); + + // -- Translating statement: // id = 15 + // inhale typeof(self) == Ticket() -- testsfunctionalverificationexamplescav_example.py.vpr@793.3--793.34 + assume (typeof(self): PyTypeDomainType) == Ticket; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 16 + // _err := null -- testsfunctionalverificationexamplescav_example.py.vpr@794.3--794.15 + _err := null; + assume state(Heap, Mask); + + // -- Translating statement: // id = 17 + // self_2 := self -- testsfunctionalverificationexamplescav_example.py.vpr@795.3--795.17 + self_2 := self; + assume state(Heap, Mask); + + // -- Translating statement: // id = 18 + // show_0 := show -- testsfunctionalverificationexamplescav_example.py.vpr@796.3--796.17 + show_0 := show; + assume state(Heap, Mask); + + // -- Translating statement: // id = 19 + // row_1 := row -- testsfunctionalverificationexamplescav_example.py.vpr@797.3--797.15 + row_1 := row; + assume state(Heap, Mask); + + // -- Translating statement: // id = 20 + // seat_1 := seat -- testsfunctionalverificationexamplescav_example.py.vpr@798.3--798.17 + seat_1 := seat; + assume state(Heap, Mask); + + // -- Translating statement: if (perm(_MaySet(self_2, 2036589462893379814238060391131476)) > none) -- testsfunctionalverificationexamplescav_example.py.vpr@799.3--802.4 + if (NoPerm < Mask[null, _MaySet(self_2, 2036589462893379814238060391131476)]) { + + // -- Translating statement: // id = 21 + // exhale acc(_MaySet(self_2, 2036589462893379814238060391131476), write) -- testsfunctionalverificationexamplescav_example.py.vpr@800.5--800.75 + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Exhale might fail. There might be insufficient permission to access _MaySet(self_2, 2036589462893379814238060391131476) (testsfunctionalverificationexamplescav_example.py.vpr@800.12--800.75) [2543]"} + perm <= Mask[null, _MaySet(self_2, 2036589462893379814238060391131476)]; + } + Mask[null, _MaySet(self_2, 2036589462893379814238060391131476)] := Mask[null, _MaySet(self_2, 2036589462893379814238060391131476)] - perm; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + assume state(Heap, Mask); + + // -- Translating statement: // id = 22 + // inhale acc(self_2.Ticket_show_id, write) -- testsfunctionalverificationexamplescav_example.py.vpr@801.5--801.45 + perm := FullPerm; + assume self_2 != null; + Mask[self_2, Ticket_show_id] := Mask[self_2, Ticket_show_id] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + } else { + + // -- Translating statement: // id = 23 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 24 + // self_2.Ticket_show_id := show_0 -- testsfunctionalverificationexamplescav_example.py.vpr@803.3--803.34 + assert {:msg " Assignment might fail. There might be insufficient permission to access self_2.Ticket_show_id (testsfunctionalverificationexamplescav_example.py.vpr@803.3--803.34) [2545]"} + FullPerm == Mask[self_2, Ticket_show_id]; + Heap[self_2, Ticket_show_id] := show_0; + assume state(Heap, Mask); + + // -- Translating statement: if (perm(_MaySet(self_2, 564017441487491594152276)) > none) -- testsfunctionalverificationexamplescav_example.py.vpr@804.3--807.4 + if (NoPerm < Mask[null, _MaySet(self_2, 564017441487491594152276)]) { + + // -- Translating statement: // id = 25 + // exhale acc(_MaySet(self_2, 564017441487491594152276), write) -- testsfunctionalverificationexamplescav_example.py.vpr@805.5--805.65 + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Exhale might fail. There might be insufficient permission to access _MaySet(self_2, 564017441487491594152276) (testsfunctionalverificationexamplescav_example.py.vpr@805.12--805.65) [2547]"} + perm <= Mask[null, _MaySet(self_2, 564017441487491594152276)]; + } + Mask[null, _MaySet(self_2, 564017441487491594152276)] := Mask[null, _MaySet(self_2, 564017441487491594152276)] - perm; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + assume state(Heap, Mask); + + // -- Translating statement: // id = 26 + // inhale acc(self_2.Ticket_row, write) -- testsfunctionalverificationexamplescav_example.py.vpr@806.5--806.41 + perm := FullPerm; + assume self_2 != null; + Mask[self_2, Ticket_row] := Mask[self_2, Ticket_row] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + } else { + + // -- Translating statement: // id = 27 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 28 + // self_2.Ticket_row := tuple___getitem__(tuple___create2__(row_1, seat_1, int(), + // int(), 0), 0) -- testsfunctionalverificationexamplescav_example.py.vpr@808.3--808.95 + + // -- Check definedness of tuple___getitem__(tuple___create2__(row_1, seat_1, int(), int(), 0), 0) + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function tuple___create2__ might not hold. Assertion issubtype(typeof(row_1), int()) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@808.42--808.91) [2549]"} + (issubtype((typeof(row_1): PyTypeDomainType), vint): bool); + assert {:msg " Precondition of function tuple___create2__ might not hold. Assertion issubtype(typeof(seat_1), int()) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@808.42--808.91) [2550]"} + (issubtype((typeof(seat_1): PyTypeDomainType), vint): bool); + // Stop execution + assume false; + } + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function tuple___getitem__ might not hold. Assertion (let ln == (tuple___len__(tuple___create2__(row_1, seat_1, int(), int(), 0))) in (0 >= 0 ==> 0 < ln) && (0 < 0 ==> 0 >= -ln)) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@808.24--808.95) [2551]"} + 0 < tuple___len__(Heap, tuple___create2__(Heap, row_1, seat_1, vint, vint, 0)); + + // -- Free assumptions (exhale module) + ln_1 := tuple___len__(Heap, tuple___create2__(Heap, row_1, seat_1, vint, vint, 0)); + // Stop execution + assume false; + } + assert {:msg " Assignment might fail. There might be insufficient permission to access self_2.Ticket_row (testsfunctionalverificationexamplescav_example.py.vpr@808.3--808.95) [2552]"} + FullPerm == Mask[self_2, Ticket_row]; + Heap[self_2, Ticket_row] := tuple___getitem__(Heap, tuple___create2__(Heap, row_1, seat_1, vint, vint, 0), 0); + assume state(Heap, Mask); + + // -- Translating statement: if (perm(_MaySet(self_2, 140695336058778200607779156)) > none) -- testsfunctionalverificationexamplescav_example.py.vpr@809.3--812.4 + if (NoPerm < Mask[null, _MaySet(self_2, 140695336058778200607779156)]) { + + // -- Translating statement: // id = 29 + // exhale acc(_MaySet(self_2, 140695336058778200607779156), write) -- testsfunctionalverificationexamplescav_example.py.vpr@810.5--810.68 + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Exhale might fail. There might be insufficient permission to access _MaySet(self_2, 140695336058778200607779156) (testsfunctionalverificationexamplescav_example.py.vpr@810.12--810.68) [2554]"} + perm <= Mask[null, _MaySet(self_2, 140695336058778200607779156)]; + } + Mask[null, _MaySet(self_2, 140695336058778200607779156)] := Mask[null, _MaySet(self_2, 140695336058778200607779156)] - perm; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + assume state(Heap, Mask); + + // -- Translating statement: // id = 30 + // inhale acc(self_2.Ticket_seat, write) -- testsfunctionalverificationexamplescav_example.py.vpr@811.5--811.42 + perm := FullPerm; + assume self_2 != null; + Mask[self_2, Ticket_seat] := Mask[self_2, Ticket_seat] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + } else { + + // -- Translating statement: // id = 31 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 32 + // self_2.Ticket_seat := tuple___getitem__(tuple___create2__(row_1, seat_1, int(), + // int(), 0), 1) -- testsfunctionalverificationexamplescav_example.py.vpr@813.3--813.96 + + // -- Check definedness of tuple___getitem__(tuple___create2__(row_1, seat_1, int(), int(), 0), 1) + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function tuple___create2__ might not hold. Assertion issubtype(typeof(row_1), int()) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@813.43--813.92) [2556]"} + (issubtype((typeof(row_1): PyTypeDomainType), vint): bool); + assert {:msg " Precondition of function tuple___create2__ might not hold. Assertion issubtype(typeof(seat_1), int()) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@813.43--813.92) [2557]"} + (issubtype((typeof(seat_1): PyTypeDomainType), vint): bool); + // Stop execution + assume false; + } + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function tuple___getitem__ might not hold. Assertion (let ln == (tuple___len__(tuple___create2__(row_1, seat_1, int(), int(), 0))) in (1 >= 0 ==> 1 < ln) && (1 < 0 ==> 1 >= -ln)) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@813.25--813.96) [2558]"} + 1 < tuple___len__(Heap, tuple___create2__(Heap, row_1, seat_1, vint, vint, 0)); + + // -- Free assumptions (exhale module) + ln_3 := tuple___len__(Heap, tuple___create2__(Heap, row_1, seat_1, vint, vint, 0)); + // Stop execution + assume false; + } + assert {:msg " Assignment might fail. There might be insufficient permission to access self_2.Ticket_seat (testsfunctionalverificationexamplescav_example.py.vpr@813.3--813.96) [2559]"} + FullPerm == Mask[self_2, Ticket_seat]; + Heap[self_2, Ticket_seat] := tuple___getitem__(Heap, tuple___create2__(Heap, row_1, seat_1, vint, vint, 0), 1); + assume state(Heap, Mask); + + // -- Translating statement: // id = 33 + // fold acc(Ticket_state(self_2), write) -- testsfunctionalverificationexamplescav_example.py.vpr@814.3--814.40 + assert {:msg " Folding Ticket_state(self_2) might fail. Assertion issubtype(typeof(self_2), Ticket()) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@814.3--814.40) [2561]"} + (issubtype((typeof(self_2): PyTypeDomainType), Ticket): bool); + if ((issubtype((typeof(self_2): PyTypeDomainType), Ticket): bool)) { + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Folding Ticket_state(self_2) might fail. There might be insufficient permission to access self_2.Ticket_show_id (testsfunctionalverificationexamplescav_example.py.vpr@814.3--814.40) [2563]"} + perm <= Mask[self_2, Ticket_show_id]; + } + Mask[self_2, Ticket_show_id] := Mask[self_2, Ticket_show_id] - perm; + assert {:msg " Folding Ticket_state(self_2) might fail. Assertion issubtype(typeof(self_2.Ticket_show_id), int()) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@814.3--814.40) [2564]"} + (issubtype((typeof(Heap[self_2, Ticket_show_id]): PyTypeDomainType), vint): bool); + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Folding Ticket_state(self_2) might fail. There might be insufficient permission to access self_2.Ticket_row (testsfunctionalverificationexamplescav_example.py.vpr@814.3--814.40) [2566]"} + perm <= Mask[self_2, Ticket_row]; + } + Mask[self_2, Ticket_row] := Mask[self_2, Ticket_row] - perm; + assert {:msg " Folding Ticket_state(self_2) might fail. Assertion issubtype(typeof(self_2.Ticket_row), int()) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@814.3--814.40) [2567]"} + (issubtype((typeof(Heap[self_2, Ticket_row]): PyTypeDomainType), vint): bool); + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Folding Ticket_state(self_2) might fail. There might be insufficient permission to access self_2.Ticket_seat (testsfunctionalverificationexamplescav_example.py.vpr@814.3--814.40) [2569]"} + perm <= Mask[self_2, Ticket_seat]; + } + Mask[self_2, Ticket_seat] := Mask[self_2, Ticket_seat] - perm; + assert {:msg " Folding Ticket_state(self_2) might fail. Assertion issubtype(typeof(self_2.Ticket_seat), int()) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@814.3--814.40) [2570]"} + (issubtype((typeof(Heap[self_2, Ticket_seat]): PyTypeDomainType), vint): bool); + } + perm := FullPerm; + Mask[null, Ticket_state(self_2)] := Mask[null, Ticket_state(self_2)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume Ticket_state#trigger(Heap, Ticket_state(self_2)); + assume Heap[null, Ticket_state(self_2)] == FrameFragment((if (issubtype((typeof(self_2): PyTypeDomainType), Ticket): bool) then CombineFrames(FrameFragment(Heap[self_2, Ticket_show_id]), CombineFrames(FrameFragment(Heap[self_2, Ticket_row]), FrameFragment(Heap[self_2, Ticket_seat]))) else EmptyFrame)); + if (!HasDirectPerm(Mask, null, Ticket_state(self_2))) { + Heap[null, Ticket_state#sm(self_2)] := ZeroPMask; + havoc freshVersion; + Heap[null, Ticket_state(self_2)] := freshVersion; + } + if ((issubtype((typeof(self_2): PyTypeDomainType), Ticket): bool)) { + Heap[null, Ticket_state#sm(self_2)][self_2, Ticket_show_id] := true; + Heap[null, Ticket_state#sm(self_2)][self_2, Ticket_row] := true; + Heap[null, Ticket_state#sm(self_2)][self_2, Ticket_seat] := true; + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 34 + // goto __end -- testsfunctionalverificationexamplescav_example.py.vpr@815.3--815.13 + goto __end; + assume state(Heap, Mask); + + // -- Translating statement: // id = 35 + // label __end -- testsfunctionalverificationexamplescav_example.py.vpr@816.3--816.14 + __end: + Label__endMask := Mask; + Label__endHeap := Heap; + __end_lblGuard := true; + assume state(Heap, Mask); + + // -- Exhaling postcondition + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Postcondition of Ticket___init__ might not hold. There might be insufficient permission to access Ticket_state(self) (testsfunctionalverificationexamplescav_example.py.vpr@782.11--782.120) [2572]"} + perm <= Mask[null, Ticket_state(self)]; + } + Mask[null, Ticket_state(self)] := Mask[null, Ticket_state(self)] - perm; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Postcondition of Ticket___init__ might not hold. There might be insufficient permission to access _MaySet(self, 578847845651634811226368290157834565233854867796) (testsfunctionalverificationexamplescav_example.py.vpr@782.11--782.120) [2573]"} + perm <= Mask[null, _MaySet(self, 578847845651634811226368290157834565233854867796)]; + } + Mask[null, _MaySet(self, 578847845651634811226368290157834565233854867796)] := Mask[null, _MaySet(self, 578847845651634811226368290157834565233854867796)] - perm; + assert {:msg " Postcondition of Ticket___init__ might not hold. Assertion (forperm _r_7: Ref [MustInvokeBounded(_r_7)] :: false) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@783.11--783.255) [2574]"} + (forall _r_7_8: Ref :: + { Mask[null, MustInvokeBounded(_r_7_8)] } + HasDirectPerm(Mask, null, MustInvokeBounded(_r_7_8)) ==> false + ); + assert {:msg " Postcondition of Ticket___init__ might not hold. Assertion (forperm _r_7: Ref [MustInvokeUnbounded(_r_7)] :: false) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@783.11--783.255) [2575]"} + (forall _r_7_9: Ref :: + { Mask[null, MustInvokeUnbounded(_r_7_9)] } + HasDirectPerm(Mask, null, MustInvokeUnbounded(_r_7_9)) ==> false + ); + assert {:msg " Postcondition of Ticket___init__ might not hold. Assertion (forperm _r_7: Ref [_r_7.MustReleaseBounded] :: false) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@783.11--783.255) [2576]"} + (forall _r_7_10: Ref :: + { Mask[_r_7_10, MustReleaseBounded] } + HasDirectPerm(Mask, _r_7_10, MustReleaseBounded) ==> false + ); + assert {:msg " Postcondition of Ticket___init__ might not hold. Assertion (forperm _r_7: Ref [_r_7.MustReleaseUnbounded] :: false) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@783.11--783.255) [2577]"} + (forall _r_7_11: Ref :: + { Mask[_r_7_11, MustReleaseUnbounded] } + HasDirectPerm(Mask, _r_7_11, MustReleaseUnbounded) ==> false + ); + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; +} + +// ================================================== +// Translation of method Ticket_set_discount +// ================================================== + +procedure Ticket_set_discount(_cthread_157: Ref, _caller_measures_157: (Seq Measure$DomainType), _residue_157: Perm, self_0: Ref, code: Ref) returns (_current_wait_level_157: Perm) + modifies Heap, Mask; +{ + var __end_lblGuard: bool; + var perm: Perm; + var _r_11: Ref; + var _r_11_2: Ref; + var _r_11_4: Ref; + var _r_11_6: Ref; + var PostHeap: HeapType; + var PostMask: MaskType; + var _r_9: Ref; + var _r_9_2: Ref; + var _r_10: Ref; + var _r_10_2: Ref; + var _r_10_4: Ref; + var _r_10_6: Ref; + var _err: Ref; + var self_3: Ref; + var code_2: Ref; + var _method_measures_157: (Seq Measure$DomainType); + var ExhaleHeap: HeapType; + var Label__endMask: MaskType; + var Label__endHeap: HeapType; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == -1; + __end_lblGuard := false; + + // -- Assumptions about method arguments + assume Heap[_cthread_157, $allocated]; + assume Heap[self_0, $allocated]; + assume Heap[code, $allocated]; + + // -- Checked inhaling of precondition + + // -- Do welldefinedness check of the exhale part. + if (*) { + assume _cthread_157 != null; + assume state(Heap, Mask); + assume (issubtype((typeof(_cthread_157): PyTypeDomainType), Thread_0): bool); + assume state(Heap, Mask); + assume (issubtype((typeof(self_0): PyTypeDomainType), Ticket): bool); + assume state(Heap, Mask); + assume (issubtype((typeof(code): PyTypeDomainType), str): bool); + assume state(Heap, Mask); + assume self_0 != null; + assume state(Heap, Mask); + perm := FullPerm; + Mask[null, _MaySet(self_0, 578847845651634811226368290157834565233854867796)] := Mask[null, _MaySet(self_0, 578847845651634811226368290157834565233854867796)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume Mask[null, MustTerminate(_cthread_157)] == NoPerm; + + // -- Check definedness of (forperm _r_11: Ref [MustInvokeBounded(_r_11)] :: false) + if (*) { + if (HasDirectPerm(Mask, null, MustInvokeBounded(_r_11))) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access MustInvokeBounded(_r_11) (testsfunctionalverificationexamplescav_example.py.vpr@826.12--826.311) [2578]"} + HasDirectPerm(Mask, null, MustInvokeBounded(_r_11)); + } + assume false; + } + assume (forall _r_11_1: Ref :: + { Mask[null, MustInvokeBounded(_r_11_1)] } + HasDirectPerm(Mask, null, MustInvokeBounded(_r_11_1)) ==> false + ); + + // -- Check definedness of (forperm _r_11: Ref [MustInvokeUnbounded(_r_11)] :: false) + if (*) { + if (HasDirectPerm(Mask, null, MustInvokeUnbounded(_r_11_2))) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access MustInvokeUnbounded(_r_11) (testsfunctionalverificationexamplescav_example.py.vpr@826.12--826.311) [2579]"} + HasDirectPerm(Mask, null, MustInvokeUnbounded(_r_11_2)); + } + assume false; + } + assume (forall _r_11_3: Ref :: + { Mask[null, MustInvokeUnbounded(_r_11_3)] } + HasDirectPerm(Mask, null, MustInvokeUnbounded(_r_11_3)) ==> false + ); + + // -- Check definedness of (forperm _r_11: Ref [_r_11.MustReleaseBounded] :: false) + if (*) { + if (HasDirectPerm(Mask, _r_11_4, MustReleaseBounded)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _r_11.MustReleaseBounded (testsfunctionalverificationexamplescav_example.py.vpr@826.12--826.311) [2580]"} + HasDirectPerm(Mask, _r_11_4, MustReleaseBounded); + } + assume false; + } + assume (forall _r_11_5: Ref :: + { Mask[_r_11_5, MustReleaseBounded] } + HasDirectPerm(Mask, _r_11_5, MustReleaseBounded) ==> false + ); + + // -- Check definedness of (forperm _r_11: Ref [_r_11.MustReleaseUnbounded] :: false) + if (*) { + if (HasDirectPerm(Mask, _r_11_6, MustReleaseUnbounded)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _r_11.MustReleaseUnbounded (testsfunctionalverificationexamplescav_example.py.vpr@826.12--826.311) [2581]"} + HasDirectPerm(Mask, _r_11_6, MustReleaseUnbounded); + } + assume false; + } + assume (forall _r_11_7: Ref :: + { Mask[_r_11_7, MustReleaseUnbounded] } + HasDirectPerm(Mask, _r_11_7, MustReleaseUnbounded) ==> false + ); + assume state(Heap, Mask); + assume false; + } + + // -- Normally inhale the inhale part. + assume _cthread_157 != null; + assume state(Heap, Mask); + assume (issubtype((typeof(_cthread_157): PyTypeDomainType), Thread_0): bool); + assume state(Heap, Mask); + assume (issubtype((typeof(self_0): PyTypeDomainType), Ticket): bool); + assume state(Heap, Mask); + assume (issubtype((typeof(code): PyTypeDomainType), str): bool); + assume state(Heap, Mask); + assume self_0 != null; + assume state(Heap, Mask); + perm := FullPerm; + Mask[null, _MaySet(self_0, 578847845651634811226368290157834565233854867796)] := Mask[null, _MaySet(self_0, 578847845651634811226368290157834565233854867796)] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + PostHeap := Heap; + PostMask := Mask; + havoc PostHeap; + PostMask := ZeroMask; + assume state(PostHeap, PostMask); + if (*) { + // Checked inhaling of postcondition to check definedness + + // -- Do welldefinedness check of the inhale part. + if (*) { + assume state(PostHeap, PostMask); + + // -- Check definedness of (forperm _r_9: Ref [_r_9.MustReleaseBounded] :: Level(_r_9) <= _current_wait_level_157) + if (*) { + if (HasDirectPerm(PostMask, _r_9, MustReleaseBounded)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _r_9.MustReleaseBounded (testsfunctionalverificationexamplescav_example.py.vpr@827.11--827.244) [2582]"} + HasDirectPerm(PostMask, _r_9, MustReleaseBounded); + if (*) { + // Stop execution + assume false; + } + } + assume false; + } + assume (forall _r_9_1: Ref :: + { PostMask[_r_9_1, MustReleaseBounded] } + HasDirectPerm(PostMask, _r_9_1, MustReleaseBounded) ==> Level(PostHeap, _r_9_1) <= _current_wait_level_157 + ); + assume state(PostHeap, PostMask); + + // -- Check definedness of (forperm _r_9: Ref [_r_9.MustReleaseUnbounded] :: Level(_r_9) <= _current_wait_level_157) + if (*) { + if (HasDirectPerm(PostMask, _r_9_2, MustReleaseUnbounded)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _r_9.MustReleaseUnbounded (testsfunctionalverificationexamplescav_example.py.vpr@827.11--827.244) [2583]"} + HasDirectPerm(PostMask, _r_9_2, MustReleaseUnbounded); + if (*) { + // Stop execution + assume false; + } + } + assume false; + } + assume (forall _r_9_3: Ref :: + { PostMask[_r_9_3, MustReleaseUnbounded] } + HasDirectPerm(PostMask, _r_9_3, MustReleaseUnbounded) ==> Level(PostHeap, _r_9_3) <= _current_wait_level_157 + ); + assume _residue_157 <= _current_wait_level_157; + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + assume false; + } + + // -- Normally inhale the exhale part. + assume state(PostHeap, PostMask); + + // -- Check definedness of (forperm _r_10: Ref [MustInvokeBounded(_r_10)] :: false) + if (*) { + if (HasDirectPerm(PostMask, null, MustInvokeBounded(_r_10))) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access MustInvokeBounded(_r_10) (testsfunctionalverificationexamplescav_example.py.vpr@828.11--828.263) [2584]"} + HasDirectPerm(PostMask, null, MustInvokeBounded(_r_10)); + } + assume false; + } + assume (forall _r_10_1: Ref :: + { PostMask[null, MustInvokeBounded(_r_10_1)] } + HasDirectPerm(PostMask, null, MustInvokeBounded(_r_10_1)) ==> false + ); + + // -- Check definedness of (forperm _r_10: Ref [MustInvokeUnbounded(_r_10)] :: false) + if (*) { + if (HasDirectPerm(PostMask, null, MustInvokeUnbounded(_r_10_2))) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access MustInvokeUnbounded(_r_10) (testsfunctionalverificationexamplescav_example.py.vpr@828.11--828.263) [2585]"} + HasDirectPerm(PostMask, null, MustInvokeUnbounded(_r_10_2)); + } + assume false; + } + assume (forall _r_10_3: Ref :: + { PostMask[null, MustInvokeUnbounded(_r_10_3)] } + HasDirectPerm(PostMask, null, MustInvokeUnbounded(_r_10_3)) ==> false + ); + + // -- Check definedness of (forperm _r_10: Ref [_r_10.MustReleaseBounded] :: false) + if (*) { + if (HasDirectPerm(PostMask, _r_10_4, MustReleaseBounded)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _r_10.MustReleaseBounded (testsfunctionalverificationexamplescav_example.py.vpr@828.11--828.263) [2586]"} + HasDirectPerm(PostMask, _r_10_4, MustReleaseBounded); + } + assume false; + } + assume (forall _r_10_5: Ref :: + { PostMask[_r_10_5, MustReleaseBounded] } + HasDirectPerm(PostMask, _r_10_5, MustReleaseBounded) ==> false + ); + + // -- Check definedness of (forperm _r_10: Ref [_r_10.MustReleaseUnbounded] :: false) + if (*) { + if (HasDirectPerm(PostMask, _r_10_6, MustReleaseUnbounded)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _r_10.MustReleaseUnbounded (testsfunctionalverificationexamplescav_example.py.vpr@828.11--828.263) [2587]"} + HasDirectPerm(PostMask, _r_10_6, MustReleaseUnbounded); + } + assume false; + } + assume (forall _r_10_7: Ref :: + { PostMask[_r_10_7, MustReleaseUnbounded] } + HasDirectPerm(PostMask, _r_10_7, MustReleaseUnbounded) ==> false + ); + assume state(PostHeap, PostMask); + // Stop execution + assume false; + } + + // -- Assumptions about local variables + assume Heap[_err, $allocated]; + assume Heap[self_3, $allocated]; + assume Heap[code_2, $allocated]; + + // -- Translating statement: // id = 1 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 2 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 3 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 4 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 5 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 6 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 7 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 8 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 9 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 10 + // _method_measures_157 := Seq[Measure$]() -- testsfunctionalverificationexamplescav_example.py.vpr@835.3--835.42 + _method_measures_157 := (Seq#Empty(): Seq Measure$DomainType); + assume state(Heap, Mask); + + // -- Translating statement: // id = 11 + // inhale typeof(self_0) == Ticket() -- testsfunctionalverificationexamplescav_example.py.vpr@836.3--836.36 + assume (typeof(self_0): PyTypeDomainType) == Ticket; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 12 + // _err := null -- testsfunctionalverificationexamplescav_example.py.vpr@837.3--837.15 + _err := null; + assume state(Heap, Mask); + + // -- Translating statement: // id = 13 + // self_3 := self_0 -- testsfunctionalverificationexamplescav_example.py.vpr@838.3--838.19 + self_3 := self_0; + assume state(Heap, Mask); + + // -- Translating statement: // id = 14 + // code_2 := code -- testsfunctionalverificationexamplescav_example.py.vpr@839.3--839.17 + code_2 := code; + assume state(Heap, Mask); + + // -- Translating statement: if (perm(_MaySet(self_3, 578847845651634811226368290157834565233854867796)) > none) -- testsfunctionalverificationexamplescav_example.py.vpr@840.3--843.4 + if (NoPerm < Mask[null, _MaySet(self_3, 578847845651634811226368290157834565233854867796)]) { + + // -- Translating statement: // id = 15 + // exhale acc(_MaySet(self_3, 578847845651634811226368290157834565233854867796), write) -- testsfunctionalverificationexamplescav_example.py.vpr@841.5--841.89 + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Exhale might fail. There might be insufficient permission to access _MaySet(self_3, 578847845651634811226368290157834565233854867796) (testsfunctionalverificationexamplescav_example.py.vpr@841.12--841.89) [2589]"} + perm <= Mask[null, _MaySet(self_3, 578847845651634811226368290157834565233854867796)]; + } + Mask[null, _MaySet(self_3, 578847845651634811226368290157834565233854867796)] := Mask[null, _MaySet(self_3, 578847845651634811226368290157834565233854867796)] - perm; + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; + assume state(Heap, Mask); + + // -- Translating statement: // id = 16 + // inhale acc(self_3.Ticket_discount_code, write) -- testsfunctionalverificationexamplescav_example.py.vpr@842.5--842.51 + perm := FullPerm; + assume self_3 != null; + Mask[self_3, Ticket_discount_code] := Mask[self_3, Ticket_discount_code] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + } else { + + // -- Translating statement: // id = 17 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 18 + // self_3.Ticket_discount_code := code_2 -- testsfunctionalverificationexamplescav_example.py.vpr@844.3--844.40 + assert {:msg " Assignment might fail. There might be insufficient permission to access self_3.Ticket_discount_code (testsfunctionalverificationexamplescav_example.py.vpr@844.3--844.40) [2591]"} + FullPerm == Mask[self_3, Ticket_discount_code]; + Heap[self_3, Ticket_discount_code] := code_2; + assume state(Heap, Mask); + + // -- Translating statement: // id = 19 + // goto __end -- testsfunctionalverificationexamplescav_example.py.vpr@845.3--845.13 + goto __end; + assume state(Heap, Mask); + + // -- Translating statement: // id = 20 + // label __end -- testsfunctionalverificationexamplescav_example.py.vpr@846.3--846.14 + __end: + Label__endMask := Mask; + Label__endHeap := Heap; + __end_lblGuard := true; + assume state(Heap, Mask); + + // -- Exhaling postcondition + assert {:msg " Postcondition of Ticket_set_discount might not hold. Assertion (forperm _r_10: Ref [MustInvokeBounded(_r_10)] :: false) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@828.11--828.263) [2592]"} + (forall _r_10_8: Ref :: + { Mask[null, MustInvokeBounded(_r_10_8)] } + HasDirectPerm(Mask, null, MustInvokeBounded(_r_10_8)) ==> false + ); + assert {:msg " Postcondition of Ticket_set_discount might not hold. Assertion (forperm _r_10: Ref [MustInvokeUnbounded(_r_10)] :: false) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@828.11--828.263) [2593]"} + (forall _r_10_9: Ref :: + { Mask[null, MustInvokeUnbounded(_r_10_9)] } + HasDirectPerm(Mask, null, MustInvokeUnbounded(_r_10_9)) ==> false + ); + assert {:msg " Postcondition of Ticket_set_discount might not hold. Assertion (forperm _r_10: Ref [_r_10.MustReleaseBounded] :: false) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@828.11--828.263) [2594]"} + (forall _r_10_10: Ref :: + { Mask[_r_10_10, MustReleaseBounded] } + HasDirectPerm(Mask, _r_10_10, MustReleaseBounded) ==> false + ); + assert {:msg " Postcondition of Ticket_set_discount might not hold. Assertion (forperm _r_10: Ref [_r_10.MustReleaseUnbounded] :: false) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@828.11--828.263) [2595]"} + (forall _r_10_11: Ref :: + { Mask[_r_10_11, MustReleaseUnbounded] } + HasDirectPerm(Mask, _r_10_11, MustReleaseUnbounded) ==> false + ); +} + +// ================================================== +// Translation of method main +// ================================================== + +procedure main(_cthread_161: Ref, _caller_measures_161: (Seq Measure$DomainType), _residue_162: Perm) returns (_current_wait_level_161: Perm) + modifies Heap, Mask; +{ + var __end_lblGuard: bool; + var _r_14: Ref; + var _r_14_2: Ref; + var _r_14_4: Ref; + var _r_14_6: Ref; + var PostHeap: HeapType; + var PostMask: MaskType; + var _r_12: Ref; + var _r_12_2: Ref; + var _r_13: Ref; + var _r_13_2: Ref; + var _r_13_4: Ref; + var _r_13_6: Ref; + var _method_measures_161: (Seq Measure$DomainType); + var module_defined_0: bool; + var module_names_0: (Set _NameDomainType); + var perm: Perm; + var Label__endMask: MaskType; + var Label__endHeap: HeapType; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == -1; + __end_lblGuard := false; + + // -- Assumptions about method arguments + assume Heap[_cthread_161, $allocated]; + + // -- Checked inhaling of precondition + + // -- Do welldefinedness check of the exhale part. + if (*) { + assume _cthread_161 != null; + assume state(Heap, Mask); + assume (issubtype((typeof(_cthread_161): PyTypeDomainType), Thread_0): bool); + assume state(Heap, Mask); + assume Mask[null, MustTerminate(_cthread_161)] == NoPerm; + + // -- Check definedness of (forperm _r_14: Ref [MustInvokeBounded(_r_14)] :: false) + if (*) { + if (HasDirectPerm(Mask, null, MustInvokeBounded(_r_14))) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access MustInvokeBounded(_r_14) (testsfunctionalverificationexamplescav_example.py.vpr@852.12--852.311) [2596]"} + HasDirectPerm(Mask, null, MustInvokeBounded(_r_14)); + } + assume false; + } + assume (forall _r_14_1: Ref :: + { Mask[null, MustInvokeBounded(_r_14_1)] } + HasDirectPerm(Mask, null, MustInvokeBounded(_r_14_1)) ==> false + ); + + // -- Check definedness of (forperm _r_14: Ref [MustInvokeUnbounded(_r_14)] :: false) + if (*) { + if (HasDirectPerm(Mask, null, MustInvokeUnbounded(_r_14_2))) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access MustInvokeUnbounded(_r_14) (testsfunctionalverificationexamplescav_example.py.vpr@852.12--852.311) [2597]"} + HasDirectPerm(Mask, null, MustInvokeUnbounded(_r_14_2)); + } + assume false; + } + assume (forall _r_14_3: Ref :: + { Mask[null, MustInvokeUnbounded(_r_14_3)] } + HasDirectPerm(Mask, null, MustInvokeUnbounded(_r_14_3)) ==> false + ); + + // -- Check definedness of (forperm _r_14: Ref [_r_14.MustReleaseBounded] :: false) + if (*) { + if (HasDirectPerm(Mask, _r_14_4, MustReleaseBounded)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _r_14.MustReleaseBounded (testsfunctionalverificationexamplescav_example.py.vpr@852.12--852.311) [2598]"} + HasDirectPerm(Mask, _r_14_4, MustReleaseBounded); + } + assume false; + } + assume (forall _r_14_5: Ref :: + { Mask[_r_14_5, MustReleaseBounded] } + HasDirectPerm(Mask, _r_14_5, MustReleaseBounded) ==> false + ); + + // -- Check definedness of (forperm _r_14: Ref [_r_14.MustReleaseUnbounded] :: false) + if (*) { + if (HasDirectPerm(Mask, _r_14_6, MustReleaseUnbounded)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _r_14.MustReleaseUnbounded (testsfunctionalverificationexamplescav_example.py.vpr@852.12--852.311) [2599]"} + HasDirectPerm(Mask, _r_14_6, MustReleaseUnbounded); + } + assume false; + } + assume (forall _r_14_7: Ref :: + { Mask[_r_14_7, MustReleaseUnbounded] } + HasDirectPerm(Mask, _r_14_7, MustReleaseUnbounded) ==> false + ); + assume state(Heap, Mask); + assume false; + } + + // -- Normally inhale the inhale part. + assume _cthread_161 != null; + assume state(Heap, Mask); + assume (issubtype((typeof(_cthread_161): PyTypeDomainType), Thread_0): bool); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + PostHeap := Heap; + PostMask := Mask; + havoc PostHeap; + PostMask := ZeroMask; + assume state(PostHeap, PostMask); + if (*) { + // Checked inhaling of postcondition to check definedness + + // -- Do welldefinedness check of the inhale part. + if (*) { + assume state(PostHeap, PostMask); + + // -- Check definedness of (forperm _r_12: Ref [_r_12.MustReleaseBounded] :: Level(_r_12) <= _current_wait_level_161) + if (*) { + if (HasDirectPerm(PostMask, _r_12, MustReleaseBounded)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _r_12.MustReleaseBounded (testsfunctionalverificationexamplescav_example.py.vpr@853.11--853.250) [2600]"} + HasDirectPerm(PostMask, _r_12, MustReleaseBounded); + if (*) { + // Stop execution + assume false; + } + } + assume false; + } + assume (forall _r_12_1: Ref :: + { PostMask[_r_12_1, MustReleaseBounded] } + HasDirectPerm(PostMask, _r_12_1, MustReleaseBounded) ==> Level(PostHeap, _r_12_1) <= _current_wait_level_161 + ); + assume state(PostHeap, PostMask); + + // -- Check definedness of (forperm _r_12: Ref [_r_12.MustReleaseUnbounded] :: Level(_r_12) <= _current_wait_level_161) + if (*) { + if (HasDirectPerm(PostMask, _r_12_2, MustReleaseUnbounded)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _r_12.MustReleaseUnbounded (testsfunctionalverificationexamplescav_example.py.vpr@853.11--853.250) [2601]"} + HasDirectPerm(PostMask, _r_12_2, MustReleaseUnbounded); + if (*) { + // Stop execution + assume false; + } + } + assume false; + } + assume (forall _r_12_3: Ref :: + { PostMask[_r_12_3, MustReleaseUnbounded] } + HasDirectPerm(PostMask, _r_12_3, MustReleaseUnbounded) ==> Level(PostHeap, _r_12_3) <= _current_wait_level_161 + ); + assume _residue_162 <= _current_wait_level_161; + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + assume false; + } + + // -- Normally inhale the exhale part. + assume state(PostHeap, PostMask); + + // -- Check definedness of (forperm _r_13: Ref [MustInvokeBounded(_r_13)] :: false) + if (*) { + if (HasDirectPerm(PostMask, null, MustInvokeBounded(_r_13))) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access MustInvokeBounded(_r_13) (testsfunctionalverificationexamplescav_example.py.vpr@854.11--854.263) [2602]"} + HasDirectPerm(PostMask, null, MustInvokeBounded(_r_13)); + } + assume false; + } + assume (forall _r_13_1: Ref :: + { PostMask[null, MustInvokeBounded(_r_13_1)] } + HasDirectPerm(PostMask, null, MustInvokeBounded(_r_13_1)) ==> false + ); + + // -- Check definedness of (forperm _r_13: Ref [MustInvokeUnbounded(_r_13)] :: false) + if (*) { + if (HasDirectPerm(PostMask, null, MustInvokeUnbounded(_r_13_2))) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access MustInvokeUnbounded(_r_13) (testsfunctionalverificationexamplescav_example.py.vpr@854.11--854.263) [2603]"} + HasDirectPerm(PostMask, null, MustInvokeUnbounded(_r_13_2)); + } + assume false; + } + assume (forall _r_13_3: Ref :: + { PostMask[null, MustInvokeUnbounded(_r_13_3)] } + HasDirectPerm(PostMask, null, MustInvokeUnbounded(_r_13_3)) ==> false + ); + + // -- Check definedness of (forperm _r_13: Ref [_r_13.MustReleaseBounded] :: false) + if (*) { + if (HasDirectPerm(PostMask, _r_13_4, MustReleaseBounded)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _r_13.MustReleaseBounded (testsfunctionalverificationexamplescav_example.py.vpr@854.11--854.263) [2604]"} + HasDirectPerm(PostMask, _r_13_4, MustReleaseBounded); + } + assume false; + } + assume (forall _r_13_5: Ref :: + { PostMask[_r_13_5, MustReleaseBounded] } + HasDirectPerm(PostMask, _r_13_5, MustReleaseBounded) ==> false + ); + + // -- Check definedness of (forperm _r_13: Ref [_r_13.MustReleaseUnbounded] :: false) + if (*) { + if (HasDirectPerm(PostMask, _r_13_6, MustReleaseUnbounded)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _r_13.MustReleaseUnbounded (testsfunctionalverificationexamplescav_example.py.vpr@854.11--854.263) [2605]"} + HasDirectPerm(PostMask, _r_13_6, MustReleaseUnbounded); + } + assume false; + } + assume (forall _r_13_7: Ref :: + { PostMask[_r_13_7, MustReleaseUnbounded] } + HasDirectPerm(PostMask, _r_13_7, MustReleaseUnbounded) ==> false + ); + assume state(PostHeap, PostMask); + // Stop execution + assume false; + } + + // -- Translating statement: // id = 1 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 2 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 3 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 4 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 5 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 6 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 7 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 8 + // _method_measures_161 := Seq[Measure$]() -- testsfunctionalverificationexamplescav_example.py.vpr@860.3--860.42 + _method_measures_161 := (Seq#Empty(): Seq Measure$DomainType); + assume state(Heap, Mask); + + // -- Translating statement: // id = 9 + // module_defined_0 := true -- testsfunctionalverificationexamplescav_example.py.vpr@861.3--861.27 + module_defined_0 := true; + assume state(Heap, Mask); + + // -- Translating statement: // id = 10 + // module_names_0 := Set[_Name]() -- testsfunctionalverificationexamplescav_example.py.vpr@862.3--862.33 + module_names_0 := (Set#Empty(): Set _NameDomainType); + assume state(Heap, Mask); + + // -- Translating statement: // id = 11 + // module_names_0 := (module_names_0 union Set(_single(6872323072689856351))) -- testsfunctionalverificationexamplescav_example.py.vpr@863.3--863.77 + module_names_0 := Set#Union(module_names_0, Set#Singleton((_single(6872323072689856351): _NameDomainType))); + assume state(Heap, Mask); + + // -- Translating statement: // id = 12 + // inhale acc(__file__()._val, 99 / 100) && + // (issubtype(typeof(__file__()._val), str()) && + // issubtype(typeof(__file__()._val), str())) -- testsfunctionalverificationexamplescav_example.py.vpr@864.3--864.130 + assume state(Heap, Mask); + + // -- Check definedness of acc(__file__()._val, 99 / 100) + if (*) { + // Stop execution + assume false; + } + perm := 99 / 100; + assert {:msg " Inhale might fail. Fraction 99 / 100 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@864.10--864.130) [2606]"} + perm >= NoPerm; + assume perm > NoPerm ==> __file__(Heap) != null; + Mask[__file__(Heap), _val] := Mask[__file__(Heap), _val] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of issubtype(typeof(__file__()._val), str()) + assert {:msg " Inhale might fail. There might be insufficient permission to access __file__()._val (testsfunctionalverificationexamplescav_example.py.vpr@864.10--864.130) [2607]"} + HasDirectPerm(Mask, __file__(Heap), _val); + if (*) { + // Stop execution + assume false; + } + assume (issubtype((typeof(Heap[__file__(Heap), _val]): PyTypeDomainType), str): bool); + assume state(Heap, Mask); + + // -- Check definedness of issubtype(typeof(__file__()._val), str()) + assert {:msg " Inhale might fail. There might be insufficient permission to access __file__()._val (testsfunctionalverificationexamplescav_example.py.vpr@864.10--864.130) [2608]"} + HasDirectPerm(Mask, __file__(Heap), _val); + if (*) { + // Stop execution + assume false; + } + assume (issubtype((typeof(Heap[__file__(Heap), _val]): PyTypeDomainType), str): bool); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 13 + // module_names_0 := (module_names_0 union Set(_single(6872323076851130207))) -- testsfunctionalverificationexamplescav_example.py.vpr@865.3--865.77 + module_names_0 := Set#Union(module_names_0, Set#Singleton((_single(6872323076851130207): _NameDomainType))); + assume state(Heap, Mask); + + // -- Translating statement: // id = 14 + // inhale acc(__name__()._val, 99 / 100) && + // (issubtype(typeof(__name__()._val), str()) && + // (issubtype(typeof(__name__()._val), str()) && + // str___eq__(str___create__(8, 6872332955275845471), __name__()._val))) -- testsfunctionalverificationexamplescav_example.py.vpr@866.3--866.201 + assume state(Heap, Mask); + + // -- Check definedness of acc(__name__()._val, 99 / 100) + if (*) { + // Stop execution + assume false; + } + perm := 99 / 100; + assert {:msg " Inhale might fail. Fraction 99 / 100 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@866.10--866.201) [2609]"} + perm >= NoPerm; + assume perm > NoPerm ==> __name__(Heap) != null; + Mask[__name__(Heap), _val] := Mask[__name__(Heap), _val] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of issubtype(typeof(__name__()._val), str()) + assert {:msg " Inhale might fail. There might be insufficient permission to access __name__()._val (testsfunctionalverificationexamplescav_example.py.vpr@866.10--866.201) [2610]"} + HasDirectPerm(Mask, __name__(Heap), _val); + if (*) { + // Stop execution + assume false; + } + assume (issubtype((typeof(Heap[__name__(Heap), _val]): PyTypeDomainType), str): bool); + assume state(Heap, Mask); + + // -- Check definedness of issubtype(typeof(__name__()._val), str()) + assert {:msg " Inhale might fail. There might be insufficient permission to access __name__()._val (testsfunctionalverificationexamplescav_example.py.vpr@866.10--866.201) [2611]"} + HasDirectPerm(Mask, __name__(Heap), _val); + if (*) { + // Stop execution + assume false; + } + assume (issubtype((typeof(Heap[__name__(Heap), _val]): PyTypeDomainType), str): bool); + assume state(Heap, Mask); + + // -- Check definedness of str___eq__(str___create__(8, 6872332955275845471), __name__()._val) + if (*) { + // Stop execution + assume false; + } + assert {:msg " Inhale might fail. There might be insufficient permission to access __name__()._val (testsfunctionalverificationexamplescav_example.py.vpr@866.10--866.201) [2612]"} + HasDirectPerm(Mask, __name__(Heap), _val); + if (*) { + // Stop execution + assume false; + } + if (*) { + // Exhale precondition of function application + assert {:msg " Precondition of function str___eq__ might not hold. Assertion issubtype(typeof(str___create__(8, 6872332955275845471)), str()) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@866.134--866.201) [2613]"} + (issubtype((typeof(str___create__(Heap, 8, 6872332955275845471)): PyTypeDomainType), str): bool); + // Stop execution + assume false; + } + assume str___eq__(Heap, str___create__(Heap, 8, 6872332955275845471), Heap[__name__(Heap), _val]); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 15 + // module_names_0 := (module_names_0 union + // Set(_single(8038062462289584464661321053517))) -- testsfunctionalverificationexamplescav_example.py.vpr@867.3--867.89 + module_names_0 := Set#Union(module_names_0, Set#Singleton((_single(8038062462289584464661321053517): _NameDomainType))); + assume state(Heap, Mask); + + // -- Translating statement: // id = 16 + // module_names_0 := (module_names_0 union Set(_single(1953720652))) -- testsfunctionalverificationexamplescav_example.py.vpr@868.3--868.68 + module_names_0 := Set#Union(module_names_0, Set#Singleton((_single(1953720652): _NameDomainType))); + assume state(Heap, Mask); + + // -- Translating statement: // id = 17 + // module_names_0 := (module_names_0 union Set(_single(435611006292))) -- testsfunctionalverificationexamplescav_example.py.vpr@869.3--869.70 + module_names_0 := Set#Union(module_names_0, Set#Singleton((_single(435611006292): _NameDomainType))); + assume state(Heap, Mask); + + // -- Translating statement: // id = 18 + // module_names_0 := (module_names_0 union + // Set(_single(146793563365898239306910909426909867859))) -- testsfunctionalverificationexamplescav_example.py.vpr@870.3--870.97 + module_names_0 := Set#Union(module_names_0, Set#Singleton((_single(146793563365898239306910909426909867859): _NameDomainType))); + assume state(Heap, Mask); + + // -- Translating statement: // id = 19 + // module_names_0 := (module_names_0 union + // Set(_single(2129761664003936118119))) -- testsfunctionalverificationexamplescav_example.py.vpr@871.3--871.80 + module_names_0 := Set#Union(module_names_0, Set#Singleton((_single(2129761664003936118119): _NameDomainType))); + assume state(Heap, Mask); + + // -- Translating statement: // id = 20 + // module_names_0 := (module_names_0 union Set(_single(6872339552563453791))) -- testsfunctionalverificationexamplescav_example.py.vpr@872.3--872.77 + module_names_0 := Set#Union(module_names_0, Set#Singleton((_single(6872339552563453791): _NameDomainType))); + assume state(Heap, Mask); + + // -- Translating statement: // id = 21 + // module_names_0 := (module_names_0 union + // Set(_single(36033797551066912423438214515))) -- testsfunctionalverificationexamplescav_example.py.vpr@873.3--873.87 + module_names_0 := Set#Union(module_names_0, Set#Singleton((_single(36033797551066912423438214515): _NameDomainType))); + assume state(Heap, Mask); + + // -- Translating statement: // id = 22 + // module_names_0 := (module_names_0 union Set(_single(127978942196052))) -- testsfunctionalverificationexamplescav_example.py.vpr@874.3--874.73 + module_names_0 := Set#Union(module_names_0, Set#Singleton((_single(127978942196052): _NameDomainType))); + assume state(Heap, Mask); + + // -- Translating statement: // id = 23 + // module_names_0 := (module_names_0 union + // Set(_single(9147261558914496062541770551919))) -- testsfunctionalverificationexamplescav_example.py.vpr@875.3--875.89 + module_names_0 := Set#Union(module_names_0, Set#Singleton((_single(9147261558914496062541770551919): _NameDomainType))); + assume state(Heap, Mask); + + // -- Translating statement: // id = 24 + // goto __end -- testsfunctionalverificationexamplescav_example.py.vpr@876.3--876.13 + goto __end; + assume state(Heap, Mask); + + // -- Translating statement: // id = 25 + // label __end -- testsfunctionalverificationexamplescav_example.py.vpr@877.3--877.14 + __end: + Label__endMask := Mask; + Label__endHeap := Heap; + __end_lblGuard := true; + assume state(Heap, Mask); + + // -- Exhaling postcondition + assert {:msg " Postcondition of main might not hold. Assertion (forperm _r_13: Ref [MustInvokeBounded(_r_13)] :: false) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@854.11--854.263) [2614]"} + (forall _r_13_8: Ref :: + { Mask[null, MustInvokeBounded(_r_13_8)] } + HasDirectPerm(Mask, null, MustInvokeBounded(_r_13_8)) ==> false + ); + assert {:msg " Postcondition of main might not hold. Assertion (forperm _r_13: Ref [MustInvokeUnbounded(_r_13)] :: false) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@854.11--854.263) [2615]"} + (forall _r_13_9: Ref :: + { Mask[null, MustInvokeUnbounded(_r_13_9)] } + HasDirectPerm(Mask, null, MustInvokeUnbounded(_r_13_9)) ==> false + ); + assert {:msg " Postcondition of main might not hold. Assertion (forperm _r_13: Ref [_r_13.MustReleaseBounded] :: false) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@854.11--854.263) [2616]"} + (forall _r_13_10: Ref :: + { Mask[_r_13_10, MustReleaseBounded] } + HasDirectPerm(Mask, _r_13_10, MustReleaseBounded) ==> false + ); + assert {:msg " Postcondition of main might not hold. Assertion (forperm _r_13: Ref [_r_13.MustReleaseUnbounded] :: false) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@854.11--854.263) [2617]"} + (forall _r_13_11: Ref :: + { Mask[_r_13_11, MustReleaseUnbounded] } + HasDirectPerm(Mask, _r_13_11, MustReleaseUnbounded) ==> false + ); +} + +// ================================================== +// Translation of method Iterator___next__ +// ================================================== + +procedure Iterator___next__(_cthread_149: Ref, _caller_measures_149: (Seq Measure$DomainType), _residue_149: Perm, self: Ref) returns (_current_wait_level_149: Perm, _res: Ref, _err: Ref) + modifies Heap, Mask; +{ + var perm: Perm; + var PostHeap: HeapType; + var PostMask: MaskType; + var _r_15_4: Ref; + var _r_15_5: Ref; + var r_2: Ref; + var r_4: Ref; + var r_4_1: Ref; + var ExhaleHeap: HeapType; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == -1; + + // -- Assumptions about method arguments + assume Heap[_cthread_149, $allocated]; + assume Heap[self, $allocated]; + + // -- Checked inhaling of precondition + + // -- Do welldefinedness check of the exhale part. + if (*) { + assume _cthread_149 != null; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of Measure$check(_caller_measures_149, _cthread_149, 1) + if (*) { + // Stop execution + assume false; + } + assume Measure$check(Heap, _caller_measures_149, _cthread_149, 1); + assume state(Heap, Mask); + assume (issubtype((typeof(_cthread_149): PyTypeDomainType), Thread_0): bool); + assume state(Heap, Mask); + perm := 1 / 40; + assert {:msg " Contract might not be well-formed. Fraction 1 / 40 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@884.12--884.38) [2618]"} + perm >= NoPerm; + assume perm > NoPerm ==> self != null; + Mask[self, list_acc] := Mask[self, list_acc] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + perm := FullPerm; + assume self != null; + Mask[self, __iter_index] := Mask[self, __iter_index] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + perm := FullPerm; + assume self != null; + Mask[self, __previous] := Mask[self, __previous] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of Measure$check(_caller_measures_149, _cthread_149, 1) + if (*) { + // Stop execution + assume false; + } + assume Measure$check(Heap, _caller_measures_149, _cthread_149, 1); + assume state(Heap, Mask); + assume false; + } + + // -- Normally inhale the inhale part. + assume _cthread_149 != null; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of Measure$check(_caller_measures_149, _cthread_149, 1) + if (*) { + // Stop execution + assume false; + } + assume Measure$check(Heap, _caller_measures_149, _cthread_149, 1); + assume state(Heap, Mask); + assume (issubtype((typeof(_cthread_149): PyTypeDomainType), Thread_0): bool); + assume state(Heap, Mask); + perm := 1 / 40; + assert {:msg " Contract might not be well-formed. Fraction 1 / 40 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@884.12--884.38) [2619]"} + perm >= NoPerm; + assume perm > NoPerm ==> self != null; + Mask[self, list_acc] := Mask[self, list_acc] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + perm := FullPerm; + assume self != null; + Mask[self, __iter_index] := Mask[self, __iter_index] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + perm := FullPerm; + assume self != null; + Mask[self, __previous] := Mask[self, __previous] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + PostHeap := Heap; + PostMask := Mask; + havoc PostHeap; + PostMask := ZeroMask; + assume state(PostHeap, PostMask); + if (*) { + // Checked inhaling of postcondition to check definedness + + // -- Do welldefinedness check of the inhale part. + if (*) { + assume state(PostHeap, PostMask); + + // -- Check definedness of (forperm _r_15: Ref [_r_15.MustReleaseBounded] :: Level(_r_15) <= _current_wait_level_149) + if (*) { + if (HasDirectPerm(PostMask, _r_15_4, MustReleaseBounded)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _r_15.MustReleaseBounded (testsfunctionalverificationexamplescav_example.py.vpr@888.11--888.250) [2620]"} + HasDirectPerm(PostMask, _r_15_4, MustReleaseBounded); + if (*) { + // Stop execution + assume false; + } + } + assume false; + } + assume (forall _r_15_1: Ref :: + { PostMask[_r_15_1, MustReleaseBounded] } + HasDirectPerm(PostMask, _r_15_1, MustReleaseBounded) ==> Level(PostHeap, _r_15_1) <= _current_wait_level_149 + ); + assume state(PostHeap, PostMask); + + // -- Check definedness of (forperm _r_15: Ref [_r_15.MustReleaseUnbounded] :: Level(_r_15) <= _current_wait_level_149) + if (*) { + if (HasDirectPerm(PostMask, _r_15_5, MustReleaseUnbounded)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _r_15.MustReleaseUnbounded (testsfunctionalverificationexamplescav_example.py.vpr@888.11--888.250) [2621]"} + HasDirectPerm(PostMask, _r_15_5, MustReleaseUnbounded); + if (*) { + // Stop execution + assume false; + } + } + assume false; + } + assume (forall _r_15_3: Ref :: + { PostMask[_r_15_3, MustReleaseUnbounded] } + HasDirectPerm(PostMask, _r_15_3, MustReleaseUnbounded) ==> Level(PostHeap, _r_15_3) <= _current_wait_level_149 + ); + assume _residue_149 <= _current_wait_level_149; + assume state(PostHeap, PostMask); + perm := 1 / 40; + assert {:msg " Contract might not be well-formed. Fraction 1 / 40 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@889.11--889.76) [2622]"} + perm >= NoPerm; + assume perm > NoPerm ==> self != null; + PostMask[self, list_acc] := PostMask[self, list_acc] + perm; + assume state(PostHeap, PostMask); + + // -- Check definedness of self.list_acc == old(self.list_acc) + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@889.11--889.76) [2623]"} + HasDirectPerm(PostMask, self, list_acc); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@889.11--889.76) [2624]"} + HasDirectPerm(old(Mask), self, list_acc); + assume Seq#Equal(PostHeap[self, list_acc], old(Heap)[self, list_acc]); + assume state(PostHeap, PostMask); + perm := FullPerm; + assume self != null; + PostMask[self, __iter_index] := PostMask[self, __iter_index] + perm; + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + + // -- Check definedness of self.__iter_index <= |self.list_acc| + 1 + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__iter_index (testsfunctionalverificationexamplescav_example.py.vpr@891.11--891.51) [2625]"} + HasDirectPerm(PostMask, self, __iter_index); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@891.11--891.51) [2626]"} + HasDirectPerm(PostMask, self, list_acc); + assume PostHeap[self, __iter_index] <= Seq#Length(PostHeap[self, list_acc]) + 1; + assume state(PostHeap, PostMask); + + // -- Check definedness of old(self.__iter_index == |self.list_acc|) == (_err != null) + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__iter_index (testsfunctionalverificationexamplescav_example.py.vpr@892.11--892.70) [2627]"} + HasDirectPerm(old(Mask), self, __iter_index); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@892.11--892.70) [2628]"} + HasDirectPerm(old(Mask), self, list_acc); + assume (old(Heap)[self, __iter_index] == Seq#Length(old(Heap)[self, list_acc])) == (_err != null); + assume state(PostHeap, PostMask); + perm := FullPerm; + assume self != null; + PostMask[self, __previous] := PostMask[self, __previous] + perm; + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + if (_err == null) { + + // -- Check definedness of self.__iter_index == old(self.__iter_index) + 1 + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__iter_index (testsfunctionalverificationexamplescav_example.py.vpr@894.11--894.75) [2629]"} + HasDirectPerm(PostMask, self, __iter_index); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__iter_index (testsfunctionalverificationexamplescav_example.py.vpr@894.11--894.75) [2630]"} + HasDirectPerm(old(Mask), self, __iter_index); + assume PostHeap[self, __iter_index] == old(Heap)[self, __iter_index] + 1; + } + assume state(PostHeap, PostMask); + if (_err == null) { + + // -- Check definedness of self.__iter_index > 0 + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__iter_index (testsfunctionalverificationexamplescav_example.py.vpr@895.11--895.49) [2631]"} + HasDirectPerm(PostMask, self, __iter_index); + assume PostHeap[self, __iter_index] > 0; + } + assume state(PostHeap, PostMask); + if (_err == null) { + + // -- Check definedness of self.__previous == self.list_acc[..self.__iter_index - 1] + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__previous (testsfunctionalverificationexamplescav_example.py.vpr@896.11--896.85) [2632]"} + HasDirectPerm(PostMask, self, __previous); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@896.11--896.85) [2633]"} + HasDirectPerm(PostMask, self, list_acc); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__iter_index (testsfunctionalverificationexamplescav_example.py.vpr@896.11--896.85) [2634]"} + HasDirectPerm(PostMask, self, __iter_index); + assume Seq#Equal(PostHeap[self, __previous], Seq#Take(PostHeap[self, list_acc], PostHeap[self, __iter_index] - 1)); + } + assume state(PostHeap, PostMask); + + // -- Check definedness of |self.list_acc| > 0 + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@897.11--897.56) [2635]"} + HasDirectPerm(PostMask, self, list_acc); + if (Seq#Length(PostHeap[self, list_acc]) > 0) { + + // -- Check definedness of self.__iter_index > 0 + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__iter_index (testsfunctionalverificationexamplescav_example.py.vpr@897.11--897.56) [2636]"} + HasDirectPerm(PostMask, self, __iter_index); + assume PostHeap[self, __iter_index] > 0; + } + assume state(PostHeap, PostMask); + if (_err != null) { + + // -- Check definedness of self.__previous == self.list_acc + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__previous (testsfunctionalverificationexamplescav_example.py.vpr@898.11--898.60) [2637]"} + HasDirectPerm(PostMask, self, __previous); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@898.11--898.60) [2638]"} + HasDirectPerm(PostMask, self, list_acc); + assume Seq#Equal(PostHeap[self, __previous], PostHeap[self, list_acc]); + } + assume state(PostHeap, PostMask); + if (_err != null) { + + // -- Check definedness of self.__iter_index == |self.list_acc| + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__iter_index (testsfunctionalverificationexamplescav_example.py.vpr@899.11--899.64) [2639]"} + HasDirectPerm(PostMask, self, __iter_index); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@899.11--899.64) [2640]"} + HasDirectPerm(PostMask, self, list_acc); + assume PostHeap[self, __iter_index] == Seq#Length(PostHeap[self, list_acc]); + } + assume state(PostHeap, PostMask); + + // -- Check definedness of |self.list_acc| > 0 + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@900.11--900.106) [2641]"} + HasDirectPerm(PostMask, self, list_acc); + if (Seq#Length(PostHeap[self, list_acc]) > 0) { + + // -- Check definedness of _res == self.list_acc[self.__iter_index - 1] + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@900.11--900.106) [2642]"} + HasDirectPerm(PostMask, self, list_acc); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__iter_index (testsfunctionalverificationexamplescav_example.py.vpr@900.11--900.106) [2643]"} + HasDirectPerm(PostMask, self, __iter_index); + assert {:msg " Contract might not be well-formed. Index self.list_acc[self.__iter_index - 1] into self.list_acc might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@900.11--900.106) [2644]"} + PostHeap[self, __iter_index] - 1 >= 0; + assert {:msg " Contract might not be well-formed. Index self.list_acc[self.__iter_index - 1] into self.list_acc might exceed sequence length. (testsfunctionalverificationexamplescav_example.py.vpr@900.11--900.106) [2645]"} + PostHeap[self, __iter_index] - 1 < Seq#Length(PostHeap[self, list_acc]); + assume _res == Seq#Index(PostHeap[self, list_acc], PostHeap[self, __iter_index] - 1); + + // -- Check definedness of (_res in self.list_acc) + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@900.11--900.106) [2646]"} + HasDirectPerm(PostMask, self, list_acc); + assume Seq#Contains(PostHeap[self, list_acc], _res); + } + assume state(PostHeap, PostMask); + + // -- Check definedness of |self.list_acc| > 0 + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@901.11--901.89) [2647]"} + HasDirectPerm(PostMask, self, list_acc); + if (Seq#Length(PostHeap[self, list_acc]) > 0) { + assume (issubtype((typeof(_res): PyTypeDomainType), (Iterator_arg((typeof(self): PyTypeDomainType), 0): PyTypeDomainType)): bool); + } + assume state(PostHeap, PostMask); + + // -- Check definedness of (forall r: Ref :: { (r in self.__previous) } (r in self.__previous) == ((r in old(self.__previous)) || (self.__iter_index > 1 && (r == self.list_acc[self.__iter_index - 2] && _err == null) || self.__iter_index > 0 && (_err != null && r == self.list_acc[self.__iter_index - 1])))) + if (*) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__previous (testsfunctionalverificationexamplescav_example.py.vpr@902.12--902.289) [2648]"} + HasDirectPerm(PostMask, self, __previous); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__previous (testsfunctionalverificationexamplescav_example.py.vpr@902.12--902.289) [2649]"} + HasDirectPerm(old(Mask), self, __previous); + if (!Seq#Contains(old(Heap)[self, __previous], r_2)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__iter_index (testsfunctionalverificationexamplescav_example.py.vpr@902.12--902.289) [2650]"} + HasDirectPerm(PostMask, self, __iter_index); + if (PostHeap[self, __iter_index] > 1) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@902.12--902.289) [2651]"} + HasDirectPerm(PostMask, self, list_acc); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__iter_index (testsfunctionalverificationexamplescav_example.py.vpr@902.12--902.289) [2652]"} + HasDirectPerm(PostMask, self, __iter_index); + assert {:msg " Contract might not be well-formed. Index self.list_acc[self.__iter_index - 2] into self.list_acc might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@902.12--902.289) [2653]"} + PostHeap[self, __iter_index] - 2 >= 0; + assert {:msg " Contract might not be well-formed. Index self.list_acc[self.__iter_index - 2] into self.list_acc might exceed sequence length. (testsfunctionalverificationexamplescav_example.py.vpr@902.12--902.289) [2654]"} + PostHeap[self, __iter_index] - 2 < Seq#Length(PostHeap[self, list_acc]); + } + if (!(PostHeap[self, __iter_index] > 1 && (r_2 == Seq#Index(PostHeap[self, list_acc], PostHeap[self, __iter_index] - 2) && _err == null))) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__iter_index (testsfunctionalverificationexamplescav_example.py.vpr@902.12--902.289) [2655]"} + HasDirectPerm(PostMask, self, __iter_index); + if (PostHeap[self, __iter_index] > 0) { + if (_err != null) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@902.12--902.289) [2656]"} + HasDirectPerm(PostMask, self, list_acc); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__iter_index (testsfunctionalverificationexamplescav_example.py.vpr@902.12--902.289) [2657]"} + HasDirectPerm(PostMask, self, __iter_index); + assert {:msg " Contract might not be well-formed. Index self.list_acc[self.__iter_index - 1] into self.list_acc might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@902.12--902.289) [2658]"} + PostHeap[self, __iter_index] - 1 >= 0; + assert {:msg " Contract might not be well-formed. Index self.list_acc[self.__iter_index - 1] into self.list_acc might exceed sequence length. (testsfunctionalverificationexamplescav_example.py.vpr@902.12--902.289) [2659]"} + PostHeap[self, __iter_index] - 1 < Seq#Length(PostHeap[self, list_acc]); + } + } + } + } + assume false; + } + assume (forall r_3: Ref :: + { Seq#ContainsTrigger(PostHeap[self, __previous], r_3) } { Seq#Contains(PostHeap[self, __previous], r_3) } + Seq#Contains(PostHeap[self, __previous], r_3) == (Seq#Contains(old(Heap)[self, __previous], r_3) || ((PostHeap[self, __iter_index] > 1 && (r_3 == Seq#Index(PostHeap[self, list_acc], PostHeap[self, __iter_index] - 2) && _err == null)) || (PostHeap[self, __iter_index] > 0 && (_err != null && r_3 == Seq#Index(PostHeap[self, list_acc], PostHeap[self, __iter_index] - 1))))) + ); + assume state(PostHeap, PostMask); + assume false; + } + + // -- Normally inhale the exhale part. + assume state(PostHeap, PostMask); + perm := 1 / 40; + assert {:msg " Contract might not be well-formed. Fraction 1 / 40 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@889.11--889.76) [2660]"} + perm >= NoPerm; + assume perm > NoPerm ==> self != null; + PostMask[self, list_acc] := PostMask[self, list_acc] + perm; + assume state(PostHeap, PostMask); + + // -- Check definedness of self.list_acc == old(self.list_acc) + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@889.11--889.76) [2661]"} + HasDirectPerm(PostMask, self, list_acc); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@889.11--889.76) [2662]"} + HasDirectPerm(old(Mask), self, list_acc); + assume Seq#Equal(PostHeap[self, list_acc], old(Heap)[self, list_acc]); + assume state(PostHeap, PostMask); + perm := FullPerm; + assume self != null; + PostMask[self, __iter_index] := PostMask[self, __iter_index] + perm; + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + + // -- Check definedness of self.__iter_index <= |self.list_acc| + 1 + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__iter_index (testsfunctionalverificationexamplescav_example.py.vpr@891.11--891.51) [2663]"} + HasDirectPerm(PostMask, self, __iter_index); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@891.11--891.51) [2664]"} + HasDirectPerm(PostMask, self, list_acc); + assume PostHeap[self, __iter_index] <= Seq#Length(PostHeap[self, list_acc]) + 1; + assume state(PostHeap, PostMask); + + // -- Check definedness of old(self.__iter_index == |self.list_acc|) == (_err != null) + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__iter_index (testsfunctionalverificationexamplescav_example.py.vpr@892.11--892.70) [2665]"} + HasDirectPerm(old(Mask), self, __iter_index); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@892.11--892.70) [2666]"} + HasDirectPerm(old(Mask), self, list_acc); + assume (old(Heap)[self, __iter_index] == Seq#Length(old(Heap)[self, list_acc])) == (_err != null); + assume state(PostHeap, PostMask); + perm := FullPerm; + assume self != null; + PostMask[self, __previous] := PostMask[self, __previous] + perm; + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + if (_err == null) { + + // -- Check definedness of self.__iter_index == old(self.__iter_index) + 1 + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__iter_index (testsfunctionalverificationexamplescav_example.py.vpr@894.11--894.75) [2667]"} + HasDirectPerm(PostMask, self, __iter_index); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__iter_index (testsfunctionalverificationexamplescav_example.py.vpr@894.11--894.75) [2668]"} + HasDirectPerm(old(Mask), self, __iter_index); + assume PostHeap[self, __iter_index] == old(Heap)[self, __iter_index] + 1; + } + assume state(PostHeap, PostMask); + if (_err == null) { + + // -- Check definedness of self.__iter_index > 0 + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__iter_index (testsfunctionalverificationexamplescav_example.py.vpr@895.11--895.49) [2669]"} + HasDirectPerm(PostMask, self, __iter_index); + assume PostHeap[self, __iter_index] > 0; + } + assume state(PostHeap, PostMask); + if (_err == null) { + + // -- Check definedness of self.__previous == self.list_acc[..self.__iter_index - 1] + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__previous (testsfunctionalverificationexamplescav_example.py.vpr@896.11--896.85) [2670]"} + HasDirectPerm(PostMask, self, __previous); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@896.11--896.85) [2671]"} + HasDirectPerm(PostMask, self, list_acc); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__iter_index (testsfunctionalverificationexamplescav_example.py.vpr@896.11--896.85) [2672]"} + HasDirectPerm(PostMask, self, __iter_index); + assume Seq#Equal(PostHeap[self, __previous], Seq#Take(PostHeap[self, list_acc], PostHeap[self, __iter_index] - 1)); + } + assume state(PostHeap, PostMask); + + // -- Check definedness of |self.list_acc| > 0 + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@897.11--897.56) [2673]"} + HasDirectPerm(PostMask, self, list_acc); + if (Seq#Length(PostHeap[self, list_acc]) > 0) { + + // -- Check definedness of self.__iter_index > 0 + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__iter_index (testsfunctionalverificationexamplescav_example.py.vpr@897.11--897.56) [2674]"} + HasDirectPerm(PostMask, self, __iter_index); + assume PostHeap[self, __iter_index] > 0; + } + assume state(PostHeap, PostMask); + if (_err != null) { + + // -- Check definedness of self.__previous == self.list_acc + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__previous (testsfunctionalverificationexamplescav_example.py.vpr@898.11--898.60) [2675]"} + HasDirectPerm(PostMask, self, __previous); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@898.11--898.60) [2676]"} + HasDirectPerm(PostMask, self, list_acc); + assume Seq#Equal(PostHeap[self, __previous], PostHeap[self, list_acc]); + } + assume state(PostHeap, PostMask); + if (_err != null) { + + // -- Check definedness of self.__iter_index == |self.list_acc| + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__iter_index (testsfunctionalverificationexamplescav_example.py.vpr@899.11--899.64) [2677]"} + HasDirectPerm(PostMask, self, __iter_index); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@899.11--899.64) [2678]"} + HasDirectPerm(PostMask, self, list_acc); + assume PostHeap[self, __iter_index] == Seq#Length(PostHeap[self, list_acc]); + } + assume state(PostHeap, PostMask); + + // -- Check definedness of |self.list_acc| > 0 + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@900.11--900.106) [2679]"} + HasDirectPerm(PostMask, self, list_acc); + if (Seq#Length(PostHeap[self, list_acc]) > 0) { + + // -- Check definedness of _res == self.list_acc[self.__iter_index - 1] + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@900.11--900.106) [2680]"} + HasDirectPerm(PostMask, self, list_acc); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__iter_index (testsfunctionalverificationexamplescav_example.py.vpr@900.11--900.106) [2681]"} + HasDirectPerm(PostMask, self, __iter_index); + assert {:msg " Contract might not be well-formed. Index self.list_acc[self.__iter_index - 1] into self.list_acc might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@900.11--900.106) [2682]"} + PostHeap[self, __iter_index] - 1 >= 0; + assert {:msg " Contract might not be well-formed. Index self.list_acc[self.__iter_index - 1] into self.list_acc might exceed sequence length. (testsfunctionalverificationexamplescav_example.py.vpr@900.11--900.106) [2683]"} + PostHeap[self, __iter_index] - 1 < Seq#Length(PostHeap[self, list_acc]); + assume _res == Seq#Index(PostHeap[self, list_acc], PostHeap[self, __iter_index] - 1); + + // -- Check definedness of (_res in self.list_acc) + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@900.11--900.106) [2684]"} + HasDirectPerm(PostMask, self, list_acc); + assume Seq#Contains(PostHeap[self, list_acc], _res); + } + assume state(PostHeap, PostMask); + + // -- Check definedness of |self.list_acc| > 0 + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@901.11--901.89) [2685]"} + HasDirectPerm(PostMask, self, list_acc); + if (Seq#Length(PostHeap[self, list_acc]) > 0) { + assume (issubtype((typeof(_res): PyTypeDomainType), (Iterator_arg((typeof(self): PyTypeDomainType), 0): PyTypeDomainType)): bool); + } + assume state(PostHeap, PostMask); + + // -- Check definedness of (forall r: Ref :: { (r in self.__previous) } (r in self.__previous) == ((r in old(self.__previous)) || (self.__iter_index > 1 && (r == self.list_acc[self.__iter_index - 2] && _err == null) || self.__iter_index > 0 && (_err != null && r == self.list_acc[self.__iter_index - 1])))) + if (*) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__previous (testsfunctionalverificationexamplescav_example.py.vpr@902.12--902.289) [2686]"} + HasDirectPerm(PostMask, self, __previous); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__previous (testsfunctionalverificationexamplescav_example.py.vpr@902.12--902.289) [2687]"} + HasDirectPerm(old(Mask), self, __previous); + if (!Seq#Contains(old(Heap)[self, __previous], r_4)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__iter_index (testsfunctionalverificationexamplescav_example.py.vpr@902.12--902.289) [2688]"} + HasDirectPerm(PostMask, self, __iter_index); + if (PostHeap[self, __iter_index] > 1) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@902.12--902.289) [2689]"} + HasDirectPerm(PostMask, self, list_acc); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__iter_index (testsfunctionalverificationexamplescav_example.py.vpr@902.12--902.289) [2690]"} + HasDirectPerm(PostMask, self, __iter_index); + assert {:msg " Contract might not be well-formed. Index self.list_acc[self.__iter_index - 2] into self.list_acc might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@902.12--902.289) [2691]"} + PostHeap[self, __iter_index] - 2 >= 0; + assert {:msg " Contract might not be well-formed. Index self.list_acc[self.__iter_index - 2] into self.list_acc might exceed sequence length. (testsfunctionalverificationexamplescav_example.py.vpr@902.12--902.289) [2692]"} + PostHeap[self, __iter_index] - 2 < Seq#Length(PostHeap[self, list_acc]); + } + if (!(PostHeap[self, __iter_index] > 1 && (r_4 == Seq#Index(PostHeap[self, list_acc], PostHeap[self, __iter_index] - 2) && _err == null))) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__iter_index (testsfunctionalverificationexamplescav_example.py.vpr@902.12--902.289) [2693]"} + HasDirectPerm(PostMask, self, __iter_index); + if (PostHeap[self, __iter_index] > 0) { + if (_err != null) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@902.12--902.289) [2694]"} + HasDirectPerm(PostMask, self, list_acc); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__iter_index (testsfunctionalverificationexamplescav_example.py.vpr@902.12--902.289) [2695]"} + HasDirectPerm(PostMask, self, __iter_index); + assert {:msg " Contract might not be well-formed. Index self.list_acc[self.__iter_index - 1] into self.list_acc might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@902.12--902.289) [2696]"} + PostHeap[self, __iter_index] - 1 >= 0; + assert {:msg " Contract might not be well-formed. Index self.list_acc[self.__iter_index - 1] into self.list_acc might exceed sequence length. (testsfunctionalverificationexamplescav_example.py.vpr@902.12--902.289) [2697]"} + PostHeap[self, __iter_index] - 1 < Seq#Length(PostHeap[self, list_acc]); + } + } + } + } + assume false; + } + assume (forall r_1_1: Ref :: + { Seq#ContainsTrigger(PostHeap[self, __previous], r_1_1) } { Seq#Contains(PostHeap[self, __previous], r_1_1) } + Seq#Contains(PostHeap[self, __previous], r_1_1) == (Seq#Contains(old(Heap)[self, __previous], r_1_1) || ((PostHeap[self, __iter_index] > 1 && (r_1_1 == Seq#Index(PostHeap[self, list_acc], PostHeap[self, __iter_index] - 2) && _err == null)) || (PostHeap[self, __iter_index] > 0 && (_err != null && r_1_1 == Seq#Index(PostHeap[self, list_acc], PostHeap[self, __iter_index] - 1))))) + ); + assume state(PostHeap, PostMask); + // Stop execution + assume false; + } + + // -- Translating statement: inhale false -- testsfunctionalverificationexamplescav_example.py.vpr@905.3--905.15 + assume false; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Exhaling postcondition + assert {:msg " Postcondition of Iterator___next__ might not hold. Fraction 1 / 40 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@889.11--889.76) [2698]"} + 1 / 40 >= NoPerm; + perm := 1 / 40; + if (perm != NoPerm) { + assert {:msg " Postcondition of Iterator___next__ might not hold. There might be insufficient permission to access self.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@889.11--889.76) [2699]"} + perm <= Mask[self, list_acc]; + } + Mask[self, list_acc] := Mask[self, list_acc] - perm; + assert {:msg " Postcondition of Iterator___next__ might not hold. Assertion self.list_acc == old(self.list_acc) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@889.11--889.76) [2700]"} + Seq#Equal(Heap[self, list_acc], old(Heap)[self, list_acc]); + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Postcondition of Iterator___next__ might not hold. There might be insufficient permission to access self.__iter_index (testsfunctionalverificationexamplescav_example.py.vpr@890.11--890.40) [2701]"} + perm <= Mask[self, __iter_index]; + } + Mask[self, __iter_index] := Mask[self, __iter_index] - perm; + assert {:msg " Postcondition of Iterator___next__ might not hold. Assertion self.__iter_index <= |self.list_acc| + 1 might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@891.11--891.51) [2702]"} + Heap[self, __iter_index] <= Seq#Length(Heap[self, list_acc]) + 1; + assert {:msg " Postcondition of Iterator___next__ might not hold. Assertion old(self.__iter_index == |self.list_acc|) == (_err != null) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@892.11--892.70) [2703]"} + (old(Heap)[self, __iter_index] == Seq#Length(old(Heap)[self, list_acc])) == (_err != null); + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Postcondition of Iterator___next__ might not hold. There might be insufficient permission to access self.__previous (testsfunctionalverificationexamplescav_example.py.vpr@893.11--893.38) [2704]"} + perm <= Mask[self, __previous]; + } + Mask[self, __previous] := Mask[self, __previous] - perm; + if (_err == null) { + assert {:msg " Postcondition of Iterator___next__ might not hold. Assertion self.__iter_index == old(self.__iter_index) + 1 might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@894.11--894.75) [2705]"} + Heap[self, __iter_index] == old(Heap)[self, __iter_index] + 1; + } + if (_err == null) { + assert {:msg " Postcondition of Iterator___next__ might not hold. Assertion self.__iter_index > 0 might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@895.11--895.49) [2706]"} + Heap[self, __iter_index] > 0; + } + if (_err == null) { + assert {:msg " Postcondition of Iterator___next__ might not hold. Assertion self.__previous == self.list_acc[..self.__iter_index - 1] might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@896.11--896.85) [2707]"} + Seq#Equal(Heap[self, __previous], Seq#Take(Heap[self, list_acc], Heap[self, __iter_index] - 1)); + } + if (Seq#Length(Heap[self, list_acc]) > 0) { + assert {:msg " Postcondition of Iterator___next__ might not hold. Assertion self.__iter_index > 0 might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@897.11--897.56) [2708]"} + Heap[self, __iter_index] > 0; + } + if (_err != null) { + assert {:msg " Postcondition of Iterator___next__ might not hold. Assertion self.__previous == self.list_acc might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@898.11--898.60) [2709]"} + Seq#Equal(Heap[self, __previous], Heap[self, list_acc]); + } + if (_err != null) { + assert {:msg " Postcondition of Iterator___next__ might not hold. Assertion self.__iter_index == |self.list_acc| might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@899.11--899.64) [2710]"} + Heap[self, __iter_index] == Seq#Length(Heap[self, list_acc]); + } + if (Seq#Length(Heap[self, list_acc]) > 0) { + assert {:msg " Postcondition of Iterator___next__ might not hold. Assertion _res == self.list_acc[self.__iter_index - 1] might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@900.11--900.106) [2711]"} + _res == Seq#Index(Heap[self, list_acc], Heap[self, __iter_index] - 1); + assert {:msg " Postcondition of Iterator___next__ might not hold. Assertion (_res in self.list_acc) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@900.11--900.106) [2712]"} + Seq#Contains(Heap[self, list_acc], _res); + } + if (Seq#Length(Heap[self, list_acc]) > 0) { + assert {:msg " Postcondition of Iterator___next__ might not hold. Assertion issubtype(typeof(_res), Iterator_arg(typeof(self), 0)) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@901.11--901.89) [2713]"} + (issubtype((typeof(_res): PyTypeDomainType), (Iterator_arg((typeof(self): PyTypeDomainType), 0): PyTypeDomainType)): bool); + } + if (*) { + assert {:msg " Postcondition of Iterator___next__ might not hold. Assertion (r in self.__previous) == ((r in old(self.__previous)) || (self.__iter_index > 1 && (r == self.list_acc[self.__iter_index - 2] && _err == null) || self.__iter_index > 0 && (_err != null && r == self.list_acc[self.__iter_index - 1]))) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@902.12--902.289) [2714]"} + Seq#Contains(Heap[self, __previous], r_4_1) == (Seq#Contains(old(Heap)[self, __previous], r_4_1) || ((Heap[self, __iter_index] > 1 && (r_4_1 == Seq#Index(Heap[self, list_acc], Heap[self, __iter_index] - 2) && _err == null)) || (Heap[self, __iter_index] > 0 && (_err != null && r_4_1 == Seq#Index(Heap[self, list_acc], Heap[self, __iter_index] - 1))))); + assume false; + } + assume (forall r_5_1: Ref :: + { Seq#ContainsTrigger(Heap[self, __previous], r_5_1) } { Seq#Contains(Heap[self, __previous], r_5_1) } + Seq#Contains(Heap[self, __previous], r_5_1) == (Seq#Contains(old(Heap)[self, __previous], r_5_1) || ((Heap[self, __iter_index] > 1 && (r_5_1 == Seq#Index(Heap[self, list_acc], Heap[self, __iter_index] - 2) && _err == null)) || (Heap[self, __iter_index] > 0 && (_err != null && r_5_1 == Seq#Index(Heap[self, list_acc], Heap[self, __iter_index] - 1))))) + ); + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; +} + +// ================================================== +// Translation of method Iterator___del__ +// ================================================== + +procedure Iterator___del__(_cthread_150: Ref, _caller_measures_150: (Seq Measure$DomainType), _residue_150: Perm, self: Ref) returns (_current_wait_level_150: Perm) + modifies Heap, Mask; +{ + var perm: Perm; + var PostHeap: HeapType; + var PostMask: MaskType; + var _r_17_2: Ref; + var _r_17_3: Ref; + var ExhaleHeap: HeapType; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == -1; + + // -- Assumptions about method arguments + assume Heap[_cthread_150, $allocated]; + assume Heap[self, $allocated]; + + // -- Checked inhaling of precondition + + // -- Do welldefinedness check of the exhale part. + if (*) { + assume _cthread_150 != null; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of Measure$check(_caller_measures_150, _cthread_150, 1) + if (*) { + // Stop execution + assume false; + } + assume Measure$check(Heap, _caller_measures_150, _cthread_150, 1); + assume state(Heap, Mask); + assume (issubtype((typeof(_cthread_150): PyTypeDomainType), Thread_0): bool); + assume state(Heap, Mask); + perm := 1 / 20; + assert {:msg " Contract might not be well-formed. Fraction 1 / 20 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@912.12--912.38) [2715]"} + perm >= NoPerm; + assume perm > NoPerm ==> self != null; + Mask[self, list_acc] := Mask[self, list_acc] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + perm := 1 / 20; + assert {:msg " Contract might not be well-formed. Fraction 1 / 20 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@913.12--913.41) [2716]"} + perm >= NoPerm; + assume perm > NoPerm ==> self != null; + Mask[self, __container] := Mask[self, __container] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of Measure$check(_caller_measures_150, _cthread_150, 1) + if (*) { + // Stop execution + assume false; + } + assume Measure$check(Heap, _caller_measures_150, _cthread_150, 1); + assume state(Heap, Mask); + assume false; + } + + // -- Normally inhale the inhale part. + assume _cthread_150 != null; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of Measure$check(_caller_measures_150, _cthread_150, 1) + if (*) { + // Stop execution + assume false; + } + assume Measure$check(Heap, _caller_measures_150, _cthread_150, 1); + assume state(Heap, Mask); + assume (issubtype((typeof(_cthread_150): PyTypeDomainType), Thread_0): bool); + assume state(Heap, Mask); + perm := 1 / 20; + assert {:msg " Contract might not be well-formed. Fraction 1 / 20 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@912.12--912.38) [2717]"} + perm >= NoPerm; + assume perm > NoPerm ==> self != null; + Mask[self, list_acc] := Mask[self, list_acc] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + perm := 1 / 20; + assert {:msg " Contract might not be well-formed. Fraction 1 / 20 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@913.12--913.41) [2718]"} + perm >= NoPerm; + assume perm > NoPerm ==> self != null; + Mask[self, __container] := Mask[self, __container] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + PostHeap := Heap; + PostMask := Mask; + havoc PostHeap; + PostMask := ZeroMask; + assume state(PostHeap, PostMask); + if (*) { + // Checked inhaling of postcondition to check definedness + + // -- Do welldefinedness check of the inhale part. + if (*) { + assume state(PostHeap, PostMask); + + // -- Check definedness of (forperm _r_17: Ref [_r_17.MustReleaseBounded] :: Level(_r_17) <= _current_wait_level_150) + if (*) { + if (HasDirectPerm(PostMask, _r_17_2, MustReleaseBounded)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _r_17.MustReleaseBounded (testsfunctionalverificationexamplescav_example.py.vpr@915.11--915.250) [2719]"} + HasDirectPerm(PostMask, _r_17_2, MustReleaseBounded); + if (*) { + // Stop execution + assume false; + } + } + assume false; + } + assume (forall _r_17_1: Ref :: + { PostMask[_r_17_1, MustReleaseBounded] } + HasDirectPerm(PostMask, _r_17_1, MustReleaseBounded) ==> Level(PostHeap, _r_17_1) <= _current_wait_level_150 + ); + assume state(PostHeap, PostMask); + + // -- Check definedness of (forperm _r_17: Ref [_r_17.MustReleaseUnbounded] :: Level(_r_17) <= _current_wait_level_150) + if (*) { + if (HasDirectPerm(PostMask, _r_17_3, MustReleaseUnbounded)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _r_17.MustReleaseUnbounded (testsfunctionalverificationexamplescav_example.py.vpr@915.11--915.250) [2720]"} + HasDirectPerm(PostMask, _r_17_3, MustReleaseUnbounded); + if (*) { + // Stop execution + assume false; + } + } + assume false; + } + assume (forall _r_17_3_1: Ref :: + { PostMask[_r_17_3_1, MustReleaseUnbounded] } + HasDirectPerm(PostMask, _r_17_3_1, MustReleaseUnbounded) ==> Level(PostHeap, _r_17_3_1) <= _current_wait_level_150 + ); + assume _residue_150 <= _current_wait_level_150; + assume state(PostHeap, PostMask); + perm := 1 / 20; + assert {:msg " Contract might not be well-formed. Fraction 1 / 20 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@916.11--916.40) [2721]"} + perm >= NoPerm; + assume perm > NoPerm ==> self != null; + PostMask[self, __container] := PostMask[self, __container] + perm; + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + + // -- Check definedness of issubtype(typeof(self.__container), list(list_arg(typeof(self.__container), 0))) + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__container (testsfunctionalverificationexamplescav_example.py.vpr@917.11--917.134) [2722]"} + HasDirectPerm(PostMask, self, __container); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__container (testsfunctionalverificationexamplescav_example.py.vpr@917.11--917.134) [2723]"} + HasDirectPerm(PostMask, self, __container); + if ((issubtype((typeof(PostHeap[self, __container]): PyTypeDomainType), (list((list_arg((typeof(PostHeap[self, __container]): PyTypeDomainType), 0): PyTypeDomainType)): PyTypeDomainType)): bool)) { + + // -- Check definedness of acc(self.__container.list_acc, 1 / 20) + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__container (testsfunctionalverificationexamplescav_example.py.vpr@917.11--917.134) [2724]"} + HasDirectPerm(PostMask, self, __container); + perm := 1 / 20; + assert {:msg " Contract might not be well-formed. Fraction 1 / 20 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@917.11--917.134) [2725]"} + perm >= NoPerm; + assume perm > NoPerm ==> PostHeap[self, __container] != null; + PostMask[PostHeap[self, __container], list_acc] := PostMask[PostHeap[self, __container], list_acc] + perm; + assume state(PostHeap, PostMask); + } + assume state(PostHeap, PostMask); + + // -- Check definedness of issubtype(typeof(self.__container), dict(dict_arg(typeof(self.__container), 0), dict_arg(typeof(self.__container), 1))) + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__container (testsfunctionalverificationexamplescav_example.py.vpr@918.11--918.216) [2726]"} + HasDirectPerm(PostMask, self, __container); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__container (testsfunctionalverificationexamplescav_example.py.vpr@918.11--918.216) [2727]"} + HasDirectPerm(PostMask, self, __container); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__container (testsfunctionalverificationexamplescav_example.py.vpr@918.11--918.216) [2728]"} + HasDirectPerm(PostMask, self, __container); + if ((issubtype((typeof(PostHeap[self, __container]): PyTypeDomainType), (dict((dict_arg((typeof(PostHeap[self, __container]): PyTypeDomainType), 0): PyTypeDomainType), (dict_arg((typeof(PostHeap[self, __container]): PyTypeDomainType), 1): PyTypeDomainType)): PyTypeDomainType)): bool)) { + + // -- Check definedness of acc(self.__container.dict_acc, 1 / 20) + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__container (testsfunctionalverificationexamplescav_example.py.vpr@918.11--918.216) [2729]"} + HasDirectPerm(PostMask, self, __container); + perm := 1 / 20; + assert {:msg " Contract might not be well-formed. Fraction 1 / 20 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@918.11--918.216) [2730]"} + perm >= NoPerm; + assume perm > NoPerm ==> PostHeap[self, __container] != null; + PostMask[PostHeap[self, __container], dict_acc] := PostMask[PostHeap[self, __container], dict_acc] + perm; + assume state(PostHeap, PostMask); + + // -- Check definedness of acc(self.__container.dict_acc2, 1 / 20) + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__container (testsfunctionalverificationexamplescav_example.py.vpr@918.11--918.216) [2731]"} + HasDirectPerm(PostMask, self, __container); + perm := 1 / 20; + assert {:msg " Contract might not be well-formed. Fraction 1 / 20 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@918.11--918.216) [2732]"} + perm >= NoPerm; + assume perm > NoPerm ==> PostHeap[self, __container] != null; + PostMask[PostHeap[self, __container], dict_acc2] := PostMask[PostHeap[self, __container], dict_acc2] + perm; + assume state(PostHeap, PostMask); + } + assume state(PostHeap, PostMask); + + // -- Check definedness of issubtype(typeof(self.__container), set(set_arg(typeof(self.__container), 0))) + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__container (testsfunctionalverificationexamplescav_example.py.vpr@919.11--919.131) [2733]"} + HasDirectPerm(PostMask, self, __container); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__container (testsfunctionalverificationexamplescav_example.py.vpr@919.11--919.131) [2734]"} + HasDirectPerm(PostMask, self, __container); + if ((issubtype((typeof(PostHeap[self, __container]): PyTypeDomainType), (set((set_arg((typeof(PostHeap[self, __container]): PyTypeDomainType), 0): PyTypeDomainType)): PyTypeDomainType)): bool)) { + + // -- Check definedness of acc(self.__container.set_acc, 1 / 20) + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__container (testsfunctionalverificationexamplescav_example.py.vpr@919.11--919.131) [2735]"} + HasDirectPerm(PostMask, self, __container); + perm := 1 / 20; + assert {:msg " Contract might not be well-formed. Fraction 1 / 20 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@919.11--919.131) [2736]"} + perm >= NoPerm; + assume perm > NoPerm ==> PostHeap[self, __container] != null; + PostMask[PostHeap[self, __container], set_acc] := PostMask[PostHeap[self, __container], set_acc] + perm; + assume state(PostHeap, PostMask); + } + assume state(PostHeap, PostMask); + assume false; + } + + // -- Normally inhale the exhale part. + assume state(PostHeap, PostMask); + perm := 1 / 20; + assert {:msg " Contract might not be well-formed. Fraction 1 / 20 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@916.11--916.40) [2737]"} + perm >= NoPerm; + assume perm > NoPerm ==> self != null; + PostMask[self, __container] := PostMask[self, __container] + perm; + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + + // -- Check definedness of issubtype(typeof(self.__container), list(list_arg(typeof(self.__container), 0))) + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__container (testsfunctionalverificationexamplescav_example.py.vpr@917.11--917.134) [2738]"} + HasDirectPerm(PostMask, self, __container); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__container (testsfunctionalverificationexamplescav_example.py.vpr@917.11--917.134) [2739]"} + HasDirectPerm(PostMask, self, __container); + if ((issubtype((typeof(PostHeap[self, __container]): PyTypeDomainType), (list((list_arg((typeof(PostHeap[self, __container]): PyTypeDomainType), 0): PyTypeDomainType)): PyTypeDomainType)): bool)) { + + // -- Check definedness of acc(self.__container.list_acc, 1 / 20) + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__container (testsfunctionalverificationexamplescav_example.py.vpr@917.11--917.134) [2740]"} + HasDirectPerm(PostMask, self, __container); + perm := 1 / 20; + assert {:msg " Contract might not be well-formed. Fraction 1 / 20 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@917.11--917.134) [2741]"} + perm >= NoPerm; + assume perm > NoPerm ==> PostHeap[self, __container] != null; + PostMask[PostHeap[self, __container], list_acc] := PostMask[PostHeap[self, __container], list_acc] + perm; + assume state(PostHeap, PostMask); + } + assume state(PostHeap, PostMask); + + // -- Check definedness of issubtype(typeof(self.__container), dict(dict_arg(typeof(self.__container), 0), dict_arg(typeof(self.__container), 1))) + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__container (testsfunctionalverificationexamplescav_example.py.vpr@918.11--918.216) [2742]"} + HasDirectPerm(PostMask, self, __container); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__container (testsfunctionalverificationexamplescav_example.py.vpr@918.11--918.216) [2743]"} + HasDirectPerm(PostMask, self, __container); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__container (testsfunctionalverificationexamplescav_example.py.vpr@918.11--918.216) [2744]"} + HasDirectPerm(PostMask, self, __container); + if ((issubtype((typeof(PostHeap[self, __container]): PyTypeDomainType), (dict((dict_arg((typeof(PostHeap[self, __container]): PyTypeDomainType), 0): PyTypeDomainType), (dict_arg((typeof(PostHeap[self, __container]): PyTypeDomainType), 1): PyTypeDomainType)): PyTypeDomainType)): bool)) { + + // -- Check definedness of acc(self.__container.dict_acc, 1 / 20) + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__container (testsfunctionalverificationexamplescav_example.py.vpr@918.11--918.216) [2745]"} + HasDirectPerm(PostMask, self, __container); + perm := 1 / 20; + assert {:msg " Contract might not be well-formed. Fraction 1 / 20 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@918.11--918.216) [2746]"} + perm >= NoPerm; + assume perm > NoPerm ==> PostHeap[self, __container] != null; + PostMask[PostHeap[self, __container], dict_acc] := PostMask[PostHeap[self, __container], dict_acc] + perm; + assume state(PostHeap, PostMask); + + // -- Check definedness of acc(self.__container.dict_acc2, 1 / 20) + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__container (testsfunctionalverificationexamplescav_example.py.vpr@918.11--918.216) [2747]"} + HasDirectPerm(PostMask, self, __container); + perm := 1 / 20; + assert {:msg " Contract might not be well-formed. Fraction 1 / 20 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@918.11--918.216) [2748]"} + perm >= NoPerm; + assume perm > NoPerm ==> PostHeap[self, __container] != null; + PostMask[PostHeap[self, __container], dict_acc2] := PostMask[PostHeap[self, __container], dict_acc2] + perm; + assume state(PostHeap, PostMask); + } + assume state(PostHeap, PostMask); + + // -- Check definedness of issubtype(typeof(self.__container), set(set_arg(typeof(self.__container), 0))) + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__container (testsfunctionalverificationexamplescav_example.py.vpr@919.11--919.131) [2749]"} + HasDirectPerm(PostMask, self, __container); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__container (testsfunctionalverificationexamplescav_example.py.vpr@919.11--919.131) [2750]"} + HasDirectPerm(PostMask, self, __container); + if ((issubtype((typeof(PostHeap[self, __container]): PyTypeDomainType), (set((set_arg((typeof(PostHeap[self, __container]): PyTypeDomainType), 0): PyTypeDomainType)): PyTypeDomainType)): bool)) { + + // -- Check definedness of acc(self.__container.set_acc, 1 / 20) + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.__container (testsfunctionalverificationexamplescav_example.py.vpr@919.11--919.131) [2751]"} + HasDirectPerm(PostMask, self, __container); + perm := 1 / 20; + assert {:msg " Contract might not be well-formed. Fraction 1 / 20 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@919.11--919.131) [2752]"} + perm >= NoPerm; + assume perm > NoPerm ==> PostHeap[self, __container] != null; + PostMask[PostHeap[self, __container], set_acc] := PostMask[PostHeap[self, __container], set_acc] + perm; + assume state(PostHeap, PostMask); + } + assume state(PostHeap, PostMask); + // Stop execution + assume false; + } + + // -- Translating statement: inhale false -- testsfunctionalverificationexamplescav_example.py.vpr@922.3--922.15 + assume false; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Exhaling postcondition + assert {:msg " Postcondition of Iterator___del__ might not hold. Fraction 1 / 20 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@916.11--916.40) [2753]"} + 1 / 20 >= NoPerm; + perm := 1 / 20; + if (perm != NoPerm) { + assert {:msg " Postcondition of Iterator___del__ might not hold. There might be insufficient permission to access self.__container (testsfunctionalverificationexamplescav_example.py.vpr@916.11--916.40) [2754]"} + perm <= Mask[self, __container]; + } + Mask[self, __container] := Mask[self, __container] - perm; + if ((issubtype((typeof(Heap[self, __container]): PyTypeDomainType), (list((list_arg((typeof(Heap[self, __container]): PyTypeDomainType), 0): PyTypeDomainType)): PyTypeDomainType)): bool)) { + assert {:msg " Postcondition of Iterator___del__ might not hold. Fraction 1 / 20 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@917.11--917.134) [2755]"} + 1 / 20 >= NoPerm; + perm := 1 / 20; + if (perm != NoPerm) { + assert {:msg " Postcondition of Iterator___del__ might not hold. There might be insufficient permission to access self.__container.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@917.11--917.134) [2756]"} + perm <= Mask[Heap[self, __container], list_acc]; + } + Mask[Heap[self, __container], list_acc] := Mask[Heap[self, __container], list_acc] - perm; + } + if ((issubtype((typeof(Heap[self, __container]): PyTypeDomainType), (dict((dict_arg((typeof(Heap[self, __container]): PyTypeDomainType), 0): PyTypeDomainType), (dict_arg((typeof(Heap[self, __container]): PyTypeDomainType), 1): PyTypeDomainType)): PyTypeDomainType)): bool)) { + assert {:msg " Postcondition of Iterator___del__ might not hold. Fraction 1 / 20 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@918.11--918.216) [2757]"} + 1 / 20 >= NoPerm; + perm := 1 / 20; + if (perm != NoPerm) { + assert {:msg " Postcondition of Iterator___del__ might not hold. There might be insufficient permission to access self.__container.dict_acc (testsfunctionalverificationexamplescav_example.py.vpr@918.11--918.216) [2758]"} + perm <= Mask[Heap[self, __container], dict_acc]; + } + Mask[Heap[self, __container], dict_acc] := Mask[Heap[self, __container], dict_acc] - perm; + assert {:msg " Postcondition of Iterator___del__ might not hold. Fraction 1 / 20 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@918.11--918.216) [2759]"} + 1 / 20 >= NoPerm; + perm := 1 / 20; + if (perm != NoPerm) { + assert {:msg " Postcondition of Iterator___del__ might not hold. There might be insufficient permission to access self.__container.dict_acc2 (testsfunctionalverificationexamplescav_example.py.vpr@918.11--918.216) [2760]"} + perm <= Mask[Heap[self, __container], dict_acc2]; + } + Mask[Heap[self, __container], dict_acc2] := Mask[Heap[self, __container], dict_acc2] - perm; + } + if ((issubtype((typeof(Heap[self, __container]): PyTypeDomainType), (set((set_arg((typeof(Heap[self, __container]): PyTypeDomainType), 0): PyTypeDomainType)): PyTypeDomainType)): bool)) { + assert {:msg " Postcondition of Iterator___del__ might not hold. Fraction 1 / 20 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@919.11--919.131) [2761]"} + 1 / 20 >= NoPerm; + perm := 1 / 20; + if (perm != NoPerm) { + assert {:msg " Postcondition of Iterator___del__ might not hold. There might be insufficient permission to access self.__container.set_acc (testsfunctionalverificationexamplescav_example.py.vpr@919.11--919.131) [2762]"} + perm <= Mask[Heap[self, __container], set_acc]; + } + Mask[Heap[self, __container], set_acc] := Mask[Heap[self, __container], set_acc] - perm; + } + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; +} + +// ================================================== +// Translation of method list___init__ +// ================================================== + +procedure list___init__(_cthread_8: Ref, _caller_measures_8: (Seq Measure$DomainType), _residue_8: Perm) returns (_current_wait_level_8: Perm, res: Ref) + modifies Heap, Mask; +{ + var PostHeap: HeapType; + var PostMask: MaskType; + var _r_19_2: Ref; + var _r_19_3: Ref; + var perm: Perm; + var ExhaleHeap: HeapType; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == -1; + + // -- Assumptions about method arguments + assume Heap[_cthread_8, $allocated]; + + // -- Checked inhaling of precondition + + // -- Do welldefinedness check of the exhale part. + if (*) { + assume _cthread_8 != null; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of Measure$check(_caller_measures_8, _cthread_8, 1) + if (*) { + // Stop execution + assume false; + } + assume Measure$check(Heap, _caller_measures_8, _cthread_8, 1); + assume state(Heap, Mask); + assume (issubtype((typeof(_cthread_8): PyTypeDomainType), Thread_0): bool); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of Measure$check(_caller_measures_8, _cthread_8, 1) + if (*) { + // Stop execution + assume false; + } + assume Measure$check(Heap, _caller_measures_8, _cthread_8, 1); + assume state(Heap, Mask); + assume false; + } + + // -- Normally inhale the inhale part. + assume _cthread_8 != null; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of Measure$check(_caller_measures_8, _cthread_8, 1) + if (*) { + // Stop execution + assume false; + } + assume Measure$check(Heap, _caller_measures_8, _cthread_8, 1); + assume state(Heap, Mask); + assume (issubtype((typeof(_cthread_8): PyTypeDomainType), Thread_0): bool); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + PostHeap := Heap; + PostMask := Mask; + havoc PostHeap; + PostMask := ZeroMask; + assume state(PostHeap, PostMask); + if (*) { + // Checked inhaling of postcondition to check definedness + + // -- Do welldefinedness check of the inhale part. + if (*) { + assume state(PostHeap, PostMask); + + // -- Check definedness of (forperm _r_19: Ref [_r_19.MustReleaseBounded] :: Level(_r_19) <= _current_wait_level_8) + if (*) { + if (HasDirectPerm(PostMask, _r_19_2, MustReleaseBounded)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _r_19.MustReleaseBounded (testsfunctionalverificationexamplescav_example.py.vpr@930.11--930.242) [2763]"} + HasDirectPerm(PostMask, _r_19_2, MustReleaseBounded); + if (*) { + // Stop execution + assume false; + } + } + assume false; + } + assume (forall _r_19_1: Ref :: + { PostMask[_r_19_1, MustReleaseBounded] } + HasDirectPerm(PostMask, _r_19_1, MustReleaseBounded) ==> Level(PostHeap, _r_19_1) <= _current_wait_level_8 + ); + assume state(PostHeap, PostMask); + + // -- Check definedness of (forperm _r_19: Ref [_r_19.MustReleaseUnbounded] :: Level(_r_19) <= _current_wait_level_8) + if (*) { + if (HasDirectPerm(PostMask, _r_19_3, MustReleaseUnbounded)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _r_19.MustReleaseUnbounded (testsfunctionalverificationexamplescav_example.py.vpr@930.11--930.242) [2764]"} + HasDirectPerm(PostMask, _r_19_3, MustReleaseUnbounded); + if (*) { + // Stop execution + assume false; + } + } + assume false; + } + assume (forall _r_19_3_1: Ref :: + { PostMask[_r_19_3_1, MustReleaseUnbounded] } + HasDirectPerm(PostMask, _r_19_3_1, MustReleaseUnbounded) ==> Level(PostHeap, _r_19_3_1) <= _current_wait_level_8 + ); + assume _residue_8 <= _current_wait_level_8; + assume state(PostHeap, PostMask); + perm := FullPerm; + assume res != null; + PostMask[res, list_acc] := PostMask[res, list_acc] + perm; + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + + // -- Check definedness of res.list_acc == Seq[Ref]() + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access res.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@932.11--932.37) [2765]"} + HasDirectPerm(PostMask, res, list_acc); + assume Seq#Equal(PostHeap[res, list_acc], (Seq#Empty(): Seq Ref)); + assume state(PostHeap, PostMask); + assume (typeof(res): PyTypeDomainType) == (list((list_arg((typeof(res): PyTypeDomainType), 0): PyTypeDomainType)): PyTypeDomainType); + assume state(PostHeap, PostMask); + assume (Low(res): bool); + assume state(PostHeap, PostMask); + assume false; + } + + // -- Normally inhale the exhale part. + assume state(PostHeap, PostMask); + perm := FullPerm; + assume res != null; + PostMask[res, list_acc] := PostMask[res, list_acc] + perm; + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + + // -- Check definedness of res.list_acc == Seq[Ref]() + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access res.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@932.11--932.37) [2766]"} + HasDirectPerm(PostMask, res, list_acc); + assume Seq#Equal(PostHeap[res, list_acc], (Seq#Empty(): Seq Ref)); + assume state(PostHeap, PostMask); + assume (typeof(res): PyTypeDomainType) == (list((list_arg((typeof(res): PyTypeDomainType), 0): PyTypeDomainType)): PyTypeDomainType); + assume state(PostHeap, PostMask); + assume (Low(res): bool); + assume state(PostHeap, PostMask); + // Stop execution + assume false; + } + + // -- Translating statement: inhale false -- testsfunctionalverificationexamplescav_example.py.vpr@937.3--937.15 + assume false; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Exhaling postcondition + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Postcondition of list___init__ might not hold. There might be insufficient permission to access res.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@931.11--931.35) [2767]"} + perm <= Mask[res, list_acc]; + } + Mask[res, list_acc] := Mask[res, list_acc] - perm; + assert {:msg " Postcondition of list___init__ might not hold. Assertion res.list_acc == Seq[Ref]() might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@932.11--932.37) [2768]"} + Seq#Equal(Heap[res, list_acc], (Seq#Empty(): Seq Ref)); + assert {:msg " Postcondition of list___init__ might not hold. Assertion typeof(res) == list(list_arg(typeof(res), 0)) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@933.11--933.56) [2769]"} + (typeof(res): PyTypeDomainType) == (list((list_arg((typeof(res): PyTypeDomainType), 0): PyTypeDomainType)): PyTypeDomainType); + assert {:msg " Postcondition of list___init__ might not hold. Assertion (Low(res): Bool) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@934.11--934.19) [2770]"} + (Low(res): bool); + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; +} + +// ================================================== +// Translation of method list_append +// ================================================== + +procedure list_append(_cthread_9: Ref, _caller_measures_9: (Seq Measure$DomainType), _residue_9: Perm, self: Ref, item: Ref) returns (_current_wait_level_9: Perm) + modifies Heap, Mask; +{ + var perm: Perm; + var PostHeap: HeapType; + var PostMask: MaskType; + var _r_21_2: Ref; + var _r_21_3: Ref; + var ExhaleHeap: HeapType; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == -1; + + // -- Assumptions about method arguments + assume Heap[_cthread_9, $allocated]; + assume Heap[self, $allocated]; + assume Heap[item, $allocated]; + + // -- Checked inhaling of precondition + + // -- Do welldefinedness check of the exhale part. + if (*) { + assume _cthread_9 != null; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of Measure$check(_caller_measures_9, _cthread_9, 1) + if (*) { + // Stop execution + assume false; + } + assume Measure$check(Heap, _caller_measures_9, _cthread_9, 1); + assume state(Heap, Mask); + assume (issubtype((typeof(_cthread_9): PyTypeDomainType), Thread_0): bool); + assume state(Heap, Mask); + assume (issubtype((typeof(self): PyTypeDomainType), (list((list_arg((typeof(self): PyTypeDomainType), 0): PyTypeDomainType)): PyTypeDomainType)): bool); + assume state(Heap, Mask); + perm := FullPerm; + assume self != null; + Mask[self, list_acc] := Mask[self, list_acc] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume (issubtype((typeof(item): PyTypeDomainType), (list_arg((typeof(self): PyTypeDomainType), 0): PyTypeDomainType)): bool); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of Measure$check(_caller_measures_9, _cthread_9, 1) + if (*) { + // Stop execution + assume false; + } + assume Measure$check(Heap, _caller_measures_9, _cthread_9, 1); + assume state(Heap, Mask); + assume false; + } + + // -- Normally inhale the inhale part. + assume _cthread_9 != null; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of Measure$check(_caller_measures_9, _cthread_9, 1) + if (*) { + // Stop execution + assume false; + } + assume Measure$check(Heap, _caller_measures_9, _cthread_9, 1); + assume state(Heap, Mask); + assume (issubtype((typeof(_cthread_9): PyTypeDomainType), Thread_0): bool); + assume state(Heap, Mask); + assume (issubtype((typeof(self): PyTypeDomainType), (list((list_arg((typeof(self): PyTypeDomainType), 0): PyTypeDomainType)): PyTypeDomainType)): bool); + assume state(Heap, Mask); + perm := FullPerm; + assume self != null; + Mask[self, list_acc] := Mask[self, list_acc] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume (issubtype((typeof(item): PyTypeDomainType), (list_arg((typeof(self): PyTypeDomainType), 0): PyTypeDomainType)): bool); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + PostHeap := Heap; + PostMask := Mask; + havoc PostHeap; + PostMask := ZeroMask; + assume state(PostHeap, PostMask); + if (*) { + // Checked inhaling of postcondition to check definedness + + // -- Do welldefinedness check of the inhale part. + if (*) { + assume state(PostHeap, PostMask); + + // -- Check definedness of (forperm _r_21: Ref [_r_21.MustReleaseBounded] :: Level(_r_21) <= _current_wait_level_9) + if (*) { + if (HasDirectPerm(PostMask, _r_21_2, MustReleaseBounded)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _r_21.MustReleaseBounded (testsfunctionalverificationexamplescav_example.py.vpr@948.11--948.242) [2771]"} + HasDirectPerm(PostMask, _r_21_2, MustReleaseBounded); + if (*) { + // Stop execution + assume false; + } + } + assume false; + } + assume (forall _r_21_1: Ref :: + { PostMask[_r_21_1, MustReleaseBounded] } + HasDirectPerm(PostMask, _r_21_1, MustReleaseBounded) ==> Level(PostHeap, _r_21_1) <= _current_wait_level_9 + ); + assume state(PostHeap, PostMask); + + // -- Check definedness of (forperm _r_21: Ref [_r_21.MustReleaseUnbounded] :: Level(_r_21) <= _current_wait_level_9) + if (*) { + if (HasDirectPerm(PostMask, _r_21_3, MustReleaseUnbounded)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _r_21.MustReleaseUnbounded (testsfunctionalverificationexamplescav_example.py.vpr@948.11--948.242) [2772]"} + HasDirectPerm(PostMask, _r_21_3, MustReleaseUnbounded); + if (*) { + // Stop execution + assume false; + } + } + assume false; + } + assume (forall _r_21_3_1: Ref :: + { PostMask[_r_21_3_1, MustReleaseUnbounded] } + HasDirectPerm(PostMask, _r_21_3_1, MustReleaseUnbounded) ==> Level(PostHeap, _r_21_3_1) <= _current_wait_level_9 + ); + assume _residue_9 <= _current_wait_level_9; + assume state(PostHeap, PostMask); + perm := FullPerm; + assume self != null; + PostMask[self, list_acc] := PostMask[self, list_acc] + perm; + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + + // -- Check definedness of self.list_acc == old(self.list_acc) ++ Seq(item) + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@950.11--950.59) [2773]"} + HasDirectPerm(PostMask, self, list_acc); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@950.11--950.59) [2774]"} + HasDirectPerm(old(Mask), self, list_acc); + assume Seq#Equal(PostHeap[self, list_acc], Seq#Append(old(Heap)[self, list_acc], Seq#Singleton(item))); + assume state(PostHeap, PostMask); + assume false; + } + + // -- Normally inhale the exhale part. + assume state(PostHeap, PostMask); + perm := FullPerm; + assume self != null; + PostMask[self, list_acc] := PostMask[self, list_acc] + perm; + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + + // -- Check definedness of self.list_acc == old(self.list_acc) ++ Seq(item) + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@950.11--950.59) [2775]"} + HasDirectPerm(PostMask, self, list_acc); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@950.11--950.59) [2776]"} + HasDirectPerm(old(Mask), self, list_acc); + assume Seq#Equal(PostHeap[self, list_acc], Seq#Append(old(Heap)[self, list_acc], Seq#Singleton(item))); + assume state(PostHeap, PostMask); + // Stop execution + assume false; + } + + // -- Translating statement: inhale false -- testsfunctionalverificationexamplescav_example.py.vpr@953.3--953.15 + assume false; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Exhaling postcondition + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Postcondition of list_append might not hold. There might be insufficient permission to access self.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@949.11--949.36) [2777]"} + perm <= Mask[self, list_acc]; + } + Mask[self, list_acc] := Mask[self, list_acc] - perm; + assert {:msg " Postcondition of list_append might not hold. Assertion self.list_acc == old(self.list_acc) ++ Seq(item) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@950.11--950.59) [2778]"} + Seq#Equal(Heap[self, list_acc], Seq#Append(old(Heap)[self, list_acc], Seq#Singleton(item))); + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; +} + +// ================================================== +// Translation of method list___iter__ +// ================================================== + +procedure list___iter__(_cthread_13: Ref, _caller_measures_13: (Seq Measure$DomainType), _residue_13: Perm, self: Ref) returns (_current_wait_level_13: Perm, _res: Ref) + modifies Heap, Mask; +{ + var perm: Perm; + var PostHeap: HeapType; + var PostMask: MaskType; + var _r_23_2: Ref; + var _r_23_3: Ref; + var ExhaleHeap: HeapType; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == -1; + + // -- Assumptions about method arguments + assume Heap[_cthread_13, $allocated]; + assume Heap[self, $allocated]; + + // -- Checked inhaling of precondition + + // -- Do welldefinedness check of the exhale part. + if (*) { + assume _cthread_13 != null; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of Measure$check(_caller_measures_13, _cthread_13, 1) + if (*) { + // Stop execution + assume false; + } + assume Measure$check(Heap, _caller_measures_13, _cthread_13, 1); + assume state(Heap, Mask); + assume (issubtype((typeof(_cthread_13): PyTypeDomainType), Thread_0): bool); + assume state(Heap, Mask); + assume (issubtype((typeof(self): PyTypeDomainType), (list((list_arg((typeof(self): PyTypeDomainType), 0): PyTypeDomainType)): PyTypeDomainType)): bool); + assume state(Heap, Mask); + perm := 1 / 10; + assert {:msg " Contract might not be well-formed. Fraction 1 / 10 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@961.12--961.38) [2779]"} + perm >= NoPerm; + assume perm > NoPerm ==> self != null; + Mask[self, list_acc] := Mask[self, list_acc] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of Measure$check(_caller_measures_13, _cthread_13, 1) + if (*) { + // Stop execution + assume false; + } + assume Measure$check(Heap, _caller_measures_13, _cthread_13, 1); + assume state(Heap, Mask); + assume false; + } + + // -- Normally inhale the inhale part. + assume _cthread_13 != null; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Check definedness of Measure$check(_caller_measures_13, _cthread_13, 1) + if (*) { + // Stop execution + assume false; + } + assume Measure$check(Heap, _caller_measures_13, _cthread_13, 1); + assume state(Heap, Mask); + assume (issubtype((typeof(_cthread_13): PyTypeDomainType), Thread_0): bool); + assume state(Heap, Mask); + assume (issubtype((typeof(self): PyTypeDomainType), (list((list_arg((typeof(self): PyTypeDomainType), 0): PyTypeDomainType)): PyTypeDomainType)): bool); + assume state(Heap, Mask); + perm := 1 / 10; + assert {:msg " Contract might not be well-formed. Fraction 1 / 10 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@961.12--961.38) [2780]"} + perm >= NoPerm; + assume perm > NoPerm ==> self != null; + Mask[self, list_acc] := Mask[self, list_acc] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + PostHeap := Heap; + PostMask := Mask; + havoc PostHeap; + PostMask := ZeroMask; + assume state(PostHeap, PostMask); + if (*) { + // Checked inhaling of postcondition to check definedness + + // -- Do welldefinedness check of the inhale part. + if (*) { + assume state(PostHeap, PostMask); + + // -- Check definedness of (forperm _r_23: Ref [_r_23.MustReleaseBounded] :: Level(_r_23) <= _current_wait_level_13) + if (*) { + if (HasDirectPerm(PostMask, _r_23_2, MustReleaseBounded)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _r_23.MustReleaseBounded (testsfunctionalverificationexamplescav_example.py.vpr@963.11--963.246) [2781]"} + HasDirectPerm(PostMask, _r_23_2, MustReleaseBounded); + if (*) { + // Stop execution + assume false; + } + } + assume false; + } + assume (forall _r_23_1: Ref :: + { PostMask[_r_23_1, MustReleaseBounded] } + HasDirectPerm(PostMask, _r_23_1, MustReleaseBounded) ==> Level(PostHeap, _r_23_1) <= _current_wait_level_13 + ); + assume state(PostHeap, PostMask); + + // -- Check definedness of (forperm _r_23: Ref [_r_23.MustReleaseUnbounded] :: Level(_r_23) <= _current_wait_level_13) + if (*) { + if (HasDirectPerm(PostMask, _r_23_3, MustReleaseUnbounded)) { + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _r_23.MustReleaseUnbounded (testsfunctionalverificationexamplescav_example.py.vpr@963.11--963.246) [2782]"} + HasDirectPerm(PostMask, _r_23_3, MustReleaseUnbounded); + if (*) { + // Stop execution + assume false; + } + } + assume false; + } + assume (forall _r_23_3_1: Ref :: + { PostMask[_r_23_3_1, MustReleaseUnbounded] } + HasDirectPerm(PostMask, _r_23_3_1, MustReleaseUnbounded) ==> Level(PostHeap, _r_23_3_1) <= _current_wait_level_13 + ); + assume _residue_13 <= _current_wait_level_13; + assume state(PostHeap, PostMask); + assume _res != self; + assume state(PostHeap, PostMask); + perm := 1 / 20; + assert {:msg " Contract might not be well-formed. Fraction 1 / 20 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@965.11--965.37) [2783]"} + perm >= NoPerm; + assume perm > NoPerm ==> _res != null; + PostMask[_res, list_acc] := PostMask[_res, list_acc] + perm; + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + perm := 1 / 20; + assert {:msg " Contract might not be well-formed. Fraction 1 / 20 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@966.11--966.37) [2784]"} + perm >= NoPerm; + assume perm > NoPerm ==> self != null; + PostMask[self, list_acc] := PostMask[self, list_acc] + perm; + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + + // -- Check definedness of _res.list_acc == self.list_acc + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _res.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@967.11--967.41) [2785]"} + HasDirectPerm(PostMask, _res, list_acc); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@967.11--967.41) [2786]"} + HasDirectPerm(PostMask, self, list_acc); + assume Seq#Equal(PostHeap[_res, list_acc], PostHeap[self, list_acc]); + assume state(PostHeap, PostMask); + perm := FullPerm; + assume _res != null; + PostMask[_res, __container] := PostMask[_res, __container] + perm; + assume state(PostHeap, PostMask); + + // -- Check definedness of _res.__container == self + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _res.__container (testsfunctionalverificationexamplescav_example.py.vpr@968.11--968.67) [2787]"} + HasDirectPerm(PostMask, _res, __container); + assume PostHeap[_res, __container] == self; + assume state(PostHeap, PostMask); + perm := FullPerm; + assume _res != null; + PostMask[_res, __iter_index] := PostMask[_res, __iter_index] + perm; + assume state(PostHeap, PostMask); + + // -- Check definedness of _res.__iter_index == 0 + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _res.__iter_index (testsfunctionalverificationexamplescav_example.py.vpr@969.11--969.66) [2788]"} + HasDirectPerm(PostMask, _res, __iter_index); + assume PostHeap[_res, __iter_index] == 0; + assume state(PostHeap, PostMask); + perm := FullPerm; + assume _res != null; + PostMask[_res, __previous] := PostMask[_res, __previous] + perm; + assume state(PostHeap, PostMask); + + // -- Check definedness of _res.__previous == Seq[Ref]() + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _res.__previous (testsfunctionalverificationexamplescav_example.py.vpr@970.11--970.71) [2789]"} + HasDirectPerm(PostMask, _res, __previous); + assume Seq#Equal(PostHeap[_res, __previous], (Seq#Empty(): Seq Ref)); + assume state(PostHeap, PostMask); + assume (issubtype((typeof(_res): PyTypeDomainType), (Iterator((list_arg((typeof(self): PyTypeDomainType), 0): PyTypeDomainType)): PyTypeDomainType)): bool); + assume state(PostHeap, PostMask); + assume false; + } + + // -- Normally inhale the exhale part. + assume state(PostHeap, PostMask); + assume _res != self; + assume state(PostHeap, PostMask); + perm := 1 / 20; + assert {:msg " Contract might not be well-formed. Fraction 1 / 20 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@965.11--965.37) [2790]"} + perm >= NoPerm; + assume perm > NoPerm ==> _res != null; + PostMask[_res, list_acc] := PostMask[_res, list_acc] + perm; + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + perm := 1 / 20; + assert {:msg " Contract might not be well-formed. Fraction 1 / 20 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@966.11--966.37) [2791]"} + perm >= NoPerm; + assume perm > NoPerm ==> self != null; + PostMask[self, list_acc] := PostMask[self, list_acc] + perm; + assume state(PostHeap, PostMask); + assume state(PostHeap, PostMask); + + // -- Check definedness of _res.list_acc == self.list_acc + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _res.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@967.11--967.41) [2792]"} + HasDirectPerm(PostMask, _res, list_acc); + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access self.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@967.11--967.41) [2793]"} + HasDirectPerm(PostMask, self, list_acc); + assume Seq#Equal(PostHeap[_res, list_acc], PostHeap[self, list_acc]); + assume state(PostHeap, PostMask); + perm := FullPerm; + assume _res != null; + PostMask[_res, __container] := PostMask[_res, __container] + perm; + assume state(PostHeap, PostMask); + + // -- Check definedness of _res.__container == self + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _res.__container (testsfunctionalverificationexamplescav_example.py.vpr@968.11--968.67) [2794]"} + HasDirectPerm(PostMask, _res, __container); + assume PostHeap[_res, __container] == self; + assume state(PostHeap, PostMask); + perm := FullPerm; + assume _res != null; + PostMask[_res, __iter_index] := PostMask[_res, __iter_index] + perm; + assume state(PostHeap, PostMask); + + // -- Check definedness of _res.__iter_index == 0 + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _res.__iter_index (testsfunctionalverificationexamplescav_example.py.vpr@969.11--969.66) [2795]"} + HasDirectPerm(PostMask, _res, __iter_index); + assume PostHeap[_res, __iter_index] == 0; + assume state(PostHeap, PostMask); + perm := FullPerm; + assume _res != null; + PostMask[_res, __previous] := PostMask[_res, __previous] + perm; + assume state(PostHeap, PostMask); + + // -- Check definedness of _res.__previous == Seq[Ref]() + assert {:msg " Contract might not be well-formed. There might be insufficient permission to access _res.__previous (testsfunctionalverificationexamplescav_example.py.vpr@970.11--970.71) [2796]"} + HasDirectPerm(PostMask, _res, __previous); + assume Seq#Equal(PostHeap[_res, __previous], (Seq#Empty(): Seq Ref)); + assume state(PostHeap, PostMask); + assume (issubtype((typeof(_res): PyTypeDomainType), (Iterator((list_arg((typeof(self): PyTypeDomainType), 0): PyTypeDomainType)): PyTypeDomainType)): bool); + assume state(PostHeap, PostMask); + // Stop execution + assume false; + } + + // -- Translating statement: inhale false -- testsfunctionalverificationexamplescav_example.py.vpr@974.3--974.15 + assume false; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Exhaling postcondition + assert {:msg " Postcondition of list___iter__ might not hold. Assertion _res != self might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@964.11--964.23) [2797]"} + _res != self; + assert {:msg " Postcondition of list___iter__ might not hold. Fraction 1 / 20 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@965.11--965.37) [2798]"} + 1 / 20 >= NoPerm; + perm := 1 / 20; + if (perm != NoPerm) { + assert {:msg " Postcondition of list___iter__ might not hold. There might be insufficient permission to access _res.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@965.11--965.37) [2799]"} + perm <= Mask[_res, list_acc]; + } + Mask[_res, list_acc] := Mask[_res, list_acc] - perm; + assert {:msg " Postcondition of list___iter__ might not hold. Fraction 1 / 20 might be negative. (testsfunctionalverificationexamplescav_example.py.vpr@966.11--966.37) [2800]"} + 1 / 20 >= NoPerm; + perm := 1 / 20; + if (perm != NoPerm) { + assert {:msg " Postcondition of list___iter__ might not hold. There might be insufficient permission to access self.list_acc (testsfunctionalverificationexamplescav_example.py.vpr@966.11--966.37) [2801]"} + perm <= Mask[self, list_acc]; + } + Mask[self, list_acc] := Mask[self, list_acc] - perm; + assert {:msg " Postcondition of list___iter__ might not hold. Assertion _res.list_acc == self.list_acc might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@967.11--967.41) [2802]"} + Seq#Equal(Heap[_res, list_acc], Heap[self, list_acc]); + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Postcondition of list___iter__ might not hold. There might be insufficient permission to access _res.__container (testsfunctionalverificationexamplescav_example.py.vpr@968.11--968.67) [2803]"} + perm <= Mask[_res, __container]; + } + Mask[_res, __container] := Mask[_res, __container] - perm; + assert {:msg " Postcondition of list___iter__ might not hold. Assertion _res.__container == self might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@968.11--968.67) [2804]"} + Heap[_res, __container] == self; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Postcondition of list___iter__ might not hold. There might be insufficient permission to access _res.__iter_index (testsfunctionalverificationexamplescav_example.py.vpr@969.11--969.66) [2805]"} + perm <= Mask[_res, __iter_index]; + } + Mask[_res, __iter_index] := Mask[_res, __iter_index] - perm; + assert {:msg " Postcondition of list___iter__ might not hold. Assertion _res.__iter_index == 0 might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@969.11--969.66) [2806]"} + Heap[_res, __iter_index] == 0; + perm := FullPerm; + if (perm != NoPerm) { + assert {:msg " Postcondition of list___iter__ might not hold. There might be insufficient permission to access _res.__previous (testsfunctionalverificationexamplescav_example.py.vpr@970.11--970.71) [2807]"} + perm <= Mask[_res, __previous]; + } + Mask[_res, __previous] := Mask[_res, __previous] - perm; + assert {:msg " Postcondition of list___iter__ might not hold. Assertion _res.__previous == Seq[Ref]() might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@970.11--970.71) [2808]"} + Seq#Equal(Heap[_res, __previous], (Seq#Empty(): Seq Ref)); + assert {:msg " Postcondition of list___iter__ might not hold. Assertion issubtype(typeof(_res), Iterator(list_arg(typeof(self), 0))) might not hold. (testsfunctionalverificationexamplescav_example.py.vpr@971.11--971.71) [2809]"} + (issubtype((typeof(_res): PyTypeDomainType), (Iterator((list_arg((typeof(self): PyTypeDomainType), 0): PyTypeDomainType)): PyTypeDomainType)): bool); + // Finish exhale + havoc ExhaleHeap; + assume IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask); + Heap := ExhaleHeap; +} diff --git a/Test/monomorphize/viper/testsresourcesexamplesauction.bpl b/Test/monomorphize/viper/testsresourcesexamplesauction.bpl new file mode 100644 index 000000000..53759b594 --- /dev/null +++ b/Test/monomorphize/viper/testsresourcesexamplesauction.bpl @@ -0,0 +1,12511 @@ +// RUN: %parallel-boogie /monomorphize /noVerify "%s" > "%t" + +// ================================================== +// Preamble of State module. +// ================================================== + +function state(Heap: HeapType, Mask: MaskType): bool; + +// ================================================== +// Preamble of Heap module. +// ================================================== + +type Ref; +var Heap: HeapType; +const null: Ref; +type Field A B; +type NormalField; +type HeapType = [Ref, Field A B]B; +const unique $allocated: Field NormalField bool; +axiom (forall o: Ref, f: (Field NormalField Ref), Heap: HeapType :: + { Heap[o, f] } + Heap[o, $allocated] ==> Heap[Heap[o, f], $allocated] +); +function succHeap(Heap0: HeapType, Heap1: HeapType): bool; +function succHeapTrans(Heap0: HeapType, Heap1: HeapType): bool; +function IdenticalOnKnownLocations(Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType): bool; +function IdenticalOnKnownLocationsLiberal(Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType): bool; +function IsPredicateField(f_1: (Field A B)): bool; +function IsWandField(f_1: (Field A B)): bool; +function getPredicateId(f_1: (Field A B)): int; +function SumHeap(Heap: HeapType, Heap1: HeapType, mask1: MaskType, Heap2: HeapType, mask2: MaskType): bool; +// Frame all locations with direct permissions +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, o_1: Ref, f_2: (Field A B) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), ExhaleHeap[o_1, f_2] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, o_1, f_2) ==> Heap[o_1, f_2] == ExhaleHeap[o_1, f_2] +); +// Frame all predicate mask locations of predicates with direct permission +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsPredicateField(pm_f), ExhaleHeap[null, PredicateMaskField(pm_f)] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsPredicateField(pm_f) ==> Heap[null, PredicateMaskField(pm_f)] == ExhaleHeap[null, PredicateMaskField(pm_f)] +); +// Frame all locations with known folded permissions +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsPredicateField(pm_f) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsPredicateField(pm_f) ==> (forall o2: Ref, f_2: (Field A B) :: + { ExhaleHeap[o2, f_2] } + Heap[null, PredicateMaskField(pm_f)][o2, f_2] ==> Heap[o2, f_2] == ExhaleHeap[o2, f_2] + ) +); +// Frame all wand mask locations of wands with direct permission +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsWandField(pm_f), ExhaleHeap[null, WandMaskField(pm_f)] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsWandField(pm_f) ==> Heap[null, WandMaskField(pm_f)] == ExhaleHeap[null, WandMaskField(pm_f)] +); +// Frame all locations in the footprint of magic wands +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f: (Field C FrameType) :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), IsWandField(pm_f) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f) && IsWandField(pm_f) ==> (forall o2: Ref, f_2: (Field A B) :: + { ExhaleHeap[o2, f_2] } + Heap[null, WandMaskField(pm_f)][o2, f_2] ==> Heap[o2, f_2] == ExhaleHeap[o2, f_2] + ) +); +// All previously-allocated references are still allocated +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, o_1: Ref :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask), ExhaleHeap[o_1, $allocated] } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> Heap[o_1, $allocated] ==> ExhaleHeap[o_1, $allocated] +); +// Updated Heaps are Successor Heaps +axiom (forall Heap: HeapType, o: Ref, f_3: (Field A B), v: B :: + { Heap[o, f_3:=v] } + succHeap(Heap, Heap[o, f_3:=v]) +); +// IdenticalOnKnownLocations Heaps are Successor Heaps +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType :: + { IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) } + IdenticalOnKnownLocations(Heap, ExhaleHeap, Mask) ==> succHeap(Heap, ExhaleHeap) +); +// IdenticalOnKnownLiberalLocations Heaps are Successor Heaps +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType :: + { IdenticalOnKnownLocationsLiberal(Heap, ExhaleHeap, Mask) } + IdenticalOnKnownLocationsLiberal(Heap, ExhaleHeap, Mask) ==> succHeap(Heap, ExhaleHeap) +); +// Successor Heaps are Transitive Successor Heaps +axiom (forall Heap0: HeapType, Heap1: HeapType :: + { succHeap(Heap0, Heap1) } + succHeap(Heap0, Heap1) ==> succHeapTrans(Heap0, Heap1) +); +// Transitivity of Transitive Successor Heaps +axiom (forall Heap0: HeapType, Heap1: HeapType, Heap2: HeapType :: + { succHeapTrans(Heap0, Heap1), succHeap(Heap1, Heap2) } + succHeapTrans(Heap0, Heap1) && succHeap(Heap1, Heap2) ==> succHeapTrans(Heap0, Heap2) +); +// Frame all locations with direct permissions +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, o_2: Ref, f_4: (Field A B) :: + { IdenticalOnKnownLocationsLiberal(Heap, ExhaleHeap, Mask), ExhaleHeap[o_2, f_4] } + IdenticalOnKnownLocationsLiberal(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, o_2, f_4) ==> Heap[o_2, f_4] == ExhaleHeap[o_2, f_4] +); +// Frame all predicate mask locations of predicates with direct permission. But don't propagate information of locations that are not known-folded to allow for equating with multiple different (but compatible) heaps +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f_1: (Field C FrameType) :: + { IdenticalOnKnownLocationsLiberal(Heap, ExhaleHeap, Mask), IsPredicateField(pm_f_1), ExhaleHeap[null, PredicateMaskField(pm_f_1)] } + IdenticalOnKnownLocationsLiberal(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f_1) && IsPredicateField(pm_f_1) ==> (forall o2_1: Ref, f_4: (Field A B) :: + { ExhaleHeap[null, PredicateMaskField(pm_f_1)][o2_1, f_4] } + Heap[null, PredicateMaskField(pm_f_1)][o2_1, f_4] ==> ExhaleHeap[null, PredicateMaskField(pm_f_1)][o2_1, f_4] + ) +); +// Frame all locations with known folded permissions +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f_1: (Field C FrameType) :: + { IdenticalOnKnownLocationsLiberal(Heap, ExhaleHeap, Mask), IsPredicateField(pm_f_1) } + IdenticalOnKnownLocationsLiberal(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f_1) && IsPredicateField(pm_f_1) ==> (forall o2_1: Ref, f_4: (Field A B) :: + { ExhaleHeap[o2_1, f_4] } + Heap[null, PredicateMaskField(pm_f_1)][o2_1, f_4] ==> Heap[o2_1, f_4] == ExhaleHeap[o2_1, f_4] + ) +); +// Frame all wand mask locations of wands with direct permission (but don't propagate information about locations that are not known-folded) +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f_1: (Field C FrameType) :: + { IdenticalOnKnownLocationsLiberal(Heap, ExhaleHeap, Mask), IsWandField(pm_f_1), ExhaleHeap[null, WandMaskField(pm_f_1)] } + IdenticalOnKnownLocationsLiberal(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f_1) && IsWandField(pm_f_1) ==> (forall o2_1: Ref, f_4: (Field A B) :: + { ExhaleHeap[null, WandMaskField(pm_f_1)][o2_1, f_4] } + Heap[null, WandMaskField(pm_f_1)][o2_1, f_4] ==> ExhaleHeap[null, WandMaskField(pm_f_1)][o2_1, f_4] + ) +); +// Frame all locations in the footprint of magic wands +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, pm_f_1: (Field C FrameType) :: + { IdenticalOnKnownLocationsLiberal(Heap, ExhaleHeap, Mask), IsWandField(pm_f_1) } + IdenticalOnKnownLocationsLiberal(Heap, ExhaleHeap, Mask) ==> HasDirectPerm(Mask, null, pm_f_1) && IsWandField(pm_f_1) ==> (forall o2_1: Ref, f_4: (Field A B) :: + { ExhaleHeap[o2_1, f_4] } + Heap[null, WandMaskField(pm_f_1)][o2_1, f_4] ==> Heap[o2_1, f_4] == ExhaleHeap[o2_1, f_4] + ) +); +// All previously-allocated references are still allocated +axiom (forall Heap: HeapType, ExhaleHeap: HeapType, Mask: MaskType, o_2: Ref :: + { IdenticalOnKnownLocationsLiberal(Heap, ExhaleHeap, Mask), ExhaleHeap[o_2, $allocated] } + IdenticalOnKnownLocationsLiberal(Heap, ExhaleHeap, Mask) ==> Heap[o_2, $allocated] ==> ExhaleHeap[o_2, $allocated] +); +// ================================================== +// Sum of heaps +// ================================================== + +axiom (forall Heap: HeapType, Heap1: HeapType, Mask1: MaskType, Heap2: HeapType, Mask2: MaskType :: + { SumHeap(Heap, Heap1, Mask1, Heap2, Mask2) } + SumHeap(Heap, Heap1, Mask1, Heap2, Mask2) <==> IdenticalOnKnownLocationsLiberal(Heap1, Heap, Mask1) && IdenticalOnKnownLocationsLiberal(Heap2, Heap, Mask2) +); + +// ================================================== +// Preamble of Permission module. +// ================================================== + +type Perm = real; +type MaskType = [Ref, Field A B]Perm; +var Mask: MaskType; +const ZeroMask: MaskType; +axiom (forall o_3: Ref, f_5: (Field A B) :: + { ZeroMask[o_3, f_5] } + ZeroMask[o_3, f_5] == NoPerm +); +type PMaskType = [Ref, Field A B]bool; +const ZeroPMask: PMaskType; +axiom (forall o_3: Ref, f_5: (Field A B) :: + { ZeroPMask[o_3, f_5] } + !ZeroPMask[o_3, f_5] +); +function PredicateMaskField(f_6: (Field A FrameType)): Field A PMaskType; +function WandMaskField(f_6: (Field A FrameType)): Field A PMaskType; +const NoPerm: Perm; +axiom NoPerm == 0.000000000; +const FullPerm: Perm; +axiom FullPerm == 1.000000000; +function Perm(a: real, b: real): Perm; +function GoodMask(Mask: MaskType): bool; +axiom (forall Heap: HeapType, Mask: MaskType :: + { state(Heap, Mask) } + state(Heap, Mask) ==> GoodMask(Mask) +); +axiom (forall Mask: MaskType, o_3: Ref, f_5: (Field A B) :: + { GoodMask(Mask), Mask[o_3, f_5] } + GoodMask(Mask) ==> Mask[o_3, f_5] >= NoPerm && ((GoodMask(Mask) && !IsPredicateField(f_5)) && !IsWandField(f_5) ==> Mask[o_3, f_5] <= FullPerm) +); +function HasDirectPerm(Mask: MaskType, o_3: Ref, f_5: (Field A B)): bool; +axiom (forall Mask: MaskType, o_3: Ref, f_5: (Field A B) :: + { HasDirectPerm(Mask, o_3, f_5) } + HasDirectPerm(Mask, o_3, f_5) <==> Mask[o_3, f_5] > NoPerm +); +function sumMask(ResultMask: MaskType, SummandMask1: MaskType, SummandMask2: MaskType): bool; +axiom (forall ResultMask: MaskType, SummandMask1: MaskType, SummandMask2: MaskType, o_3: Ref, f_5: (Field A B) :: + { sumMask(ResultMask, SummandMask1, SummandMask2), ResultMask[o_3, f_5] } { sumMask(ResultMask, SummandMask1, SummandMask2), SummandMask1[o_3, f_5] } { sumMask(ResultMask, SummandMask1, SummandMask2), SummandMask2[o_3, f_5] } + sumMask(ResultMask, SummandMask1, SummandMask2) ==> ResultMask[o_3, f_5] == SummandMask1[o_3, f_5] + SummandMask2[o_3, f_5] +); +// ================================================== +// Function for trigger used in checks which are never triggered +// ================================================== + +function neverTriggered2(q$a_7: int, q$v_1: int): bool; +function neverTriggered4(q$a_16: int, q$v_4: int): bool; +function neverTriggered6(q$a_25: int, q$v_7: int): bool; +function neverTriggered8(q$a_36: int, q$v_9: int): bool; +function neverTriggered10(q$a_7: int, q$v_1: int): bool; +function neverTriggered12(q$a_18: int, q$v_3: int): bool; +function neverTriggered14(q$a_7: int, q$v_1: int): bool; +function neverTriggered16(q$a_7: int, q$v_1: int): bool; +// ================================================== +// Functions used as inverse of receiver expressions in quantified permissions during inhale and exhale +// ================================================== + +function invRecv1($tag: int, $to: int, $amount: int): int; +function invRecv2($tag: int, $to: int, $amount: int): int; +function invRecv3($tag_1: int, $to_1: int, $amount_1: int): int; +function invRecv4($tag_1: int, $to_1: int, $amount_1: int): int; +function invRecv5($tag_2: int, $to_2: int, $amount_2: int): int; +function invRecv6($tag_2: int, $to_2: int, $amount_2: int): int; +function invRecv7($tag_3: int, $to_3: int, $amount_3: int): int; +function invRecv8($tag_3: int, $to_3: int, $amount_3: int): int; +function invRecv9($tag: int, $to: int, $amount: int): int; +function invRecv10($tag: int, $to: int, $amount: int): int; +function invRecv11($tag_1: int, $to_1: int, $amount_1: int): int; +function invRecv12($tag_1: int, $to_1: int, $amount_1: int): int; +function invRecv13($tag: int, $to: int, $amount: int): int; +function invRecv14($tag: int, $to: int, $amount: int): int; +function invRecv15($tag: int, $to: int, $amount: int): int; +function invRecv16($tag: int, $to: int, $amount: int): int; +// ================================================== +// Functions used to represent the range of the projection of each QP instance onto its receiver expressions for quantified permissions during inhale and exhale +// ================================================== + +function qpRange2($tag: int, $to: int, $amount: int): bool; +function qpRange4($tag_1: int, $to_1: int, $amount_1: int): bool; +function qpRange6($tag_2: int, $to_2: int, $amount_2: int): bool; +function qpRange8($tag_3: int, $to_3: int, $amount_3: int): bool; +function qpRange10($tag: int, $to: int, $amount: int): bool; +function qpRange12($tag_1: int, $to_1: int, $amount_1: int): bool; +function qpRange14($tag: int, $to: int, $amount: int): bool; +function qpRange16($tag: int, $to: int, $amount: int): bool; + +// ================================================== +// Preamble of Function and predicate module. +// ================================================== + +// Function heights (higher height means its body is available earlier): +// - height 2: $pure$success_get +// - height 1: $pure$return_get +// - height 0: $range_sum +const AssumeFunctionsAbove: int; +// Declarations for function framing +type FrameType; +const EmptyFrame: FrameType; +function FrameFragment(t: T): FrameType; +function ConditionalFrame(p: Perm, f_7: FrameType): FrameType; +function dummyFunction(t: T): bool; +function CombineFrames(a_1: FrameType, b_1: FrameType): FrameType; +// ================================================== +// Definition of conditional frame fragments +// ================================================== + +axiom (forall p: Perm, f_7: FrameType :: + { ConditionalFrame(p, f_7) } + ConditionalFrame(p, f_7) == (if p > 0.000000000 then f_7 else EmptyFrame) +); +// Function for recording enclosure of one predicate instance in another +function InsidePredicate(p: (Field A FrameType), v_1: FrameType, q: (Field B FrameType), w: FrameType): bool; +// Transitivity of InsidePredicate +axiom (forall p: (Field A FrameType), v_1: FrameType, q: (Field B FrameType), w: FrameType, r: (Field C FrameType), u: FrameType :: + { InsidePredicate(p, v_1, q, w), InsidePredicate(q, w, r, u) } + InsidePredicate(p, v_1, q, w) && InsidePredicate(q, w, r, u) ==> InsidePredicate(p, v_1, r, u) +); +// Knowledge that two identical instances of the same predicate cannot be inside each other +axiom (forall p: (Field A FrameType), v_1: FrameType, w: FrameType :: + { InsidePredicate(p, v_1, p, w) } + !InsidePredicate(p, v_1, p, w) +); + +// ================================================== +// Preamble of Sequence module. +// ================================================== + + // diff 0 implemented (no difference) + // diff 1 implemented (fixes test5 in sequences.sil) + // diff 2 implemented (fixes m01 and m03 in quantifiedpermissions/issues/issue_0064) + // diff 3 implemented (no difference) + // diff 4 implemented (no difference) + // diff 5 implemented (fixes colourings0 in sequence-incompletenesses test case) + // diff 6 implemented (no difference) + // diff 7 implemented + // diff 8 implemented (allows for contains triggering, without destroying performance of e.g. functions/linkedlists test case) + // diff 11 implemented + // diff 13 implemented, for now (may reduce completeness, but there's a known matching loop when the first drop amount is 0); another option would be to add !=0 as an explicit condition + // diff 14 implemented: eliminate index over take/drop for trivial cases (to avoid matching loops when e.g. s[i..] == s is known) + // diff 16 implemented: remove general cases of equality-learning between take/drop/append subsequences; only allow when take/drop are at top level (this affects linkedlists test case) +// START BASICS +type Seq T; + +function Seq#Length(Seq T): int; +axiom (forall s: Seq T :: { Seq#Length(s) } 0 <= Seq#Length(s)); + +function Seq#Empty(): Seq T; +axiom (forall :: Seq#Length(Seq#Empty(): Seq T) == 0); +axiom (forall s: Seq T :: { Seq#Length(s) } Seq#Length(s) == 0 ==> s == Seq#Empty()); + +function Seq#Singleton(T): Seq T; +//axiom (forall t: T :: { Seq#Length(Seq#Singleton(t)) } Seq#Length(Seq#Singleton(t)) == 1);// (diff 2 (old)) +axiom (forall t: T :: { Seq#Singleton(t) } Seq#Length(Seq#Singleton(t)) == 1);// (diff 2: changed trigger) + +function Seq#Append(Seq T, Seq T): Seq T; +axiom (forall s0: Seq T, s1: Seq T :: { Seq#Length(Seq#Append(s0,s1)) } +s0 != Seq#Empty() && s1 != Seq#Empty() ==> //diff 11: consider removing constraints + Seq#Length(Seq#Append(s0,s1)) == Seq#Length(s0) + Seq#Length(s1)); + +//axiom (forall s: Seq T :: { Seq#Append(Seq#Empty(),s) } Seq#Append(Seq#Empty(),s) == s); // (diff 11: switched to double-quantified version) +//axiom (forall s: Seq T :: { Seq#Append(s,Seq#Empty()) } Seq#Append(s,Seq#Empty()) == s); // (diff 11: switched to double-quantified version) +axiom (forall s0: Seq T, s1: Seq T :: { Seq#Append(s0,s1) } (s0 == Seq#Empty() ==> Seq#Append(s0,s1) == s1) && (s1 == Seq#Empty() ==> Seq#Append(s0,s1) == s0)); // diff 11: switched to double-quantified version + +function Seq#Index(Seq T, int): T; +//axiom (forall t: T :: { Seq#Index(Seq#Singleton(t), 0) } Seq#Index(Seq#Singleton(t), 0) == t); // (diff 2 (old)) +axiom (forall t: T :: { Seq#Singleton(t) } Seq#Index(Seq#Singleton(t), 0) == t); // (diff 2: changed trigger) + +// END BASICS + +// START INDEX-APPEND-UPDATE + +// extra addition function used to force equalities into the e-graph +function Seq#Add(int, int) : int; +axiom (forall i: int, j: int :: {Seq#Add(i,j)} Seq#Add(i,j) == i + j); +function Seq#Sub(int, int) : int; +axiom (forall i: int, j: int :: {Seq#Sub(i,j)} Seq#Sub(i,j) == i - j); + +// (diff 3 (old)) +//axiom (forall s0: Seq T, s1: Seq T, n: int :: { Seq#Index(Seq#Append(s0,s1), n) } // {:weight 25} // AS: dropped weight +// s0 != Seq#Empty() && s1 != Seq#Empty() ==> +// ((n < Seq#Length(s0) ==> Seq#Index(Seq#Append(s0,s1), n) == Seq#Index(s0, n)) && +// (Seq#Length(s0) <= n ==> Seq#Index(Seq#Append(s0,s1), n) == Seq#Index(s1, n - Seq#Length(s0))))); + +// (diff 3: split axiom, added constraints, replace arithmetic) // diff 11: consider removing constraints +axiom (forall s0: Seq T, s1: Seq T, n: int :: { Seq#Index(Seq#Append(s0,s1), n) } { Seq#Index(s0, n), Seq#Append(s0,s1) } // AS: added alternative trigger + (s0 != Seq#Empty() && s1 != Seq#Empty() && 0 <= n && n < Seq#Length(s0) ==> Seq#Index(Seq#Append(s0,s1), n) == Seq#Index(s0, n))); +axiom (forall s0: Seq T, s1: Seq T, n: int :: { Seq#Index(Seq#Append(s0,s1), n) } // term below breaks loops + s0 != Seq#Empty() && s1 != Seq#Empty() && Seq#Length(s0) <= n && n < Seq#Length(Seq#Append(s0,s1)) ==> Seq#Add(Seq#Sub(n,Seq#Length(s0)),Seq#Length(s0)) == n && Seq#Index(Seq#Append(s0,s1), n) == Seq#Index(s1, Seq#Sub(n,Seq#Length(s0)))); +// AS: added "reverse triggering" versions of the axioms +axiom (forall s0: Seq T, s1: Seq T, m: int :: { Seq#Index(s1, m), Seq#Append(s0,s1)} // m == n-|s0|, n == m + |s0| + s0 != Seq#Empty() && s1 != Seq#Empty() && 0 <= m && m < Seq#Length(s1) ==> Seq#Sub(Seq#Add(m,Seq#Length(s0)),Seq#Length(s0)) == m && Seq#Index(Seq#Append(s0,s1), Seq#Add(m,Seq#Length(s0))) == Seq#Index(s1, m)); + +function Seq#Update(Seq T, int, T): Seq T; +axiom (forall s: Seq T, i: int, v: T :: { Seq#Length(Seq#Update(s,i,v)) } {Seq#Length(s),Seq#Update(s,i,v)} // (diff 4: added trigger) + 0 <= i && i < Seq#Length(s) ==> Seq#Length(Seq#Update(s,i,v)) == Seq#Length(s)); +axiom (forall s: Seq T, i: int, v: T, n: int :: { Seq#Index(Seq#Update(s,i,v),n) } { Seq#Index(s,n), Seq#Update(s,i,v) } // (diff 4: added trigger) + 0 <= n && n < Seq#Length(s) ==> + (i == n ==> Seq#Index(Seq#Update(s,i,v),n) == v) && + (i != n ==> Seq#Index(Seq#Update(s,i,v),n) == Seq#Index(s,n))); + +// END INDEX-APPEND-UPDATE + +// START TAKE/DROP + +function Seq#Take(s: Seq T, howMany: int): Seq T; +// AS: added triggers +axiom (forall s: Seq T, n: int :: { Seq#Length(Seq#Take(s,n)) } { Seq#Take(s,n), Seq#Length(s)} // (diff 7: add trigger) + (0 <= n ==> + (n <= Seq#Length(s) ==> Seq#Length(Seq#Take(s,n)) == n) && + (Seq#Length(s) < n ==> Seq#Length(Seq#Take(s,n)) == Seq#Length(s))) + && + (n < 0 ==> Seq#Length(Seq#Take(s,n)) == 0)); // (diff 7: added case for n < 0) + +// ** AS: 2nd of 3 axioms which get instantiated very often in certain problems involving take/drop/append +axiom (forall s: Seq T, n: int, j: int :: { Seq#Index(Seq#Take(s,n), j) } {Seq#Index(s,j), Seq#Take(s,n)} // (diff 0: (was already done)) : add trigger // {:weight 25} // AS: dropped weight + 0 <= j && j < n && j < Seq#Length(s) ==> + Seq#Index(Seq#Take(s,n), j) == Seq#Index(s, j)); + +function Seq#Drop(s: Seq T, howMany: int): Seq T; +axiom (forall s: Seq T, n: int :: { Seq#Length(Seq#Drop(s,n)) } {Seq#Length(s), Seq#Drop(s,n)} // (diff 5: added trigger, exchange arithmetic) + (0 <= n ==> + (n <= Seq#Length(s) ==> Seq#Length(Seq#Drop(s,n)) == Seq#Length(s) - n) && + (Seq#Length(s) < n ==> Seq#Length(Seq#Drop(s,n)) == 0)) + && + (n < 0 ==> Seq#Length(Seq#Drop(s,n)) == Seq#Length(s)) // (diff 7: added cases for n < 0) + ); + +// ** AS: 3rd of 3 axioms which get instantiated very often in certain problems involving take/drop/append +// diff 5 (old) +//axiom (forall s: Seq T, n: int, j: int :: { Seq#Index(Seq#Drop(s,n), j) } // {:weight 25} // AS: dropped weight +// 0 <= n && 0 <= j && j < Seq#Length(s)-n ==> +// Seq#Index(Seq#Drop(s,n), j) == Seq#Index(s, j+n)); +// +// diff already added // diff -1: try removing this axiom and checking effect +//axiom (forall s: Seq T, n: int, k: int :: { Seq#Drop(s,n), Seq#Index(s,k) } // AS: alternative triggering for above axiom +// 0 <= n && n <= k && k < Seq#Length(s) ==> +// Seq#Index(Seq#Drop(s,n), k-n) == Seq#Index(s, k)); + +// diff 5: split axiom, added triggering case, exhanged arithmetic + +axiom (forall s: Seq T, n: int, j: int :: { Seq#Index(Seq#Drop(s,n), j) } // {:weight 25} // AS: dropped weight + 0 < n && 0 <= j && j < Seq#Length(s)-n ==> // diff 14: change 0 <= n to 0 < n + Seq#Sub(Seq#Add(j,n),n) == j && Seq#Index(Seq#Drop(s,n), j) == Seq#Index(s, Seq#Add(j,n))); + +axiom (forall s: Seq T, n: int, i: int :: { Seq#Drop(s,n), Seq#Index(s,i) } + 0 < n && n <= i && i < Seq#Length(s) ==> // diff 14: change 0 <= n to 0 < n + Seq#Add(Seq#Sub(i,n),n) == i && Seq#Index(Seq#Drop(s,n), Seq#Sub(i,n)) == Seq#Index(s, i)); // i = j + n, j = i - n + +// (diff 6a: add axioms for the 0 > n case) +//axiom (forall s: Seq T, n: int, j: int :: { Seq#Index(Seq#Drop(s,n), j) } // {:weight 25} // AS: dropped weight +// n <= 0 && 0 <= j && j < Seq#Length(s) ==> // diff 14: change n < 0 to n <= 0 +// Seq#Index(Seq#Drop(s,n), j) == Seq#Index(s, j)); + +// (diff 6a: add axioms for the 0 > n case) +//axiom (forall s: Seq T, n: int, i: int :: { Seq#Drop(s,n), Seq#Index(s,i) } +// n <= 0 && 0 <= i && i < Seq#Length(s) ==> // diff 14: change n < 0 to n <= 0 +// Seq#Index(Seq#Drop(s,n), i) == Seq#Index(s, i)); // i = j + n, j = i - n + +// ** AS: We dropped the weak trigger on this axiom. One option is to strengthen the triggers: +//axiom (forall s, t: Seq T :: +// // { Seq#Append(s, t) } +// {Seq#Take(Seq#Append(s, t), Seq#Length(s))}{Seq#Drop(Seq#Append(s, t), Seq#Length(s))} +// Seq#Take(Seq#Append(s, t), Seq#Length(s)) == s && +// Seq#Drop(Seq#Append(s, t), Seq#Length(s)) == t); + +// ** AS: another option is to split the axiom (for some reason, this seems in some cases to perform slightly less well (but this could be random): +//axiom (forall s, t: Seq T :: +// { Seq#Take(Seq#Append(s, t), Seq#Length(s)) } +// Seq#Take(Seq#Append(s, t), Seq#Length(s)) == s); + +//axiom (forall s, t: Seq T :: +// { Seq#Drop(Seq#Append(s, t), Seq#Length(s)) } +// Seq#Drop(Seq#Append(s, t), Seq#Length(s)) == t); + +// (diff 6b: remove these?) +/* Removed: at present, Carbon doesn't generate Seq#Update (but desugars via take/drop/append) +// Commutability of Take and Drop with Update. +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Take(Seq#Update(s, i, v), n) } +// 0 <= i && i < n && n < Seq#Length(s) ==> Seq#Take(Seq#Update(s, i, v), n) == Seq#Update(Seq#Take(s, n), i, v) ); + 0 <= i && i < n && i < Seq#Length(s) ==> Seq#Take(Seq#Update(s, i, v), n) == Seq#Update(Seq#Take(s, n), i, v) ); +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Take(Seq#Update(s, i, v), n) } + n <= i && i < Seq#Length(s) ==> Seq#Take(Seq#Update(s, i, v), n) == Seq#Take(s, n)); +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Drop(Seq#Update(s, i, v), n) } +// 0 <= n && n <= i && i < Seq#Length(s) ==> Seq#Drop(Seq#Update(s, i, v), n) == Seq#Update(Seq#Drop(s, n), i-n, v) ); + 0 <= i && n <=i && i < Seq#Length(s) ==> Seq#Drop(Seq#Update(s, i, v), n) == Seq#Update(Seq#Drop(s, n), i-n, v) ); +axiom (forall s: Seq T, i: int, v: T, n: int :: + { Seq#Drop(Seq#Update(s, i, v), n) } +// 0 <= i && i < n && n < Seq#Length(s) ==> Seq#Drop(Seq#Update(s, i, v), n) == Seq#Drop(s, n)); + 0 <= i && i < n && i < Seq#Length(s) ==> Seq#Drop(Seq#Update(s, i, v), n) == Seq#Drop(s, n)); +*/ + +axiom (forall s: Seq T, t: Seq T, n:int :: + { Seq#Take(Seq#Append(s,t),n) } //{Seq#Append(s,t), Seq#Take(s,n)} // diff 16: temporarily dropped general case of these + 0 < n && n <= Seq#Length(s) ==> Seq#Take(Seq#Append(s,t),n) == Seq#Take(s,n)); + +axiom (forall s: Seq T, t: Seq T, n:int :: + { Seq#Take(Seq#Append(s,t),n) } + n > 0 && n > Seq#Length(s) ==> Seq#Add(Seq#Sub(n,Seq#Length(s)),Seq#Length(s)) == n && Seq#Take(Seq#Append(s,t),n) == Seq#Append(s,Seq#Take(t,Seq#Sub(n,Seq#Length(s))))); + +// diff 16: temporarily dropped general case of these +//axiom (forall s: Seq T, t: Seq T, m:int :: +// { Seq#Append(s,Seq#Take(t,m)) } //{Seq#Append(s,t), Seq#Take(t,m)} // diff 16: temporarily dropped general case of these // reverse triggering version of above: m = n - |s|, n = m + |s| +// m > 0 ==> Seq#Sub(Seq#Add(m,Seq#Length(s)),Seq#Length(s)) == m && Seq#Take(Seq#Append(s,t),Seq#Add(m,Seq#Length(s))) == Seq#Append(s,Seq#Take(t,m))); + +axiom (forall s: Seq T, t: Seq T, n:int :: + { Seq#Drop(Seq#Append(s,t),n) } //{Seq#Append(s,t), Seq#Drop(s,n)} // diff 16: temporarily dropped general case of these + 0 Seq#Drop(Seq#Append(s,t),n) == Seq#Append(Seq#Drop(s,n),t)); + +axiom (forall s: Seq T, t: Seq T, n:int :: + { Seq#Drop(Seq#Append(s,t),n) } + n > 0 && n > Seq#Length(s) ==> Seq#Add(Seq#Sub(n,Seq#Length(s)),Seq#Length(s)) == n && Seq#Drop(Seq#Append(s,t),n) == Seq#Drop(t,Seq#Sub(n,Seq#Length(s)))); + +// diff 16: temporarily dropped general case of these +//axiom (forall s: Seq T, t: Seq T, m:int :: +// { Seq#Append(s,t),Seq#Drop(t,m) } // reverse triggering version of above: m = n - |s|, n = m + |s| +// m > 0 ==> Seq#Sub(Seq#Add(m,Seq#Length(s)),Seq#Length(s)) == m && Seq#Drop(Seq#Append(s,t),Seq#Add(m,Seq#Length(s))) == Seq#Drop(t,m)); + +// Additional axioms about common things +axiom (forall s: Seq T, n: int :: { Seq#Drop(s, n) } // ** NEW + n <= 0 ==> Seq#Drop(s, n) == s); // (diff 1: try changing n==0 to n<=0 (should be ok)) +axiom (forall s: Seq T, n: int :: { Seq#Take(s, n) } // ** NEW + n <= 0 ==> Seq#Take(s, n) == Seq#Empty()); // (diff 1: try changing n==0 to n<=0 (should be ok)) +// diff 13: remove this? +//axiom (forall s: Seq T, m, n: int :: { Seq#Drop(Seq#Drop(s, m), n) } // ** NEW - AS: could have bad triggering behaviour? +// 0 <= m && 0 <= n && m+n <= Seq#Length(s) ==> +// Seq#Sub(Seq#Add(m,n),n) == m && Seq#Drop(Seq#Drop(s, m), n) == Seq#Drop(s, Seq#Add(m,n))); + +// END TAKE/DROP + +// START CONTAINS +// diff 8: skolemisation (old) +function Seq#Contains(Seq T, T): bool; +function Seq#ContainsTrigger(Seq T, T): bool; // usages of Contains inside quantifier triggers are replaced with this +function Seq#Skolem(Seq T, T) : int; // skolem function for Seq#Contains // (diff 8: added) +axiom (forall s: Seq T, x: T :: { Seq#Contains(s,x) } + Seq#Contains(s,x) ==> + (0 <= Seq#Skolem(s,x) && Seq#Skolem(s,x) < Seq#Length(s) && Seq#Index(s,Seq#Skolem(s,x)) == x)); // (diff 8: skolem function) +axiom (forall s: Seq T, x: T, i:int :: { Seq#Contains(s,x), Seq#Index(s,i) } // only trigger if interested in the Contains term + (0 <= i && i < Seq#Length(s) && Seq#Index(s,i) == x ==> Seq#Contains(s,x))); +axiom (forall s: Seq T, i:int :: { Seq#Index(s,i) } + (0 <= i && i < Seq#Length(s) ==> Seq#ContainsTrigger(s,Seq#Index(s,i)))); +// ** AS: made one change here - changed type of x from ref to T +/*axiom (forall x: T :: + { Seq#Contains(Seq#Empty(), x) } + !Seq#Contains(Seq#Empty(), x)); +axiom (forall s0: Seq T, s1: Seq T, x: T :: + { Seq#Contains(Seq#Append(s0, s1), x) } + Seq#Contains(Seq#Append(s0, s1), x) <==> + Seq#Contains(s0, x) || Seq#Contains(s1, x)); + +axiom (forall s: Seq T, n: int, x: T :: + { Seq#Contains(Seq#Take(s, n), x) } + Seq#Contains(Seq#Take(s, n), x) <==> + (exists i: int :: { Seq#Index(s, i) } + 0 <= i && i < n && i < Seq#Length(s) && Seq#Index(s, i) == x)); +axiom (forall s: Seq T, n: int, x: T :: + { Seq#Contains(Seq#Drop(s, n), x) } + Seq#Contains(Seq#Drop(s, n), x) <==> + (exists i: int :: { Seq#Index(s, i) } + 0 <= n && n <= i && i < Seq#Length(s) && Seq#Index(s, i) == x)); +*/ +// diff 8: skolemisation (new) +/* +function Seq#Skolem(Seq T, T) : int; // skolem function for Seq#Contains +function Seq#SkolemContainsDrop(Seq T, int, T) : int; // skolem function for Seq#Contains over drop +function Seq#SkolemContainsTake(Seq T, int, T) : int; // skolem function for Seq#Contains over take + +function Seq#Contains(Seq T, T): bool; +axiom (forall s: Seq T, x: T :: { Seq#Contains(s,x) } + Seq#Contains(s,x) ==> s != Seq#Empty() && Seq#Length(s) > 0 && 0 <= Seq#Skolem(s,x) && + Seq#Skolem(s,x) < Seq#Length(s) && Seq#Index(s,Seq#Skolem(s,x)) == x); + +// AS: note: this is an unusual axiom, but is basically the original +// Consider writing a version without the (precise) first trigger? Also see later versions +axiom (forall s: Seq T, x: T, i:int :: { Seq#Contains(s,x), Seq#Index(s,i) } + 0 <= i && i < Seq#Length(s) && Seq#Index(s,i) == x ==> Seq#Contains(s,x)); + +// ** AS: made one change here - changed type of x from ref to T +axiom (forall x: T :: + { Seq#Contains(Seq#Empty(), x) } + !Seq#Contains(Seq#Empty(), x)); + +// AS: Consider dropping this axiom? +axiom (forall s0: Seq T, s1: Seq T, x: T :: + { Seq#Contains(Seq#Append(s0, s1), x) } { Seq#Contains(s0,x), Seq#Append(s0,s1)} { Seq#Contains(s1,x), Seq#Append(s0,s1)} // AS: added triggers + Seq#Contains(Seq#Append(s0, s1), x) <==> + Seq#Contains(s0, x) || Seq#Contains(s1, x)); + +// AS: split axioms +axiom (forall s: Seq T, n: int, x: T :: + { Seq#Contains(Seq#Take(s, n), x) } + Seq#Contains(Seq#Take(s, n), x) ==> + (Seq#Take(s, n) != Seq#Empty() && Seq#Length(Seq#Take(s, n)) > 0 && + 0 <= Seq#SkolemContainsTake(s, n, x) && Seq#SkolemContainsTake(s, n, x) < n && + Seq#SkolemContainsTake(s, n, x) < Seq#Length(s) && + Seq#Index(s, Seq#SkolemContainsTake(s, n, x)) == x)); + +axiom (forall s: Seq T, n: int, x: T, i:int :: + { Seq#Contains(Seq#Take(s, n), x), Seq#Index(s, i) } + 0 <= i && i < n && i < Seq#Length(s) && Seq#Index(s, i) == x ==> + Seq#Contains(Seq#Take(s, n), x)); + +// AS: split axioms +axiom (forall s: Seq T, n: int, x: T :: + { Seq#Contains(Seq#Drop(s, n), x) } + Seq#Contains(Seq#Drop(s, n), x) ==> + ( 0 <= Seq#SkolemContainsDrop(s, n, x) && n <= Seq#SkolemContainsDrop(s, n, x) && + Seq#SkolemContainsDrop(s, n, x) < Seq#Length(s) && + Seq#Index(s, Seq#SkolemContainsDrop(s, n, x)) == x)); + +axiom (forall s: Seq T, n: int, x: T, i:int :: + { Seq#Contains(Seq#Drop(s, n), x), Seq#Index(s, i) } + 0 <= n && n <= i && i < Seq#Length(s) && Seq#Index(s, i) == x ==> + Seq#Contains(Seq#Drop(s, n), x)); +*/ + +// END CONTAINS + +// START EQUALS + +// diff 9 : skolemise equals (old) +function Seq#Equal(Seq T, Seq T): bool; +/*axiom (forall s0: Seq T, s1: Seq T :: { Seq#Equal(s0,s1) } + Seq#Equal(s0,s1) <==> + Seq#Length(s0) == Seq#Length(s1) && + (forall j: int :: { Seq#Index(s0,j) } { Seq#Index(s1,j) } + 0 <= j && j < Seq#Length(s0) ==> Seq#Index(s0,j) == Seq#Index(s1,j))); + +axiom (forall a: Seq T, b: Seq T :: { Seq#Equal(a,b) } // extensionality axiom for sequences + Seq#Equal(a,b) ==> a == b); +*/ +// diff 9: skolemise equals (new) +// AS: split axiom +axiom (forall s0: Seq T, s1: Seq T :: { Seq#Equal(s0,s1) } + Seq#Equal(s0,s1) ==> + Seq#Length(s0) == Seq#Length(s1) && + (forall j: int :: { Seq#Index(s0,j) } { Seq#Index(s1,j) } + 0 <= j && j < Seq#Length(s0) ==> Seq#Index(s0,j) == Seq#Index(s1,j))); + +function Seq#SkolemDiff(Seq T, Seq T) : int; // skolem function for Seq#Equals + +axiom (forall s0: Seq T, s1: Seq T :: { Seq#Equal(s0,s1) } + (s0==s1 && Seq#Equal(s0,s1)) || (s0!=s1 && !Seq#Equal(s0,s1) && Seq#Length(s0) != Seq#Length(s1)) || + (s0 != s1 && !Seq#Equal(s0,s1) && Seq#Length(s0) == Seq#Length(s1) && Seq#SkolemDiff(s0,s1) == Seq#SkolemDiff(s1,s0) && 0 <= Seq#SkolemDiff(s0,s1) && Seq#SkolemDiff(s0,s1) < Seq#Length(s0) && + Seq#Index(s0,Seq#SkolemDiff(s0,s1)) != Seq#Index(s1,Seq#SkolemDiff(s0,s1)))); + +axiom (forall a: Seq T, b: Seq T :: { Seq#Equal(a,b) } // extensionality axiom for sequences + Seq#Equal(a,b) ==> a == b); + + +// END EQUALS + + +// START EXTRAS + +// extra stuff not in current Dafny Prelude + +// diff 10: variant of trigger (maybe drop these?) +// old: +axiom (forall x, y: T :: + { Seq#Contains(Seq#Singleton(x),y) } + Seq#Contains(Seq#Singleton(x),y) <==> x==y); +// new: +/*axiom (forall x, y: T :: + { Seq#Contains(Seq#Singleton(x),y) } + Seq#Contains(Seq#Singleton(x),y) ==> x==y); + +axiom (forall x: T :: + { Seq#Singleton(x) } + Seq#Contains(Seq#Singleton(x),x)); +*/ + +function Seq#Range(min: int, max: int) returns (Seq int); +axiom (forall min: int, max: int :: { Seq#Length(Seq#Range(min, max)) } (min < max ==> Seq#Length(Seq#Range(min, max)) == max-min) && (max <= min ==> Seq#Length(Seq#Range(min, max)) == 0)); +axiom (forall min: int, max: int, j: int :: { Seq#Index(Seq#Range(min, max), j) } 0<=j && j Seq#Index(Seq#Range(min, max), j) == min + j); + +axiom (forall min: int, max: int, v: int :: {Seq#Contains(Seq#Range(min, max),v)} + (Seq#Contains(Seq#Range(min, max),v) <==> min <= v && v < max)); + +// END EXTRAS + + +// ================================================== +// Translation of domain $Math +// ================================================== + +// The type for domain $Math +type $MathDomainType; + +// Translation of domain function $sign +function $sign($a: int): int; + +// Translation of domain function $div +function $div($a: int, $b: int, $r: int): int; + +// Translation of domain function $mod +function $mod($a: int, $b: int, $r: int): int; + +// Translation of domain function $pow +function $pow($a: int, $b: int): int; + +// Translation of domain function $sqrt +function $sqrt($a: int): int; + +// Translation of domain function $floor +function $floor($a: int, $s: int): int; + +// Translation of domain function $ceil +function $ceil($a: int, $s: int): int; + +// Translation of domain function $shift +function $shift($a: int, $s: int): int; + +// Translation of domain function $bitwise_not +function $bitwise_not($a: int): int; + +// Translation of domain function $bitwise_and +function $bitwise_and($a: int, $b: int): int; + +// Translation of domain function $bitwise_or +function $bitwise_or($a: int, $b: int): int; + +// Translation of domain function $bitwise_xor +function $bitwise_xor($a: int, $b: int): int; + +// Translation of domain axiom $sign_ax +axiom ($sign(0): int) == 0 && (forall $a_1: int :: + { ($sign($a_1): int) } + ($a_1 > 0 ==> ($sign($a_1): int) == 1) && ($a_1 < 0 ==> ($sign($a_1): int) == -1) +); + +// Translation of domain axiom $div_ax +axiom (forall $a_1: int, $b_1: int, $r_1: int :: + { ($div($a_1, $b_1, $r_1): int) } + ($div($a_1, $b_1, $r_1): int) == $a_1 div $b_1 + (if $a_1 >= 0 || $a_1 mod $b_1 == 0 then 0 else ($sign($b_1): int)) +); + +// Translation of domain axiom $mod_ax +axiom (forall $a_1: int, $b_1: int, $r_1: int :: + { ($mod($a_1, $b_1, $r_1): int) } + ($mod($a_1, $b_1, $r_1): int) == $a_1 - ($div($a_1, $b_1, $r_1): int) * $b_1 +); + +// Translation of domain axiom $pow0N_ax +axiom (forall $a_1: int :: + { ($pow(0, $a_1): int) } + $a_1 != 0 ==> ($pow(0, $a_1): int) == 0 +); + +// Translation of domain axiom $powN0_ax +axiom (forall $a_1: int :: + { ($pow($a_1, 0): int) } + $a_1 != 0 ==> ($pow($a_1, 0): int) == 1 +); + +// Translation of domain axiom $pow_non_negative_ax +axiom (forall $a_1: int, $b_1: int :: + { ($pow($a_1, $b_1): int) } + $a_1 >= 0 ==> ($pow($a_1, $b_1): int) >= 0 +); + +// Translation of domain axiom $pow_non_negative_and_non_null_ax +axiom (forall $a_1: int, $b_1: int :: + { ($pow($a_1, $b_1): int) } + $a_1 > 0 && $b_1 >= 0 ==> ($pow($a_1, $b_1): int) > 0 +); + +// Translation of domain axiom $floor_ax +axiom (forall $a_1: int, $s_1: int :: + { ($floor($a_1, $s_1): int) } + $s_1 > 0 ==> ($floor($a_1, $s_1): int) == ($div((if $a_1 < 0 then $a_1 - ($s_1 - 1) else $a_1), $s_1, 0): int) +); + +// Translation of domain axiom $ceil_ax +axiom (forall $a_1: int, $s_1: int :: + { ($ceil($a_1, $s_1): int) } + $s_1 > 0 ==> ($ceil($a_1, $s_1): int) == ($div((if $a_1 < 0 then $a_1 else $a_1 + $s_1 - 1), $s_1, 0): int) +); + +// Translation of domain axiom $shift_ax +axiom (forall $a_1: int, $s_1: int :: + { ($shift($a_1, $s_1): int) } + ($shift($a_1, $s_1): int) >= 0 +); + +// Translation of domain axiom $bitwise_not_ax +axiom (forall $a_1: int :: + { ($bitwise_not($a_1): int) } + ($bitwise_not($a_1): int) >= 0 +); + +// Translation of domain axiom $bitwise_and_ax +axiom (forall $a_1: int, $b_1: int :: + { ($bitwise_and($a_1, $b_1): int) } + ($bitwise_and($a_1, $b_1): int) >= 0 +); + +// Translation of domain axiom $bitwise_or_ax +axiom (forall $a_1: int, $b_1: int :: + { ($bitwise_or($a_1, $b_1): int) } + ($bitwise_or($a_1, $b_1): int) >= 0 +); + +// Translation of domain axiom $bitwise_xor_ax +axiom (forall $a_1: int, $b_1: int :: + { ($bitwise_xor($a_1, $b_1): int) } + ($bitwise_xor($a_1, $b_1): int) >= 0 +); + +// ================================================== +// Translation of domain $Int +// ================================================== + +// The type for domain $Int +type $IntDomainType; + +// Translation of domain function $wrap +function $wrap(x: int): $IntDomainType; + +// Translation of domain function $unwrap +function $unwrap(x: $IntDomainType): int; + +// Translation of domain function $w_mul +function $w_mul(x: $IntDomainType, y: $IntDomainType): $IntDomainType; + +// Translation of domain function $w_mulI +function $w_mulI(x: $IntDomainType, y: $IntDomainType): $IntDomainType; + +// Translation of domain function $w_mulL +function $w_mulL(x: $IntDomainType, y: $IntDomainType): $IntDomainType; + +// Translation of domain function $w_abs +function $w_abs(x: $IntDomainType): int; + +// Translation of domain function $w_mod +function $w_mod($a: $IntDomainType, $b: $IntDomainType): $IntDomainType; + +// Translation of domain function $w_modL +function $w_modL($a: $IntDomainType, $b: $IntDomainType): $IntDomainType; + +// Translation of domain function $w_div +function $w_div($a: $IntDomainType, $b: $IntDomainType): $IntDomainType; + +// Translation of domain function $w_div_down +function $w_div_down($a: $IntDomainType, $b: $IntDomainType): $IntDomainType; + +// Translation of domain function $w_div_nat +function $w_div_nat($a: $IntDomainType, $b: $IntDomainType): $IntDomainType; + +// Translation of domain function $w_div_natL +function $w_div_natL($a: $IntDomainType, $b: $IntDomainType): $IntDomainType; + +// Translation of domain axiom $wrap_ax +axiom (forall i: int :: + { ($wrap(i): $IntDomainType) } + ($unwrap(($wrap(i): $IntDomainType)): int) == i +); + +// Translation of domain axiom $unwrap_ax +axiom (forall i: $IntDomainType :: + { ($wrap(($unwrap(i): int)): $IntDomainType) } + ($wrap(($unwrap(i): int)): $IntDomainType) == i +); + +// Translation of domain axiom $w_abs_ax_1 +axiom (forall i: $IntDomainType :: + { ($w_abs(i): int) } + ($unwrap(i): int) < 0 ==> ($w_abs(i): int) == -($unwrap(i): int) +); + +// Translation of domain axiom $w_abs_ax_2 +axiom (forall i: $IntDomainType :: + { ($w_abs(i): int) } + ($unwrap(i): int) >= 0 ==> ($w_abs(i): int) == ($unwrap(i): int) +); + +// Translation of domain axiom $w_mul_intermediate +axiom (forall i: $IntDomainType, j: $IntDomainType :: + { ($w_mul(i, j): $IntDomainType) } + ($w_mul(i, j): $IntDomainType) == ($w_mulI(i, j): $IntDomainType) +); + +// Translation of domain axiom $w_mul_limited +axiom (forall i: $IntDomainType, j: $IntDomainType :: + { ($w_mul(i, j): $IntDomainType) } + ($w_mul(i, j): $IntDomainType) == ($w_mulL(i, j): $IntDomainType) +); + +// Translation of domain axiom $w_mul_intermediate_to_limited +axiom (forall i: $IntDomainType, j: $IntDomainType :: + { ($w_mulI(i, j): $IntDomainType) } + ($w_mulI(i, j): $IntDomainType) == ($w_mulL(i, j): $IntDomainType) +); + +// Translation of domain axiom $w_mul_commutative +axiom (forall i: $IntDomainType, j: $IntDomainType :: + { ($w_mul(i, j): $IntDomainType) } + ($w_mul(i, j): $IntDomainType) == ($w_mulI(j, i): $IntDomainType) +); + +// Translation of domain axiom $w_mul_associative +axiom (forall i: $IntDomainType, j: $IntDomainType, k: $IntDomainType :: + { ($w_mulI(i, ($w_mulI(j, k): $IntDomainType)): $IntDomainType) } + ($w_mulI(i, ($w_mulI(j, k): $IntDomainType)): $IntDomainType) == ($w_mulL(($w_mulL(i, j): $IntDomainType), k): $IntDomainType) +); + +// Translation of domain axiom $w_mul_distributive +axiom (forall i: $IntDomainType, j: $IntDomainType, k: $IntDomainType, l: $IntDomainType :: + { ($w_mulI(i, j): $IntDomainType), ($w_mulI(i, k): $IntDomainType), ($w_mulI(i, l): $IntDomainType) } + ($unwrap(j): int) == ($unwrap(k): int) + ($unwrap(l): int) ==> ($w_mulI(i, j): $IntDomainType) == ($wrap(($unwrap(($w_mulL(i, k): $IntDomainType)): int) + ($unwrap(($w_mulL(i, l): $IntDomainType)): int)): $IntDomainType) +); + +// Translation of domain axiom $w_mul_basic_sign_1 +axiom (forall i: $IntDomainType, j: $IntDomainType :: + { ($w_mulI(i, j): $IntDomainType) } + ($w_mulI(i, j): $IntDomainType) == ($w_mulL(($wrap(-($unwrap(i): int)): $IntDomainType), ($wrap(-($unwrap(j): int)): $IntDomainType)): $IntDomainType) +); + +// Translation of domain axiom $w_mul_basic_sign_2 +axiom (forall i: $IntDomainType, j: $IntDomainType :: + { ($w_mulI(i, j): $IntDomainType) } + ($w_mulI(i, j): $IntDomainType) == ($wrap(-($unwrap(($w_mulL(($wrap(-($unwrap(i): int)): $IntDomainType), j): $IntDomainType)): int)): $IntDomainType) +); + +// Translation of domain axiom $w_mul_basic_zero_1 +axiom (forall i: $IntDomainType, j: $IntDomainType :: + { ($w_mulI(i, j): $IntDomainType) } + ($unwrap(i): int) == 0 || ($unwrap(j): int) == 0 ==> ($unwrap(($w_mulI(i, j): $IntDomainType)): int) == 0 +); + +// Translation of domain axiom $w_mul_basic_zero_2 +axiom (forall i: $IntDomainType, j: $IntDomainType :: + { ($w_mulI(i, j): $IntDomainType) } + (($unwrap(i): int) > 0 && ($unwrap(j): int) > 0) || (($unwrap(i): int) < 0 && ($unwrap(j): int) < 0) ==> ($unwrap(($w_mulI(i, j): $IntDomainType)): int) > 0 +); + +// Translation of domain axiom $w_mul_basic_neutral +axiom (forall i: $IntDomainType, j: $IntDomainType :: + { ($w_mulI(i, j): $IntDomainType) } + ($unwrap(i): int) == 1 || ($unwrap(j): int) == 0 ==> ($w_mulI(i, j): $IntDomainType) == j +); + +// Translation of domain axiom $w_mul_basic_proportional +axiom (forall i: $IntDomainType, j: $IntDomainType :: + { ($w_mulI(i, j): $IntDomainType) } + (($w_abs(($w_mulI(i, j): $IntDomainType)): int) >= ($w_abs(j): int)) == (($w_abs(i): int) >= 1 || ($unwrap(j): int) == 0) +); + +// Translation of domain axiom $w_mul_order_1 +axiom (forall i: $IntDomainType, j: $IntDomainType, k: $IntDomainType, l: $IntDomainType :: + { ($w_mulI(i, ($w_mulI(j, l): $IntDomainType)): $IntDomainType), ($w_mulI(k, l): $IntDomainType) } + ($unwrap(($w_mulI(i, j): $IntDomainType)): int) > ($unwrap(k): int) && ($unwrap(l): int) > 0 ==> ($unwrap(($w_mulL(i, ($w_mulL(j, l): $IntDomainType)): $IntDomainType)): int) > ($unwrap(($w_mulI(k, l): $IntDomainType)): int) +); + +// Translation of domain axiom $w_mul_order_2 +axiom (forall i: $IntDomainType, j: $IntDomainType, k: $IntDomainType, l: $IntDomainType :: + { ($w_mulI(i, ($w_mulI(j, l): $IntDomainType)): $IntDomainType), ($w_mulI(k, l): $IntDomainType) } + ($unwrap(($w_mulI(i, j): $IntDomainType)): int) >= ($unwrap(k): int) && ($unwrap(l): int) > 0 ==> ($unwrap(($w_mulL(i, ($w_mulL(j, l): $IntDomainType)): $IntDomainType)): int) >= ($unwrap(($w_mulI(k, l): $IntDomainType)): int) +); + +// Translation of domain axiom $w_mul_order_3 +axiom (forall i: $IntDomainType, j: $IntDomainType, k: $IntDomainType, l: $IntDomainType :: + { ($w_mulI(i, ($w_mulI(j, l): $IntDomainType)): $IntDomainType), ($w_mulI(k, l): $IntDomainType) } + ($unwrap(($w_mulI(i, j): $IntDomainType)): int) > ($unwrap(k): int) && ($unwrap(l): int) < 0 ==> ($unwrap(($w_mulI(k, l): $IntDomainType)): int) > ($unwrap(($w_mulL(i, ($w_mulL(j, l): $IntDomainType)): $IntDomainType)): int) +); + +// Translation of domain axiom $w_mul_order_4 +axiom (forall i: $IntDomainType, j: $IntDomainType, k: $IntDomainType, l: $IntDomainType :: + { ($w_mulI(i, ($w_mulI(j, l): $IntDomainType)): $IntDomainType), ($w_mulI(k, l): $IntDomainType) } + ($unwrap(($w_mulI(i, j): $IntDomainType)): int) >= ($unwrap(k): int) && ($unwrap(l): int) < 0 ==> ($unwrap(($w_mulI(k, l): $IntDomainType)): int) >= ($unwrap(($w_mulL(i, ($w_mulL(j, l): $IntDomainType)): $IntDomainType)): int) +); + +// Translation of domain axiom $w_mul_monotonicity_1 +axiom (forall i: $IntDomainType, j: $IntDomainType, k: $IntDomainType, l: $IntDomainType :: + { ($w_mulI(i, k): $IntDomainType), ($w_mulI(j, l): $IntDomainType) } + ($w_abs(i): int) <= ($w_abs(j): int) && ($w_abs(k): int) <= ($w_abs(l): int) ==> ($w_abs(($w_mulI(i, k): $IntDomainType)): int) <= ($w_abs(($w_mulI(j, l): $IntDomainType)): int) +); + +// Translation of domain axiom $w_mul_monotonicity_2 +axiom (forall i: $IntDomainType, j: $IntDomainType, k: $IntDomainType, l: $IntDomainType :: + { ($w_mulI(i, k): $IntDomainType), ($w_mulI(j, l): $IntDomainType) } + ($w_abs(i): int) < ($w_abs(j): int) && (($w_abs(k): int) <= ($w_abs(l): int) && ($unwrap(l): int) != 0) ==> ($w_abs(($w_mulI(i, k): $IntDomainType)): int) < ($w_abs(($w_mulI(j, l): $IntDomainType)): int) +); + +// Translation of domain axiom $w_mul_monotonicity_3 +axiom (forall i: $IntDomainType, j: $IntDomainType, k: $IntDomainType, l: $IntDomainType :: + { ($w_mulI(i, k): $IntDomainType), ($w_mulI(j, l): $IntDomainType) } + ($w_abs(i): int) <= ($w_abs(j): int) && (($w_abs(k): int) < ($w_abs(l): int) && ($unwrap(j): int) != 0) ==> ($w_abs(($w_mulI(i, k): $IntDomainType)): int) < ($w_abs(($w_mulI(j, l): $IntDomainType)): int) +); + +// Translation of domain axiom $w_mod_limited +axiom (forall i: $IntDomainType, j: $IntDomainType :: + { ($w_mod(i, j): $IntDomainType) } + ($w_mod(i, j): $IntDomainType) == ($w_modL(i, j): $IntDomainType) +); + +// Translation of domain axiom $w_mod_identity +axiom (forall i: $IntDomainType, j: $IntDomainType :: + { ($w_mod(i, j): $IntDomainType) } + j != ($wrap(0): $IntDomainType) ==> i == j || i == ($wrap(0): $IntDomainType) ==> ($w_mod(i, j): $IntDomainType) == ($wrap(0): $IntDomainType) +); + +// Translation of domain axiom $w_mod_basic_1 +axiom (forall i: $IntDomainType, j: $IntDomainType, l: $IntDomainType :: + { ($w_mod(i, j): $IntDomainType), ($w_mod(l, j): $IntDomainType) } + j != ($wrap(0): $IntDomainType) ==> ($unwrap(i): int) == ($unwrap(l): int) + ($w_abs(j): int) && (($unwrap(l): int) >= 0 || ($unwrap(i): int) < 0) ==> ($w_mod(i, j): $IntDomainType) == ($w_modL(l, j): $IntDomainType) +); + +// Translation of domain axiom $w_mod_basic_2 +axiom (forall i: $IntDomainType, j: $IntDomainType, l: $IntDomainType :: + { ($w_mod(i, j): $IntDomainType), ($w_mod(l, j): $IntDomainType) } + j != ($wrap(0): $IntDomainType) ==> ($unwrap(i): int) == ($unwrap(l): int) - ($w_abs(j): int) && (($unwrap(l): int) <= 0 || ($unwrap(i): int) > 0) ==> ($w_mod(i, j): $IntDomainType) == ($w_modL(l, j): $IntDomainType) +); + +// Translation of domain axiom $w_mod_basic_3 +axiom (forall i: $IntDomainType, j: $IntDomainType :: + { ($w_mod(i, j): $IntDomainType) } + j != ($wrap(0): $IntDomainType) ==> 0 <= ($w_abs(i): int) && ($w_abs(i): int) < ($w_abs(j): int) ==> ($w_mod(i, j): $IntDomainType) == i +); + +// Translation of domain axiom $w_mod_basic_4 +axiom (forall i: $IntDomainType, j: $IntDomainType :: + { ($w_mod(i, j): $IntDomainType) } + j != ($wrap(0): $IntDomainType) ==> ($w_abs(($w_mod(i, j): $IntDomainType)): int) < ($w_abs(j): int) +); + +// Translation of domain axiom $w_mod_sign_1 +axiom (forall i: $IntDomainType, j: $IntDomainType :: + { ($w_mod(i, j): $IntDomainType) } + j != ($wrap(0): $IntDomainType) ==> ($sign(($unwrap(($w_mod(i, j): $IntDomainType)): int)): int) == ($sign(($unwrap(i): int)): int) || ($sign(($unwrap(($w_mod(i, j): $IntDomainType)): int)): int) == 0 +); + +// Translation of domain axiom $w_mod_sign_2 +axiom (forall i: $IntDomainType, j: $IntDomainType, k: $IntDomainType :: + { ($w_mod(i, j): $IntDomainType), ($w_mod(k, j): $IntDomainType) } + j != ($wrap(0): $IntDomainType) ==> ($unwrap(i): int) == -($unwrap(k): int) ==> ($w_mod(i, j): $IntDomainType) == ($wrap(-($unwrap(($w_modL(k, j): $IntDomainType)): int)): $IntDomainType) +); + +// Translation of domain axiom $w_mod_sign_3 +axiom (forall i: $IntDomainType, j: $IntDomainType :: + { ($w_mod(i, j): $IntDomainType) } + j != ($wrap(0): $IntDomainType) ==> ($w_mod(i, j): $IntDomainType) == ($w_mod(i, ($wrap(-($unwrap(j): int)): $IntDomainType)): $IntDomainType) +); + +// Translation of domain axiom $w_mod_mod +axiom (forall i: $IntDomainType, j: $IntDomainType :: + { ($w_mod(i, j): $IntDomainType) } + j != ($wrap(0): $IntDomainType) ==> ($w_mod(i, j): $IntDomainType) == ($w_modL(($w_modL(i, j): $IntDomainType), j): $IntDomainType) +); + +// Translation of domain axiom $w_mod_decrease +axiom (forall i: $IntDomainType, j: $IntDomainType :: + { ($w_mod(i, j): $IntDomainType) } + j != ($wrap(0): $IntDomainType) ==> ($w_abs(($w_mod(i, j): $IntDomainType)): int) <= ($w_abs(i): int) +); + +// Translation of domain axiom $w_mod_add +axiom (forall i: $IntDomainType, j: $IntDomainType, k: $IntDomainType, l: $IntDomainType :: + { ($w_mod(i, j): $IntDomainType), ($w_mod(k, j): $IntDomainType), ($w_mod(l, j): $IntDomainType) } + j != ($wrap(0): $IntDomainType) ==> ($unwrap(i): int) == ($unwrap(k): int) + ($unwrap(l): int) ==> ((($unwrap(i): int) >= 0 && ($unwrap(($w_modL(k, j): $IntDomainType)): int) + ($unwrap(($w_modL(l, j): $IntDomainType)): int) >= 0) || (($unwrap(i): int) <= 0 && ($unwrap(($w_modL(k, j): $IntDomainType)): int) + ($unwrap(($w_modL(l, j): $IntDomainType)): int) <= 0) ==> (($w_abs(j): int) <= ($unwrap(($w_modL(k, j): $IntDomainType)): int) + ($unwrap(($w_modL(l, j): $IntDomainType)): int) && (($unwrap(($w_modL(k, j): $IntDomainType)): int) + ($unwrap(($w_modL(l, j): $IntDomainType)): int) < 2 * ($w_abs(j): int) && ($w_mod(i, j): $IntDomainType) == ($wrap(($unwrap(($w_modL(k, j): $IntDomainType)): int) + ($unwrap(($w_modL(l, j): $IntDomainType)): int) - ($w_abs(j): int)): $IntDomainType))) || ((-($w_abs(j): int) < ($unwrap(($w_modL(k, j): $IntDomainType)): int) + ($unwrap(($w_modL(l, j): $IntDomainType)): int) && (($unwrap(($w_modL(k, j): $IntDomainType)): int) + ($unwrap(($w_modL(l, j): $IntDomainType)): int) < ($w_abs(j): int) && ($w_mod(i, j): $IntDomainType) == ($wrap(($unwrap(($w_modL(k, j): $IntDomainType)): int) + ($unwrap(($w_modL(l, j): $IntDomainType)): int)): $IntDomainType))) || (-2 * ($w_abs(j): int) < ($unwrap(($w_modL(k, j): $IntDomainType)): int) + ($unwrap(($w_modL(l, j): $IntDomainType)): int) && (($unwrap(($w_modL(k, j): $IntDomainType)): int) + ($unwrap(($w_modL(l, j): $IntDomainType)): int) <= -($w_abs(j): int) && ($w_mod(i, j): $IntDomainType) == ($wrap(($unwrap(($w_modL(k, j): $IntDomainType)): int) + ($unwrap(($w_modL(l, j): $IntDomainType)): int) + ($w_abs(j): int)): $IntDomainType))))) && ((($unwrap(i): int) > 0 && ($unwrap(($w_modL(k, j): $IntDomainType)): int) + ($unwrap(($w_modL(l, j): $IntDomainType)): int) < 0) || (($unwrap(i): int) < 0 && ($unwrap(($w_modL(k, j): $IntDomainType)): int) + ($unwrap(($w_modL(l, j): $IntDomainType)): int) > 0) ==> (0 < ($unwrap(($w_modL(k, j): $IntDomainType)): int) + ($unwrap(($w_modL(l, j): $IntDomainType)): int) && (($unwrap(($w_modL(k, j): $IntDomainType)): int) + ($unwrap(($w_modL(l, j): $IntDomainType)): int) < ($w_abs(j): int) && ($w_mod(i, j): $IntDomainType) == ($wrap(($unwrap(($w_modL(k, j): $IntDomainType)): int) + ($unwrap(($w_modL(l, j): $IntDomainType)): int) - ($w_abs(j): int)): $IntDomainType))) || (-($w_abs(j): int) < ($unwrap(($w_modL(k, j): $IntDomainType)): int) + ($unwrap(($w_modL(l, j): $IntDomainType)): int) && (($unwrap(($w_modL(k, j): $IntDomainType)): int) + ($unwrap(($w_modL(l, j): $IntDomainType)): int) < 0 && ($w_mod(i, j): $IntDomainType) == ($wrap(($unwrap(($w_modL(k, j): $IntDomainType)): int) + ($unwrap(($w_modL(l, j): $IntDomainType)): int) + ($w_abs(j): int)): $IntDomainType)))) +); + +// Translation of domain axiom $w_mod_mul_basic +axiom (forall i: $IntDomainType, j: $IntDomainType :: + { ($w_mod(($w_mul(i, j): $IntDomainType), j): $IntDomainType) } + j != ($wrap(0): $IntDomainType) ==> ($w_mod(($w_mul(i, j): $IntDomainType), j): $IntDomainType) == ($wrap(0): $IntDomainType) +); + +// Translation of domain axiom $w_mod_mul_mod_noop +axiom (forall i: $IntDomainType, j: $IntDomainType, k: $IntDomainType :: + { ($w_mod(($w_mulI(i, k): $IntDomainType), j): $IntDomainType) } + j != ($wrap(0): $IntDomainType) ==> ($w_mod(($w_mulI(i, k): $IntDomainType), j): $IntDomainType) == ($w_modL(($w_mulL(($w_modL(i, j): $IntDomainType), k): $IntDomainType), j): $IntDomainType) && (($w_mod(($w_mulI(i, k): $IntDomainType), j): $IntDomainType) == ($w_modL(($w_mulL(i, ($w_modL(k, j): $IntDomainType)): $IntDomainType), j): $IntDomainType) && ($w_mod(($w_mulI(i, k): $IntDomainType), j): $IntDomainType) == ($w_modL(($w_mulL(($w_modL(i, j): $IntDomainType), ($w_modL(k, j): $IntDomainType)): $IntDomainType), j): $IntDomainType)) +); + +// Translation of domain axiom $w_mod_mul_vanish +axiom (forall i: $IntDomainType, j: $IntDomainType, k: $IntDomainType :: + { ($w_mod(i, j): $IntDomainType), ($w_mulI(k, j): $IntDomainType) } + j != ($wrap(0): $IntDomainType) ==> ($w_mod(i, j): $IntDomainType) == ($w_modL(($wrap(($unwrap(($w_mulL(k, j): $IntDomainType)): int) + ($unwrap(i): int)): $IntDomainType), j): $IntDomainType) +); + +// Translation of domain axiom $w_div_div_down +axiom (forall i: $IntDomainType, j: $IntDomainType :: + { ($w_div(i, j): $IntDomainType) } + ($unwrap(j): int) != 0 ==> ($w_div(i, j): $IntDomainType) == (if ($unwrap(i): int) >= 0 then ($w_div_down(i, j): $IntDomainType) else ($wrap(-($unwrap(($w_div_down(($wrap(-($unwrap(i): int)): $IntDomainType), j): $IntDomainType)): int)): $IntDomainType)) +); + +// Translation of domain axiom $w_div_down_div_nat +axiom (forall i: $IntDomainType, j: $IntDomainType :: + { ($w_div_down(i, j): $IntDomainType) } + ($w_div_down(i, j): $IntDomainType) == (if ($unwrap(j): int) >= 0 then ($w_div_nat(i, j): $IntDomainType) else ($wrap(-($unwrap(($w_div_nat(i, ($wrap(-($unwrap(j): int)): $IntDomainType)): $IntDomainType)): int)): $IntDomainType)) +); + +// Translation of domain axiom $w_div_nat_limited +axiom (forall i: $IntDomainType, j: $IntDomainType :: + { ($w_div_nat(i, j): $IntDomainType) } + ($w_div_nat(i, j): $IntDomainType) == ($w_div_natL(i, j): $IntDomainType) +); + +// Translation of domain axiom $w_div_nat_neutral +axiom (forall i: $IntDomainType, j: $IntDomainType :: + { ($w_div_nat(i, j): $IntDomainType) } + ($unwrap(j): int) == 1 || ($unwrap(i): int) == 0 ==> ($w_div_nat(i, j): $IntDomainType) == i +); + +// Translation of domain axiom $w_div_nat_self +axiom (forall i: $IntDomainType :: + { ($w_div_nat(i, i): $IntDomainType) } + ($unwrap(i): int) > 0 ==> ($w_div_nat(i, i): $IntDomainType) == ($wrap(1): $IntDomainType) +); + +// Translation of domain axiom $w_div_nat_small +axiom (forall i: $IntDomainType, j: $IntDomainType :: + { ($w_div_nat(i, j): $IntDomainType) } + ($unwrap(i): int) >= 0 && ($unwrap(j): int) > 0 ==> (($unwrap(i): int) < ($unwrap(j): int)) == (($w_div_nat(i, j): $IntDomainType) == ($wrap(0): $IntDomainType)) +); + +// Translation of domain axiom $w_div_nat_dividend_add +axiom (forall i: $IntDomainType, j: $IntDomainType, k: $IntDomainType, l: $IntDomainType :: + { ($w_div_nat(i, j): $IntDomainType), ($w_div_nat(k, j): $IntDomainType), ($w_div_nat(l, j): $IntDomainType) } + ($unwrap(i): int) >= 0 && (($unwrap(j): int) > 0 && (($unwrap(k): int) >= 0 && ($unwrap(l): int) >= 0)) ==> ($unwrap(i): int) == ($unwrap(k): int) + ($unwrap(l): int) ==> (0 <= ($unwrap(($w_mod(k, j): $IntDomainType)): int) + ($unwrap(($w_mod(l, j): $IntDomainType)): int) && (($unwrap(($w_mod(k, j): $IntDomainType)): int) + ($unwrap(($w_mod(l, j): $IntDomainType)): int) < ($unwrap(j): int) && ($w_div_nat(i, j): $IntDomainType) == ($wrap(($unwrap(($w_div_natL(k, j): $IntDomainType)): int) + ($unwrap(($w_div_natL(l, j): $IntDomainType)): int)): $IntDomainType))) || (($unwrap(j): int) <= ($unwrap(($w_mod(k, j): $IntDomainType)): int) + ($unwrap(($w_mod(l, j): $IntDomainType)): int) && (($unwrap(($w_mod(k, j): $IntDomainType)): int) + ($unwrap(($w_mod(l, j): $IntDomainType)): int) < 2 * ($unwrap(j): int) && ($w_div_nat(i, j): $IntDomainType) == ($wrap(($unwrap(($w_div_natL(k, j): $IntDomainType)): int) + ($unwrap(($w_div_natL(l, j): $IntDomainType)): int) + 1): $IntDomainType))) +); + +// Translation of domain axiom $w_div_nat_ordered_by_dividend +axiom (forall i: $IntDomainType, j: $IntDomainType, k: $IntDomainType :: + { ($w_div_nat(i, j): $IntDomainType), ($w_div_nat(k, j): $IntDomainType) } + ($unwrap(i): int) >= 0 && (($unwrap(j): int) > 0 && ($unwrap(k): int) >= 0) ==> ($unwrap(i): int) <= ($unwrap(k): int) ==> ($unwrap(($w_div_nat(i, j): $IntDomainType)): int) <= ($unwrap(($w_div_natL(k, j): $IntDomainType)): int) +); + +// Translation of domain axiom $w_div_nat_ordered_by_divisor +axiom (forall i: $IntDomainType, j: $IntDomainType, k: $IntDomainType :: + { ($w_div_nat(i, j): $IntDomainType), ($w_div_nat(i, k): $IntDomainType) } + ($unwrap(i): int) >= 0 && (($unwrap(j): int) > 0 && ($unwrap(k): int) > 0) ==> ($unwrap(j): int) <= ($unwrap(k): int) ==> ($unwrap(($w_div_nat(i, j): $IntDomainType)): int) >= ($unwrap(($w_div_natL(i, k): $IntDomainType)): int) +); + +// Translation of domain axiom $w_div_nat_decrease +axiom (forall i: $IntDomainType, j: $IntDomainType :: + { ($w_div_nat(i, j): $IntDomainType) } + ($unwrap(i): int) > 0 && ($unwrap(j): int) > 1 ==> ($unwrap(($w_div_nat(i, j): $IntDomainType)): int) < ($unwrap(i): int) +); + +// Translation of domain axiom $w_div_nat_nonincrease +axiom (forall i: $IntDomainType, j: $IntDomainType :: + { ($w_div_nat(i, j): $IntDomainType) } + ($unwrap(i): int) >= 0 && ($unwrap(j): int) > 0 ==> ($unwrap(($w_div_nat(i, j): $IntDomainType)): int) <= ($unwrap(i): int) +); + +// Translation of domain axiom $w_div_mul +axiom (forall i: $IntDomainType, j: $IntDomainType :: + { ($w_div(($w_mulI(i, j): $IntDomainType), j): $IntDomainType) } + ($unwrap(j): int) != 0 ==> ($w_div(($w_mulI(i, j): $IntDomainType), j): $IntDomainType) == i +); + +// Translation of domain axiom $w_div_sign +axiom (forall i: $IntDomainType, j: $IntDomainType :: + { ($w_div(i, j): $IntDomainType) } + ($unwrap(j): int) != 0 ==> ($sign(($unwrap(($w_div(i, j): $IntDomainType)): int)): int) == ($sign(($unwrap(i): int)): int) * ($sign(($unwrap(j): int)): int) || ($sign(($unwrap(($w_div(i, j): $IntDomainType)): int)): int) == 0 +); + +// Translation of domain axiom $w_div_mod_mul +axiom (forall i: $IntDomainType, j: $IntDomainType :: + { ($w_div(i, j): $IntDomainType), ($w_mod(i, j): $IntDomainType) } + ($unwrap(j): int) != 0 ==> ($unwrap(i): int) == ($unwrap(($w_mulI(j, ($w_div(i, j): $IntDomainType)): $IntDomainType)): int) + ($unwrap(($w_mod(i, j): $IntDomainType)): int) +); + +// ================================================== +// Translation of domain $Array +// ================================================== + +// The type for domain $Array +type $ArrayDomainType $E; + +// Translation of domain function $array_init +function $array_init<$E>($e: $E, $c: int): Seq $E; + +// Translation of domain axiom $array_init_len_ax +axiom (forall <$E> $e_1: $E, $c_1: int :: + { ($array_init($e_1, $c_1): Seq $E) } + Seq#Length(($array_init($e_1, $c_1): Seq $E)) == $c_1 +); + +// Translation of domain axiom $array_init_val_ax +axiom (forall <$E> $e_1: $E, $c_1: int, $i: int :: + { (Seq#Index(($array_init($e_1, $c_1): Seq $E), $i): $E) } + 0 <= $i && $i < $c_1 ==> (Seq#Index(($array_init($e_1, $c_1): Seq $E), $i): $E) == $e_1 +); + +// ================================================== +// Translation of domain $Map +// ================================================== + +// The type for domain $Map +type $MapDomainType $K $V; + +// Translation of domain function $map_init +function $map_init<$V, $K>($v: $V): $MapDomainType $K $V; + +// Translation of domain function $map_eq +function $map_eq<$K, $V>($m: ($MapDomainType $K $V), $n: ($MapDomainType $K $V)): bool; + +// Translation of domain function $map_get +function $map_get<$K, $V>($m: ($MapDomainType $K $V), $k: $K): $V; + +// Translation of domain function $map_set +function $map_set<$K, $V>($m: ($MapDomainType $K $V), $k: $K, $v: $V): $MapDomainType $K $V; + +// Translation of domain axiom $map_init_ax +axiom (forall <$V, $K> $v_1: $V, $k_1: $K :: + { ($map_get(($map_init($v_1): $MapDomainType $K $V), $k_1): $V) } + ($map_get(($map_init($v_1): $MapDomainType $K $V), $k_1): $V) == $v_1 +); + +// Translation of domain axiom $map_eq_ax +axiom (forall <$K, $V> $m_1: ($MapDomainType $K $V), $n_1: ($MapDomainType $K $V) :: + { ($map_eq($m_1, $n_1): bool) } + ($map_eq($m_1, $n_1): bool) == ($m_1 == $n_1) && ($map_eq($m_1, $n_1): bool) == (forall $k_1: $K :: + { ($map_get($m_1, $k_1): $V), ($map_get($n_1, $k_1): $V) } + ($map_get($m_1, $k_1): $V) == ($map_get($n_1, $k_1): $V) + ) +); + +// Translation of domain axiom $map_set_ax +axiom (forall <$K, $V> $m_1: ($MapDomainType $K $V), $k_1: $K, $v_1: $V, $kk: $K :: + { ($map_get(($map_set($m_1, $k_1, $v_1): $MapDomainType $K $V), $kk): $V) } + ($map_get(($map_set($m_1, $k_1, $v_1): $MapDomainType $K $V), $kk): $V) == (if $k_1 == $kk then $v_1 else ($map_get($m_1, $kk): $V)) +); + +// ================================================== +// Translation of domain $MapInt +// ================================================== + +// The type for domain $MapInt +type $MapIntDomainType $K; + +// Translation of domain function $map_sum +function $map_sum<$K>($m: ($MapDomainType $K int)): int; + +// Translation of domain axiom $map_sum_init_ax +axiom ($map_sum(($map_init(0): $MapDomainType int int)): int) == 0; + +// Translation of domain axiom $map_sum_set_ax +axiom (forall <$K> $m_1: ($MapDomainType $K int), $k_1: $K, $v_1: int :: + { ($map_sum(($map_set($m_1, $k_1, $v_1): $MapDomainType $K int)): int) } + ($map_sum(($map_set($m_1, $k_1, $v_1): $MapDomainType $K int)): int) == ($map_sum($m_1): int) - ($map_get($m_1, $k_1): int) + $v_1 +); + +// ================================================== +// Translation of domain $Struct +// ================================================== + +// The type for domain $Struct +type $StructDomainType; + +// Translation of domain function $struct_loc +function $struct_loc($s: $StructDomainType, $m: int): int; + +// ================================================== +// Translation of domain $StructOps +// ================================================== + +// The type for domain $StructOps +type $StructOpsDomainType $T; + +// Translation of domain function $struct_get +function $struct_get<$T>($l: int): $T; + +// Translation of domain function $struct_set +function $struct_set<$T>($s: $StructDomainType, $m: int, $t: $T): $StructDomainType; + +// Translation of domain axiom $get_set_0_ax +axiom (forall <$T> $s_1: $StructDomainType, $m_1: int, $t_1: $T :: + { ($struct_loc(($struct_set($s_1, $m_1, $t_1): $StructDomainType), $m_1): int) } + ($struct_get(($struct_loc(($struct_set($s_1, $m_1, $t_1): $StructDomainType), $m_1): int)): $T) == $t_1 +); + +// Translation of domain axiom $get_set_1_ax +axiom (forall <$T> $s_1: $StructDomainType, $m_1: int, $n_1: int, $t_1: $T :: + { ($struct_loc(($struct_set($s_1, $n_1, $t_1): $StructDomainType), $m_1): int) } + $m_1 != $n_1 ==> ($struct_loc($s_1, $m_1): int) == ($struct_loc(($struct_set($s_1, $n_1, $t_1): $StructDomainType), $m_1): int) +); + +// ================================================== +// Translation of domain $Convert +// ================================================== + +// The type for domain $Convert +type $ConvertDomainType; + +// Translation of domain function $bytes32_to_signed_int +function $bytes32_to_signed_int($bb: (Seq int)): int; + +// Translation of domain function $bytes32_to_unsigned_int +function $bytes32_to_unsigned_int($bb: (Seq int)): int; + +// Translation of domain function $signed_int_to_bytes32 +function $signed_int_to_bytes32($i_1: int): Seq int; + +// Translation of domain function $unsigned_int_to_bytes32 +function $unsigned_int_to_bytes32($i_1: int): Seq int; + +// Translation of domain function $pad32 +function $pad32($bb: (Seq int)): Seq int; + +// Translation of domain axiom $bytes32_to_signed_int_ax +axiom (forall $bb_1: (Seq int) :: + { ($bytes32_to_signed_int($bb_1): int) } + Seq#Length($bb_1) <= 32 ==> -57896044618658097711785492504343953926634992332820282019728792003956564819968 <= ($bytes32_to_signed_int($bb_1): int) && ($bytes32_to_signed_int($bb_1): int) <= 57896044618658097711785492504343953926634992332820282019728792003956564819967 +); + +// Translation of domain axiom $bytes32_to_unsigned_int_ax +axiom (forall $bb_1: (Seq int) :: + { ($bytes32_to_unsigned_int($bb_1): int) } + Seq#Length($bb_1) <= 32 ==> 0 <= ($bytes32_to_unsigned_int($bb_1): int) && ($bytes32_to_unsigned_int($bb_1): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 +); + +// Translation of domain axiom $signed_int_to_bytes32_ax +axiom (forall $i: int :: + { ($signed_int_to_bytes32($i): Seq int) } + -57896044618658097711785492504343953926634992332820282019728792003956564819968 <= $i && $i <= 57896044618658097711785492504343953926634992332820282019728792003956564819967 ==> Seq#Length(($signed_int_to_bytes32($i): Seq int)) == 32 +); + +// Translation of domain axiom $unsigned_int_to_bytes32_ax +axiom (forall $i: int :: + { ($unsigned_int_to_bytes32($i): Seq int) } + -57896044618658097711785492504343953926634992332820282019728792003956564819968 <= $i && $i <= 57896044618658097711785492504343953926634992332820282019728792003956564819967 ==> Seq#Length(($unsigned_int_to_bytes32($i): Seq int)) == 32 +); + +// Translation of domain axiom $pad32_len_ax +axiom (forall $bb_1: (Seq int) :: + { ($pad32($bb_1): Seq int) } + Seq#Length(($pad32($bb_1): Seq int)) == 32 +); + +// Translation of domain axiom $pad32_vals_ax +axiom (forall $bb_1: (Seq int), $i: int :: + { Seq#Index(($pad32($bb_1): Seq int), $i) } + 0 <= $i && $i < Seq#Length(($pad32($bb_1): Seq int)) ==> Seq#Index(($pad32($bb_1): Seq int), $i) == (if $i < 32 - Seq#Length($bb_1) then 0 else Seq#Index($bb_1, $i - (32 - Seq#Length($bb_1)))) +); + +// ================================================== +// Translation of domain $Range +// ================================================== + +// The type for domain $Range +type $RangeDomainType; + +// Translation of domain function $range +function $range($f: int, $t: int): Seq int; + +// Translation of domain axiom $range_len_ax +axiom (forall $f_1: int, $t_1: int :: + { Seq#Length(($range($f_1, $t_1): Seq int)) } + Seq#Length(($range($f_1, $t_1): Seq int)) == $t_1 - $f_1 +); + +// Translation of domain axiom $range_lookup_ax +axiom (forall $f_1: int, $t_1: int, $i: int :: + { Seq#Index(($range($f_1, $t_1): Seq int), $i) } + 0 <= $i && $i < Seq#Length(($range($f_1, $t_1): Seq int)) ==> Seq#Index(($range($f_1, $t_1): Seq int), $i) == $f_1 + $i +); + +// ================================================== +// Translation of domain $Blockchain +// ================================================== + +// The type for domain $Blockchain +type $BlockchainDomainType; + +// Translation of domain function $blockhash +function $blockhash($no: int): Seq int; + +// Translation of domain function $method_id +function $method_id($bb: (Seq int), $l: int): Seq int; + +// Translation of domain function $keccak256 +function $keccak256($s: (Seq int)): Seq int; + +// Translation of domain function $sha256 +function $sha256($s: (Seq int)): Seq int; + +// Translation of domain function $ecrecover +function $ecrecover($s: (Seq int), v_2: int, r_1: int, s: int): int; + +// Translation of domain function $ecadd +function $ecadd($p: (Seq int), $q: (Seq int)): Seq int; + +// Translation of domain function $ecmul +function $ecmul($p: (Seq int), $s: int): Seq int; + +// Translation of domain axiom $blockhash_ax +axiom (forall $no_1: int :: + { ($blockhash($no_1): Seq int) } + Seq#Length(($blockhash($no_1): Seq int)) == 32 +); + +// Translation of domain axiom $method_id_ax +axiom (forall $bb_1: (Seq int), $l_1: int :: + { ($method_id($bb_1, $l_1): Seq int) } + Seq#Length(($method_id($bb_1, $l_1): Seq int)) == $l_1 +); + +// Translation of domain axiom $keccak256_ax +axiom (forall $s_1: (Seq int) :: + { ($keccak256($s_1): Seq int) } + Seq#Length(($keccak256($s_1): Seq int)) == 32 +); + +// Translation of domain axiom $sha256_ax +axiom (forall $s_1: (Seq int) :: + { ($sha256($s_1): Seq int) } + Seq#Length(($sha256($s_1): Seq int)) == 32 +); + +// Translation of domain axiom $ecadd_ax +axiom (forall $p_1: (Seq int), $q_1: (Seq int) :: + { ($ecadd($p_1, $q_1): Seq int) } + Seq#Length(($ecadd($p_1, $q_1): Seq int)) == 2 +); + +// Translation of domain axiom $ecmul_ax +axiom (forall $p_1: (Seq int), $s_1: int :: + { ($ecmul($p_1, $s_1): Seq int) } + Seq#Length(($ecmul($p_1, $s_1): Seq int)) == 2 +); + +// ================================================== +// Translation of domain $Contract +// ================================================== + +// The type for domain $Contract +type $ContractDomainType; + +// Translation of domain function $self_address +function $self_address(): int; + +// Translation of domain function $implements +function $implements($a: int, $i_1: int): bool; + +// Translation of domain axiom $self_address_ax +axiom ($self_address(): int) != 0; + +// ================================================== +// Translation of domain s$struct$self +// ================================================== + +// The type for domain s$struct$self +type s$struct$selfDomainType; + +// Translation of domain function s$struct$self$init +function s$struct$self$init($arg_0: int, $arg_1: int, $arg_2: int, $arg_3: int, $arg_4: int, $arg_5: bool, $arg_6: ($MapDomainType int int), $arg_7: int, $arg_8: int, $arg_9: bool, $arg_10: ($MapDomainType int int), $arg_11: ($MapDomainType int int), $arg_12: bool): $StructDomainType; + +// Translation of domain function s$struct$self$eq +function s$struct$self$eq($l: $StructDomainType, $r: $StructDomainType): bool; + +// Translation of domain axiom s$struct$self$init$ax +axiom (forall $arg_0_1: int, $arg_1_1: int, $arg_2_1: int, $arg_3_1: int, $arg_4_1: int, $arg_5_1: bool, $arg_6_1: ($MapDomainType int int), $arg_7_1: int, $arg_8_1: int, $arg_9_1: bool, $arg_10_1: ($MapDomainType int int), $arg_11_1: ($MapDomainType int int), $arg_12_1: bool :: + { (s$struct$self$init($arg_0_1, $arg_1_1, $arg_2_1, $arg_3_1, $arg_4_1, $arg_5_1, $arg_6_1, $arg_7_1, $arg_8_1, $arg_9_1, $arg_10_1, $arg_11_1, $arg_12_1): $StructDomainType) } + ($struct_get(($struct_loc((s$struct$self$init($arg_0_1, $arg_1_1, $arg_2_1, $arg_3_1, $arg_4_1, $arg_5_1, $arg_6_1, $arg_7_1, $arg_8_1, $arg_9_1, $arg_10_1, $arg_11_1, $arg_12_1): $StructDomainType), -1): int)): int) == 9122519725869122497593506884710 && (($struct_get(($struct_loc((s$struct$self$init($arg_0_1, $arg_1_1, $arg_2_1, $arg_3_1, $arg_4_1, $arg_5_1, $arg_6_1, $arg_7_1, $arg_8_1, $arg_9_1, $arg_10_1, $arg_11_1, $arg_12_1): $StructDomainType), 0): int)): int) == $arg_0_1 && (($struct_get(($struct_loc((s$struct$self$init($arg_0_1, $arg_1_1, $arg_2_1, $arg_3_1, $arg_4_1, $arg_5_1, $arg_6_1, $arg_7_1, $arg_8_1, $arg_9_1, $arg_10_1, $arg_11_1, $arg_12_1): $StructDomainType), 1): int)): int) == $arg_1_1 && (($struct_get(($struct_loc((s$struct$self$init($arg_0_1, $arg_1_1, $arg_2_1, $arg_3_1, $arg_4_1, $arg_5_1, $arg_6_1, $arg_7_1, $arg_8_1, $arg_9_1, $arg_10_1, $arg_11_1, $arg_12_1): $StructDomainType), 2): int)): int) == $arg_2_1 && (($struct_get(($struct_loc((s$struct$self$init($arg_0_1, $arg_1_1, $arg_2_1, $arg_3_1, $arg_4_1, $arg_5_1, $arg_6_1, $arg_7_1, $arg_8_1, $arg_9_1, $arg_10_1, $arg_11_1, $arg_12_1): $StructDomainType), 3): int)): int) == $arg_3_1 && (($struct_get(($struct_loc((s$struct$self$init($arg_0_1, $arg_1_1, $arg_2_1, $arg_3_1, $arg_4_1, $arg_5_1, $arg_6_1, $arg_7_1, $arg_8_1, $arg_9_1, $arg_10_1, $arg_11_1, $arg_12_1): $StructDomainType), 4): int)): int) == $arg_4_1 && (($struct_get(($struct_loc((s$struct$self$init($arg_0_1, $arg_1_1, $arg_2_1, $arg_3_1, $arg_4_1, $arg_5_1, $arg_6_1, $arg_7_1, $arg_8_1, $arg_9_1, $arg_10_1, $arg_11_1, $arg_12_1): $StructDomainType), 5): int)): bool) == $arg_5_1 && (($struct_get(($struct_loc((s$struct$self$init($arg_0_1, $arg_1_1, $arg_2_1, $arg_3_1, $arg_4_1, $arg_5_1, $arg_6_1, $arg_7_1, $arg_8_1, $arg_9_1, $arg_10_1, $arg_11_1, $arg_12_1): $StructDomainType), 6): int)): $MapDomainType int int) == $arg_6_1 && (($struct_get(($struct_loc((s$struct$self$init($arg_0_1, $arg_1_1, $arg_2_1, $arg_3_1, $arg_4_1, $arg_5_1, $arg_6_1, $arg_7_1, $arg_8_1, $arg_9_1, $arg_10_1, $arg_11_1, $arg_12_1): $StructDomainType), 7): int)): int) == $arg_7_1 && (($struct_get(($struct_loc((s$struct$self$init($arg_0_1, $arg_1_1, $arg_2_1, $arg_3_1, $arg_4_1, $arg_5_1, $arg_6_1, $arg_7_1, $arg_8_1, $arg_9_1, $arg_10_1, $arg_11_1, $arg_12_1): $StructDomainType), 8): int)): int) == $arg_8_1 && (($struct_get(($struct_loc((s$struct$self$init($arg_0_1, $arg_1_1, $arg_2_1, $arg_3_1, $arg_4_1, $arg_5_1, $arg_6_1, $arg_7_1, $arg_8_1, $arg_9_1, $arg_10_1, $arg_11_1, $arg_12_1): $StructDomainType), 9): int)): bool) == $arg_9_1 && (($struct_get(($struct_loc((s$struct$self$init($arg_0_1, $arg_1_1, $arg_2_1, $arg_3_1, $arg_4_1, $arg_5_1, $arg_6_1, $arg_7_1, $arg_8_1, $arg_9_1, $arg_10_1, $arg_11_1, $arg_12_1): $StructDomainType), 10): int)): $MapDomainType int int) == $arg_10_1 && (($struct_get(($struct_loc((s$struct$self$init($arg_0_1, $arg_1_1, $arg_2_1, $arg_3_1, $arg_4_1, $arg_5_1, $arg_6_1, $arg_7_1, $arg_8_1, $arg_9_1, $arg_10_1, $arg_11_1, $arg_12_1): $StructDomainType), 11): int)): $MapDomainType int int) == $arg_11_1 && ($struct_get(($struct_loc((s$struct$self$init($arg_0_1, $arg_1_1, $arg_2_1, $arg_3_1, $arg_4_1, $arg_5_1, $arg_6_1, $arg_7_1, $arg_8_1, $arg_9_1, $arg_10_1, $arg_11_1, $arg_12_1): $StructDomainType), 12): int)): bool) == $arg_12_1)))))))))))) +); + +// Translation of domain axiom s$struct$self$eq$ax +axiom (forall $l_1: $StructDomainType, $r_1: $StructDomainType :: + { (s$struct$self$eq($l_1, $r_1): bool) } + (s$struct$self$eq($l_1, $r_1): bool) == ($l_1 == $r_1) && (s$struct$self$eq($l_1, $r_1): bool) == (($struct_get(($struct_loc($l_1, -1): int)): int) == ($struct_get(($struct_loc($r_1, -1): int)): int) && (($struct_get(($struct_loc($l_1, 0): int)): int) == ($struct_get(($struct_loc($r_1, 0): int)): int) && (($struct_get(($struct_loc($l_1, 1): int)): int) == ($struct_get(($struct_loc($r_1, 1): int)): int) && (($struct_get(($struct_loc($l_1, 2): int)): int) == ($struct_get(($struct_loc($r_1, 2): int)): int) && (($struct_get(($struct_loc($l_1, 3): int)): int) == ($struct_get(($struct_loc($r_1, 3): int)): int) && (($struct_get(($struct_loc($l_1, 4): int)): int) == ($struct_get(($struct_loc($r_1, 4): int)): int) && (($struct_get(($struct_loc($l_1, 5): int)): bool) == ($struct_get(($struct_loc($r_1, 5): int)): bool) && (($map_eq(($struct_get(($struct_loc($l_1, 6): int)): $MapDomainType int int), ($struct_get(($struct_loc($r_1, 6): int)): $MapDomainType int int)): bool) && (($struct_get(($struct_loc($l_1, 7): int)): int) == ($struct_get(($struct_loc($r_1, 7): int)): int) && (($struct_get(($struct_loc($l_1, 8): int)): int) == ($struct_get(($struct_loc($r_1, 8): int)): int) && (($struct_get(($struct_loc($l_1, 9): int)): bool) == ($struct_get(($struct_loc($r_1, 9): int)): bool) && (($map_eq(($struct_get(($struct_loc($l_1, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc($r_1, 10): int)): $MapDomainType int int)): bool) && (($map_eq(($struct_get(($struct_loc($l_1, 11): int)): $MapDomainType int int), ($struct_get(($struct_loc($r_1, 11): int)): $MapDomainType int int)): bool) && ($struct_get(($struct_loc($l_1, 12): int)): bool) == ($struct_get(($struct_loc($r_1, 12): int)): bool)))))))))))))) +); + +// ================================================== +// Translation of domain s$resource$$creator +// ================================================== + +// The type for domain s$resource$$creator +type s$resource$$creatorDomainType; + +// Translation of domain function s$resource$$creator$init +function s$resource$$creator$init($arg_0: $StructDomainType): $StructDomainType; + +// Translation of domain function s$resource$$creator$eq +function s$resource$$creator$eq($l: $StructDomainType, $r: $StructDomainType): bool; + +// Translation of domain axiom s$resource$$creator$init$ax +axiom (forall $arg_0_1: $StructDomainType :: + { (s$resource$$creator$init($arg_0_1): $StructDomainType) } + ($struct_get(($struct_loc((s$resource$$creator$init($arg_0_1): $StructDomainType), -1): int)): int) == 2567760667165796382711201132846784524754120562 && ($struct_get(($struct_loc((s$resource$$creator$init($arg_0_1): $StructDomainType), 0): int)): $StructDomainType) == $arg_0_1 +); + +// Translation of domain axiom s$resource$$creator$eq$ax +axiom (forall $l_1: $StructDomainType, $r_1: $StructDomainType :: + { (s$resource$$creator$eq($l_1, $r_1): bool) } + (s$resource$$creator$eq($l_1, $r_1): bool) == ($l_1 == $r_1) && (s$resource$$creator$eq($l_1, $r_1): bool) == (($struct_get(($struct_loc($l_1, -1): int)): int) == ($struct_get(($struct_loc($r_1, -1): int)): int) && ($struct_get(($struct_loc($l_1, 0): int)): $StructDomainType) == ($struct_get(($struct_loc($r_1, 0): int)): $StructDomainType)) +); + +// ================================================== +// Translation of domain $Implements +// ================================================== + +// The type for domain $Implements +type $ImplementsDomainType; + +// Translation of domain axiom $Implements$ax +axiom true; + +// ================================================== +// Translation of function $range_sum +// ================================================== + +// Uninterpreted function definitions +function $range_sum(Heap: HeapType, $x: int, $y: int): int; +function $range_sum'(Heap: HeapType, $x: int, $y: int): int; +axiom (forall Heap: HeapType, $x: int, $y: int :: + { $range_sum(Heap, $x, $y) } + $range_sum(Heap, $x, $y) == $range_sum'(Heap, $x, $y) && dummyFunction($range_sum#triggerStateless($x, $y)) +); +axiom (forall Heap: HeapType, $x: int, $y: int :: + { $range_sum'(Heap, $x, $y) } + dummyFunction($range_sum#triggerStateless($x, $y)) +); + +// Definitional axiom +axiom (forall Heap: HeapType, Mask: MaskType, $x: int, $y: int :: + { state(Heap, Mask), $range_sum(Heap, $x, $y) } + state(Heap, Mask) && AssumeFunctionsAbove < 0 ==> $x <= $y ==> $range_sum(Heap, $x, $y) == (if $x >= 0 && $y >= 0 then (if $y >= 0 then ($y - 1) * $y div 2 else (-$y - 1) * -$y div 2) - (if $x >= 0 then ($x - 1) * $x div 2 else (-$x - 1) * -$x div 2) else (if !($x >= 0) && $y >= 0 then (if $y >= 0 then ($y - 1) * $y div 2 else (-$y - 1) * -$y div 2) - (if $x >= 0 then ($x - 1) * $x div 2 else (-$x - 1) * -$x div 2) + $x else (if $y >= 0 then ($y - 1) * $y div 2 else (-$y - 1) * -$y div 2) - $y - (if $x >= 0 then ($x - 1) * $x div 2 else (-$x - 1) * -$x div 2) + $x)) +); + +// Framing axioms +function $range_sum#frame(frame: FrameType, $x: int, $y: int): int; +axiom (forall Heap: HeapType, Mask: MaskType, $x: int, $y: int :: + { state(Heap, Mask), $range_sum'(Heap, $x, $y) } + state(Heap, Mask) ==> $range_sum'(Heap, $x, $y) == $range_sum#frame(EmptyFrame, $x, $y) +); + +// Trigger function (controlling recursive postconditions) +function $range_sum#trigger(frame: FrameType, $x: int, $y: int): bool; + +// State-independent trigger function +function $range_sum#triggerStateless($x: int, $y: int): int; + +// Check contract well-formedness and postcondition +procedure $range_sum#definedness($x: int, $y: int) returns (Result: int) + modifies Heap, Mask; +{ + var $x_ge_0_1: bool; + var $y_ge_0_1: bool; + var $x_exclusive_1: int; + var $y_exclusive_1: int; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == 0; + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Inhaling precondition (with checking) + assume $x <= $y; + assume state(Heap, Mask); + + // -- Check definedness of function body + + // -- Check definedness of (let $x_ge_0 == ($x >= 0) in (let $y_ge_0 == ($y >= 0) in (let $x_exclusive == (($x_ge_0 ? ($x - 1) * $x / 2 : (-$x - 1) * -$x / 2)) in (let $y_exclusive == (($y_ge_0 ? ($y - 1) * $y / 2 : (-$y - 1) * -$y / 2)) in ($x_ge_0 && $y_ge_0 ? $y_exclusive - $x_exclusive : (!$x_ge_0 && $y_ge_0 ? $y_exclusive - $x_exclusive + $x : $y_exclusive - $y - $x_exclusive + $x)))))) + $x_ge_0_1 := $x >= 0; + $y_ge_0_1 := $y >= 0; + $x_exclusive_1 := (if $x_ge_0_1 then ($x - 1) * $x div 2 else (-$x - 1) * -$x div 2); + $y_exclusive_1 := (if $y_ge_0_1 then ($y - 1) * $y div 2 else (-$y - 1) * -$y div 2); + + // -- Translate function body + Result := (if $x >= 0 && $y >= 0 then (if $y >= 0 then ($y - 1) * $y div 2 else (-$y - 1) * -$y div 2) - (if $x >= 0 then ($x - 1) * $x div 2 else (-$x - 1) * -$x div 2) else (if !($x >= 0) && $y >= 0 then (if $y >= 0 then ($y - 1) * $y div 2 else (-$y - 1) * -$y div 2) - (if $x >= 0 then ($x - 1) * $x div 2 else (-$x - 1) * -$x div 2) + $x else (if $y >= 0 then ($y - 1) * $y div 2 else (-$y - 1) * -$y div 2) - $y - (if $x >= 0 then ($x - 1) * $x div 2 else (-$x - 1) * -$x div 2) + $x)); +} + +// ================================================== +// Translation of function $pure$success_get +// ================================================== + +// Uninterpreted function definitions +function $pure$success_get(Heap: HeapType, x_1: $StructDomainType): bool; +function $pure$success_get'(Heap: HeapType, x_1: $StructDomainType): bool; +axiom (forall Heap: HeapType, x_1: $StructDomainType :: + { $pure$success_get(Heap, x_1) } + $pure$success_get(Heap, x_1) == $pure$success_get'(Heap, x_1) && dummyFunction($pure$success_get#triggerStateless(x_1)) +); +axiom (forall Heap: HeapType, x_1: $StructDomainType :: + { $pure$success_get'(Heap, x_1) } + dummyFunction($pure$success_get#triggerStateless(x_1)) +); + +// Definitional axiom +axiom (forall Heap: HeapType, Mask: MaskType, x_1: $StructDomainType :: + { state(Heap, Mask), $pure$success_get(Heap, x_1) } + state(Heap, Mask) && AssumeFunctionsAbove < 2 ==> $pure$success_get(Heap, x_1) == ($struct_get(($struct_loc(x_1, 0): int)): bool) +); + +// Framing axioms +function $pure$success_get#frame(frame: FrameType, x_1: $StructDomainType): bool; +axiom (forall Heap: HeapType, Mask: MaskType, x_1: $StructDomainType :: + { state(Heap, Mask), $pure$success_get'(Heap, x_1) } + state(Heap, Mask) ==> $pure$success_get'(Heap, x_1) == $pure$success_get#frame(EmptyFrame, x_1) +); + +// Trigger function (controlling recursive postconditions) +function $pure$success_get#trigger(frame: FrameType, x_1: $StructDomainType): bool; + +// State-independent trigger function +function $pure$success_get#triggerStateless(x_1: $StructDomainType): bool; + +// Check contract well-formedness and postcondition +procedure $pure$success_get#definedness(x_1: $StructDomainType) returns (Result: bool) + modifies Heap, Mask; +{ + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == 2; + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Translate function body + Result := ($struct_get(($struct_loc(x_1, 0): int)): bool); +} + +// ================================================== +// Translation of function $pure$return_get +// ================================================== + +// Uninterpreted function definitions +function $pure$return_get(Heap: HeapType, x_1: $StructDomainType): int; +function $pure$return_get'(Heap: HeapType, x_1: $StructDomainType): int; +axiom (forall Heap: HeapType, x_1: $StructDomainType :: + { $pure$return_get(Heap, x_1) } + $pure$return_get(Heap, x_1) == $pure$return_get'(Heap, x_1) && dummyFunction($pure$return_get#triggerStateless(x_1)) +); +axiom (forall Heap: HeapType, x_1: $StructDomainType :: + { $pure$return_get'(Heap, x_1) } + dummyFunction($pure$return_get#triggerStateless(x_1)) +); + +// Definitional axiom +axiom (forall Heap: HeapType, Mask: MaskType, x_1: $StructDomainType :: + { state(Heap, Mask), $pure$return_get(Heap, x_1) } + state(Heap, Mask) && AssumeFunctionsAbove < 1 ==> $pure$success_get(Heap, x_1) ==> $pure$return_get(Heap, x_1) == ($struct_loc(x_1, 1): int) +); + +// Framing axioms +function $pure$return_get#frame(frame: FrameType, x_1: $StructDomainType): int; +axiom (forall Heap: HeapType, Mask: MaskType, x_1: $StructDomainType :: + { state(Heap, Mask), $pure$return_get'(Heap, x_1) } + state(Heap, Mask) ==> $pure$return_get'(Heap, x_1) == $pure$return_get#frame(EmptyFrame, x_1) +); + +// Trigger function (controlling recursive postconditions) +function $pure$return_get#trigger(frame: FrameType, x_1: $StructDomainType): bool; + +// State-independent trigger function +function $pure$return_get#triggerStateless(x_1: $StructDomainType): int; + +// Check contract well-formedness and postcondition +procedure $pure$return_get#definedness(x_1: $StructDomainType) returns (Result: int) + modifies Heap, Mask; +{ + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == 1; + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Inhaling precondition (with checking) + assume state(Heap, Mask); + + // -- Check definedness of $pure$success_get(x) + if (*) { + // Stop execution + assume false; + } + assume $pure$success_get(Heap, x_1); + assume state(Heap, Mask); + + // -- Translate function body + Result := ($struct_loc(x_1, 1): int); +} + +// ================================================== +// Translation of predicate $failed +// ================================================== + +type PredicateType_$failed; +function $failed($address: int): Field PredicateType_$failed FrameType; +function $failed#sm($address: int): Field PredicateType_$failed PMaskType; +axiom (forall $address: int :: + { PredicateMaskField($failed($address)) } + PredicateMaskField($failed($address)) == $failed#sm($address) +); +axiom (forall $address: int :: + { $failed($address) } + IsPredicateField($failed($address)) +); +axiom (forall $address: int :: + { $failed($address) } + getPredicateId($failed($address)) == 0 +); +function $failed#trigger(Heap: HeapType, pred: (Field A FrameType)): bool; +function $failed#everUsed(pred: (Field A FrameType)): bool; +axiom (forall $address: int, $address2: int :: + { $failed($address), $failed($address2) } + $failed($address) == $failed($address2) ==> $address == $address2 +); +axiom (forall $address: int, $address2: int :: + { $failed#sm($address), $failed#sm($address2) } + $failed#sm($address) == $failed#sm($address2) ==> $address == $address2 +); + +axiom (forall Heap: HeapType, $address: int :: + { $failed#trigger(Heap, $failed($address)) } + $failed#everUsed($failed($address)) +); + +// ================================================== +// Translation of predicate $failed_0 +// ================================================== + +type PredicateType_$failed_0; +function $failed_0($address: int): Field PredicateType_$failed_0 FrameType; +function $failed_0#sm($address: int): Field PredicateType_$failed_0 PMaskType; +axiom (forall $address: int :: + { PredicateMaskField($failed_0($address)) } + PredicateMaskField($failed_0($address)) == $failed_0#sm($address) +); +axiom (forall $address: int :: + { $failed_0($address) } + IsPredicateField($failed_0($address)) +); +axiom (forall $address: int :: + { $failed_0($address) } + getPredicateId($failed_0($address)) == 1 +); +function $failed_0#trigger(Heap: HeapType, pred: (Field A FrameType)): bool; +function $failed_0#everUsed(pred: (Field A FrameType)): bool; +axiom (forall $address: int, $address2: int :: + { $failed_0($address), $failed_0($address2) } + $failed_0($address) == $failed_0($address2) ==> $address == $address2 +); +axiom (forall $address: int, $address2: int :: + { $failed_0#sm($address), $failed_0#sm($address2) } + $failed_0#sm($address) == $failed_0#sm($address2) ==> $address == $address2 +); + +axiom (forall Heap: HeapType, $address: int :: + { $failed_0#trigger(Heap, $failed_0($address)) } + $failed_0#everUsed($failed_0($address)) +); + +// ================================================== +// Translation of predicate $allocation +// ================================================== + +type PredicateType_$allocation; +function $allocation($resource: $StructDomainType, $address: int): Field PredicateType_$allocation FrameType; +function $allocation#sm($resource: $StructDomainType, $address: int): Field PredicateType_$allocation PMaskType; +axiom (forall $resource: $StructDomainType, $address: int :: + { PredicateMaskField($allocation($resource, $address)) } + PredicateMaskField($allocation($resource, $address)) == $allocation#sm($resource, $address) +); +axiom (forall $resource: $StructDomainType, $address: int :: + { $allocation($resource, $address) } + IsPredicateField($allocation($resource, $address)) +); +axiom (forall $resource: $StructDomainType, $address: int :: + { $allocation($resource, $address) } + getPredicateId($allocation($resource, $address)) == 2 +); +function $allocation#trigger(Heap: HeapType, pred: (Field A FrameType)): bool; +function $allocation#everUsed(pred: (Field A FrameType)): bool; +axiom (forall $resource: $StructDomainType, $address: int, $resource2: $StructDomainType, $address2: int :: + { $allocation($resource, $address), $allocation($resource2, $address2) } + $allocation($resource, $address) == $allocation($resource2, $address2) ==> $resource == $resource2 && $address == $address2 +); +axiom (forall $resource: $StructDomainType, $address: int, $resource2: $StructDomainType, $address2: int :: + { $allocation#sm($resource, $address), $allocation#sm($resource2, $address2) } + $allocation#sm($resource, $address) == $allocation#sm($resource2, $address2) ==> $resource == $resource2 && $address == $address2 +); + +axiom (forall Heap: HeapType, $resource: $StructDomainType, $address: int :: + { $allocation#trigger(Heap, $allocation($resource, $address)) } + $allocation#everUsed($allocation($resource, $address)) +); + +// ================================================== +// Translation of predicate $allocation_0 +// ================================================== + +type PredicateType_$allocation_0; +function $allocation_0($resource: $StructDomainType, $address: int): Field PredicateType_$allocation_0 FrameType; +function $allocation_0#sm($resource: $StructDomainType, $address: int): Field PredicateType_$allocation_0 PMaskType; +axiom (forall $resource: $StructDomainType, $address: int :: + { PredicateMaskField($allocation_0($resource, $address)) } + PredicateMaskField($allocation_0($resource, $address)) == $allocation_0#sm($resource, $address) +); +axiom (forall $resource: $StructDomainType, $address: int :: + { $allocation_0($resource, $address) } + IsPredicateField($allocation_0($resource, $address)) +); +axiom (forall $resource: $StructDomainType, $address: int :: + { $allocation_0($resource, $address) } + getPredicateId($allocation_0($resource, $address)) == 3 +); +function $allocation_0#trigger(Heap: HeapType, pred: (Field A FrameType)): bool; +function $allocation_0#everUsed(pred: (Field A FrameType)): bool; +axiom (forall $resource: $StructDomainType, $address: int, $resource2: $StructDomainType, $address2: int :: + { $allocation_0($resource, $address), $allocation_0($resource2, $address2) } + $allocation_0($resource, $address) == $allocation_0($resource2, $address2) ==> $resource == $resource2 && $address == $address2 +); +axiom (forall $resource: $StructDomainType, $address: int, $resource2: $StructDomainType, $address2: int :: + { $allocation_0#sm($resource, $address), $allocation_0#sm($resource2, $address2) } + $allocation_0#sm($resource, $address) == $allocation_0#sm($resource2, $address2) ==> $resource == $resource2 && $address == $address2 +); + +axiom (forall Heap: HeapType, $resource: $StructDomainType, $address: int :: + { $allocation_0#trigger(Heap, $allocation_0($resource, $address)) } + $allocation_0#everUsed($allocation_0($resource, $address)) +); + +// ================================================== +// Translation of predicate $offer +// ================================================== + +type PredicateType_$offer; +function $offer($from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_address: int): Field PredicateType_$offer FrameType; +function $offer#sm($from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_address: int): Field PredicateType_$offer PMaskType; +axiom (forall $from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_address: int :: + { PredicateMaskField($offer($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address)) } + PredicateMaskField($offer($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address)) == $offer#sm($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address) +); +axiom (forall $from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_address: int :: + { $offer($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address) } + IsPredicateField($offer($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address)) +); +axiom (forall $from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_address: int :: + { $offer($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address) } + getPredicateId($offer($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address)) == 4 +); +function $offer#trigger(Heap: HeapType, pred: (Field A FrameType)): bool; +function $offer#everUsed(pred: (Field A FrameType)): bool; +axiom (forall $from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_address: int, $from_resource2: $StructDomainType, $to_resource2: $StructDomainType, $from_amount2: int, $to_amount2: int, $from_address2: int, $to_address2: int :: + { $offer($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address), $offer($from_resource2, $to_resource2, $from_amount2, $to_amount2, $from_address2, $to_address2) } + $offer($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address) == $offer($from_resource2, $to_resource2, $from_amount2, $to_amount2, $from_address2, $to_address2) ==> $from_resource == $from_resource2 && ($to_resource == $to_resource2 && ($from_amount == $from_amount2 && ($to_amount == $to_amount2 && ($from_address == $from_address2 && $to_address == $to_address2)))) +); +axiom (forall $from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_address: int, $from_resource2: $StructDomainType, $to_resource2: $StructDomainType, $from_amount2: int, $to_amount2: int, $from_address2: int, $to_address2: int :: + { $offer#sm($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address), $offer#sm($from_resource2, $to_resource2, $from_amount2, $to_amount2, $from_address2, $to_address2) } + $offer#sm($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address) == $offer#sm($from_resource2, $to_resource2, $from_amount2, $to_amount2, $from_address2, $to_address2) ==> $from_resource == $from_resource2 && ($to_resource == $to_resource2 && ($from_amount == $from_amount2 && ($to_amount == $to_amount2 && ($from_address == $from_address2 && $to_address == $to_address2)))) +); + +axiom (forall Heap: HeapType, $from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_address: int :: + { $offer#trigger(Heap, $offer($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address)) } + $offer#everUsed($offer($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address)) +); + +// ================================================== +// Translation of predicate $offer_0 +// ================================================== + +type PredicateType_$offer_0; +function $offer_0($from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_address: int): Field PredicateType_$offer_0 FrameType; +function $offer_0#sm($from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_address: int): Field PredicateType_$offer_0 PMaskType; +axiom (forall $from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_address: int :: + { PredicateMaskField($offer_0($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address)) } + PredicateMaskField($offer_0($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address)) == $offer_0#sm($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address) +); +axiom (forall $from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_address: int :: + { $offer_0($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address) } + IsPredicateField($offer_0($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address)) +); +axiom (forall $from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_address: int :: + { $offer_0($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address) } + getPredicateId($offer_0($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address)) == 5 +); +function $offer_0#trigger(Heap: HeapType, pred: (Field A FrameType)): bool; +function $offer_0#everUsed(pred: (Field A FrameType)): bool; +axiom (forall $from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_address: int, $from_resource2: $StructDomainType, $to_resource2: $StructDomainType, $from_amount2: int, $to_amount2: int, $from_address2: int, $to_address2: int :: + { $offer_0($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address), $offer_0($from_resource2, $to_resource2, $from_amount2, $to_amount2, $from_address2, $to_address2) } + $offer_0($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address) == $offer_0($from_resource2, $to_resource2, $from_amount2, $to_amount2, $from_address2, $to_address2) ==> $from_resource == $from_resource2 && ($to_resource == $to_resource2 && ($from_amount == $from_amount2 && ($to_amount == $to_amount2 && ($from_address == $from_address2 && $to_address == $to_address2)))) +); +axiom (forall $from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_address: int, $from_resource2: $StructDomainType, $to_resource2: $StructDomainType, $from_amount2: int, $to_amount2: int, $from_address2: int, $to_address2: int :: + { $offer_0#sm($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address), $offer_0#sm($from_resource2, $to_resource2, $from_amount2, $to_amount2, $from_address2, $to_address2) } + $offer_0#sm($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address) == $offer_0#sm($from_resource2, $to_resource2, $from_amount2, $to_amount2, $from_address2, $to_address2) ==> $from_resource == $from_resource2 && ($to_resource == $to_resource2 && ($from_amount == $from_amount2 && ($to_amount == $to_amount2 && ($from_address == $from_address2 && $to_address == $to_address2)))) +); + +axiom (forall Heap: HeapType, $from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_address: int :: + { $offer_0#trigger(Heap, $offer_0($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address)) } + $offer_0#everUsed($offer_0($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address)) +); + +// ================================================== +// Translation of predicate $trust +// ================================================== + +type PredicateType_$trust; +function $trust($address: int, $by_address: int): Field PredicateType_$trust FrameType; +function $trust#sm($address: int, $by_address: int): Field PredicateType_$trust PMaskType; +axiom (forall $address: int, $by_address: int :: + { PredicateMaskField($trust($address, $by_address)) } + PredicateMaskField($trust($address, $by_address)) == $trust#sm($address, $by_address) +); +axiom (forall $address: int, $by_address: int :: + { $trust($address, $by_address) } + IsPredicateField($trust($address, $by_address)) +); +axiom (forall $address: int, $by_address: int :: + { $trust($address, $by_address) } + getPredicateId($trust($address, $by_address)) == 6 +); +function $trust#trigger(Heap: HeapType, pred: (Field A FrameType)): bool; +function $trust#everUsed(pred: (Field A FrameType)): bool; +axiom (forall $address: int, $by_address: int, $address2: int, $by_address2: int :: + { $trust($address, $by_address), $trust($address2, $by_address2) } + $trust($address, $by_address) == $trust($address2, $by_address2) ==> $address == $address2 && $by_address == $by_address2 +); +axiom (forall $address: int, $by_address: int, $address2: int, $by_address2: int :: + { $trust#sm($address, $by_address), $trust#sm($address2, $by_address2) } + $trust#sm($address, $by_address) == $trust#sm($address2, $by_address2) ==> $address == $address2 && $by_address == $by_address2 +); + +axiom (forall Heap: HeapType, $address: int, $by_address: int :: + { $trust#trigger(Heap, $trust($address, $by_address)) } + $trust#everUsed($trust($address, $by_address)) +); + +// ================================================== +// Translation of predicate $trust_0 +// ================================================== + +type PredicateType_$trust_0; +function $trust_0($address: int, $by_address: int): Field PredicateType_$trust_0 FrameType; +function $trust_0#sm($address: int, $by_address: int): Field PredicateType_$trust_0 PMaskType; +axiom (forall $address: int, $by_address: int :: + { PredicateMaskField($trust_0($address, $by_address)) } + PredicateMaskField($trust_0($address, $by_address)) == $trust_0#sm($address, $by_address) +); +axiom (forall $address: int, $by_address: int :: + { $trust_0($address, $by_address) } + IsPredicateField($trust_0($address, $by_address)) +); +axiom (forall $address: int, $by_address: int :: + { $trust_0($address, $by_address) } + getPredicateId($trust_0($address, $by_address)) == 7 +); +function $trust_0#trigger(Heap: HeapType, pred: (Field A FrameType)): bool; +function $trust_0#everUsed(pred: (Field A FrameType)): bool; +axiom (forall $address: int, $by_address: int, $address2: int, $by_address2: int :: + { $trust_0($address, $by_address), $trust_0($address2, $by_address2) } + $trust_0($address, $by_address) == $trust_0($address2, $by_address2) ==> $address == $address2 && $by_address == $by_address2 +); +axiom (forall $address: int, $by_address: int, $address2: int, $by_address2: int :: + { $trust_0#sm($address, $by_address), $trust_0#sm($address2, $by_address2) } + $trust_0#sm($address, $by_address) == $trust_0#sm($address2, $by_address2) ==> $address == $address2 && $by_address == $by_address2 +); + +axiom (forall Heap: HeapType, $address: int, $by_address: int :: + { $trust_0#trigger(Heap, $trust_0($address, $by_address)) } + $trust_0#everUsed($trust_0($address, $by_address)) +); + +// ================================================== +// Translation of predicate $performs$create +// ================================================== + +type PredicateType_$performs$create; +function $performs$create($resource: $StructDomainType, $from_address: int, $to_address: int, $amount: int): Field PredicateType_$performs$create FrameType; +function $performs$create#sm($resource: $StructDomainType, $from_address: int, $to_address: int, $amount: int): Field PredicateType_$performs$create PMaskType; +axiom (forall $resource: $StructDomainType, $from_address: int, $to_address: int, $amount: int :: + { PredicateMaskField($performs$create($resource, $from_address, $to_address, $amount)) } + PredicateMaskField($performs$create($resource, $from_address, $to_address, $amount)) == $performs$create#sm($resource, $from_address, $to_address, $amount) +); +axiom (forall $resource: $StructDomainType, $from_address: int, $to_address: int, $amount: int :: + { $performs$create($resource, $from_address, $to_address, $amount) } + IsPredicateField($performs$create($resource, $from_address, $to_address, $amount)) +); +axiom (forall $resource: $StructDomainType, $from_address: int, $to_address: int, $amount: int :: + { $performs$create($resource, $from_address, $to_address, $amount) } + getPredicateId($performs$create($resource, $from_address, $to_address, $amount)) == 8 +); +function $performs$create#trigger(Heap: HeapType, pred: (Field A FrameType)): bool; +function $performs$create#everUsed(pred: (Field A FrameType)): bool; +axiom (forall $resource: $StructDomainType, $from_address: int, $to_address: int, $amount: int, $resource2: $StructDomainType, $from_address2: int, $to_address2: int, $amount2: int :: + { $performs$create($resource, $from_address, $to_address, $amount), $performs$create($resource2, $from_address2, $to_address2, $amount2) } + $performs$create($resource, $from_address, $to_address, $amount) == $performs$create($resource2, $from_address2, $to_address2, $amount2) ==> $resource == $resource2 && ($from_address == $from_address2 && ($to_address == $to_address2 && $amount == $amount2)) +); +axiom (forall $resource: $StructDomainType, $from_address: int, $to_address: int, $amount: int, $resource2: $StructDomainType, $from_address2: int, $to_address2: int, $amount2: int :: + { $performs$create#sm($resource, $from_address, $to_address, $amount), $performs$create#sm($resource2, $from_address2, $to_address2, $amount2) } + $performs$create#sm($resource, $from_address, $to_address, $amount) == $performs$create#sm($resource2, $from_address2, $to_address2, $amount2) ==> $resource == $resource2 && ($from_address == $from_address2 && ($to_address == $to_address2 && $amount == $amount2)) +); + +axiom (forall Heap: HeapType, $resource: $StructDomainType, $from_address: int, $to_address: int, $amount: int :: + { $performs$create#trigger(Heap, $performs$create($resource, $from_address, $to_address, $amount)) } + $performs$create#everUsed($performs$create($resource, $from_address, $to_address, $amount)) +); + +// ================================================== +// Translation of predicate $performs$create_0 +// ================================================== + +type PredicateType_$performs$create_0; +function $performs$create_0($resource: $StructDomainType, $from_address: int, $to_address: int, $amount: int): Field PredicateType_$performs$create_0 FrameType; +function $performs$create_0#sm($resource: $StructDomainType, $from_address: int, $to_address: int, $amount: int): Field PredicateType_$performs$create_0 PMaskType; +axiom (forall $resource: $StructDomainType, $from_address: int, $to_address: int, $amount: int :: + { PredicateMaskField($performs$create_0($resource, $from_address, $to_address, $amount)) } + PredicateMaskField($performs$create_0($resource, $from_address, $to_address, $amount)) == $performs$create_0#sm($resource, $from_address, $to_address, $amount) +); +axiom (forall $resource: $StructDomainType, $from_address: int, $to_address: int, $amount: int :: + { $performs$create_0($resource, $from_address, $to_address, $amount) } + IsPredicateField($performs$create_0($resource, $from_address, $to_address, $amount)) +); +axiom (forall $resource: $StructDomainType, $from_address: int, $to_address: int, $amount: int :: + { $performs$create_0($resource, $from_address, $to_address, $amount) } + getPredicateId($performs$create_0($resource, $from_address, $to_address, $amount)) == 9 +); +function $performs$create_0#trigger(Heap: HeapType, pred: (Field A FrameType)): bool; +function $performs$create_0#everUsed(pred: (Field A FrameType)): bool; +axiom (forall $resource: $StructDomainType, $from_address: int, $to_address: int, $amount: int, $resource2: $StructDomainType, $from_address2: int, $to_address2: int, $amount2: int :: + { $performs$create_0($resource, $from_address, $to_address, $amount), $performs$create_0($resource2, $from_address2, $to_address2, $amount2) } + $performs$create_0($resource, $from_address, $to_address, $amount) == $performs$create_0($resource2, $from_address2, $to_address2, $amount2) ==> $resource == $resource2 && ($from_address == $from_address2 && ($to_address == $to_address2 && $amount == $amount2)) +); +axiom (forall $resource: $StructDomainType, $from_address: int, $to_address: int, $amount: int, $resource2: $StructDomainType, $from_address2: int, $to_address2: int, $amount2: int :: + { $performs$create_0#sm($resource, $from_address, $to_address, $amount), $performs$create_0#sm($resource2, $from_address2, $to_address2, $amount2) } + $performs$create_0#sm($resource, $from_address, $to_address, $amount) == $performs$create_0#sm($resource2, $from_address2, $to_address2, $amount2) ==> $resource == $resource2 && ($from_address == $from_address2 && ($to_address == $to_address2 && $amount == $amount2)) +); + +axiom (forall Heap: HeapType, $resource: $StructDomainType, $from_address: int, $to_address: int, $amount: int :: + { $performs$create_0#trigger(Heap, $performs$create_0($resource, $from_address, $to_address, $amount)) } + $performs$create_0#everUsed($performs$create_0($resource, $from_address, $to_address, $amount)) +); + +// ================================================== +// Translation of predicate $performs$destroy +// ================================================== + +type PredicateType_$performs$destroy; +function $performs$destroy($resource: $StructDomainType, $from_address: int, $amount: int): Field PredicateType_$performs$destroy FrameType; +function $performs$destroy#sm($resource: $StructDomainType, $from_address: int, $amount: int): Field PredicateType_$performs$destroy PMaskType; +axiom (forall $resource: $StructDomainType, $from_address: int, $amount: int :: + { PredicateMaskField($performs$destroy($resource, $from_address, $amount)) } + PredicateMaskField($performs$destroy($resource, $from_address, $amount)) == $performs$destroy#sm($resource, $from_address, $amount) +); +axiom (forall $resource: $StructDomainType, $from_address: int, $amount: int :: + { $performs$destroy($resource, $from_address, $amount) } + IsPredicateField($performs$destroy($resource, $from_address, $amount)) +); +axiom (forall $resource: $StructDomainType, $from_address: int, $amount: int :: + { $performs$destroy($resource, $from_address, $amount) } + getPredicateId($performs$destroy($resource, $from_address, $amount)) == 10 +); +function $performs$destroy#trigger(Heap: HeapType, pred: (Field A FrameType)): bool; +function $performs$destroy#everUsed(pred: (Field A FrameType)): bool; +axiom (forall $resource: $StructDomainType, $from_address: int, $amount: int, $resource2: $StructDomainType, $from_address2: int, $amount2: int :: + { $performs$destroy($resource, $from_address, $amount), $performs$destroy($resource2, $from_address2, $amount2) } + $performs$destroy($resource, $from_address, $amount) == $performs$destroy($resource2, $from_address2, $amount2) ==> $resource == $resource2 && ($from_address == $from_address2 && $amount == $amount2) +); +axiom (forall $resource: $StructDomainType, $from_address: int, $amount: int, $resource2: $StructDomainType, $from_address2: int, $amount2: int :: + { $performs$destroy#sm($resource, $from_address, $amount), $performs$destroy#sm($resource2, $from_address2, $amount2) } + $performs$destroy#sm($resource, $from_address, $amount) == $performs$destroy#sm($resource2, $from_address2, $amount2) ==> $resource == $resource2 && ($from_address == $from_address2 && $amount == $amount2) +); + +axiom (forall Heap: HeapType, $resource: $StructDomainType, $from_address: int, $amount: int :: + { $performs$destroy#trigger(Heap, $performs$destroy($resource, $from_address, $amount)) } + $performs$destroy#everUsed($performs$destroy($resource, $from_address, $amount)) +); + +// ================================================== +// Translation of predicate $performs$destroy_0 +// ================================================== + +type PredicateType_$performs$destroy_0; +function $performs$destroy_0($resource: $StructDomainType, $from_address: int, $amount: int): Field PredicateType_$performs$destroy_0 FrameType; +function $performs$destroy_0#sm($resource: $StructDomainType, $from_address: int, $amount: int): Field PredicateType_$performs$destroy_0 PMaskType; +axiom (forall $resource: $StructDomainType, $from_address: int, $amount: int :: + { PredicateMaskField($performs$destroy_0($resource, $from_address, $amount)) } + PredicateMaskField($performs$destroy_0($resource, $from_address, $amount)) == $performs$destroy_0#sm($resource, $from_address, $amount) +); +axiom (forall $resource: $StructDomainType, $from_address: int, $amount: int :: + { $performs$destroy_0($resource, $from_address, $amount) } + IsPredicateField($performs$destroy_0($resource, $from_address, $amount)) +); +axiom (forall $resource: $StructDomainType, $from_address: int, $amount: int :: + { $performs$destroy_0($resource, $from_address, $amount) } + getPredicateId($performs$destroy_0($resource, $from_address, $amount)) == 11 +); +function $performs$destroy_0#trigger(Heap: HeapType, pred: (Field A FrameType)): bool; +function $performs$destroy_0#everUsed(pred: (Field A FrameType)): bool; +axiom (forall $resource: $StructDomainType, $from_address: int, $amount: int, $resource2: $StructDomainType, $from_address2: int, $amount2: int :: + { $performs$destroy_0($resource, $from_address, $amount), $performs$destroy_0($resource2, $from_address2, $amount2) } + $performs$destroy_0($resource, $from_address, $amount) == $performs$destroy_0($resource2, $from_address2, $amount2) ==> $resource == $resource2 && ($from_address == $from_address2 && $amount == $amount2) +); +axiom (forall $resource: $StructDomainType, $from_address: int, $amount: int, $resource2: $StructDomainType, $from_address2: int, $amount2: int :: + { $performs$destroy_0#sm($resource, $from_address, $amount), $performs$destroy_0#sm($resource2, $from_address2, $amount2) } + $performs$destroy_0#sm($resource, $from_address, $amount) == $performs$destroy_0#sm($resource2, $from_address2, $amount2) ==> $resource == $resource2 && ($from_address == $from_address2 && $amount == $amount2) +); + +axiom (forall Heap: HeapType, $resource: $StructDomainType, $from_address: int, $amount: int :: + { $performs$destroy_0#trigger(Heap, $performs$destroy_0($resource, $from_address, $amount)) } + $performs$destroy_0#everUsed($performs$destroy_0($resource, $from_address, $amount)) +); + +// ================================================== +// Translation of predicate $performs$reallocate +// ================================================== + +type PredicateType_$performs$reallocate; +function $performs$reallocate($resource: $StructDomainType, $from_address: int, $to_address: int, $amount: int): Field PredicateType_$performs$reallocate FrameType; +function $performs$reallocate#sm($resource: $StructDomainType, $from_address: int, $to_address: int, $amount: int): Field PredicateType_$performs$reallocate PMaskType; +axiom (forall $resource: $StructDomainType, $from_address: int, $to_address: int, $amount: int :: + { PredicateMaskField($performs$reallocate($resource, $from_address, $to_address, $amount)) } + PredicateMaskField($performs$reallocate($resource, $from_address, $to_address, $amount)) == $performs$reallocate#sm($resource, $from_address, $to_address, $amount) +); +axiom (forall $resource: $StructDomainType, $from_address: int, $to_address: int, $amount: int :: + { $performs$reallocate($resource, $from_address, $to_address, $amount) } + IsPredicateField($performs$reallocate($resource, $from_address, $to_address, $amount)) +); +axiom (forall $resource: $StructDomainType, $from_address: int, $to_address: int, $amount: int :: + { $performs$reallocate($resource, $from_address, $to_address, $amount) } + getPredicateId($performs$reallocate($resource, $from_address, $to_address, $amount)) == 12 +); +function $performs$reallocate#trigger(Heap: HeapType, pred: (Field A FrameType)): bool; +function $performs$reallocate#everUsed(pred: (Field A FrameType)): bool; +axiom (forall $resource: $StructDomainType, $from_address: int, $to_address: int, $amount: int, $resource2: $StructDomainType, $from_address2: int, $to_address2: int, $amount2: int :: + { $performs$reallocate($resource, $from_address, $to_address, $amount), $performs$reallocate($resource2, $from_address2, $to_address2, $amount2) } + $performs$reallocate($resource, $from_address, $to_address, $amount) == $performs$reallocate($resource2, $from_address2, $to_address2, $amount2) ==> $resource == $resource2 && ($from_address == $from_address2 && ($to_address == $to_address2 && $amount == $amount2)) +); +axiom (forall $resource: $StructDomainType, $from_address: int, $to_address: int, $amount: int, $resource2: $StructDomainType, $from_address2: int, $to_address2: int, $amount2: int :: + { $performs$reallocate#sm($resource, $from_address, $to_address, $amount), $performs$reallocate#sm($resource2, $from_address2, $to_address2, $amount2) } + $performs$reallocate#sm($resource, $from_address, $to_address, $amount) == $performs$reallocate#sm($resource2, $from_address2, $to_address2, $amount2) ==> $resource == $resource2 && ($from_address == $from_address2 && ($to_address == $to_address2 && $amount == $amount2)) +); + +axiom (forall Heap: HeapType, $resource: $StructDomainType, $from_address: int, $to_address: int, $amount: int :: + { $performs$reallocate#trigger(Heap, $performs$reallocate($resource, $from_address, $to_address, $amount)) } + $performs$reallocate#everUsed($performs$reallocate($resource, $from_address, $to_address, $amount)) +); + +// ================================================== +// Translation of predicate $performs$reallocate_0 +// ================================================== + +type PredicateType_$performs$reallocate_0; +function $performs$reallocate_0($resource: $StructDomainType, $from_address: int, $to_address: int, $amount: int): Field PredicateType_$performs$reallocate_0 FrameType; +function $performs$reallocate_0#sm($resource: $StructDomainType, $from_address: int, $to_address: int, $amount: int): Field PredicateType_$performs$reallocate_0 PMaskType; +axiom (forall $resource: $StructDomainType, $from_address: int, $to_address: int, $amount: int :: + { PredicateMaskField($performs$reallocate_0($resource, $from_address, $to_address, $amount)) } + PredicateMaskField($performs$reallocate_0($resource, $from_address, $to_address, $amount)) == $performs$reallocate_0#sm($resource, $from_address, $to_address, $amount) +); +axiom (forall $resource: $StructDomainType, $from_address: int, $to_address: int, $amount: int :: + { $performs$reallocate_0($resource, $from_address, $to_address, $amount) } + IsPredicateField($performs$reallocate_0($resource, $from_address, $to_address, $amount)) +); +axiom (forall $resource: $StructDomainType, $from_address: int, $to_address: int, $amount: int :: + { $performs$reallocate_0($resource, $from_address, $to_address, $amount) } + getPredicateId($performs$reallocate_0($resource, $from_address, $to_address, $amount)) == 13 +); +function $performs$reallocate_0#trigger(Heap: HeapType, pred: (Field A FrameType)): bool; +function $performs$reallocate_0#everUsed(pred: (Field A FrameType)): bool; +axiom (forall $resource: $StructDomainType, $from_address: int, $to_address: int, $amount: int, $resource2: $StructDomainType, $from_address2: int, $to_address2: int, $amount2: int :: + { $performs$reallocate_0($resource, $from_address, $to_address, $amount), $performs$reallocate_0($resource2, $from_address2, $to_address2, $amount2) } + $performs$reallocate_0($resource, $from_address, $to_address, $amount) == $performs$reallocate_0($resource2, $from_address2, $to_address2, $amount2) ==> $resource == $resource2 && ($from_address == $from_address2 && ($to_address == $to_address2 && $amount == $amount2)) +); +axiom (forall $resource: $StructDomainType, $from_address: int, $to_address: int, $amount: int, $resource2: $StructDomainType, $from_address2: int, $to_address2: int, $amount2: int :: + { $performs$reallocate_0#sm($resource, $from_address, $to_address, $amount), $performs$reallocate_0#sm($resource2, $from_address2, $to_address2, $amount2) } + $performs$reallocate_0#sm($resource, $from_address, $to_address, $amount) == $performs$reallocate_0#sm($resource2, $from_address2, $to_address2, $amount2) ==> $resource == $resource2 && ($from_address == $from_address2 && ($to_address == $to_address2 && $amount == $amount2)) +); + +axiom (forall Heap: HeapType, $resource: $StructDomainType, $from_address: int, $to_address: int, $amount: int :: + { $performs$reallocate_0#trigger(Heap, $performs$reallocate_0($resource, $from_address, $to_address, $amount)) } + $performs$reallocate_0#everUsed($performs$reallocate_0($resource, $from_address, $to_address, $amount)) +); + +// ================================================== +// Translation of predicate $performs$offer +// ================================================== + +type PredicateType_$performs$offer; +function $performs$offer($from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_address: int, $times: int): Field PredicateType_$performs$offer FrameType; +function $performs$offer#sm($from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_address: int, $times: int): Field PredicateType_$performs$offer PMaskType; +axiom (forall $from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_address: int, $times: int :: + { PredicateMaskField($performs$offer($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address, $times)) } + PredicateMaskField($performs$offer($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address, $times)) == $performs$offer#sm($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address, $times) +); +axiom (forall $from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_address: int, $times: int :: + { $performs$offer($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address, $times) } + IsPredicateField($performs$offer($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address, $times)) +); +axiom (forall $from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_address: int, $times: int :: + { $performs$offer($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address, $times) } + getPredicateId($performs$offer($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address, $times)) == 14 +); +function $performs$offer#trigger(Heap: HeapType, pred: (Field A FrameType)): bool; +function $performs$offer#everUsed(pred: (Field A FrameType)): bool; +axiom (forall $from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_address: int, $times: int, $from_resource2: $StructDomainType, $to_resource2: $StructDomainType, $from_amount2: int, $to_amount2: int, $from_address2: int, $to_address2: int, $times2: int :: + { $performs$offer($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address, $times), $performs$offer($from_resource2, $to_resource2, $from_amount2, $to_amount2, $from_address2, $to_address2, $times2) } + $performs$offer($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address, $times) == $performs$offer($from_resource2, $to_resource2, $from_amount2, $to_amount2, $from_address2, $to_address2, $times2) ==> $from_resource == $from_resource2 && ($to_resource == $to_resource2 && ($from_amount == $from_amount2 && ($to_amount == $to_amount2 && ($from_address == $from_address2 && ($to_address == $to_address2 && $times == $times2))))) +); +axiom (forall $from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_address: int, $times: int, $from_resource2: $StructDomainType, $to_resource2: $StructDomainType, $from_amount2: int, $to_amount2: int, $from_address2: int, $to_address2: int, $times2: int :: + { $performs$offer#sm($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address, $times), $performs$offer#sm($from_resource2, $to_resource2, $from_amount2, $to_amount2, $from_address2, $to_address2, $times2) } + $performs$offer#sm($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address, $times) == $performs$offer#sm($from_resource2, $to_resource2, $from_amount2, $to_amount2, $from_address2, $to_address2, $times2) ==> $from_resource == $from_resource2 && ($to_resource == $to_resource2 && ($from_amount == $from_amount2 && ($to_amount == $to_amount2 && ($from_address == $from_address2 && ($to_address == $to_address2 && $times == $times2))))) +); + +axiom (forall Heap: HeapType, $from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_address: int, $times: int :: + { $performs$offer#trigger(Heap, $performs$offer($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address, $times)) } + $performs$offer#everUsed($performs$offer($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address, $times)) +); + +// ================================================== +// Translation of predicate $performs$offer_0 +// ================================================== + +type PredicateType_$performs$offer_0; +function $performs$offer_0($from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_address: int, $times: int): Field PredicateType_$performs$offer_0 FrameType; +function $performs$offer_0#sm($from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_address: int, $times: int): Field PredicateType_$performs$offer_0 PMaskType; +axiom (forall $from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_address: int, $times: int :: + { PredicateMaskField($performs$offer_0($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address, $times)) } + PredicateMaskField($performs$offer_0($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address, $times)) == $performs$offer_0#sm($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address, $times) +); +axiom (forall $from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_address: int, $times: int :: + { $performs$offer_0($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address, $times) } + IsPredicateField($performs$offer_0($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address, $times)) +); +axiom (forall $from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_address: int, $times: int :: + { $performs$offer_0($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address, $times) } + getPredicateId($performs$offer_0($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address, $times)) == 15 +); +function $performs$offer_0#trigger(Heap: HeapType, pred: (Field A FrameType)): bool; +function $performs$offer_0#everUsed(pred: (Field A FrameType)): bool; +axiom (forall $from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_address: int, $times: int, $from_resource2: $StructDomainType, $to_resource2: $StructDomainType, $from_amount2: int, $to_amount2: int, $from_address2: int, $to_address2: int, $times2: int :: + { $performs$offer_0($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address, $times), $performs$offer_0($from_resource2, $to_resource2, $from_amount2, $to_amount2, $from_address2, $to_address2, $times2) } + $performs$offer_0($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address, $times) == $performs$offer_0($from_resource2, $to_resource2, $from_amount2, $to_amount2, $from_address2, $to_address2, $times2) ==> $from_resource == $from_resource2 && ($to_resource == $to_resource2 && ($from_amount == $from_amount2 && ($to_amount == $to_amount2 && ($from_address == $from_address2 && ($to_address == $to_address2 && $times == $times2))))) +); +axiom (forall $from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_address: int, $times: int, $from_resource2: $StructDomainType, $to_resource2: $StructDomainType, $from_amount2: int, $to_amount2: int, $from_address2: int, $to_address2: int, $times2: int :: + { $performs$offer_0#sm($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address, $times), $performs$offer_0#sm($from_resource2, $to_resource2, $from_amount2, $to_amount2, $from_address2, $to_address2, $times2) } + $performs$offer_0#sm($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address, $times) == $performs$offer_0#sm($from_resource2, $to_resource2, $from_amount2, $to_amount2, $from_address2, $to_address2, $times2) ==> $from_resource == $from_resource2 && ($to_resource == $to_resource2 && ($from_amount == $from_amount2 && ($to_amount == $to_amount2 && ($from_address == $from_address2 && ($to_address == $to_address2 && $times == $times2))))) +); + +axiom (forall Heap: HeapType, $from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_address: int, $times: int :: + { $performs$offer_0#trigger(Heap, $performs$offer_0($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address, $times)) } + $performs$offer_0#everUsed($performs$offer_0($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_address, $times)) +); + +// ================================================== +// Translation of predicate $performs$revoke +// ================================================== + +type PredicateType_$performs$revoke; +function $performs$revoke($from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_adress: int): Field PredicateType_$performs$revoke FrameType; +function $performs$revoke#sm($from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_adress: int): Field PredicateType_$performs$revoke PMaskType; +axiom (forall $from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_adress: int :: + { PredicateMaskField($performs$revoke($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_adress)) } + PredicateMaskField($performs$revoke($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_adress)) == $performs$revoke#sm($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_adress) +); +axiom (forall $from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_adress: int :: + { $performs$revoke($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_adress) } + IsPredicateField($performs$revoke($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_adress)) +); +axiom (forall $from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_adress: int :: + { $performs$revoke($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_adress) } + getPredicateId($performs$revoke($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_adress)) == 16 +); +function $performs$revoke#trigger(Heap: HeapType, pred: (Field A FrameType)): bool; +function $performs$revoke#everUsed(pred: (Field A FrameType)): bool; +axiom (forall $from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_adress: int, $from_resource2: $StructDomainType, $to_resource2: $StructDomainType, $from_amount2: int, $to_amount2: int, $from_address2: int, $to_adress2: int :: + { $performs$revoke($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_adress), $performs$revoke($from_resource2, $to_resource2, $from_amount2, $to_amount2, $from_address2, $to_adress2) } + $performs$revoke($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_adress) == $performs$revoke($from_resource2, $to_resource2, $from_amount2, $to_amount2, $from_address2, $to_adress2) ==> $from_resource == $from_resource2 && ($to_resource == $to_resource2 && ($from_amount == $from_amount2 && ($to_amount == $to_amount2 && ($from_address == $from_address2 && $to_adress == $to_adress2)))) +); +axiom (forall $from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_adress: int, $from_resource2: $StructDomainType, $to_resource2: $StructDomainType, $from_amount2: int, $to_amount2: int, $from_address2: int, $to_adress2: int :: + { $performs$revoke#sm($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_adress), $performs$revoke#sm($from_resource2, $to_resource2, $from_amount2, $to_amount2, $from_address2, $to_adress2) } + $performs$revoke#sm($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_adress) == $performs$revoke#sm($from_resource2, $to_resource2, $from_amount2, $to_amount2, $from_address2, $to_adress2) ==> $from_resource == $from_resource2 && ($to_resource == $to_resource2 && ($from_amount == $from_amount2 && ($to_amount == $to_amount2 && ($from_address == $from_address2 && $to_adress == $to_adress2)))) +); + +axiom (forall Heap: HeapType, $from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_adress: int :: + { $performs$revoke#trigger(Heap, $performs$revoke($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_adress)) } + $performs$revoke#everUsed($performs$revoke($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_adress)) +); + +// ================================================== +// Translation of predicate $performs$revoke_0 +// ================================================== + +type PredicateType_$performs$revoke_0; +function $performs$revoke_0($from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_adress: int): Field PredicateType_$performs$revoke_0 FrameType; +function $performs$revoke_0#sm($from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_adress: int): Field PredicateType_$performs$revoke_0 PMaskType; +axiom (forall $from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_adress: int :: + { PredicateMaskField($performs$revoke_0($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_adress)) } + PredicateMaskField($performs$revoke_0($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_adress)) == $performs$revoke_0#sm($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_adress) +); +axiom (forall $from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_adress: int :: + { $performs$revoke_0($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_adress) } + IsPredicateField($performs$revoke_0($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_adress)) +); +axiom (forall $from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_adress: int :: + { $performs$revoke_0($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_adress) } + getPredicateId($performs$revoke_0($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_adress)) == 17 +); +function $performs$revoke_0#trigger(Heap: HeapType, pred: (Field A FrameType)): bool; +function $performs$revoke_0#everUsed(pred: (Field A FrameType)): bool; +axiom (forall $from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_adress: int, $from_resource2: $StructDomainType, $to_resource2: $StructDomainType, $from_amount2: int, $to_amount2: int, $from_address2: int, $to_adress2: int :: + { $performs$revoke_0($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_adress), $performs$revoke_0($from_resource2, $to_resource2, $from_amount2, $to_amount2, $from_address2, $to_adress2) } + $performs$revoke_0($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_adress) == $performs$revoke_0($from_resource2, $to_resource2, $from_amount2, $to_amount2, $from_address2, $to_adress2) ==> $from_resource == $from_resource2 && ($to_resource == $to_resource2 && ($from_amount == $from_amount2 && ($to_amount == $to_amount2 && ($from_address == $from_address2 && $to_adress == $to_adress2)))) +); +axiom (forall $from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_adress: int, $from_resource2: $StructDomainType, $to_resource2: $StructDomainType, $from_amount2: int, $to_amount2: int, $from_address2: int, $to_adress2: int :: + { $performs$revoke_0#sm($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_adress), $performs$revoke_0#sm($from_resource2, $to_resource2, $from_amount2, $to_amount2, $from_address2, $to_adress2) } + $performs$revoke_0#sm($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_adress) == $performs$revoke_0#sm($from_resource2, $to_resource2, $from_amount2, $to_amount2, $from_address2, $to_adress2) ==> $from_resource == $from_resource2 && ($to_resource == $to_resource2 && ($from_amount == $from_amount2 && ($to_amount == $to_amount2 && ($from_address == $from_address2 && $to_adress == $to_adress2)))) +); + +axiom (forall Heap: HeapType, $from_resource: $StructDomainType, $to_resource: $StructDomainType, $from_amount: int, $to_amount: int, $from_address: int, $to_adress: int :: + { $performs$revoke_0#trigger(Heap, $performs$revoke_0($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_adress)) } + $performs$revoke_0#everUsed($performs$revoke_0($from_resource, $to_resource, $from_amount, $to_amount, $from_address, $to_adress)) +); + +// ================================================== +// Translation of predicate $performs$trust +// ================================================== + +type PredicateType_$performs$trust; +function $performs$trust($address: int, $by_address: int, $value: bool): Field PredicateType_$performs$trust FrameType; +function $performs$trust#sm($address: int, $by_address: int, $value: bool): Field PredicateType_$performs$trust PMaskType; +axiom (forall $address: int, $by_address: int, $value: bool :: + { PredicateMaskField($performs$trust($address, $by_address, $value)) } + PredicateMaskField($performs$trust($address, $by_address, $value)) == $performs$trust#sm($address, $by_address, $value) +); +axiom (forall $address: int, $by_address: int, $value: bool :: + { $performs$trust($address, $by_address, $value) } + IsPredicateField($performs$trust($address, $by_address, $value)) +); +axiom (forall $address: int, $by_address: int, $value: bool :: + { $performs$trust($address, $by_address, $value) } + getPredicateId($performs$trust($address, $by_address, $value)) == 18 +); +function $performs$trust#trigger(Heap: HeapType, pred: (Field A FrameType)): bool; +function $performs$trust#everUsed(pred: (Field A FrameType)): bool; +axiom (forall $address: int, $by_address: int, $value: bool, $address2: int, $by_address2: int, $value2: bool :: + { $performs$trust($address, $by_address, $value), $performs$trust($address2, $by_address2, $value2) } + $performs$trust($address, $by_address, $value) == $performs$trust($address2, $by_address2, $value2) ==> $address == $address2 && ($by_address == $by_address2 && $value == $value2) +); +axiom (forall $address: int, $by_address: int, $value: bool, $address2: int, $by_address2: int, $value2: bool :: + { $performs$trust#sm($address, $by_address, $value), $performs$trust#sm($address2, $by_address2, $value2) } + $performs$trust#sm($address, $by_address, $value) == $performs$trust#sm($address2, $by_address2, $value2) ==> $address == $address2 && ($by_address == $by_address2 && $value == $value2) +); + +axiom (forall Heap: HeapType, $address: int, $by_address: int, $value: bool :: + { $performs$trust#trigger(Heap, $performs$trust($address, $by_address, $value)) } + $performs$trust#everUsed($performs$trust($address, $by_address, $value)) +); + +// ================================================== +// Translation of predicate $performs$trust_0 +// ================================================== + +type PredicateType_$performs$trust_0; +function $performs$trust_0($address: int, $by_address: int, $value: bool): Field PredicateType_$performs$trust_0 FrameType; +function $performs$trust_0#sm($address: int, $by_address: int, $value: bool): Field PredicateType_$performs$trust_0 PMaskType; +axiom (forall $address: int, $by_address: int, $value: bool :: + { PredicateMaskField($performs$trust_0($address, $by_address, $value)) } + PredicateMaskField($performs$trust_0($address, $by_address, $value)) == $performs$trust_0#sm($address, $by_address, $value) +); +axiom (forall $address: int, $by_address: int, $value: bool :: + { $performs$trust_0($address, $by_address, $value) } + IsPredicateField($performs$trust_0($address, $by_address, $value)) +); +axiom (forall $address: int, $by_address: int, $value: bool :: + { $performs$trust_0($address, $by_address, $value) } + getPredicateId($performs$trust_0($address, $by_address, $value)) == 19 +); +function $performs$trust_0#trigger(Heap: HeapType, pred: (Field A FrameType)): bool; +function $performs$trust_0#everUsed(pred: (Field A FrameType)): bool; +axiom (forall $address: int, $by_address: int, $value: bool, $address2: int, $by_address2: int, $value2: bool :: + { $performs$trust_0($address, $by_address, $value), $performs$trust_0($address2, $by_address2, $value2) } + $performs$trust_0($address, $by_address, $value) == $performs$trust_0($address2, $by_address2, $value2) ==> $address == $address2 && ($by_address == $by_address2 && $value == $value2) +); +axiom (forall $address: int, $by_address: int, $value: bool, $address2: int, $by_address2: int, $value2: bool :: + { $performs$trust_0#sm($address, $by_address, $value), $performs$trust_0#sm($address2, $by_address2, $value2) } + $performs$trust_0#sm($address, $by_address, $value) == $performs$trust_0#sm($address2, $by_address2, $value2) ==> $address == $address2 && ($by_address == $by_address2 && $value == $value2) +); + +axiom (forall Heap: HeapType, $address: int, $by_address: int, $value: bool :: + { $performs$trust_0#trigger(Heap, $performs$trust_0($address, $by_address, $value)) } + $performs$trust_0#everUsed($performs$trust_0($address, $by_address, $value)) +); + +// ================================================== +// Translation of predicate $accessible$__init__ +// ================================================== + +type PredicateType_$accessible$__init__; +function $accessible$__init__($tag: int, $to: int, $amount: int, $arg0: int, $arg1: int): Field PredicateType_$accessible$__init__ FrameType; +function $accessible$__init__#sm($tag: int, $to: int, $amount: int, $arg0: int, $arg1: int): Field PredicateType_$accessible$__init__ PMaskType; +axiom (forall $tag: int, $to: int, $amount: int, $arg0: int, $arg1: int :: + { PredicateMaskField($accessible$__init__($tag, $to, $amount, $arg0, $arg1)) } + PredicateMaskField($accessible$__init__($tag, $to, $amount, $arg0, $arg1)) == $accessible$__init__#sm($tag, $to, $amount, $arg0, $arg1) +); +axiom (forall $tag: int, $to: int, $amount: int, $arg0: int, $arg1: int :: + { $accessible$__init__($tag, $to, $amount, $arg0, $arg1) } + IsPredicateField($accessible$__init__($tag, $to, $amount, $arg0, $arg1)) +); +axiom (forall $tag: int, $to: int, $amount: int, $arg0: int, $arg1: int :: + { $accessible$__init__($tag, $to, $amount, $arg0, $arg1) } + getPredicateId($accessible$__init__($tag, $to, $amount, $arg0, $arg1)) == 20 +); +function $accessible$__init__#trigger(Heap: HeapType, pred: (Field A FrameType)): bool; +function $accessible$__init__#everUsed(pred: (Field A FrameType)): bool; +axiom (forall $tag: int, $to: int, $amount: int, $arg0: int, $arg1: int, $tag2: int, $to2: int, $amount2: int, $arg02: int, $arg12: int :: + { $accessible$__init__($tag, $to, $amount, $arg0, $arg1), $accessible$__init__($tag2, $to2, $amount2, $arg02, $arg12) } + $accessible$__init__($tag, $to, $amount, $arg0, $arg1) == $accessible$__init__($tag2, $to2, $amount2, $arg02, $arg12) ==> $tag == $tag2 && ($to == $to2 && ($amount == $amount2 && ($arg0 == $arg02 && $arg1 == $arg12))) +); +axiom (forall $tag: int, $to: int, $amount: int, $arg0: int, $arg1: int, $tag2: int, $to2: int, $amount2: int, $arg02: int, $arg12: int :: + { $accessible$__init__#sm($tag, $to, $amount, $arg0, $arg1), $accessible$__init__#sm($tag2, $to2, $amount2, $arg02, $arg12) } + $accessible$__init__#sm($tag, $to, $amount, $arg0, $arg1) == $accessible$__init__#sm($tag2, $to2, $amount2, $arg02, $arg12) ==> $tag == $tag2 && ($to == $to2 && ($amount == $amount2 && ($arg0 == $arg02 && $arg1 == $arg12))) +); + +axiom (forall Heap: HeapType, $tag: int, $to: int, $amount: int, $arg0: int, $arg1: int :: + { $accessible$__init__#trigger(Heap, $accessible$__init__($tag, $to, $amount, $arg0, $arg1)) } + $accessible$__init__#everUsed($accessible$__init__($tag, $to, $amount, $arg0, $arg1)) +); + +// ================================================== +// Translation of predicate $accessible$__init___0 +// ================================================== + +type PredicateType_$accessible$__init___0; +function $accessible$__init___0($tag: int, $to: int, $amount: int, $arg0: int, $arg1: int): Field PredicateType_$accessible$__init___0 FrameType; +function $accessible$__init___0#sm($tag: int, $to: int, $amount: int, $arg0: int, $arg1: int): Field PredicateType_$accessible$__init___0 PMaskType; +axiom (forall $tag: int, $to: int, $amount: int, $arg0: int, $arg1: int :: + { PredicateMaskField($accessible$__init___0($tag, $to, $amount, $arg0, $arg1)) } + PredicateMaskField($accessible$__init___0($tag, $to, $amount, $arg0, $arg1)) == $accessible$__init___0#sm($tag, $to, $amount, $arg0, $arg1) +); +axiom (forall $tag: int, $to: int, $amount: int, $arg0: int, $arg1: int :: + { $accessible$__init___0($tag, $to, $amount, $arg0, $arg1) } + IsPredicateField($accessible$__init___0($tag, $to, $amount, $arg0, $arg1)) +); +axiom (forall $tag: int, $to: int, $amount: int, $arg0: int, $arg1: int :: + { $accessible$__init___0($tag, $to, $amount, $arg0, $arg1) } + getPredicateId($accessible$__init___0($tag, $to, $amount, $arg0, $arg1)) == 21 +); +function $accessible$__init___0#trigger(Heap: HeapType, pred: (Field A FrameType)): bool; +function $accessible$__init___0#everUsed(pred: (Field A FrameType)): bool; +axiom (forall $tag: int, $to: int, $amount: int, $arg0: int, $arg1: int, $tag2: int, $to2: int, $amount2: int, $arg02: int, $arg12: int :: + { $accessible$__init___0($tag, $to, $amount, $arg0, $arg1), $accessible$__init___0($tag2, $to2, $amount2, $arg02, $arg12) } + $accessible$__init___0($tag, $to, $amount, $arg0, $arg1) == $accessible$__init___0($tag2, $to2, $amount2, $arg02, $arg12) ==> $tag == $tag2 && ($to == $to2 && ($amount == $amount2 && ($arg0 == $arg02 && $arg1 == $arg12))) +); +axiom (forall $tag: int, $to: int, $amount: int, $arg0: int, $arg1: int, $tag2: int, $to2: int, $amount2: int, $arg02: int, $arg12: int :: + { $accessible$__init___0#sm($tag, $to, $amount, $arg0, $arg1), $accessible$__init___0#sm($tag2, $to2, $amount2, $arg02, $arg12) } + $accessible$__init___0#sm($tag, $to, $amount, $arg0, $arg1) == $accessible$__init___0#sm($tag2, $to2, $amount2, $arg02, $arg12) ==> $tag == $tag2 && ($to == $to2 && ($amount == $amount2 && ($arg0 == $arg02 && $arg1 == $arg12))) +); + +axiom (forall Heap: HeapType, $tag: int, $to: int, $amount: int, $arg0: int, $arg1: int :: + { $accessible$__init___0#trigger(Heap, $accessible$__init___0($tag, $to, $amount, $arg0, $arg1)) } + $accessible$__init___0#everUsed($accessible$__init___0($tag, $to, $amount, $arg0, $arg1)) +); + +// ================================================== +// Translation of predicate $accessible$bid +// ================================================== + +type PredicateType_$accessible$bid; +function $accessible$bid($tag: int, $to: int, $amount: int): Field PredicateType_$accessible$bid FrameType; +function $accessible$bid#sm($tag: int, $to: int, $amount: int): Field PredicateType_$accessible$bid PMaskType; +axiom (forall $tag: int, $to: int, $amount: int :: + { PredicateMaskField($accessible$bid($tag, $to, $amount)) } + PredicateMaskField($accessible$bid($tag, $to, $amount)) == $accessible$bid#sm($tag, $to, $amount) +); +axiom (forall $tag: int, $to: int, $amount: int :: + { $accessible$bid($tag, $to, $amount) } + IsPredicateField($accessible$bid($tag, $to, $amount)) +); +axiom (forall $tag: int, $to: int, $amount: int :: + { $accessible$bid($tag, $to, $amount) } + getPredicateId($accessible$bid($tag, $to, $amount)) == 22 +); +function $accessible$bid#trigger(Heap: HeapType, pred: (Field A FrameType)): bool; +function $accessible$bid#everUsed(pred: (Field A FrameType)): bool; +axiom (forall $tag: int, $to: int, $amount: int, $tag2: int, $to2: int, $amount2: int :: + { $accessible$bid($tag, $to, $amount), $accessible$bid($tag2, $to2, $amount2) } + $accessible$bid($tag, $to, $amount) == $accessible$bid($tag2, $to2, $amount2) ==> $tag == $tag2 && ($to == $to2 && $amount == $amount2) +); +axiom (forall $tag: int, $to: int, $amount: int, $tag2: int, $to2: int, $amount2: int :: + { $accessible$bid#sm($tag, $to, $amount), $accessible$bid#sm($tag2, $to2, $amount2) } + $accessible$bid#sm($tag, $to, $amount) == $accessible$bid#sm($tag2, $to2, $amount2) ==> $tag == $tag2 && ($to == $to2 && $amount == $amount2) +); + +axiom (forall Heap: HeapType, $tag: int, $to: int, $amount: int :: + { $accessible$bid#trigger(Heap, $accessible$bid($tag, $to, $amount)) } + $accessible$bid#everUsed($accessible$bid($tag, $to, $amount)) +); + +// ================================================== +// Translation of predicate $accessible$bid_0 +// ================================================== + +type PredicateType_$accessible$bid_0; +function $accessible$bid_0($tag: int, $to: int, $amount: int): Field PredicateType_$accessible$bid_0 FrameType; +function $accessible$bid_0#sm($tag: int, $to: int, $amount: int): Field PredicateType_$accessible$bid_0 PMaskType; +axiom (forall $tag: int, $to: int, $amount: int :: + { PredicateMaskField($accessible$bid_0($tag, $to, $amount)) } + PredicateMaskField($accessible$bid_0($tag, $to, $amount)) == $accessible$bid_0#sm($tag, $to, $amount) +); +axiom (forall $tag: int, $to: int, $amount: int :: + { $accessible$bid_0($tag, $to, $amount) } + IsPredicateField($accessible$bid_0($tag, $to, $amount)) +); +axiom (forall $tag: int, $to: int, $amount: int :: + { $accessible$bid_0($tag, $to, $amount) } + getPredicateId($accessible$bid_0($tag, $to, $amount)) == 23 +); +function $accessible$bid_0#trigger(Heap: HeapType, pred: (Field A FrameType)): bool; +function $accessible$bid_0#everUsed(pred: (Field A FrameType)): bool; +axiom (forall $tag: int, $to: int, $amount: int, $tag2: int, $to2: int, $amount2: int :: + { $accessible$bid_0($tag, $to, $amount), $accessible$bid_0($tag2, $to2, $amount2) } + $accessible$bid_0($tag, $to, $amount) == $accessible$bid_0($tag2, $to2, $amount2) ==> $tag == $tag2 && ($to == $to2 && $amount == $amount2) +); +axiom (forall $tag: int, $to: int, $amount: int, $tag2: int, $to2: int, $amount2: int :: + { $accessible$bid_0#sm($tag, $to, $amount), $accessible$bid_0#sm($tag2, $to2, $amount2) } + $accessible$bid_0#sm($tag, $to, $amount) == $accessible$bid_0#sm($tag2, $to2, $amount2) ==> $tag == $tag2 && ($to == $to2 && $amount == $amount2) +); + +axiom (forall Heap: HeapType, $tag: int, $to: int, $amount: int :: + { $accessible$bid_0#trigger(Heap, $accessible$bid_0($tag, $to, $amount)) } + $accessible$bid_0#everUsed($accessible$bid_0($tag, $to, $amount)) +); + +// ================================================== +// Translation of predicate $accessible$withdraw +// ================================================== + +type PredicateType_$accessible$withdraw; +function $accessible$withdraw($tag: int, $to: int, $amount: int): Field PredicateType_$accessible$withdraw FrameType; +function $accessible$withdraw#sm($tag: int, $to: int, $amount: int): Field PredicateType_$accessible$withdraw PMaskType; +axiom (forall $tag: int, $to: int, $amount: int :: + { PredicateMaskField($accessible$withdraw($tag, $to, $amount)) } + PredicateMaskField($accessible$withdraw($tag, $to, $amount)) == $accessible$withdraw#sm($tag, $to, $amount) +); +axiom (forall $tag: int, $to: int, $amount: int :: + { $accessible$withdraw($tag, $to, $amount) } + IsPredicateField($accessible$withdraw($tag, $to, $amount)) +); +axiom (forall $tag: int, $to: int, $amount: int :: + { $accessible$withdraw($tag, $to, $amount) } + getPredicateId($accessible$withdraw($tag, $to, $amount)) == 24 +); +function $accessible$withdraw#trigger(Heap: HeapType, pred: (Field A FrameType)): bool; +function $accessible$withdraw#everUsed(pred: (Field A FrameType)): bool; +axiom (forall $tag: int, $to: int, $amount: int, $tag2: int, $to2: int, $amount2: int :: + { $accessible$withdraw($tag, $to, $amount), $accessible$withdraw($tag2, $to2, $amount2) } + $accessible$withdraw($tag, $to, $amount) == $accessible$withdraw($tag2, $to2, $amount2) ==> $tag == $tag2 && ($to == $to2 && $amount == $amount2) +); +axiom (forall $tag: int, $to: int, $amount: int, $tag2: int, $to2: int, $amount2: int :: + { $accessible$withdraw#sm($tag, $to, $amount), $accessible$withdraw#sm($tag2, $to2, $amount2) } + $accessible$withdraw#sm($tag, $to, $amount) == $accessible$withdraw#sm($tag2, $to2, $amount2) ==> $tag == $tag2 && ($to == $to2 && $amount == $amount2) +); + +axiom (forall Heap: HeapType, $tag: int, $to: int, $amount: int :: + { $accessible$withdraw#trigger(Heap, $accessible$withdraw($tag, $to, $amount)) } + $accessible$withdraw#everUsed($accessible$withdraw($tag, $to, $amount)) +); + +// ================================================== +// Translation of predicate $accessible$withdraw_0 +// ================================================== + +type PredicateType_$accessible$withdraw_0; +function $accessible$withdraw_0($tag: int, $to: int, $amount: int): Field PredicateType_$accessible$withdraw_0 FrameType; +function $accessible$withdraw_0#sm($tag: int, $to: int, $amount: int): Field PredicateType_$accessible$withdraw_0 PMaskType; +axiom (forall $tag: int, $to: int, $amount: int :: + { PredicateMaskField($accessible$withdraw_0($tag, $to, $amount)) } + PredicateMaskField($accessible$withdraw_0($tag, $to, $amount)) == $accessible$withdraw_0#sm($tag, $to, $amount) +); +axiom (forall $tag: int, $to: int, $amount: int :: + { $accessible$withdraw_0($tag, $to, $amount) } + IsPredicateField($accessible$withdraw_0($tag, $to, $amount)) +); +axiom (forall $tag: int, $to: int, $amount: int :: + { $accessible$withdraw_0($tag, $to, $amount) } + getPredicateId($accessible$withdraw_0($tag, $to, $amount)) == 25 +); +function $accessible$withdraw_0#trigger(Heap: HeapType, pred: (Field A FrameType)): bool; +function $accessible$withdraw_0#everUsed(pred: (Field A FrameType)): bool; +axiom (forall $tag: int, $to: int, $amount: int, $tag2: int, $to2: int, $amount2: int :: + { $accessible$withdraw_0($tag, $to, $amount), $accessible$withdraw_0($tag2, $to2, $amount2) } + $accessible$withdraw_0($tag, $to, $amount) == $accessible$withdraw_0($tag2, $to2, $amount2) ==> $tag == $tag2 && ($to == $to2 && $amount == $amount2) +); +axiom (forall $tag: int, $to: int, $amount: int, $tag2: int, $to2: int, $amount2: int :: + { $accessible$withdraw_0#sm($tag, $to, $amount), $accessible$withdraw_0#sm($tag2, $to2, $amount2) } + $accessible$withdraw_0#sm($tag, $to, $amount) == $accessible$withdraw_0#sm($tag2, $to2, $amount2) ==> $tag == $tag2 && ($to == $to2 && $amount == $amount2) +); + +axiom (forall Heap: HeapType, $tag: int, $to: int, $amount: int :: + { $accessible$withdraw_0#trigger(Heap, $accessible$withdraw_0($tag, $to, $amount)) } + $accessible$withdraw_0#everUsed($accessible$withdraw_0($tag, $to, $amount)) +); + +// ================================================== +// Translation of predicate $accessible$endAuction +// ================================================== + +type PredicateType_$accessible$endAuction; +function $accessible$endAuction($tag: int, $to: int, $amount: int): Field PredicateType_$accessible$endAuction FrameType; +function $accessible$endAuction#sm($tag: int, $to: int, $amount: int): Field PredicateType_$accessible$endAuction PMaskType; +axiom (forall $tag: int, $to: int, $amount: int :: + { PredicateMaskField($accessible$endAuction($tag, $to, $amount)) } + PredicateMaskField($accessible$endAuction($tag, $to, $amount)) == $accessible$endAuction#sm($tag, $to, $amount) +); +axiom (forall $tag: int, $to: int, $amount: int :: + { $accessible$endAuction($tag, $to, $amount) } + IsPredicateField($accessible$endAuction($tag, $to, $amount)) +); +axiom (forall $tag: int, $to: int, $amount: int :: + { $accessible$endAuction($tag, $to, $amount) } + getPredicateId($accessible$endAuction($tag, $to, $amount)) == 26 +); +function $accessible$endAuction#trigger(Heap: HeapType, pred: (Field A FrameType)): bool; +function $accessible$endAuction#everUsed(pred: (Field A FrameType)): bool; +axiom (forall $tag: int, $to: int, $amount: int, $tag2: int, $to2: int, $amount2: int :: + { $accessible$endAuction($tag, $to, $amount), $accessible$endAuction($tag2, $to2, $amount2) } + $accessible$endAuction($tag, $to, $amount) == $accessible$endAuction($tag2, $to2, $amount2) ==> $tag == $tag2 && ($to == $to2 && $amount == $amount2) +); +axiom (forall $tag: int, $to: int, $amount: int, $tag2: int, $to2: int, $amount2: int :: + { $accessible$endAuction#sm($tag, $to, $amount), $accessible$endAuction#sm($tag2, $to2, $amount2) } + $accessible$endAuction#sm($tag, $to, $amount) == $accessible$endAuction#sm($tag2, $to2, $amount2) ==> $tag == $tag2 && ($to == $to2 && $amount == $amount2) +); + +axiom (forall Heap: HeapType, $tag: int, $to: int, $amount: int :: + { $accessible$endAuction#trigger(Heap, $accessible$endAuction($tag, $to, $amount)) } + $accessible$endAuction#everUsed($accessible$endAuction($tag, $to, $amount)) +); + +// ================================================== +// Translation of predicate $accessible$endAuction_0 +// ================================================== + +type PredicateType_$accessible$endAuction_0; +function $accessible$endAuction_0($tag: int, $to: int, $amount: int): Field PredicateType_$accessible$endAuction_0 FrameType; +function $accessible$endAuction_0#sm($tag: int, $to: int, $amount: int): Field PredicateType_$accessible$endAuction_0 PMaskType; +axiom (forall $tag: int, $to: int, $amount: int :: + { PredicateMaskField($accessible$endAuction_0($tag, $to, $amount)) } + PredicateMaskField($accessible$endAuction_0($tag, $to, $amount)) == $accessible$endAuction_0#sm($tag, $to, $amount) +); +axiom (forall $tag: int, $to: int, $amount: int :: + { $accessible$endAuction_0($tag, $to, $amount) } + IsPredicateField($accessible$endAuction_0($tag, $to, $amount)) +); +axiom (forall $tag: int, $to: int, $amount: int :: + { $accessible$endAuction_0($tag, $to, $amount) } + getPredicateId($accessible$endAuction_0($tag, $to, $amount)) == 27 +); +function $accessible$endAuction_0#trigger(Heap: HeapType, pred: (Field A FrameType)): bool; +function $accessible$endAuction_0#everUsed(pred: (Field A FrameType)): bool; +axiom (forall $tag: int, $to: int, $amount: int, $tag2: int, $to2: int, $amount2: int :: + { $accessible$endAuction_0($tag, $to, $amount), $accessible$endAuction_0($tag2, $to2, $amount2) } + $accessible$endAuction_0($tag, $to, $amount) == $accessible$endAuction_0($tag2, $to2, $amount2) ==> $tag == $tag2 && ($to == $to2 && $amount == $amount2) +); +axiom (forall $tag: int, $to: int, $amount: int, $tag2: int, $to2: int, $amount2: int :: + { $accessible$endAuction_0#sm($tag, $to, $amount), $accessible$endAuction_0#sm($tag2, $to2, $amount2) } + $accessible$endAuction_0#sm($tag, $to, $amount) == $accessible$endAuction_0#sm($tag2, $to2, $amount2) ==> $tag == $tag2 && ($to == $to2 && $amount == $amount2) +); + +axiom (forall Heap: HeapType, $tag: int, $to: int, $amount: int :: + { $accessible$endAuction_0#trigger(Heap, $accessible$endAuction_0($tag, $to, $amount)) } + $accessible$endAuction_0#everUsed($accessible$endAuction_0($tag, $to, $amount)) +); + +// ================================================== +// Translation of method $transitivity_check +// ================================================== + +procedure $transitivity_check() returns () + modifies Heap, Mask; +{ + var $self$0: $StructDomainType; + var $self$1: $StructDomainType; + var $self$2: $StructDomainType; + var block: $StructDomainType; + var QPMask: MaskType; + var q$a_28: int; + var q$a_31: int; + var q$a_34: int; + var AssertHeap: HeapType; + var AssertMask: MaskType; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == -1; + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc($self$0, 0)): Int) && + // ($struct_get($struct_loc($self$0, 0)): Int) <= + // 1461501637330902918203684832716283019655932542975 -- testsresourcesexamplesauction.vy.vpr@610.3--610.158 + assume 0 <= ($struct_get(($struct_loc($self$0, 0): int)): int); + assume ($struct_get(($struct_loc($self$0, 0): int)): int) <= 1461501637330902918203684832716283019655932542975; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc($self$0, 1)): Int) && + // ($struct_get($struct_loc($self$0, 1)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@611.3--611.187 + assume 0 <= ($struct_get(($struct_loc($self$0, 1): int)): int); + assume ($struct_get(($struct_loc($self$0, 1): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc($self$0, 2)): Int) && + // ($struct_get($struct_loc($self$0, 2)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@612.3--612.187 + assume 0 <= ($struct_get(($struct_loc($self$0, 2): int)): int); + assume ($struct_get(($struct_loc($self$0, 2): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc($self$0, 3)): Int) && + // ($struct_get($struct_loc($self$0, 3)): Int) <= + // 1461501637330902918203684832716283019655932542975 -- testsresourcesexamplesauction.vy.vpr@613.3--613.158 + assume 0 <= ($struct_get(($struct_loc($self$0, 3): int)): int); + assume ($struct_get(($struct_loc($self$0, 3): int)): int) <= 1461501637330902918203684832716283019655932542975; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc($self$0, 4)): Int) && + // ($struct_get($struct_loc($self$0, 4)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@614.3--614.187 + assume 0 <= ($struct_get(($struct_loc($self$0, 4): int)): int); + assume ($struct_get(($struct_loc($self$0, 4): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $q0: Int :: + // { ($map_get(($struct_get($struct_loc($self$0, 6)): $Map[Int, Int]), $q0): Int) } + // 0 <= + // ($map_get(($struct_get($struct_loc($self$0, 6)): $Map[Int, Int]), $q0): Int) && + // ($map_get(($struct_get($struct_loc($self$0, 6)): $Map[Int, Int]), $q0): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935) -- testsresourcesexamplesauction.vy.vpr@615.3--615.355 + + // -- Check definedness of (forall $q0: Int :: { ($map_get(($struct_get($struct_loc($self$0, 6)): $Map[Int, Int]), $q0): Int) } 0 <= ($map_get(($struct_get($struct_loc($self$0, 6)): $Map[Int, Int]), $q0): Int) && ($map_get(($struct_get($struct_loc($self$0, 6)): $Map[Int, Int]), $q0): Int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) + if (*) { + assume false; + } + assume (forall $q0_1: int :: + { ($map_get(($struct_get(($struct_loc($self$0, 6): int)): $MapDomainType int int), $q0_1): int) } + 0 <= ($map_get(($struct_get(($struct_loc($self$0, 6): int)): $MapDomainType int int), $q0_1): int) && ($map_get(($struct_get(($struct_loc($self$0, 6): int)): $MapDomainType int int), $q0_1): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $q0: Int :: + // { ($map_get(($struct_get($struct_loc($self$0, 6)): $Map[Int, Int]), $q0): Int) } + // ($map_get(($struct_get($struct_loc($self$0, 6)): $Map[Int, Int]), $q0): Int) <= + // ($map_sum(($struct_get($struct_loc($self$0, 6)): $Map[Int, Int])): Int)) -- testsresourcesexamplesauction.vy.vpr@616.3--616.263 + + // -- Check definedness of (forall $q0: Int :: { ($map_get(($struct_get($struct_loc($self$0, 6)): $Map[Int, Int]), $q0): Int) } ($map_get(($struct_get($struct_loc($self$0, 6)): $Map[Int, Int]), $q0): Int) <= ($map_sum(($struct_get($struct_loc($self$0, 6)): $Map[Int, Int])): Int)) + if (*) { + assume false; + } + assume (forall $q0_3: int :: + { ($map_get(($struct_get(($struct_loc($self$0, 6): int)): $MapDomainType int int), $q0_3): int) } + ($map_get(($struct_get(($struct_loc($self$0, 6): int)): $MapDomainType int int), $q0_3): int) <= ($map_sum(($struct_get(($struct_loc($self$0, 6): int)): $MapDomainType int int)): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc($self$0, 7)): Int) && + // ($struct_get($struct_loc($self$0, 7)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@617.3--617.187 + assume 0 <= ($struct_get(($struct_loc($self$0, 7): int)): int); + assume ($struct_get(($struct_loc($self$0, 7): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale -170141183460469231731687303715884105728 <= + // ($struct_get($struct_loc($self$0, 8)): Int) && + // ($struct_get($struct_loc($self$0, 8)): Int) <= + // 170141183460469231731687303715884105727 -- testsresourcesexamplesauction.vy.vpr@618.3--618.187 + assume -170141183460469231731687303715884105728 <= ($struct_get(($struct_loc($self$0, 8): int)): int); + assume ($struct_get(($struct_loc($self$0, 8): int)): int) <= 170141183460469231731687303715884105727; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $q1: Int :: + // { ($map_get(($struct_get($struct_loc($self$0, 10)): $Map[Int, Int]), $q1): Int) } + // 0 <= + // ($map_get(($struct_get($struct_loc($self$0, 10)): $Map[Int, Int]), $q1): Int) && + // ($map_get(($struct_get($struct_loc($self$0, 10)): $Map[Int, Int]), $q1): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935) -- testsresourcesexamplesauction.vy.vpr@619.3--619.358 + + // -- Check definedness of (forall $q1: Int :: { ($map_get(($struct_get($struct_loc($self$0, 10)): $Map[Int, Int]), $q1): Int) } 0 <= ($map_get(($struct_get($struct_loc($self$0, 10)): $Map[Int, Int]), $q1): Int) && ($map_get(($struct_get($struct_loc($self$0, 10)): $Map[Int, Int]), $q1): Int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) + if (*) { + assume false; + } + assume (forall $q1_1: int :: + { ($map_get(($struct_get(($struct_loc($self$0, 10): int)): $MapDomainType int int), $q1_1): int) } + 0 <= ($map_get(($struct_get(($struct_loc($self$0, 10): int)): $MapDomainType int int), $q1_1): int) && ($map_get(($struct_get(($struct_loc($self$0, 10): int)): $MapDomainType int int), $q1_1): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $q1: Int :: + // { ($map_get(($struct_get($struct_loc($self$0, 10)): $Map[Int, Int]), $q1): Int) } + // ($map_get(($struct_get($struct_loc($self$0, 10)): $Map[Int, Int]), $q1): Int) <= + // ($map_sum(($struct_get($struct_loc($self$0, 10)): $Map[Int, Int])): Int)) -- testsresourcesexamplesauction.vy.vpr@620.3--620.266 + + // -- Check definedness of (forall $q1: Int :: { ($map_get(($struct_get($struct_loc($self$0, 10)): $Map[Int, Int]), $q1): Int) } ($map_get(($struct_get($struct_loc($self$0, 10)): $Map[Int, Int]), $q1): Int) <= ($map_sum(($struct_get($struct_loc($self$0, 10)): $Map[Int, Int])): Int)) + if (*) { + assume false; + } + assume (forall $q1_3: int :: + { ($map_get(($struct_get(($struct_loc($self$0, 10): int)): $MapDomainType int int), $q1_3): int) } + ($map_get(($struct_get(($struct_loc($self$0, 10): int)): $MapDomainType int int), $q1_3): int) <= ($map_sum(($struct_get(($struct_loc($self$0, 10): int)): $MapDomainType int int)): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $q2: Int :: + // { ($map_get(($struct_get($struct_loc($self$0, 11)): $Map[Int, Int]), $q2): Int) } + // 0 <= + // ($map_get(($struct_get($struct_loc($self$0, 11)): $Map[Int, Int]), $q2): Int) && + // ($map_get(($struct_get($struct_loc($self$0, 11)): $Map[Int, Int]), $q2): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935) -- testsresourcesexamplesauction.vy.vpr@621.3--621.358 + + // -- Check definedness of (forall $q2: Int :: { ($map_get(($struct_get($struct_loc($self$0, 11)): $Map[Int, Int]), $q2): Int) } 0 <= ($map_get(($struct_get($struct_loc($self$0, 11)): $Map[Int, Int]), $q2): Int) && ($map_get(($struct_get($struct_loc($self$0, 11)): $Map[Int, Int]), $q2): Int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) + if (*) { + assume false; + } + assume (forall $q2_1: int :: + { ($map_get(($struct_get(($struct_loc($self$0, 11): int)): $MapDomainType int int), $q2_1): int) } + 0 <= ($map_get(($struct_get(($struct_loc($self$0, 11): int)): $MapDomainType int int), $q2_1): int) && ($map_get(($struct_get(($struct_loc($self$0, 11): int)): $MapDomainType int int), $q2_1): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $q2: Int :: + // { ($map_get(($struct_get($struct_loc($self$0, 11)): $Map[Int, Int]), $q2): Int) } + // ($map_get(($struct_get($struct_loc($self$0, 11)): $Map[Int, Int]), $q2): Int) <= + // ($map_sum(($struct_get($struct_loc($self$0, 11)): $Map[Int, Int])): Int)) -- testsresourcesexamplesauction.vy.vpr@622.3--622.266 + + // -- Check definedness of (forall $q2: Int :: { ($map_get(($struct_get($struct_loc($self$0, 11)): $Map[Int, Int]), $q2): Int) } ($map_get(($struct_get($struct_loc($self$0, 11)): $Map[Int, Int]), $q2): Int) <= ($map_sum(($struct_get($struct_loc($self$0, 11)): $Map[Int, Int])): Int)) + if (*) { + assume false; + } + assume (forall $q2_3: int :: + { ($map_get(($struct_get(($struct_loc($self$0, 11): int)): $MapDomainType int int), $q2_3): int) } + ($map_get(($struct_get(($struct_loc($self$0, 11): int)): $MapDomainType int int), $q2_3): int) <= ($map_sum(($struct_get(($struct_loc($self$0, 11): int)): $MapDomainType int int)): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc($self$0, -1)): Int) == + // 9122519725869122497593506884710 -- testsresourcesexamplesauction.vy.vpr@623.3--623.89 + assume ($struct_get(($struct_loc($self$0, -1): int)): int) == 9122519725869122497593506884710; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc($self$1, 0)): Int) && + // ($struct_get($struct_loc($self$1, 0)): Int) <= + // 1461501637330902918203684832716283019655932542975 -- testsresourcesexamplesauction.vy.vpr@624.3--624.158 + assume 0 <= ($struct_get(($struct_loc($self$1, 0): int)): int); + assume ($struct_get(($struct_loc($self$1, 0): int)): int) <= 1461501637330902918203684832716283019655932542975; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc($self$1, 1)): Int) && + // ($struct_get($struct_loc($self$1, 1)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@625.3--625.187 + assume 0 <= ($struct_get(($struct_loc($self$1, 1): int)): int); + assume ($struct_get(($struct_loc($self$1, 1): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc($self$1, 2)): Int) && + // ($struct_get($struct_loc($self$1, 2)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@626.3--626.187 + assume 0 <= ($struct_get(($struct_loc($self$1, 2): int)): int); + assume ($struct_get(($struct_loc($self$1, 2): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc($self$1, 3)): Int) && + // ($struct_get($struct_loc($self$1, 3)): Int) <= + // 1461501637330902918203684832716283019655932542975 -- testsresourcesexamplesauction.vy.vpr@627.3--627.158 + assume 0 <= ($struct_get(($struct_loc($self$1, 3): int)): int); + assume ($struct_get(($struct_loc($self$1, 3): int)): int) <= 1461501637330902918203684832716283019655932542975; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc($self$1, 4)): Int) && + // ($struct_get($struct_loc($self$1, 4)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@628.3--628.187 + assume 0 <= ($struct_get(($struct_loc($self$1, 4): int)): int); + assume ($struct_get(($struct_loc($self$1, 4): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $q0: Int :: + // { ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), $q0): Int) } + // 0 <= + // ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), $q0): Int) && + // ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), $q0): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935) -- testsresourcesexamplesauction.vy.vpr@629.3--629.355 + + // -- Check definedness of (forall $q0: Int :: { ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), $q0): Int) } 0 <= ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), $q0): Int) && ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), $q0): Int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) + if (*) { + assume false; + } + assume (forall $q0_5: int :: + { ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), $q0_5): int) } + 0 <= ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), $q0_5): int) && ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), $q0_5): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $q0: Int :: + // { ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), $q0): Int) } + // ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), $q0): Int) <= + // ($map_sum(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int])): Int)) -- testsresourcesexamplesauction.vy.vpr@630.3--630.263 + + // -- Check definedness of (forall $q0: Int :: { ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), $q0): Int) } ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), $q0): Int) <= ($map_sum(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int])): Int)) + if (*) { + assume false; + } + assume (forall $q0_7: int :: + { ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), $q0_7): int) } + ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), $q0_7): int) <= ($map_sum(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int)): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc($self$1, 7)): Int) && + // ($struct_get($struct_loc($self$1, 7)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@631.3--631.187 + assume 0 <= ($struct_get(($struct_loc($self$1, 7): int)): int); + assume ($struct_get(($struct_loc($self$1, 7): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale -170141183460469231731687303715884105728 <= + // ($struct_get($struct_loc($self$1, 8)): Int) && + // ($struct_get($struct_loc($self$1, 8)): Int) <= + // 170141183460469231731687303715884105727 -- testsresourcesexamplesauction.vy.vpr@632.3--632.187 + assume -170141183460469231731687303715884105728 <= ($struct_get(($struct_loc($self$1, 8): int)): int); + assume ($struct_get(($struct_loc($self$1, 8): int)): int) <= 170141183460469231731687303715884105727; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $q1: Int :: + // { ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), $q1): Int) } + // 0 <= + // ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), $q1): Int) && + // ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), $q1): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935) -- testsresourcesexamplesauction.vy.vpr@633.3--633.358 + + // -- Check definedness of (forall $q1: Int :: { ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), $q1): Int) } 0 <= ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), $q1): Int) && ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), $q1): Int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) + if (*) { + assume false; + } + assume (forall $q1_5: int :: + { ($map_get(($struct_get(($struct_loc($self$1, 10): int)): $MapDomainType int int), $q1_5): int) } + 0 <= ($map_get(($struct_get(($struct_loc($self$1, 10): int)): $MapDomainType int int), $q1_5): int) && ($map_get(($struct_get(($struct_loc($self$1, 10): int)): $MapDomainType int int), $q1_5): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $q1: Int :: + // { ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), $q1): Int) } + // ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), $q1): Int) <= + // ($map_sum(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int])): Int)) -- testsresourcesexamplesauction.vy.vpr@634.3--634.266 + + // -- Check definedness of (forall $q1: Int :: { ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), $q1): Int) } ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), $q1): Int) <= ($map_sum(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int])): Int)) + if (*) { + assume false; + } + assume (forall $q1_7: int :: + { ($map_get(($struct_get(($struct_loc($self$1, 10): int)): $MapDomainType int int), $q1_7): int) } + ($map_get(($struct_get(($struct_loc($self$1, 10): int)): $MapDomainType int int), $q1_7): int) <= ($map_sum(($struct_get(($struct_loc($self$1, 10): int)): $MapDomainType int int)): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $q2: Int :: + // { ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), $q2): Int) } + // 0 <= + // ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), $q2): Int) && + // ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), $q2): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935) -- testsresourcesexamplesauction.vy.vpr@635.3--635.358 + + // -- Check definedness of (forall $q2: Int :: { ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), $q2): Int) } 0 <= ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), $q2): Int) && ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), $q2): Int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) + if (*) { + assume false; + } + assume (forall $q2_5: int :: + { ($map_get(($struct_get(($struct_loc($self$1, 11): int)): $MapDomainType int int), $q2_5): int) } + 0 <= ($map_get(($struct_get(($struct_loc($self$1, 11): int)): $MapDomainType int int), $q2_5): int) && ($map_get(($struct_get(($struct_loc($self$1, 11): int)): $MapDomainType int int), $q2_5): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $q2: Int :: + // { ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), $q2): Int) } + // ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), $q2): Int) <= + // ($map_sum(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int])): Int)) -- testsresourcesexamplesauction.vy.vpr@636.3--636.266 + + // -- Check definedness of (forall $q2: Int :: { ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), $q2): Int) } ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), $q2): Int) <= ($map_sum(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int])): Int)) + if (*) { + assume false; + } + assume (forall $q2_7: int :: + { ($map_get(($struct_get(($struct_loc($self$1, 11): int)): $MapDomainType int int), $q2_7): int) } + ($map_get(($struct_get(($struct_loc($self$1, 11): int)): $MapDomainType int int), $q2_7): int) <= ($map_sum(($struct_get(($struct_loc($self$1, 11): int)): $MapDomainType int int)): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc($self$1, -1)): Int) == + // 9122519725869122497593506884710 -- testsresourcesexamplesauction.vy.vpr@637.3--637.89 + assume ($struct_get(($struct_loc($self$1, -1): int)): int) == 9122519725869122497593506884710; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc($self$2, 0)): Int) && + // ($struct_get($struct_loc($self$2, 0)): Int) <= + // 1461501637330902918203684832716283019655932542975 -- testsresourcesexamplesauction.vy.vpr@638.3--638.158 + assume 0 <= ($struct_get(($struct_loc($self$2, 0): int)): int); + assume ($struct_get(($struct_loc($self$2, 0): int)): int) <= 1461501637330902918203684832716283019655932542975; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc($self$2, 1)): Int) && + // ($struct_get($struct_loc($self$2, 1)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@639.3--639.187 + assume 0 <= ($struct_get(($struct_loc($self$2, 1): int)): int); + assume ($struct_get(($struct_loc($self$2, 1): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc($self$2, 2)): Int) && + // ($struct_get($struct_loc($self$2, 2)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@640.3--640.187 + assume 0 <= ($struct_get(($struct_loc($self$2, 2): int)): int); + assume ($struct_get(($struct_loc($self$2, 2): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc($self$2, 3)): Int) && + // ($struct_get($struct_loc($self$2, 3)): Int) <= + // 1461501637330902918203684832716283019655932542975 -- testsresourcesexamplesauction.vy.vpr@641.3--641.158 + assume 0 <= ($struct_get(($struct_loc($self$2, 3): int)): int); + assume ($struct_get(($struct_loc($self$2, 3): int)): int) <= 1461501637330902918203684832716283019655932542975; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc($self$2, 4)): Int) && + // ($struct_get($struct_loc($self$2, 4)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@642.3--642.187 + assume 0 <= ($struct_get(($struct_loc($self$2, 4): int)): int); + assume ($struct_get(($struct_loc($self$2, 4): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $q0: Int :: + // { ($map_get(($struct_get($struct_loc($self$2, 6)): $Map[Int, Int]), $q0): Int) } + // 0 <= + // ($map_get(($struct_get($struct_loc($self$2, 6)): $Map[Int, Int]), $q0): Int) && + // ($map_get(($struct_get($struct_loc($self$2, 6)): $Map[Int, Int]), $q0): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935) -- testsresourcesexamplesauction.vy.vpr@643.3--643.355 + + // -- Check definedness of (forall $q0: Int :: { ($map_get(($struct_get($struct_loc($self$2, 6)): $Map[Int, Int]), $q0): Int) } 0 <= ($map_get(($struct_get($struct_loc($self$2, 6)): $Map[Int, Int]), $q0): Int) && ($map_get(($struct_get($struct_loc($self$2, 6)): $Map[Int, Int]), $q0): Int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) + if (*) { + assume false; + } + assume (forall $q0_9: int :: + { ($map_get(($struct_get(($struct_loc($self$2, 6): int)): $MapDomainType int int), $q0_9): int) } + 0 <= ($map_get(($struct_get(($struct_loc($self$2, 6): int)): $MapDomainType int int), $q0_9): int) && ($map_get(($struct_get(($struct_loc($self$2, 6): int)): $MapDomainType int int), $q0_9): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $q0: Int :: + // { ($map_get(($struct_get($struct_loc($self$2, 6)): $Map[Int, Int]), $q0): Int) } + // ($map_get(($struct_get($struct_loc($self$2, 6)): $Map[Int, Int]), $q0): Int) <= + // ($map_sum(($struct_get($struct_loc($self$2, 6)): $Map[Int, Int])): Int)) -- testsresourcesexamplesauction.vy.vpr@644.3--644.263 + + // -- Check definedness of (forall $q0: Int :: { ($map_get(($struct_get($struct_loc($self$2, 6)): $Map[Int, Int]), $q0): Int) } ($map_get(($struct_get($struct_loc($self$2, 6)): $Map[Int, Int]), $q0): Int) <= ($map_sum(($struct_get($struct_loc($self$2, 6)): $Map[Int, Int])): Int)) + if (*) { + assume false; + } + assume (forall $q0_11: int :: + { ($map_get(($struct_get(($struct_loc($self$2, 6): int)): $MapDomainType int int), $q0_11): int) } + ($map_get(($struct_get(($struct_loc($self$2, 6): int)): $MapDomainType int int), $q0_11): int) <= ($map_sum(($struct_get(($struct_loc($self$2, 6): int)): $MapDomainType int int)): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc($self$2, 7)): Int) && + // ($struct_get($struct_loc($self$2, 7)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@645.3--645.187 + assume 0 <= ($struct_get(($struct_loc($self$2, 7): int)): int); + assume ($struct_get(($struct_loc($self$2, 7): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale -170141183460469231731687303715884105728 <= + // ($struct_get($struct_loc($self$2, 8)): Int) && + // ($struct_get($struct_loc($self$2, 8)): Int) <= + // 170141183460469231731687303715884105727 -- testsresourcesexamplesauction.vy.vpr@646.3--646.187 + assume -170141183460469231731687303715884105728 <= ($struct_get(($struct_loc($self$2, 8): int)): int); + assume ($struct_get(($struct_loc($self$2, 8): int)): int) <= 170141183460469231731687303715884105727; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $q1: Int :: + // { ($map_get(($struct_get($struct_loc($self$2, 10)): $Map[Int, Int]), $q1): Int) } + // 0 <= + // ($map_get(($struct_get($struct_loc($self$2, 10)): $Map[Int, Int]), $q1): Int) && + // ($map_get(($struct_get($struct_loc($self$2, 10)): $Map[Int, Int]), $q1): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935) -- testsresourcesexamplesauction.vy.vpr@647.3--647.358 + + // -- Check definedness of (forall $q1: Int :: { ($map_get(($struct_get($struct_loc($self$2, 10)): $Map[Int, Int]), $q1): Int) } 0 <= ($map_get(($struct_get($struct_loc($self$2, 10)): $Map[Int, Int]), $q1): Int) && ($map_get(($struct_get($struct_loc($self$2, 10)): $Map[Int, Int]), $q1): Int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) + if (*) { + assume false; + } + assume (forall $q1_9: int :: + { ($map_get(($struct_get(($struct_loc($self$2, 10): int)): $MapDomainType int int), $q1_9): int) } + 0 <= ($map_get(($struct_get(($struct_loc($self$2, 10): int)): $MapDomainType int int), $q1_9): int) && ($map_get(($struct_get(($struct_loc($self$2, 10): int)): $MapDomainType int int), $q1_9): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $q1: Int :: + // { ($map_get(($struct_get($struct_loc($self$2, 10)): $Map[Int, Int]), $q1): Int) } + // ($map_get(($struct_get($struct_loc($self$2, 10)): $Map[Int, Int]), $q1): Int) <= + // ($map_sum(($struct_get($struct_loc($self$2, 10)): $Map[Int, Int])): Int)) -- testsresourcesexamplesauction.vy.vpr@648.3--648.266 + + // -- Check definedness of (forall $q1: Int :: { ($map_get(($struct_get($struct_loc($self$2, 10)): $Map[Int, Int]), $q1): Int) } ($map_get(($struct_get($struct_loc($self$2, 10)): $Map[Int, Int]), $q1): Int) <= ($map_sum(($struct_get($struct_loc($self$2, 10)): $Map[Int, Int])): Int)) + if (*) { + assume false; + } + assume (forall $q1_11: int :: + { ($map_get(($struct_get(($struct_loc($self$2, 10): int)): $MapDomainType int int), $q1_11): int) } + ($map_get(($struct_get(($struct_loc($self$2, 10): int)): $MapDomainType int int), $q1_11): int) <= ($map_sum(($struct_get(($struct_loc($self$2, 10): int)): $MapDomainType int int)): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $q2: Int :: + // { ($map_get(($struct_get($struct_loc($self$2, 11)): $Map[Int, Int]), $q2): Int) } + // 0 <= + // ($map_get(($struct_get($struct_loc($self$2, 11)): $Map[Int, Int]), $q2): Int) && + // ($map_get(($struct_get($struct_loc($self$2, 11)): $Map[Int, Int]), $q2): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935) -- testsresourcesexamplesauction.vy.vpr@649.3--649.358 + + // -- Check definedness of (forall $q2: Int :: { ($map_get(($struct_get($struct_loc($self$2, 11)): $Map[Int, Int]), $q2): Int) } 0 <= ($map_get(($struct_get($struct_loc($self$2, 11)): $Map[Int, Int]), $q2): Int) && ($map_get(($struct_get($struct_loc($self$2, 11)): $Map[Int, Int]), $q2): Int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) + if (*) { + assume false; + } + assume (forall $q2_9: int :: + { ($map_get(($struct_get(($struct_loc($self$2, 11): int)): $MapDomainType int int), $q2_9): int) } + 0 <= ($map_get(($struct_get(($struct_loc($self$2, 11): int)): $MapDomainType int int), $q2_9): int) && ($map_get(($struct_get(($struct_loc($self$2, 11): int)): $MapDomainType int int), $q2_9): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $q2: Int :: + // { ($map_get(($struct_get($struct_loc($self$2, 11)): $Map[Int, Int]), $q2): Int) } + // ($map_get(($struct_get($struct_loc($self$2, 11)): $Map[Int, Int]), $q2): Int) <= + // ($map_sum(($struct_get($struct_loc($self$2, 11)): $Map[Int, Int])): Int)) -- testsresourcesexamplesauction.vy.vpr@650.3--650.266 + + // -- Check definedness of (forall $q2: Int :: { ($map_get(($struct_get($struct_loc($self$2, 11)): $Map[Int, Int]), $q2): Int) } ($map_get(($struct_get($struct_loc($self$2, 11)): $Map[Int, Int]), $q2): Int) <= ($map_sum(($struct_get($struct_loc($self$2, 11)): $Map[Int, Int])): Int)) + if (*) { + assume false; + } + assume (forall $q2_11: int :: + { ($map_get(($struct_get(($struct_loc($self$2, 11): int)): $MapDomainType int int), $q2_11): int) } + ($map_get(($struct_get(($struct_loc($self$2, 11): int)): $MapDomainType int int), $q2_11): int) <= ($map_sum(($struct_get(($struct_loc($self$2, 11): int)): $MapDomainType int int)): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc($self$2, -1)): Int) == + // 9122519725869122497593506884710 -- testsresourcesexamplesauction.vy.vpr@651.3--651.89 + assume ($struct_get(($struct_loc($self$2, -1): int)): int) == 9122519725869122497593506884710; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc(block, 0)): Int) && + // ($struct_get($struct_loc(block, 0)): Int) <= + // 1461501637330902918203684832716283019655932542975 -- testsresourcesexamplesauction.vy.vpr@652.3--652.154 + assume 0 <= ($struct_get(($struct_loc(block, 0): int)): int); + assume ($struct_get(($struct_loc(block, 0): int)): int) <= 1461501637330902918203684832716283019655932542975; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc(block, 1)): Int) && + // ($struct_get($struct_loc(block, 1)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@653.3--653.183 + assume 0 <= ($struct_get(($struct_loc(block, 1): int)): int); + assume ($struct_get(($struct_loc(block, 1): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc(block, 2)): Int) && + // ($struct_get($struct_loc(block, 2)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@654.3--654.183 + assume 0 <= ($struct_get(($struct_loc(block, 2): int)): int); + assume ($struct_get(($struct_loc(block, 2): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale |($struct_get($struct_loc(block, 3)): Seq[Int])| == 32 -- testsresourcesexamplesauction.vy.vpr@655.3--655.64 + assume Seq#Length(($struct_get(($struct_loc(block, 3): int)): Seq int)) == 32; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc(block, 4)): Int) && + // ($struct_get($struct_loc(block, 4)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@656.3--656.183 + assume 0 <= ($struct_get(($struct_loc(block, 4): int)): int); + assume ($struct_get(($struct_loc(block, 4): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc(block, -1)): Int) == + // 2335365049822495359383864865678187 -- testsresourcesexamplesauction.vy.vpr@657.3--657.90 + assume ($struct_get(($struct_loc(block, -1): int)): int) == 2335365049822495359383864865678187; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $a: Int :: + // { ($map_get(($struct_get($struct_loc($self$0, 10)): $Map[Int, Int]), $a): Int) } + // ($map_get(($struct_get($struct_loc($self$0, 10)): $Map[Int, Int]), $a): Int) >= + // ($map_get(($struct_get($struct_loc($self$0, 10)): $Map[Int, Int]), $a): Int)) -- testsresourcesexamplesauction.vy.vpr@658.3--658.267 + + // -- Check definedness of (forall $a: Int :: { ($map_get(($struct_get($struct_loc($self$0, 10)): $Map[Int, Int]), $a): Int) } ($map_get(($struct_get($struct_loc($self$0, 10)): $Map[Int, Int]), $a): Int) >= ($map_get(($struct_get($struct_loc($self$0, 10)): $Map[Int, Int]), $a): Int)) + if (*) { + assume false; + } + assume (forall $a_1_1: int :: + { ($map_get(($struct_get(($struct_loc($self$0, 10): int)): $MapDomainType int int), $a_1_1): int) } + ($map_get(($struct_get(($struct_loc($self$0, 10): int)): $MapDomainType int int), $a_1_1): int) >= ($map_get(($struct_get(($struct_loc($self$0, 10): int)): $MapDomainType int int), $a_1_1): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc($self$0, 3)): Int) == 0 ==> + // ($struct_get($struct_loc($self$0, 4)): Int) == 0 -- testsresourcesexamplesauction.vy.vpr@659.3--659.111 + if (($struct_get(($struct_loc($self$0, 3): int)): int) == 0) { + assume ($struct_get(($struct_loc($self$0, 4): int)): int) == 0; + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc($self$0, 0)): Int) == + // ($struct_get($struct_loc($self$0, 0)): Int) -- testsresourcesexamplesauction.vy.vpr@660.3--660.100 + assume ($struct_get(($struct_loc($self$0, 0): int)): int) == ($struct_get(($struct_loc($self$0, 0): int)): int); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc($self$0, 5)): Bool) ==> + // ($struct_get($struct_loc($self$0, 5)): Bool) -- testsresourcesexamplesauction.vy.vpr@661.3--661.103 + if (($struct_get(($struct_loc($self$0, 5): int)): bool)) { + assume ($struct_get(($struct_loc($self$0, 5): int)): bool); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale !($struct_get($struct_loc($self$0, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc($self$0, 6)): $Map[Int, Int])): Int) + + // ($struct_get($struct_loc($self$0, 4)): Int) <= + // ($struct_get($struct_loc($self$0, 7)): Int) -- testsresourcesexamplesauction.vy.vpr@662.3--662.224 + if (!($struct_get(($struct_loc($self$0, 5): int)): bool)) { + assume ($map_sum(($struct_get(($struct_loc($self$0, 6): int)): $MapDomainType int int)): int) + ($struct_get(($struct_loc($self$0, 4): int)): int) <= ($struct_get(($struct_loc($self$0, 7): int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale !($struct_get($struct_loc($self$0, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc($self$0, 6)): $Map[Int, Int])): Int) + + // ($struct_get($struct_loc($self$0, 4)): Int) == + // ($map_sum(($struct_get($struct_loc($self$0, 11)): $Map[Int, Int])): Int) - + // ($map_sum(($struct_get($struct_loc($self$0, 10)): $Map[Int, Int])): Int) -- testsresourcesexamplesauction.vy.vpr@663.3--663.328 + if (!($struct_get(($struct_loc($self$0, 5): int)): bool)) { + assume ($map_sum(($struct_get(($struct_loc($self$0, 6): int)): $MapDomainType int int)): int) + ($struct_get(($struct_loc($self$0, 4): int)): int) == ($map_sum(($struct_get(($struct_loc($self$0, 11): int)): $MapDomainType int int)): int) - ($map_sum(($struct_get(($struct_loc($self$0, 10): int)): $MapDomainType int int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc($self$0, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc($self$0, 6)): $Map[Int, Int])): Int) <= + // ($struct_get($struct_loc($self$0, 7)): Int) -- testsresourcesexamplesauction.vy.vpr@664.3--664.177 + if (($struct_get(($struct_loc($self$0, 5): int)): bool)) { + assume ($map_sum(($struct_get(($struct_loc($self$0, 6): int)): $MapDomainType int int)): int) <= ($struct_get(($struct_loc($self$0, 7): int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc($self$0, 4)): Int) >= + // ($struct_get($struct_loc($self$0, 4)): Int) -- testsresourcesexamplesauction.vy.vpr@665.3--665.100 + assume ($struct_get(($struct_loc($self$0, 4): int)): int) >= ($struct_get(($struct_loc($self$0, 4): int)): int); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc($self$0, 5)): Bool) ==> + // ($struct_get($struct_loc($self$0, 4)): Int) == + // ($struct_get($struct_loc($self$0, 4)): Int) && + // ($struct_get($struct_loc($self$0, 3)): Int) == + // ($struct_get($struct_loc($self$0, 3)): Int) -- testsresourcesexamplesauction.vy.vpr@666.3--666.243 + if (($struct_get(($struct_loc($self$0, 5): int)): bool)) { + assume ($struct_get(($struct_loc($self$0, 4): int)): int) == ($struct_get(($struct_loc($self$0, 4): int)): int); + assume ($struct_get(($struct_loc($self$0, 3): int)): int) == ($struct_get(($struct_loc($self$0, 3): int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc($self$0, 0)): Int) != 0 -- testsresourcesexamplesauction.vy.vpr@667.3--667.58 + assume ($struct_get(($struct_loc($self$0, 0): int)): int) != 0; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc($self$0, 3)): Int) != + // ($struct_get($struct_loc($self$0, 0)): Int) -- testsresourcesexamplesauction.vy.vpr@668.3--668.100 + assume ($struct_get(($struct_loc($self$0, 3): int)): int) != ($struct_get(($struct_loc($self$0, 0): int)): int); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($map_get(($struct_get($struct_loc($self$0, 6)): $Map[Int, Int]), ($struct_get($struct_loc($self$0, + // 0)): Int)): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@669.3--669.131 + assume ($map_get(($struct_get(($struct_loc($self$0, 6): int)): $MapDomainType int int), ($struct_get(($struct_loc($self$0, 0): int)): int)): int) == 0; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale !($struct_get($struct_loc($self$0, 5)): Bool) ==> + // ($map_get(($struct_get($struct_loc($self$0, 10)): $Map[Int, Int]), ($struct_get($struct_loc($self$0, + // 0)): Int)): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@670.3--670.182 + if (!($struct_get(($struct_loc($self$0, 5): int)): bool)) { + assume ($map_get(($struct_get(($struct_loc($self$0, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc($self$0, 0): int)): int)): int) == 0; + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc($self$0, 5)): Bool) ==> + // ($map_get(($struct_get($struct_loc($self$0, 10)): $Map[Int, Int]), ($struct_get($struct_loc($self$0, + // 0)): Int)): Int) == + // ($struct_get($struct_loc($self$0, 4)): Int) -- testsresourcesexamplesauction.vy.vpr@671.3--671.223 + if (($struct_get(($struct_loc($self$0, 5): int)): bool)) { + assume ($map_get(($struct_get(($struct_loc($self$0, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc($self$0, 0): int)): int)): int) == ($struct_get(($struct_loc($self$0, 4): int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($map_get(($struct_get($struct_loc($self$0, 10)): $Map[Int, Int]), ($struct_get($struct_loc($self$0, + // 3)): Int)): Int) + + // ($struct_get($struct_loc($self$0, 4)): Int) + + // ($map_get(($struct_get($struct_loc($self$0, 6)): $Map[Int, Int]), ($struct_get($struct_loc($self$0, + // 3)): Int)): Int) == + // ($map_get(($struct_get($struct_loc($self$0, 11)): $Map[Int, Int]), ($struct_get($struct_loc($self$0, + // 3)): Int)): Int) -- testsresourcesexamplesauction.vy.vpr@672.3--672.413 + assume ($map_get(($struct_get(($struct_loc($self$0, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc($self$0, 3): int)): int)): int) + ($struct_get(($struct_loc($self$0, 4): int)): int) + ($map_get(($struct_get(($struct_loc($self$0, 6): int)): $MapDomainType int int), ($struct_get(($struct_loc($self$0, 3): int)): int)): int) == ($map_get(($struct_get(($struct_loc($self$0, 11): int)): $MapDomainType int int), ($struct_get(($struct_loc($self$0, 3): int)): int)): int); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc($self$0, 11)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // q$a != ($struct_get($struct_loc($self$0, 3)): Int) && + // q$a != ($struct_get($struct_loc($self$0, 0)): Int) ==> + // ($map_get(($struct_get($struct_loc($self$0, 10)): $Map[Int, Int]), q$a): Int) + + // ($map_get(($struct_get($struct_loc($self$0, 6)): $Map[Int, Int]), q$a): Int) == + // ($map_get(($struct_get($struct_loc($self$0, 11)): $Map[Int, Int]), q$a): Int)) -- testsresourcesexamplesauction.vy.vpr@673.3--673.532 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc($self$0, 11)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> q$a != ($struct_get($struct_loc($self$0, 3)): Int) && q$a != ($struct_get($struct_loc($self$0, 0)): Int) ==> ($map_get(($struct_get($struct_loc($self$0, 10)): $Map[Int, Int]), q$a): Int) + ($map_get(($struct_get($struct_loc($self$0, 6)): $Map[Int, Int]), q$a): Int) == ($map_get(($struct_get($struct_loc($self$0, 11)): $Map[Int, Int]), q$a): Int)) + if (*) { + assume false; + } + assume (forall q$a_1: int :: + { ($map_get(($struct_get(($struct_loc($self$0, 11): int)): $MapDomainType int int), q$a_1): int) } + 0 <= q$a_1 && q$a_1 <= 1461501637330902918203684832716283019655932542975 ==> q$a_1 != ($struct_get(($struct_loc($self$0, 3): int)): int) && q$a_1 != ($struct_get(($struct_loc($self$0, 0): int)): int) ==> ($map_get(($struct_get(($struct_loc($self$0, 10): int)): $MapDomainType int int), q$a_1): int) + ($map_get(($struct_get(($struct_loc($self$0, 6): int)): $MapDomainType int int), q$a_1): int) == ($map_get(($struct_get(($struct_loc($self$0, 11): int)): $MapDomainType int int), q$a_1): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($map_get(($struct_get($struct_loc($self$0, 10)): $Map[Int, Int]), 0): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@674.3--674.90 + assume ($map_get(($struct_get(($struct_loc($self$0, 10): int)): $MapDomainType int int), 0): int) == 0; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc($self$0, 6)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // ($map_get(($struct_get($struct_loc($self$0, 6)): $Map[Int, Int]), q$a): Int) != + // 0 ==> + // ($map_get(($struct_get($struct_loc($self$0, 11)): $Map[Int, Int]), q$a): Int) != + // 0) -- testsresourcesexamplesauction.vy.vpr@675.3--675.353 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc($self$0, 6)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> ($map_get(($struct_get($struct_loc($self$0, 6)): $Map[Int, Int]), q$a): Int) != 0 ==> ($map_get(($struct_get($struct_loc($self$0, 11)): $Map[Int, Int]), q$a): Int) != 0) + if (*) { + assume false; + } + assume (forall q$a_3: int :: + { ($map_get(($struct_get(($struct_loc($self$0, 6): int)): $MapDomainType int int), q$a_3): int) } + 0 <= q$a_3 && q$a_3 <= 1461501637330902918203684832716283019655932542975 ==> ($map_get(($struct_get(($struct_loc($self$0, 6): int)): $MapDomainType int int), q$a_3): int) != 0 ==> ($map_get(($struct_get(($struct_loc($self$0, 11): int)): $MapDomainType int int), q$a_3): int) != 0 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc($self$0, 11)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // q$a != ($struct_get($struct_loc($self$0, 0)): Int) && + // ($map_get(($struct_get($struct_loc($self$0, 11)): $Map[Int, Int]), q$a): Int) == + // 0 ==> + // ($map_get(($struct_get($struct_loc($self$0, 10)): $Map[Int, Int]), q$a): Int) == + // 0) -- testsresourcesexamplesauction.vy.vpr@676.3--676.409 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc($self$0, 11)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> q$a != ($struct_get($struct_loc($self$0, 0)): Int) && ($map_get(($struct_get($struct_loc($self$0, 11)): $Map[Int, Int]), q$a): Int) == 0 ==> ($map_get(($struct_get($struct_loc($self$0, 10)): $Map[Int, Int]), q$a): Int) == 0) + if (*) { + assume false; + } + assume (forall q$a_5: int :: + { ($map_get(($struct_get(($struct_loc($self$0, 11): int)): $MapDomainType int int), q$a_5): int) } + 0 <= q$a_5 && q$a_5 <= 1461501637330902918203684832716283019655932542975 ==> q$a_5 != ($struct_get(($struct_loc($self$0, 0): int)): int) && ($map_get(($struct_get(($struct_loc($self$0, 11): int)): $MapDomainType int int), q$a_5): int) == 0 ==> ($map_get(($struct_get(($struct_loc($self$0, 10): int)): $MapDomainType int int), q$a_5): int) == 0 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale true && + // (forall q$a: Int, q$v: Int :: + // { $accessible$withdraw(18, q$a, q$v) } + // 0 <= q$a && + // (q$a <= 1461501637330902918203684832716283019655932542975 && + // (0 <= q$v && + // q$v <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 && + // q$v == + // ($map_get(($struct_get($struct_loc($self$0, 6)): $Map[Int, Int]), q$a): Int))) ==> + // acc($accessible$withdraw(18, q$a, q$v), write)) -- testsresourcesexamplesauction.vy.vpr@677.3--677.397 + + // -- Check definedness of (forall q$a: Int, q$v: Int :: { $accessible$withdraw(18, q$a, q$v) } 0 <= q$a && (q$a <= 1461501637330902918203684832716283019655932542975 && (0 <= q$v && q$v <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 && q$v == ($map_get(($struct_get($struct_loc($self$0, 6)): $Map[Int, Int]), q$a): Int))) ==> acc($accessible$withdraw(18, q$a, q$v), write)) + if (*) { + assume false; + } + havoc QPMask; + + // -- check if receiver acc($accessible$withdraw(18, q$a, q$v), write) is injective + assert {:msg " Inhale might fail. Quantified resource $accessible$withdraw(18, q$a, q$v) might not be injective. (testsresourcesexamplesauction.vy.vpr@677.10--677.397) [203]"} + (forall q$a_7: int, q$v_1: int, q$a_7_1: int, q$v_1_1: int :: + { neverTriggered2(q$a_7, q$v_1), neverTriggered2(q$a_7_1, q$v_1_1) } + ((((q$a_7 != q$a_7_1 && q$v_1 != q$v_1_1) && (0 <= q$a_7 && (q$a_7 <= 1461501637330902918203684832716283019655932542975 && ((0 <= q$v_1 && q$v_1 <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && q$v_1 == ($map_get(($struct_get(($struct_loc($self$0, 6): int)): $MapDomainType int int), q$a_7): int))))) && (0 <= q$a_7_1 && (q$a_7_1 <= 1461501637330902918203684832716283019655932542975 && ((0 <= q$v_1_1 && q$v_1_1 <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && q$v_1_1 == ($map_get(($struct_get(($struct_loc($self$0, 6): int)): $MapDomainType int int), q$a_7_1): int))))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> q$a_7 != q$a_7_1 || q$v_1 != q$v_1_1 + ); + + // -- Define Inverse Function + assume (forall q$a_7: int, q$v_1: int :: + { Heap[null, $accessible$withdraw(18, q$a_7, q$v_1)] } { Mask[null, $accessible$withdraw(18, q$a_7, q$v_1)] } { Heap[null, $accessible$withdraw(18, q$a_7, q$v_1)] } + (0 <= q$a_7 && (q$a_7 <= 1461501637330902918203684832716283019655932542975 && ((0 <= q$v_1 && q$v_1 <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && q$v_1 == ($map_get(($struct_get(($struct_loc($self$0, 6): int)): $MapDomainType int int), q$a_7): int)))) && NoPerm < FullPerm ==> (invRecv1(18, q$a_7, q$v_1) == q$a_7 && invRecv2(18, q$a_7, q$v_1) == q$v_1) && qpRange2(18, q$a_7, q$v_1) + ); + assume (forall $tag: int, $to: int, $amount: int :: + { invRecv1($tag, $to, $amount), invRecv2($tag, $to, $amount) } + ((0 <= invRecv1($tag, $to, $amount) && (invRecv1($tag, $to, $amount) <= 1461501637330902918203684832716283019655932542975 && ((0 <= invRecv2($tag, $to, $amount) && invRecv2($tag, $to, $amount) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && invRecv2($tag, $to, $amount) == ($map_get(($struct_get(($struct_loc($self$0, 6): int)): $MapDomainType int int), invRecv1($tag, $to, $amount)): int)))) && NoPerm < FullPerm) && qpRange2($tag, $to, $amount) ==> (18 == $tag && invRecv1($tag, $to, $amount) == $to) && invRecv2($tag, $to, $amount) == $amount + ); + + // -- Define updated permissions + assume (forall $tag: int, $to: int, $amount: int :: + { QPMask[null, $accessible$withdraw($tag, $to, $amount)] } + ((0 <= invRecv1($tag, $to, $amount) && (invRecv1($tag, $to, $amount) <= 1461501637330902918203684832716283019655932542975 && ((0 <= invRecv2($tag, $to, $amount) && invRecv2($tag, $to, $amount) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && invRecv2($tag, $to, $amount) == ($map_get(($struct_get(($struct_loc($self$0, 6): int)): $MapDomainType int int), invRecv1($tag, $to, $amount)): int)))) && NoPerm < FullPerm) && qpRange2($tag, $to, $amount) ==> (NoPerm < FullPerm ==> (18 == $tag && invRecv1($tag, $to, $amount) == $to) && invRecv2($tag, $to, $amount) == $amount) && QPMask[null, $accessible$withdraw($tag, $to, $amount)] == Mask[null, $accessible$withdraw($tag, $to, $amount)] + FullPerm + ); + + // -- Define independent locations + assume (forall o_4: Ref, f_6: (Field A B) :: + { Mask[o_4, f_6] } { QPMask[o_4, f_6] } + (o_4 != null || !IsPredicateField(f_6)) || getPredicateId(f_6) != 24 ==> Mask[o_4, f_6] == QPMask[o_4, f_6] + ); + assume (forall $tag: int, $to: int, $amount: int :: + { QPMask[null, $accessible$withdraw($tag, $to, $amount)] } + !(((0 <= invRecv1($tag, $to, $amount) && (invRecv1($tag, $to, $amount) <= 1461501637330902918203684832716283019655932542975 && ((0 <= invRecv2($tag, $to, $amount) && invRecv2($tag, $to, $amount) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && invRecv2($tag, $to, $amount) == ($map_get(($struct_get(($struct_loc($self$0, 6): int)): $MapDomainType int int), invRecv1($tag, $to, $amount)): int)))) && NoPerm < FullPerm) && qpRange2($tag, $to, $amount)) ==> QPMask[null, $accessible$withdraw($tag, $to, $amount)] == Mask[null, $accessible$withdraw($tag, $to, $amount)] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $a: Int :: + // { ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), $a): Int) } + // ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), $a): Int) >= + // ($map_get(($struct_get($struct_loc($self$0, 10)): $Map[Int, Int]), $a): Int)) -- testsresourcesexamplesauction.vy.vpr@678.3--678.267 + + // -- Check definedness of (forall $a: Int :: { ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), $a): Int) } ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), $a): Int) >= ($map_get(($struct_get($struct_loc($self$0, 10)): $Map[Int, Int]), $a): Int)) + if (*) { + assume false; + } + assume (forall $a_3: int :: + { ($map_get(($struct_get(($struct_loc($self$1, 10): int)): $MapDomainType int int), $a_3): int) } + ($map_get(($struct_get(($struct_loc($self$1, 10): int)): $MapDomainType int int), $a_3): int) >= ($map_get(($struct_get(($struct_loc($self$0, 10): int)): $MapDomainType int int), $a_3): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc($self$1, 3)): Int) == 0 ==> + // ($struct_get($struct_loc($self$1, 4)): Int) == 0 -- testsresourcesexamplesauction.vy.vpr@679.3--679.111 + if (($struct_get(($struct_loc($self$1, 3): int)): int) == 0) { + assume ($struct_get(($struct_loc($self$1, 4): int)): int) == 0; + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc($self$1, 0)): Int) == + // ($struct_get($struct_loc($self$0, 0)): Int) -- testsresourcesexamplesauction.vy.vpr@680.3--680.100 + assume ($struct_get(($struct_loc($self$1, 0): int)): int) == ($struct_get(($struct_loc($self$0, 0): int)): int); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc($self$0, 5)): Bool) ==> + // ($struct_get($struct_loc($self$1, 5)): Bool) -- testsresourcesexamplesauction.vy.vpr@681.3--681.103 + if (($struct_get(($struct_loc($self$0, 5): int)): bool)) { + assume ($struct_get(($struct_loc($self$1, 5): int)): bool); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale !($struct_get($struct_loc($self$1, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int])): Int) + + // ($struct_get($struct_loc($self$1, 4)): Int) <= + // ($struct_get($struct_loc($self$1, 7)): Int) -- testsresourcesexamplesauction.vy.vpr@682.3--682.224 + if (!($struct_get(($struct_loc($self$1, 5): int)): bool)) { + assume ($map_sum(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int)): int) + ($struct_get(($struct_loc($self$1, 4): int)): int) <= ($struct_get(($struct_loc($self$1, 7): int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale !($struct_get($struct_loc($self$1, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int])): Int) + + // ($struct_get($struct_loc($self$1, 4)): Int) == + // ($map_sum(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int])): Int) - + // ($map_sum(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int])): Int) -- testsresourcesexamplesauction.vy.vpr@683.3--683.328 + if (!($struct_get(($struct_loc($self$1, 5): int)): bool)) { + assume ($map_sum(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int)): int) + ($struct_get(($struct_loc($self$1, 4): int)): int) == ($map_sum(($struct_get(($struct_loc($self$1, 11): int)): $MapDomainType int int)): int) - ($map_sum(($struct_get(($struct_loc($self$1, 10): int)): $MapDomainType int int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc($self$1, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int])): Int) <= + // ($struct_get($struct_loc($self$1, 7)): Int) -- testsresourcesexamplesauction.vy.vpr@684.3--684.177 + if (($struct_get(($struct_loc($self$1, 5): int)): bool)) { + assume ($map_sum(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int)): int) <= ($struct_get(($struct_loc($self$1, 7): int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc($self$1, 4)): Int) >= + // ($struct_get($struct_loc($self$0, 4)): Int) -- testsresourcesexamplesauction.vy.vpr@685.3--685.100 + assume ($struct_get(($struct_loc($self$1, 4): int)): int) >= ($struct_get(($struct_loc($self$0, 4): int)): int); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc($self$0, 5)): Bool) ==> + // ($struct_get($struct_loc($self$1, 4)): Int) == + // ($struct_get($struct_loc($self$0, 4)): Int) && + // ($struct_get($struct_loc($self$1, 3)): Int) == + // ($struct_get($struct_loc($self$0, 3)): Int) -- testsresourcesexamplesauction.vy.vpr@686.3--686.243 + if (($struct_get(($struct_loc($self$0, 5): int)): bool)) { + assume ($struct_get(($struct_loc($self$1, 4): int)): int) == ($struct_get(($struct_loc($self$0, 4): int)): int); + assume ($struct_get(($struct_loc($self$1, 3): int)): int) == ($struct_get(($struct_loc($self$0, 3): int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc($self$1, 0)): Int) != 0 -- testsresourcesexamplesauction.vy.vpr@687.3--687.58 + assume ($struct_get(($struct_loc($self$1, 0): int)): int) != 0; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc($self$1, 3)): Int) != + // ($struct_get($struct_loc($self$1, 0)): Int) -- testsresourcesexamplesauction.vy.vpr@688.3--688.100 + assume ($struct_get(($struct_loc($self$1, 3): int)): int) != ($struct_get(($struct_loc($self$1, 0): int)): int); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), ($struct_get($struct_loc($self$1, + // 0)): Int)): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@689.3--689.131 + assume ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), ($struct_get(($struct_loc($self$1, 0): int)): int)): int) == 0; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale !($struct_get($struct_loc($self$1, 5)): Bool) ==> + // ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), ($struct_get($struct_loc($self$1, + // 0)): Int)): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@690.3--690.182 + if (!($struct_get(($struct_loc($self$1, 5): int)): bool)) { + assume ($map_get(($struct_get(($struct_loc($self$1, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc($self$1, 0): int)): int)): int) == 0; + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc($self$1, 5)): Bool) ==> + // ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), ($struct_get($struct_loc($self$1, + // 0)): Int)): Int) == + // ($struct_get($struct_loc($self$1, 4)): Int) -- testsresourcesexamplesauction.vy.vpr@691.3--691.223 + if (($struct_get(($struct_loc($self$1, 5): int)): bool)) { + assume ($map_get(($struct_get(($struct_loc($self$1, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc($self$1, 0): int)): int)): int) == ($struct_get(($struct_loc($self$1, 4): int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), ($struct_get($struct_loc($self$1, + // 3)): Int)): Int) + + // ($struct_get($struct_loc($self$1, 4)): Int) + + // ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), ($struct_get($struct_loc($self$1, + // 3)): Int)): Int) == + // ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), ($struct_get($struct_loc($self$1, + // 3)): Int)): Int) -- testsresourcesexamplesauction.vy.vpr@692.3--692.413 + assume ($map_get(($struct_get(($struct_loc($self$1, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc($self$1, 3): int)): int)): int) + ($struct_get(($struct_loc($self$1, 4): int)): int) + ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), ($struct_get(($struct_loc($self$1, 3): int)): int)): int) == ($map_get(($struct_get(($struct_loc($self$1, 11): int)): $MapDomainType int int), ($struct_get(($struct_loc($self$1, 3): int)): int)): int); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // q$a != ($struct_get($struct_loc($self$1, 3)): Int) && + // q$a != ($struct_get($struct_loc($self$1, 0)): Int) ==> + // ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), q$a): Int) + + // ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), q$a): Int) == + // ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), q$a): Int)) -- testsresourcesexamplesauction.vy.vpr@693.3--693.532 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> q$a != ($struct_get($struct_loc($self$1, 3)): Int) && q$a != ($struct_get($struct_loc($self$1, 0)): Int) ==> ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), q$a): Int) + ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), q$a): Int) == ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), q$a): Int)) + if (*) { + assume false; + } + assume (forall q$a_10: int :: + { ($map_get(($struct_get(($struct_loc($self$1, 11): int)): $MapDomainType int int), q$a_10): int) } + 0 <= q$a_10 && q$a_10 <= 1461501637330902918203684832716283019655932542975 ==> q$a_10 != ($struct_get(($struct_loc($self$1, 3): int)): int) && q$a_10 != ($struct_get(($struct_loc($self$1, 0): int)): int) ==> ($map_get(($struct_get(($struct_loc($self$1, 10): int)): $MapDomainType int int), q$a_10): int) + ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), q$a_10): int) == ($map_get(($struct_get(($struct_loc($self$1, 11): int)): $MapDomainType int int), q$a_10): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), 0): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@694.3--694.90 + assume ($map_get(($struct_get(($struct_loc($self$1, 10): int)): $MapDomainType int int), 0): int) == 0; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), q$a): Int) != + // 0 ==> + // ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), q$a): Int) != + // 0) -- testsresourcesexamplesauction.vy.vpr@695.3--695.353 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), q$a): Int) != 0 ==> ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), q$a): Int) != 0) + if (*) { + assume false; + } + assume (forall q$a_12: int :: + { ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), q$a_12): int) } + 0 <= q$a_12 && q$a_12 <= 1461501637330902918203684832716283019655932542975 ==> ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), q$a_12): int) != 0 ==> ($map_get(($struct_get(($struct_loc($self$1, 11): int)): $MapDomainType int int), q$a_12): int) != 0 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // q$a != ($struct_get($struct_loc($self$1, 0)): Int) && + // ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), q$a): Int) == + // 0 ==> + // ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), q$a): Int) == + // 0) -- testsresourcesexamplesauction.vy.vpr@696.3--696.409 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> q$a != ($struct_get($struct_loc($self$1, 0)): Int) && ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), q$a): Int) == 0 ==> ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), q$a): Int) == 0) + if (*) { + assume false; + } + assume (forall q$a_14: int :: + { ($map_get(($struct_get(($struct_loc($self$1, 11): int)): $MapDomainType int int), q$a_14): int) } + 0 <= q$a_14 && q$a_14 <= 1461501637330902918203684832716283019655932542975 ==> q$a_14 != ($struct_get(($struct_loc($self$1, 0): int)): int) && ($map_get(($struct_get(($struct_loc($self$1, 11): int)): $MapDomainType int int), q$a_14): int) == 0 ==> ($map_get(($struct_get(($struct_loc($self$1, 10): int)): $MapDomainType int int), q$a_14): int) == 0 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale true && + // (forall q$a: Int, q$v: Int :: + // { $accessible$withdraw(18, q$a, q$v) } + // 0 <= q$a && + // (q$a <= 1461501637330902918203684832716283019655932542975 && + // (0 <= q$v && + // q$v <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 && + // q$v == + // ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), q$a): Int))) ==> + // acc($accessible$withdraw(18, q$a, q$v), write)) -- testsresourcesexamplesauction.vy.vpr@697.3--697.397 + + // -- Check definedness of (forall q$a: Int, q$v: Int :: { $accessible$withdraw(18, q$a, q$v) } 0 <= q$a && (q$a <= 1461501637330902918203684832716283019655932542975 && (0 <= q$v && q$v <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 && q$v == ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), q$a): Int))) ==> acc($accessible$withdraw(18, q$a, q$v), write)) + if (*) { + assume false; + } + havoc QPMask; + + // -- check if receiver acc($accessible$withdraw(18, q$a, q$v), write) is injective + assert {:msg " Inhale might fail. Quantified resource $accessible$withdraw(18, q$a, q$v) might not be injective. (testsresourcesexamplesauction.vy.vpr@697.10--697.397) [204]"} + (forall q$a_16: int, q$v_4: int, q$a_16_1: int, q$v_4_1: int :: + { neverTriggered4(q$a_16, q$v_4), neverTriggered4(q$a_16_1, q$v_4_1) } + ((((q$a_16 != q$a_16_1 && q$v_4 != q$v_4_1) && (0 <= q$a_16 && (q$a_16 <= 1461501637330902918203684832716283019655932542975 && ((0 <= q$v_4 && q$v_4 <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && q$v_4 == ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), q$a_16): int))))) && (0 <= q$a_16_1 && (q$a_16_1 <= 1461501637330902918203684832716283019655932542975 && ((0 <= q$v_4_1 && q$v_4_1 <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && q$v_4_1 == ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), q$a_16_1): int))))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> q$a_16 != q$a_16_1 || q$v_4 != q$v_4_1 + ); + + // -- Define Inverse Function + assume (forall q$a_16: int, q$v_4: int :: + { Heap[null, $accessible$withdraw(18, q$a_16, q$v_4)] } { Mask[null, $accessible$withdraw(18, q$a_16, q$v_4)] } { Heap[null, $accessible$withdraw(18, q$a_16, q$v_4)] } + (0 <= q$a_16 && (q$a_16 <= 1461501637330902918203684832716283019655932542975 && ((0 <= q$v_4 && q$v_4 <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && q$v_4 == ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), q$a_16): int)))) && NoPerm < FullPerm ==> (invRecv3(18, q$a_16, q$v_4) == q$a_16 && invRecv4(18, q$a_16, q$v_4) == q$v_4) && qpRange4(18, q$a_16, q$v_4) + ); + assume (forall $tag_1: int, $to_1: int, $amount_1: int :: + { invRecv3($tag_1, $to_1, $amount_1), invRecv4($tag_1, $to_1, $amount_1) } + ((0 <= invRecv3($tag_1, $to_1, $amount_1) && (invRecv3($tag_1, $to_1, $amount_1) <= 1461501637330902918203684832716283019655932542975 && ((0 <= invRecv4($tag_1, $to_1, $amount_1) && invRecv4($tag_1, $to_1, $amount_1) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && invRecv4($tag_1, $to_1, $amount_1) == ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), invRecv3($tag_1, $to_1, $amount_1)): int)))) && NoPerm < FullPerm) && qpRange4($tag_1, $to_1, $amount_1) ==> (18 == $tag_1 && invRecv3($tag_1, $to_1, $amount_1) == $to_1) && invRecv4($tag_1, $to_1, $amount_1) == $amount_1 + ); + + // -- Define updated permissions + assume (forall $tag_1: int, $to_1: int, $amount_1: int :: + { QPMask[null, $accessible$withdraw($tag_1, $to_1, $amount_1)] } + ((0 <= invRecv3($tag_1, $to_1, $amount_1) && (invRecv3($tag_1, $to_1, $amount_1) <= 1461501637330902918203684832716283019655932542975 && ((0 <= invRecv4($tag_1, $to_1, $amount_1) && invRecv4($tag_1, $to_1, $amount_1) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && invRecv4($tag_1, $to_1, $amount_1) == ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), invRecv3($tag_1, $to_1, $amount_1)): int)))) && NoPerm < FullPerm) && qpRange4($tag_1, $to_1, $amount_1) ==> (NoPerm < FullPerm ==> (18 == $tag_1 && invRecv3($tag_1, $to_1, $amount_1) == $to_1) && invRecv4($tag_1, $to_1, $amount_1) == $amount_1) && QPMask[null, $accessible$withdraw($tag_1, $to_1, $amount_1)] == Mask[null, $accessible$withdraw($tag_1, $to_1, $amount_1)] + FullPerm + ); + + // -- Define independent locations + assume (forall o_4: Ref, f_6: (Field A B) :: + { Mask[o_4, f_6] } { QPMask[o_4, f_6] } + (o_4 != null || !IsPredicateField(f_6)) || getPredicateId(f_6) != 24 ==> Mask[o_4, f_6] == QPMask[o_4, f_6] + ); + assume (forall $tag_1: int, $to_1: int, $amount_1: int :: + { QPMask[null, $accessible$withdraw($tag_1, $to_1, $amount_1)] } + !(((0 <= invRecv3($tag_1, $to_1, $amount_1) && (invRecv3($tag_1, $to_1, $amount_1) <= 1461501637330902918203684832716283019655932542975 && ((0 <= invRecv4($tag_1, $to_1, $amount_1) && invRecv4($tag_1, $to_1, $amount_1) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && invRecv4($tag_1, $to_1, $amount_1) == ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), invRecv3($tag_1, $to_1, $amount_1)): int)))) && NoPerm < FullPerm) && qpRange4($tag_1, $to_1, $amount_1)) ==> QPMask[null, $accessible$withdraw($tag_1, $to_1, $amount_1)] == Mask[null, $accessible$withdraw($tag_1, $to_1, $amount_1)] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $a: Int :: + // { ($map_get(($struct_get($struct_loc($self$2, 10)): $Map[Int, Int]), $a): Int) } + // ($map_get(($struct_get($struct_loc($self$2, 10)): $Map[Int, Int]), $a): Int) >= + // ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), $a): Int)) -- testsresourcesexamplesauction.vy.vpr@698.3--698.267 + + // -- Check definedness of (forall $a: Int :: { ($map_get(($struct_get($struct_loc($self$2, 10)): $Map[Int, Int]), $a): Int) } ($map_get(($struct_get($struct_loc($self$2, 10)): $Map[Int, Int]), $a): Int) >= ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), $a): Int)) + if (*) { + assume false; + } + assume (forall $a_5: int :: + { ($map_get(($struct_get(($struct_loc($self$2, 10): int)): $MapDomainType int int), $a_5): int) } + ($map_get(($struct_get(($struct_loc($self$2, 10): int)): $MapDomainType int int), $a_5): int) >= ($map_get(($struct_get(($struct_loc($self$1, 10): int)): $MapDomainType int int), $a_5): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc($self$2, 3)): Int) == 0 ==> + // ($struct_get($struct_loc($self$2, 4)): Int) == 0 -- testsresourcesexamplesauction.vy.vpr@699.3--699.111 + if (($struct_get(($struct_loc($self$2, 3): int)): int) == 0) { + assume ($struct_get(($struct_loc($self$2, 4): int)): int) == 0; + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc($self$2, 0)): Int) == + // ($struct_get($struct_loc($self$1, 0)): Int) -- testsresourcesexamplesauction.vy.vpr@700.3--700.100 + assume ($struct_get(($struct_loc($self$2, 0): int)): int) == ($struct_get(($struct_loc($self$1, 0): int)): int); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc($self$1, 5)): Bool) ==> + // ($struct_get($struct_loc($self$2, 5)): Bool) -- testsresourcesexamplesauction.vy.vpr@701.3--701.103 + if (($struct_get(($struct_loc($self$1, 5): int)): bool)) { + assume ($struct_get(($struct_loc($self$2, 5): int)): bool); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale !($struct_get($struct_loc($self$2, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc($self$2, 6)): $Map[Int, Int])): Int) + + // ($struct_get($struct_loc($self$2, 4)): Int) <= + // ($struct_get($struct_loc($self$2, 7)): Int) -- testsresourcesexamplesauction.vy.vpr@702.3--702.224 + if (!($struct_get(($struct_loc($self$2, 5): int)): bool)) { + assume ($map_sum(($struct_get(($struct_loc($self$2, 6): int)): $MapDomainType int int)): int) + ($struct_get(($struct_loc($self$2, 4): int)): int) <= ($struct_get(($struct_loc($self$2, 7): int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale !($struct_get($struct_loc($self$2, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc($self$2, 6)): $Map[Int, Int])): Int) + + // ($struct_get($struct_loc($self$2, 4)): Int) == + // ($map_sum(($struct_get($struct_loc($self$2, 11)): $Map[Int, Int])): Int) - + // ($map_sum(($struct_get($struct_loc($self$2, 10)): $Map[Int, Int])): Int) -- testsresourcesexamplesauction.vy.vpr@703.3--703.328 + if (!($struct_get(($struct_loc($self$2, 5): int)): bool)) { + assume ($map_sum(($struct_get(($struct_loc($self$2, 6): int)): $MapDomainType int int)): int) + ($struct_get(($struct_loc($self$2, 4): int)): int) == ($map_sum(($struct_get(($struct_loc($self$2, 11): int)): $MapDomainType int int)): int) - ($map_sum(($struct_get(($struct_loc($self$2, 10): int)): $MapDomainType int int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc($self$2, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc($self$2, 6)): $Map[Int, Int])): Int) <= + // ($struct_get($struct_loc($self$2, 7)): Int) -- testsresourcesexamplesauction.vy.vpr@704.3--704.177 + if (($struct_get(($struct_loc($self$2, 5): int)): bool)) { + assume ($map_sum(($struct_get(($struct_loc($self$2, 6): int)): $MapDomainType int int)): int) <= ($struct_get(($struct_loc($self$2, 7): int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc($self$2, 4)): Int) >= + // ($struct_get($struct_loc($self$1, 4)): Int) -- testsresourcesexamplesauction.vy.vpr@705.3--705.100 + assume ($struct_get(($struct_loc($self$2, 4): int)): int) >= ($struct_get(($struct_loc($self$1, 4): int)): int); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc($self$1, 5)): Bool) ==> + // ($struct_get($struct_loc($self$2, 4)): Int) == + // ($struct_get($struct_loc($self$1, 4)): Int) && + // ($struct_get($struct_loc($self$2, 3)): Int) == + // ($struct_get($struct_loc($self$1, 3)): Int) -- testsresourcesexamplesauction.vy.vpr@706.3--706.243 + if (($struct_get(($struct_loc($self$1, 5): int)): bool)) { + assume ($struct_get(($struct_loc($self$2, 4): int)): int) == ($struct_get(($struct_loc($self$1, 4): int)): int); + assume ($struct_get(($struct_loc($self$2, 3): int)): int) == ($struct_get(($struct_loc($self$1, 3): int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc($self$2, 0)): Int) != 0 -- testsresourcesexamplesauction.vy.vpr@707.3--707.58 + assume ($struct_get(($struct_loc($self$2, 0): int)): int) != 0; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc($self$2, 3)): Int) != + // ($struct_get($struct_loc($self$2, 0)): Int) -- testsresourcesexamplesauction.vy.vpr@708.3--708.100 + assume ($struct_get(($struct_loc($self$2, 3): int)): int) != ($struct_get(($struct_loc($self$2, 0): int)): int); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($map_get(($struct_get($struct_loc($self$2, 6)): $Map[Int, Int]), ($struct_get($struct_loc($self$2, + // 0)): Int)): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@709.3--709.131 + assume ($map_get(($struct_get(($struct_loc($self$2, 6): int)): $MapDomainType int int), ($struct_get(($struct_loc($self$2, 0): int)): int)): int) == 0; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale !($struct_get($struct_loc($self$2, 5)): Bool) ==> + // ($map_get(($struct_get($struct_loc($self$2, 10)): $Map[Int, Int]), ($struct_get($struct_loc($self$2, + // 0)): Int)): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@710.3--710.182 + if (!($struct_get(($struct_loc($self$2, 5): int)): bool)) { + assume ($map_get(($struct_get(($struct_loc($self$2, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc($self$2, 0): int)): int)): int) == 0; + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc($self$2, 5)): Bool) ==> + // ($map_get(($struct_get($struct_loc($self$2, 10)): $Map[Int, Int]), ($struct_get($struct_loc($self$2, + // 0)): Int)): Int) == + // ($struct_get($struct_loc($self$2, 4)): Int) -- testsresourcesexamplesauction.vy.vpr@711.3--711.223 + if (($struct_get(($struct_loc($self$2, 5): int)): bool)) { + assume ($map_get(($struct_get(($struct_loc($self$2, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc($self$2, 0): int)): int)): int) == ($struct_get(($struct_loc($self$2, 4): int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($map_get(($struct_get($struct_loc($self$2, 10)): $Map[Int, Int]), ($struct_get($struct_loc($self$2, + // 3)): Int)): Int) + + // ($struct_get($struct_loc($self$2, 4)): Int) + + // ($map_get(($struct_get($struct_loc($self$2, 6)): $Map[Int, Int]), ($struct_get($struct_loc($self$2, + // 3)): Int)): Int) == + // ($map_get(($struct_get($struct_loc($self$2, 11)): $Map[Int, Int]), ($struct_get($struct_loc($self$2, + // 3)): Int)): Int) -- testsresourcesexamplesauction.vy.vpr@712.3--712.413 + assume ($map_get(($struct_get(($struct_loc($self$2, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc($self$2, 3): int)): int)): int) + ($struct_get(($struct_loc($self$2, 4): int)): int) + ($map_get(($struct_get(($struct_loc($self$2, 6): int)): $MapDomainType int int), ($struct_get(($struct_loc($self$2, 3): int)): int)): int) == ($map_get(($struct_get(($struct_loc($self$2, 11): int)): $MapDomainType int int), ($struct_get(($struct_loc($self$2, 3): int)): int)): int); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc($self$2, 11)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // q$a != ($struct_get($struct_loc($self$2, 3)): Int) && + // q$a != ($struct_get($struct_loc($self$2, 0)): Int) ==> + // ($map_get(($struct_get($struct_loc($self$2, 10)): $Map[Int, Int]), q$a): Int) + + // ($map_get(($struct_get($struct_loc($self$2, 6)): $Map[Int, Int]), q$a): Int) == + // ($map_get(($struct_get($struct_loc($self$2, 11)): $Map[Int, Int]), q$a): Int)) -- testsresourcesexamplesauction.vy.vpr@713.3--713.532 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc($self$2, 11)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> q$a != ($struct_get($struct_loc($self$2, 3)): Int) && q$a != ($struct_get($struct_loc($self$2, 0)): Int) ==> ($map_get(($struct_get($struct_loc($self$2, 10)): $Map[Int, Int]), q$a): Int) + ($map_get(($struct_get($struct_loc($self$2, 6)): $Map[Int, Int]), q$a): Int) == ($map_get(($struct_get($struct_loc($self$2, 11)): $Map[Int, Int]), q$a): Int)) + if (*) { + assume false; + } + assume (forall q$a_19: int :: + { ($map_get(($struct_get(($struct_loc($self$2, 11): int)): $MapDomainType int int), q$a_19): int) } + 0 <= q$a_19 && q$a_19 <= 1461501637330902918203684832716283019655932542975 ==> q$a_19 != ($struct_get(($struct_loc($self$2, 3): int)): int) && q$a_19 != ($struct_get(($struct_loc($self$2, 0): int)): int) ==> ($map_get(($struct_get(($struct_loc($self$2, 10): int)): $MapDomainType int int), q$a_19): int) + ($map_get(($struct_get(($struct_loc($self$2, 6): int)): $MapDomainType int int), q$a_19): int) == ($map_get(($struct_get(($struct_loc($self$2, 11): int)): $MapDomainType int int), q$a_19): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($map_get(($struct_get($struct_loc($self$2, 10)): $Map[Int, Int]), 0): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@714.3--714.90 + assume ($map_get(($struct_get(($struct_loc($self$2, 10): int)): $MapDomainType int int), 0): int) == 0; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc($self$2, 6)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // ($map_get(($struct_get($struct_loc($self$2, 6)): $Map[Int, Int]), q$a): Int) != + // 0 ==> + // ($map_get(($struct_get($struct_loc($self$2, 11)): $Map[Int, Int]), q$a): Int) != + // 0) -- testsresourcesexamplesauction.vy.vpr@715.3--715.353 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc($self$2, 6)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> ($map_get(($struct_get($struct_loc($self$2, 6)): $Map[Int, Int]), q$a): Int) != 0 ==> ($map_get(($struct_get($struct_loc($self$2, 11)): $Map[Int, Int]), q$a): Int) != 0) + if (*) { + assume false; + } + assume (forall q$a_21: int :: + { ($map_get(($struct_get(($struct_loc($self$2, 6): int)): $MapDomainType int int), q$a_21): int) } + 0 <= q$a_21 && q$a_21 <= 1461501637330902918203684832716283019655932542975 ==> ($map_get(($struct_get(($struct_loc($self$2, 6): int)): $MapDomainType int int), q$a_21): int) != 0 ==> ($map_get(($struct_get(($struct_loc($self$2, 11): int)): $MapDomainType int int), q$a_21): int) != 0 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc($self$2, 11)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // q$a != ($struct_get($struct_loc($self$2, 0)): Int) && + // ($map_get(($struct_get($struct_loc($self$2, 11)): $Map[Int, Int]), q$a): Int) == + // 0 ==> + // ($map_get(($struct_get($struct_loc($self$2, 10)): $Map[Int, Int]), q$a): Int) == + // 0) -- testsresourcesexamplesauction.vy.vpr@716.3--716.409 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc($self$2, 11)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> q$a != ($struct_get($struct_loc($self$2, 0)): Int) && ($map_get(($struct_get($struct_loc($self$2, 11)): $Map[Int, Int]), q$a): Int) == 0 ==> ($map_get(($struct_get($struct_loc($self$2, 10)): $Map[Int, Int]), q$a): Int) == 0) + if (*) { + assume false; + } + assume (forall q$a_23: int :: + { ($map_get(($struct_get(($struct_loc($self$2, 11): int)): $MapDomainType int int), q$a_23): int) } + 0 <= q$a_23 && q$a_23 <= 1461501637330902918203684832716283019655932542975 ==> q$a_23 != ($struct_get(($struct_loc($self$2, 0): int)): int) && ($map_get(($struct_get(($struct_loc($self$2, 11): int)): $MapDomainType int int), q$a_23): int) == 0 ==> ($map_get(($struct_get(($struct_loc($self$2, 10): int)): $MapDomainType int int), q$a_23): int) == 0 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale true && + // (forall q$a: Int, q$v: Int :: + // { $accessible$withdraw(18, q$a, q$v) } + // 0 <= q$a && + // (q$a <= 1461501637330902918203684832716283019655932542975 && + // (0 <= q$v && + // q$v <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 && + // q$v == + // ($map_get(($struct_get($struct_loc($self$2, 6)): $Map[Int, Int]), q$a): Int))) ==> + // acc($accessible$withdraw(18, q$a, q$v), write)) -- testsresourcesexamplesauction.vy.vpr@717.3--717.397 + + // -- Check definedness of (forall q$a: Int, q$v: Int :: { $accessible$withdraw(18, q$a, q$v) } 0 <= q$a && (q$a <= 1461501637330902918203684832716283019655932542975 && (0 <= q$v && q$v <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 && q$v == ($map_get(($struct_get($struct_loc($self$2, 6)): $Map[Int, Int]), q$a): Int))) ==> acc($accessible$withdraw(18, q$a, q$v), write)) + if (*) { + assume false; + } + havoc QPMask; + + // -- check if receiver acc($accessible$withdraw(18, q$a, q$v), write) is injective + assert {:msg " Inhale might fail. Quantified resource $accessible$withdraw(18, q$a, q$v) might not be injective. (testsresourcesexamplesauction.vy.vpr@717.10--717.397) [205]"} + (forall q$a_25: int, q$v_7: int, q$a_25_1: int, q$v_7_1: int :: + { neverTriggered6(q$a_25, q$v_7), neverTriggered6(q$a_25_1, q$v_7_1) } + ((((q$a_25 != q$a_25_1 && q$v_7 != q$v_7_1) && (0 <= q$a_25 && (q$a_25 <= 1461501637330902918203684832716283019655932542975 && ((0 <= q$v_7 && q$v_7 <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && q$v_7 == ($map_get(($struct_get(($struct_loc($self$2, 6): int)): $MapDomainType int int), q$a_25): int))))) && (0 <= q$a_25_1 && (q$a_25_1 <= 1461501637330902918203684832716283019655932542975 && ((0 <= q$v_7_1 && q$v_7_1 <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && q$v_7_1 == ($map_get(($struct_get(($struct_loc($self$2, 6): int)): $MapDomainType int int), q$a_25_1): int))))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> q$a_25 != q$a_25_1 || q$v_7 != q$v_7_1 + ); + + // -- Define Inverse Function + assume (forall q$a_25: int, q$v_7: int :: + { Heap[null, $accessible$withdraw(18, q$a_25, q$v_7)] } { Mask[null, $accessible$withdraw(18, q$a_25, q$v_7)] } { Heap[null, $accessible$withdraw(18, q$a_25, q$v_7)] } + (0 <= q$a_25 && (q$a_25 <= 1461501637330902918203684832716283019655932542975 && ((0 <= q$v_7 && q$v_7 <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && q$v_7 == ($map_get(($struct_get(($struct_loc($self$2, 6): int)): $MapDomainType int int), q$a_25): int)))) && NoPerm < FullPerm ==> (invRecv5(18, q$a_25, q$v_7) == q$a_25 && invRecv6(18, q$a_25, q$v_7) == q$v_7) && qpRange6(18, q$a_25, q$v_7) + ); + assume (forall $tag_2: int, $to_2: int, $amount_2: int :: + { invRecv5($tag_2, $to_2, $amount_2), invRecv6($tag_2, $to_2, $amount_2) } + ((0 <= invRecv5($tag_2, $to_2, $amount_2) && (invRecv5($tag_2, $to_2, $amount_2) <= 1461501637330902918203684832716283019655932542975 && ((0 <= invRecv6($tag_2, $to_2, $amount_2) && invRecv6($tag_2, $to_2, $amount_2) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && invRecv6($tag_2, $to_2, $amount_2) == ($map_get(($struct_get(($struct_loc($self$2, 6): int)): $MapDomainType int int), invRecv5($tag_2, $to_2, $amount_2)): int)))) && NoPerm < FullPerm) && qpRange6($tag_2, $to_2, $amount_2) ==> (18 == $tag_2 && invRecv5($tag_2, $to_2, $amount_2) == $to_2) && invRecv6($tag_2, $to_2, $amount_2) == $amount_2 + ); + + // -- Define updated permissions + assume (forall $tag_2: int, $to_2: int, $amount_2: int :: + { QPMask[null, $accessible$withdraw($tag_2, $to_2, $amount_2)] } + ((0 <= invRecv5($tag_2, $to_2, $amount_2) && (invRecv5($tag_2, $to_2, $amount_2) <= 1461501637330902918203684832716283019655932542975 && ((0 <= invRecv6($tag_2, $to_2, $amount_2) && invRecv6($tag_2, $to_2, $amount_2) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && invRecv6($tag_2, $to_2, $amount_2) == ($map_get(($struct_get(($struct_loc($self$2, 6): int)): $MapDomainType int int), invRecv5($tag_2, $to_2, $amount_2)): int)))) && NoPerm < FullPerm) && qpRange6($tag_2, $to_2, $amount_2) ==> (NoPerm < FullPerm ==> (18 == $tag_2 && invRecv5($tag_2, $to_2, $amount_2) == $to_2) && invRecv6($tag_2, $to_2, $amount_2) == $amount_2) && QPMask[null, $accessible$withdraw($tag_2, $to_2, $amount_2)] == Mask[null, $accessible$withdraw($tag_2, $to_2, $amount_2)] + FullPerm + ); + + // -- Define independent locations + assume (forall o_4: Ref, f_6: (Field A B) :: + { Mask[o_4, f_6] } { QPMask[o_4, f_6] } + (o_4 != null || !IsPredicateField(f_6)) || getPredicateId(f_6) != 24 ==> Mask[o_4, f_6] == QPMask[o_4, f_6] + ); + assume (forall $tag_2: int, $to_2: int, $amount_2: int :: + { QPMask[null, $accessible$withdraw($tag_2, $to_2, $amount_2)] } + !(((0 <= invRecv5($tag_2, $to_2, $amount_2) && (invRecv5($tag_2, $to_2, $amount_2) <= 1461501637330902918203684832716283019655932542975 && ((0 <= invRecv6($tag_2, $to_2, $amount_2) && invRecv6($tag_2, $to_2, $amount_2) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && invRecv6($tag_2, $to_2, $amount_2) == ($map_get(($struct_get(($struct_loc($self$2, 6): int)): $MapDomainType int int), invRecv5($tag_2, $to_2, $amount_2)): int)))) && NoPerm < FullPerm) && qpRange6($tag_2, $to_2, $amount_2)) ==> QPMask[null, $accessible$withdraw($tag_2, $to_2, $amount_2)] == Mask[null, $accessible$withdraw($tag_2, $to_2, $amount_2)] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: assert ($struct_get($struct_loc($self$2, 3)): Int) == 0 ==> + // ($struct_get($struct_loc($self$2, 4)): Int) == 0 -- testsresourcesexamplesauction.vy.vpr@718.3--718.111 + if (($struct_get(($struct_loc($self$2, 3): int)): int) == 0) { + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc($self$2, 4)): Int) == 0 might not hold. (testsresourcesexamplesauction.vy.vpr@718.10--718.111) [206]"} + ($struct_get(($struct_loc($self$2, 4): int)): int) == 0; + } + assume state(Heap, Mask); + + // -- Translating statement: assert ($struct_get($struct_loc($self$2, 0)): Int) == + // ($struct_get($struct_loc($self$0, 0)): Int) -- testsresourcesexamplesauction.vy.vpr@719.3--719.100 + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc($self$2, 0)): Int) == ($struct_get($struct_loc($self$0, 0)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@719.10--719.100) [207]"} + ($struct_get(($struct_loc($self$2, 0): int)): int) == ($struct_get(($struct_loc($self$0, 0): int)): int); + assume state(Heap, Mask); + + // -- Translating statement: assert ($struct_get($struct_loc($self$0, 5)): Bool) ==> + // ($struct_get($struct_loc($self$2, 5)): Bool) -- testsresourcesexamplesauction.vy.vpr@720.3--720.103 + if (($struct_get(($struct_loc($self$0, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc($self$2, 5)): Bool) might not hold. (testsresourcesexamplesauction.vy.vpr@720.10--720.103) [208]"} + ($struct_get(($struct_loc($self$2, 5): int)): bool); + } + assume state(Heap, Mask); + + // -- Translating statement: assert !($struct_get($struct_loc($self$2, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc($self$2, 6)): $Map[Int, Int])): Int) + + // ($struct_get($struct_loc($self$2, 4)): Int) <= + // ($struct_get($struct_loc($self$2, 7)): Int) -- testsresourcesexamplesauction.vy.vpr@721.3--721.224 + if (!($struct_get(($struct_loc($self$2, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($map_sum(($struct_get($struct_loc($self$2, 6)): $Map[Int, Int])): Int) + ($struct_get($struct_loc($self$2, 4)): Int) <= ($struct_get($struct_loc($self$2, 7)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@721.10--721.224) [209]"} + ($map_sum(($struct_get(($struct_loc($self$2, 6): int)): $MapDomainType int int)): int) + ($struct_get(($struct_loc($self$2, 4): int)): int) <= ($struct_get(($struct_loc($self$2, 7): int)): int); + } + assume state(Heap, Mask); + + // -- Translating statement: assert !($struct_get($struct_loc($self$2, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc($self$2, 6)): $Map[Int, Int])): Int) + + // ($struct_get($struct_loc($self$2, 4)): Int) == + // ($map_sum(($struct_get($struct_loc($self$2, 11)): $Map[Int, Int])): Int) - + // ($map_sum(($struct_get($struct_loc($self$2, 10)): $Map[Int, Int])): Int) -- testsresourcesexamplesauction.vy.vpr@722.3--722.328 + if (!($struct_get(($struct_loc($self$2, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($map_sum(($struct_get($struct_loc($self$2, 6)): $Map[Int, Int])): Int) + ($struct_get($struct_loc($self$2, 4)): Int) == ($map_sum(($struct_get($struct_loc($self$2, 11)): $Map[Int, Int])): Int) - ($map_sum(($struct_get($struct_loc($self$2, 10)): $Map[Int, Int])): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@722.10--722.328) [210]"} + ($map_sum(($struct_get(($struct_loc($self$2, 6): int)): $MapDomainType int int)): int) + ($struct_get(($struct_loc($self$2, 4): int)): int) == ($map_sum(($struct_get(($struct_loc($self$2, 11): int)): $MapDomainType int int)): int) - ($map_sum(($struct_get(($struct_loc($self$2, 10): int)): $MapDomainType int int)): int); + } + assume state(Heap, Mask); + + // -- Translating statement: assert ($struct_get($struct_loc($self$2, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc($self$2, 6)): $Map[Int, Int])): Int) <= + // ($struct_get($struct_loc($self$2, 7)): Int) -- testsresourcesexamplesauction.vy.vpr@723.3--723.177 + if (($struct_get(($struct_loc($self$2, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($map_sum(($struct_get($struct_loc($self$2, 6)): $Map[Int, Int])): Int) <= ($struct_get($struct_loc($self$2, 7)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@723.10--723.177) [211]"} + ($map_sum(($struct_get(($struct_loc($self$2, 6): int)): $MapDomainType int int)): int) <= ($struct_get(($struct_loc($self$2, 7): int)): int); + } + assume state(Heap, Mask); + + // -- Translating statement: assert ($struct_get($struct_loc($self$2, 4)): Int) >= + // ($struct_get($struct_loc($self$0, 4)): Int) -- testsresourcesexamplesauction.vy.vpr@724.3--724.100 + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc($self$2, 4)): Int) >= ($struct_get($struct_loc($self$0, 4)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@724.10--724.100) [212]"} + ($struct_get(($struct_loc($self$2, 4): int)): int) >= ($struct_get(($struct_loc($self$0, 4): int)): int); + assume state(Heap, Mask); + + // -- Translating statement: assert ($struct_get($struct_loc($self$0, 5)): Bool) ==> + // ($struct_get($struct_loc($self$2, 4)): Int) == + // ($struct_get($struct_loc($self$0, 4)): Int) && + // ($struct_get($struct_loc($self$2, 3)): Int) == + // ($struct_get($struct_loc($self$0, 3)): Int) -- testsresourcesexamplesauction.vy.vpr@725.3--725.243 + if (($struct_get(($struct_loc($self$0, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc($self$2, 4)): Int) == ($struct_get($struct_loc($self$0, 4)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@725.10--725.243) [213]"} + ($struct_get(($struct_loc($self$2, 4): int)): int) == ($struct_get(($struct_loc($self$0, 4): int)): int); + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc($self$2, 3)): Int) == ($struct_get($struct_loc($self$0, 3)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@725.10--725.243) [214]"} + ($struct_get(($struct_loc($self$2, 3): int)): int) == ($struct_get(($struct_loc($self$0, 3): int)): int); + } + assume state(Heap, Mask); + + // -- Translating statement: assert ($struct_get($struct_loc($self$2, 0)): Int) != 0 -- testsresourcesexamplesauction.vy.vpr@726.3--726.58 + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc($self$2, 0)): Int) != 0 might not hold. (testsresourcesexamplesauction.vy.vpr@726.10--726.58) [215]"} + ($struct_get(($struct_loc($self$2, 0): int)): int) != 0; + assume state(Heap, Mask); + + // -- Translating statement: assert ($struct_get($struct_loc($self$2, 3)): Int) != + // ($struct_get($struct_loc($self$2, 0)): Int) -- testsresourcesexamplesauction.vy.vpr@727.3--727.100 + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc($self$2, 3)): Int) != ($struct_get($struct_loc($self$2, 0)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@727.10--727.100) [216]"} + ($struct_get(($struct_loc($self$2, 3): int)): int) != ($struct_get(($struct_loc($self$2, 0): int)): int); + assume state(Heap, Mask); + + // -- Translating statement: assert ($map_get(($struct_get($struct_loc($self$2, 6)): $Map[Int, Int]), ($struct_get($struct_loc($self$2, + // 0)): Int)): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@728.3--728.131 + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc($self$2, 6)): $Map[Int, Int]), ($struct_get($struct_loc($self$2, 0)): Int)): Int) == 0 might not hold. (testsresourcesexamplesauction.vy.vpr@728.10--728.131) [217]"} + ($map_get(($struct_get(($struct_loc($self$2, 6): int)): $MapDomainType int int), ($struct_get(($struct_loc($self$2, 0): int)): int)): int) == 0; + assume state(Heap, Mask); + + // -- Translating statement: assert !($struct_get($struct_loc($self$2, 5)): Bool) ==> + // ($map_get(($struct_get($struct_loc($self$2, 10)): $Map[Int, Int]), ($struct_get($struct_loc($self$2, + // 0)): Int)): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@729.3--729.182 + if (!($struct_get(($struct_loc($self$2, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc($self$2, 10)): $Map[Int, Int]), ($struct_get($struct_loc($self$2, 0)): Int)): Int) == 0 might not hold. (testsresourcesexamplesauction.vy.vpr@729.10--729.182) [218]"} + ($map_get(($struct_get(($struct_loc($self$2, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc($self$2, 0): int)): int)): int) == 0; + } + assume state(Heap, Mask); + + // -- Translating statement: assert ($struct_get($struct_loc($self$2, 5)): Bool) ==> + // ($map_get(($struct_get($struct_loc($self$2, 10)): $Map[Int, Int]), ($struct_get($struct_loc($self$2, + // 0)): Int)): Int) == + // ($struct_get($struct_loc($self$2, 4)): Int) -- testsresourcesexamplesauction.vy.vpr@730.3--730.223 + if (($struct_get(($struct_loc($self$2, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc($self$2, 10)): $Map[Int, Int]), ($struct_get($struct_loc($self$2, 0)): Int)): Int) == ($struct_get($struct_loc($self$2, 4)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@730.10--730.223) [219]"} + ($map_get(($struct_get(($struct_loc($self$2, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc($self$2, 0): int)): int)): int) == ($struct_get(($struct_loc($self$2, 4): int)): int); + } + assume state(Heap, Mask); + + // -- Translating statement: assert ($map_get(($struct_get($struct_loc($self$2, 10)): $Map[Int, Int]), ($struct_get($struct_loc($self$2, + // 3)): Int)): Int) + + // ($struct_get($struct_loc($self$2, 4)): Int) + + // ($map_get(($struct_get($struct_loc($self$2, 6)): $Map[Int, Int]), ($struct_get($struct_loc($self$2, + // 3)): Int)): Int) == + // ($map_get(($struct_get($struct_loc($self$2, 11)): $Map[Int, Int]), ($struct_get($struct_loc($self$2, + // 3)): Int)): Int) -- testsresourcesexamplesauction.vy.vpr@731.3--731.413 + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc($self$2, 10)): $Map[Int, Int]), ($struct_get($struct_loc($self$2, 3)): Int)): Int) + ($struct_get($struct_loc($self$2, 4)): Int) + ($map_get(($struct_get($struct_loc($self$2, 6)): $Map[Int, Int]), ($struct_get($struct_loc($self$2, 3)): Int)): Int) == ($map_get(($struct_get($struct_loc($self$2, 11)): $Map[Int, Int]), ($struct_get($struct_loc($self$2, 3)): Int)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@731.10--731.413) [220]"} + ($map_get(($struct_get(($struct_loc($self$2, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc($self$2, 3): int)): int)): int) + ($struct_get(($struct_loc($self$2, 4): int)): int) + ($map_get(($struct_get(($struct_loc($self$2, 6): int)): $MapDomainType int int), ($struct_get(($struct_loc($self$2, 3): int)): int)): int) == ($map_get(($struct_get(($struct_loc($self$2, 11): int)): $MapDomainType int int), ($struct_get(($struct_loc($self$2, 3): int)): int)): int); + assume state(Heap, Mask); + + // -- Translating statement: assert (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc($self$2, 11)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // q$a != ($struct_get($struct_loc($self$2, 3)): Int) && + // q$a != ($struct_get($struct_loc($self$2, 0)): Int) ==> + // ($map_get(($struct_get($struct_loc($self$2, 10)): $Map[Int, Int]), q$a): Int) + + // ($map_get(($struct_get($struct_loc($self$2, 6)): $Map[Int, Int]), q$a): Int) == + // ($map_get(($struct_get($struct_loc($self$2, 11)): $Map[Int, Int]), q$a): Int)) -- testsresourcesexamplesauction.vy.vpr@732.3--732.532 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc($self$2, 11)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> q$a != ($struct_get($struct_loc($self$2, 3)): Int) && q$a != ($struct_get($struct_loc($self$2, 0)): Int) ==> ($map_get(($struct_get($struct_loc($self$2, 10)): $Map[Int, Int]), q$a): Int) + ($map_get(($struct_get($struct_loc($self$2, 6)): $Map[Int, Int]), q$a): Int) == ($map_get(($struct_get($struct_loc($self$2, 11)): $Map[Int, Int]), q$a): Int)) + if (*) { + assume false; + } + if (*) { + if (0 <= q$a_28 && q$a_28 <= 1461501637330902918203684832716283019655932542975) { + if (q$a_28 != ($struct_get(($struct_loc($self$2, 3): int)): int) && q$a_28 != ($struct_get(($struct_loc($self$2, 0): int)): int)) { + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc($self$2, 10)): $Map[Int, Int]), q$a): Int) + ($map_get(($struct_get($struct_loc($self$2, 6)): $Map[Int, Int]), q$a): Int) == ($map_get(($struct_get($struct_loc($self$2, 11)): $Map[Int, Int]), q$a): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@732.11--732.531) [221]"} + ($map_get(($struct_get(($struct_loc($self$2, 10): int)): $MapDomainType int int), q$a_28): int) + ($map_get(($struct_get(($struct_loc($self$2, 6): int)): $MapDomainType int int), q$a_28): int) == ($map_get(($struct_get(($struct_loc($self$2, 11): int)): $MapDomainType int int), q$a_28): int); + } + } + assume false; + } + assume (forall q$a_29_1: int :: + { ($map_get(($struct_get(($struct_loc($self$2, 11): int)): $MapDomainType int int), q$a_29_1): int) } + 0 <= q$a_29_1 && q$a_29_1 <= 1461501637330902918203684832716283019655932542975 ==> q$a_29_1 != ($struct_get(($struct_loc($self$2, 3): int)): int) && q$a_29_1 != ($struct_get(($struct_loc($self$2, 0): int)): int) ==> ($map_get(($struct_get(($struct_loc($self$2, 10): int)): $MapDomainType int int), q$a_29_1): int) + ($map_get(($struct_get(($struct_loc($self$2, 6): int)): $MapDomainType int int), q$a_29_1): int) == ($map_get(($struct_get(($struct_loc($self$2, 11): int)): $MapDomainType int int), q$a_29_1): int) + ); + assume state(Heap, Mask); + + // -- Translating statement: assert ($map_get(($struct_get($struct_loc($self$2, 10)): $Map[Int, Int]), 0): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@733.3--733.90 + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc($self$2, 10)): $Map[Int, Int]), 0): Int) == 0 might not hold. (testsresourcesexamplesauction.vy.vpr@733.10--733.90) [222]"} + ($map_get(($struct_get(($struct_loc($self$2, 10): int)): $MapDomainType int int), 0): int) == 0; + assume state(Heap, Mask); + + // -- Translating statement: assert (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc($self$2, 6)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // ($map_get(($struct_get($struct_loc($self$2, 6)): $Map[Int, Int]), q$a): Int) != + // 0 ==> + // ($map_get(($struct_get($struct_loc($self$2, 11)): $Map[Int, Int]), q$a): Int) != + // 0) -- testsresourcesexamplesauction.vy.vpr@734.3--734.353 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc($self$2, 6)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> ($map_get(($struct_get($struct_loc($self$2, 6)): $Map[Int, Int]), q$a): Int) != 0 ==> ($map_get(($struct_get($struct_loc($self$2, 11)): $Map[Int, Int]), q$a): Int) != 0) + if (*) { + assume false; + } + if (*) { + if (0 <= q$a_31 && q$a_31 <= 1461501637330902918203684832716283019655932542975) { + if (($map_get(($struct_get(($struct_loc($self$2, 6): int)): $MapDomainType int int), q$a_31): int) != 0) { + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc($self$2, 11)): $Map[Int, Int]), q$a): Int) != 0 might not hold. (testsresourcesexamplesauction.vy.vpr@734.11--734.352) [223]"} + ($map_get(($struct_get(($struct_loc($self$2, 11): int)): $MapDomainType int int), q$a_31): int) != 0; + } + } + assume false; + } + assume (forall q$a_32_1: int :: + { ($map_get(($struct_get(($struct_loc($self$2, 6): int)): $MapDomainType int int), q$a_32_1): int) } + 0 <= q$a_32_1 && q$a_32_1 <= 1461501637330902918203684832716283019655932542975 ==> ($map_get(($struct_get(($struct_loc($self$2, 6): int)): $MapDomainType int int), q$a_32_1): int) != 0 ==> ($map_get(($struct_get(($struct_loc($self$2, 11): int)): $MapDomainType int int), q$a_32_1): int) != 0 + ); + assume state(Heap, Mask); + + // -- Translating statement: assert (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc($self$2, 11)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // q$a != ($struct_get($struct_loc($self$2, 0)): Int) && + // ($map_get(($struct_get($struct_loc($self$2, 11)): $Map[Int, Int]), q$a): Int) == + // 0 ==> + // ($map_get(($struct_get($struct_loc($self$2, 10)): $Map[Int, Int]), q$a): Int) == + // 0) -- testsresourcesexamplesauction.vy.vpr@735.3--735.409 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc($self$2, 11)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> q$a != ($struct_get($struct_loc($self$2, 0)): Int) && ($map_get(($struct_get($struct_loc($self$2, 11)): $Map[Int, Int]), q$a): Int) == 0 ==> ($map_get(($struct_get($struct_loc($self$2, 10)): $Map[Int, Int]), q$a): Int) == 0) + if (*) { + assume false; + } + if (*) { + if (0 <= q$a_34 && q$a_34 <= 1461501637330902918203684832716283019655932542975) { + if (q$a_34 != ($struct_get(($struct_loc($self$2, 0): int)): int) && ($map_get(($struct_get(($struct_loc($self$2, 11): int)): $MapDomainType int int), q$a_34): int) == 0) { + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc($self$2, 10)): $Map[Int, Int]), q$a): Int) == 0 might not hold. (testsresourcesexamplesauction.vy.vpr@735.11--735.408) [224]"} + ($map_get(($struct_get(($struct_loc($self$2, 10): int)): $MapDomainType int int), q$a_34): int) == 0; + } + } + assume false; + } + assume (forall q$a_35_1: int :: + { ($map_get(($struct_get(($struct_loc($self$2, 11): int)): $MapDomainType int int), q$a_35_1): int) } + 0 <= q$a_35_1 && q$a_35_1 <= 1461501637330902918203684832716283019655932542975 ==> q$a_35_1 != ($struct_get(($struct_loc($self$2, 0): int)): int) && ($map_get(($struct_get(($struct_loc($self$2, 11): int)): $MapDomainType int int), q$a_35_1): int) == 0 ==> ($map_get(($struct_get(($struct_loc($self$2, 10): int)): $MapDomainType int int), q$a_35_1): int) == 0 + ); + assume state(Heap, Mask); + + // -- Translating statement: assert true && + // (forall q$a: Int, q$v: Int :: + // { $accessible$withdraw(18, q$a, q$v) } + // 0 <= q$a && + // (q$a <= 1461501637330902918203684832716283019655932542975 && + // (0 <= q$v && + // q$v <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 && + // q$v == + // ($map_get(($struct_get($struct_loc($self$2, 6)): $Map[Int, Int]), q$a): Int))) ==> + // acc($accessible$withdraw(18, q$a, q$v), write)) -- testsresourcesexamplesauction.vy.vpr@736.3--736.397 + + // -- Check definedness of true && (forall q$a: Int, q$v: Int :: { $accessible$withdraw(18, q$a, q$v) } 0 <= q$a && (q$a <= 1461501637330902918203684832716283019655932542975 && (0 <= q$v && q$v <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 && q$v == ($map_get(($struct_get($struct_loc($self$2, 6)): $Map[Int, Int]), q$a): Int))) ==> acc($accessible$withdraw(18, q$a, q$v), write)) + if (*) { + assume false; + } + AssertHeap := Heap; + AssertMask := Mask; + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver acc($accessible$withdraw(18, q$a, q$v), write) is injective + assert {:msg " Assert might fail. Quantified resource $accessible$withdraw(18, q$a, q$v) might not be injective. (testsresourcesexamplesauction.vy.vpr@736.10--736.397) [227]"} + (forall q$a_36: int, q$v_9: int, q$a_36_1: int, q$v_9_1: int :: + { neverTriggered8(q$a_36, q$v_9), neverTriggered8(q$a_36_1, q$v_9_1) } + ((((q$a_36 != q$a_36_1 && q$v_9 != q$v_9_1) && (0 <= q$a_36 && (q$a_36 <= 1461501637330902918203684832716283019655932542975 && ((0 <= q$v_9 && q$v_9 <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && q$v_9 == ($map_get(($struct_get(($struct_loc($self$2, 6): int)): $MapDomainType int int), q$a_36): int))))) && (0 <= q$a_36_1 && (q$a_36_1 <= 1461501637330902918203684832716283019655932542975 && ((0 <= q$v_9_1 && q$v_9_1 <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && q$v_9_1 == ($map_get(($struct_get(($struct_loc($self$2, 6): int)): $MapDomainType int int), q$a_36_1): int))))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> q$a_36 != q$a_36_1 || q$v_9 != q$v_9_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Assert might fail. There might be insufficient permission to access $accessible$withdraw(18, q$a, q$v) (testsresourcesexamplesauction.vy.vpr@736.10--736.397) [228]"} + (forall q$a_36: int, q$v_9: int :: + { AssertHeap[null, $accessible$withdraw(18, q$a_36, q$v_9)] } { AssertMask[null, $accessible$withdraw(18, q$a_36, q$v_9)] } { AssertHeap[null, $accessible$withdraw(18, q$a_36, q$v_9)] } + 0 <= q$a_36 && (q$a_36 <= 1461501637330902918203684832716283019655932542975 && ((0 <= q$v_9 && q$v_9 <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && q$v_9 == ($map_get(($struct_get(($struct_loc($self$2, 6): int)): $MapDomainType int int), q$a_36): int))) ==> AssertMask[null, $accessible$withdraw(18, q$a_36, q$v_9)] >= FullPerm + ); + + // -- assumptions for inverse of receiver acc($accessible$withdraw(18, q$a, q$v), write) + assume (forall q$a_36: int, q$v_9: int :: + { AssertHeap[null, $accessible$withdraw(18, q$a_36, q$v_9)] } { AssertMask[null, $accessible$withdraw(18, q$a_36, q$v_9)] } { AssertHeap[null, $accessible$withdraw(18, q$a_36, q$v_9)] } + (0 <= q$a_36 && (q$a_36 <= 1461501637330902918203684832716283019655932542975 && ((0 <= q$v_9 && q$v_9 <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && q$v_9 == ($map_get(($struct_get(($struct_loc($self$2, 6): int)): $MapDomainType int int), q$a_36): int)))) && NoPerm < FullPerm ==> (invRecv7(18, q$a_36, q$v_9) == q$a_36 && invRecv8(18, q$a_36, q$v_9) == q$v_9) && qpRange8(18, q$a_36, q$v_9) + ); + assume (forall $tag_3: int, $to_3: int, $amount_3: int :: + { invRecv7($tag_3, $to_3, $amount_3), invRecv8($tag_3, $to_3, $amount_3) } + ((0 <= invRecv7($tag_3, $to_3, $amount_3) && (invRecv7($tag_3, $to_3, $amount_3) <= 1461501637330902918203684832716283019655932542975 && ((0 <= invRecv8($tag_3, $to_3, $amount_3) && invRecv8($tag_3, $to_3, $amount_3) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && invRecv8($tag_3, $to_3, $amount_3) == ($map_get(($struct_get(($struct_loc($self$2, 6): int)): $MapDomainType int int), invRecv7($tag_3, $to_3, $amount_3)): int)))) && NoPerm < FullPerm) && qpRange8($tag_3, $to_3, $amount_3) ==> (18 == $tag_3 && invRecv7($tag_3, $to_3, $amount_3) == $to_3) && invRecv8($tag_3, $to_3, $amount_3) == $amount_3 + ); + + // -- assume permission updates for predicate $accessible$withdraw + assume (forall $tag_3: int, $to_3: int, $amount_3: int :: + { QPMask[null, $accessible$withdraw($tag_3, $to_3, $amount_3)] } + ((0 <= invRecv7($tag_3, $to_3, $amount_3) && (invRecv7($tag_3, $to_3, $amount_3) <= 1461501637330902918203684832716283019655932542975 && ((0 <= invRecv8($tag_3, $to_3, $amount_3) && invRecv8($tag_3, $to_3, $amount_3) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && invRecv8($tag_3, $to_3, $amount_3) == ($map_get(($struct_get(($struct_loc($self$2, 6): int)): $MapDomainType int int), invRecv7($tag_3, $to_3, $amount_3)): int)))) && NoPerm < FullPerm) && qpRange8($tag_3, $to_3, $amount_3) ==> ((18 == $tag_3 && invRecv7($tag_3, $to_3, $amount_3) == $to_3) && invRecv8($tag_3, $to_3, $amount_3) == $amount_3) && QPMask[null, $accessible$withdraw($tag_3, $to_3, $amount_3)] == AssertMask[null, $accessible$withdraw($tag_3, $to_3, $amount_3)] - FullPerm + ); + assume (forall $tag_3: int, $to_3: int, $amount_3: int :: + { QPMask[null, $accessible$withdraw($tag_3, $to_3, $amount_3)] } + !(((0 <= invRecv7($tag_3, $to_3, $amount_3) && (invRecv7($tag_3, $to_3, $amount_3) <= 1461501637330902918203684832716283019655932542975 && ((0 <= invRecv8($tag_3, $to_3, $amount_3) && invRecv8($tag_3, $to_3, $amount_3) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && invRecv8($tag_3, $to_3, $amount_3) == ($map_get(($struct_get(($struct_loc($self$2, 6): int)): $MapDomainType int int), invRecv7($tag_3, $to_3, $amount_3)): int)))) && NoPerm < FullPerm) && qpRange8($tag_3, $to_3, $amount_3)) ==> QPMask[null, $accessible$withdraw($tag_3, $to_3, $amount_3)] == AssertMask[null, $accessible$withdraw($tag_3, $to_3, $amount_3)] + ); + + // -- assume permission updates for independent locations + assume (forall o_4: Ref, f_6: (Field A B) :: + { AssertMask[o_4, f_6] } { QPMask[o_4, f_6] } + (o_4 != null || !IsPredicateField(f_6)) || getPredicateId(f_6) != 24 ==> AssertMask[o_4, f_6] == QPMask[o_4, f_6] + ); + AssertMask := QPMask; + assume state(Heap, Mask); +} + +// ================================================== +// Translation of method $reflexivity_check +// ================================================== + +procedure $reflexivity_check() returns () + modifies Heap, Mask; +{ + var $self$0: $StructDomainType; + var $self$1: $StructDomainType; + var block: $StructDomainType; + var QPMask: MaskType; + var q$a_10: int; + var q$a_13: int; + var q$a_16: int; + var AssertHeap: HeapType; + var AssertMask: MaskType; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == -1; + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc($self$0, 0)): Int) && + // ($struct_get($struct_loc($self$0, 0)): Int) <= + // 1461501637330902918203684832716283019655932542975 -- testsresourcesexamplesauction.vy.vpr@747.3--747.158 + assume 0 <= ($struct_get(($struct_loc($self$0, 0): int)): int); + assume ($struct_get(($struct_loc($self$0, 0): int)): int) <= 1461501637330902918203684832716283019655932542975; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc($self$0, 1)): Int) && + // ($struct_get($struct_loc($self$0, 1)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@748.3--748.187 + assume 0 <= ($struct_get(($struct_loc($self$0, 1): int)): int); + assume ($struct_get(($struct_loc($self$0, 1): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc($self$0, 2)): Int) && + // ($struct_get($struct_loc($self$0, 2)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@749.3--749.187 + assume 0 <= ($struct_get(($struct_loc($self$0, 2): int)): int); + assume ($struct_get(($struct_loc($self$0, 2): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc($self$0, 3)): Int) && + // ($struct_get($struct_loc($self$0, 3)): Int) <= + // 1461501637330902918203684832716283019655932542975 -- testsresourcesexamplesauction.vy.vpr@750.3--750.158 + assume 0 <= ($struct_get(($struct_loc($self$0, 3): int)): int); + assume ($struct_get(($struct_loc($self$0, 3): int)): int) <= 1461501637330902918203684832716283019655932542975; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc($self$0, 4)): Int) && + // ($struct_get($struct_loc($self$0, 4)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@751.3--751.187 + assume 0 <= ($struct_get(($struct_loc($self$0, 4): int)): int); + assume ($struct_get(($struct_loc($self$0, 4): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $q0: Int :: + // { ($map_get(($struct_get($struct_loc($self$0, 6)): $Map[Int, Int]), $q0): Int) } + // 0 <= + // ($map_get(($struct_get($struct_loc($self$0, 6)): $Map[Int, Int]), $q0): Int) && + // ($map_get(($struct_get($struct_loc($self$0, 6)): $Map[Int, Int]), $q0): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935) -- testsresourcesexamplesauction.vy.vpr@752.3--752.355 + + // -- Check definedness of (forall $q0: Int :: { ($map_get(($struct_get($struct_loc($self$0, 6)): $Map[Int, Int]), $q0): Int) } 0 <= ($map_get(($struct_get($struct_loc($self$0, 6)): $Map[Int, Int]), $q0): Int) && ($map_get(($struct_get($struct_loc($self$0, 6)): $Map[Int, Int]), $q0): Int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) + if (*) { + assume false; + } + assume (forall $q0_1: int :: + { ($map_get(($struct_get(($struct_loc($self$0, 6): int)): $MapDomainType int int), $q0_1): int) } + 0 <= ($map_get(($struct_get(($struct_loc($self$0, 6): int)): $MapDomainType int int), $q0_1): int) && ($map_get(($struct_get(($struct_loc($self$0, 6): int)): $MapDomainType int int), $q0_1): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $q0: Int :: + // { ($map_get(($struct_get($struct_loc($self$0, 6)): $Map[Int, Int]), $q0): Int) } + // ($map_get(($struct_get($struct_loc($self$0, 6)): $Map[Int, Int]), $q0): Int) <= + // ($map_sum(($struct_get($struct_loc($self$0, 6)): $Map[Int, Int])): Int)) -- testsresourcesexamplesauction.vy.vpr@753.3--753.263 + + // -- Check definedness of (forall $q0: Int :: { ($map_get(($struct_get($struct_loc($self$0, 6)): $Map[Int, Int]), $q0): Int) } ($map_get(($struct_get($struct_loc($self$0, 6)): $Map[Int, Int]), $q0): Int) <= ($map_sum(($struct_get($struct_loc($self$0, 6)): $Map[Int, Int])): Int)) + if (*) { + assume false; + } + assume (forall $q0_3: int :: + { ($map_get(($struct_get(($struct_loc($self$0, 6): int)): $MapDomainType int int), $q0_3): int) } + ($map_get(($struct_get(($struct_loc($self$0, 6): int)): $MapDomainType int int), $q0_3): int) <= ($map_sum(($struct_get(($struct_loc($self$0, 6): int)): $MapDomainType int int)): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc($self$0, 7)): Int) && + // ($struct_get($struct_loc($self$0, 7)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@754.3--754.187 + assume 0 <= ($struct_get(($struct_loc($self$0, 7): int)): int); + assume ($struct_get(($struct_loc($self$0, 7): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale -170141183460469231731687303715884105728 <= + // ($struct_get($struct_loc($self$0, 8)): Int) && + // ($struct_get($struct_loc($self$0, 8)): Int) <= + // 170141183460469231731687303715884105727 -- testsresourcesexamplesauction.vy.vpr@755.3--755.187 + assume -170141183460469231731687303715884105728 <= ($struct_get(($struct_loc($self$0, 8): int)): int); + assume ($struct_get(($struct_loc($self$0, 8): int)): int) <= 170141183460469231731687303715884105727; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $q1: Int :: + // { ($map_get(($struct_get($struct_loc($self$0, 10)): $Map[Int, Int]), $q1): Int) } + // 0 <= + // ($map_get(($struct_get($struct_loc($self$0, 10)): $Map[Int, Int]), $q1): Int) && + // ($map_get(($struct_get($struct_loc($self$0, 10)): $Map[Int, Int]), $q1): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935) -- testsresourcesexamplesauction.vy.vpr@756.3--756.358 + + // -- Check definedness of (forall $q1: Int :: { ($map_get(($struct_get($struct_loc($self$0, 10)): $Map[Int, Int]), $q1): Int) } 0 <= ($map_get(($struct_get($struct_loc($self$0, 10)): $Map[Int, Int]), $q1): Int) && ($map_get(($struct_get($struct_loc($self$0, 10)): $Map[Int, Int]), $q1): Int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) + if (*) { + assume false; + } + assume (forall $q1_1: int :: + { ($map_get(($struct_get(($struct_loc($self$0, 10): int)): $MapDomainType int int), $q1_1): int) } + 0 <= ($map_get(($struct_get(($struct_loc($self$0, 10): int)): $MapDomainType int int), $q1_1): int) && ($map_get(($struct_get(($struct_loc($self$0, 10): int)): $MapDomainType int int), $q1_1): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $q1: Int :: + // { ($map_get(($struct_get($struct_loc($self$0, 10)): $Map[Int, Int]), $q1): Int) } + // ($map_get(($struct_get($struct_loc($self$0, 10)): $Map[Int, Int]), $q1): Int) <= + // ($map_sum(($struct_get($struct_loc($self$0, 10)): $Map[Int, Int])): Int)) -- testsresourcesexamplesauction.vy.vpr@757.3--757.266 + + // -- Check definedness of (forall $q1: Int :: { ($map_get(($struct_get($struct_loc($self$0, 10)): $Map[Int, Int]), $q1): Int) } ($map_get(($struct_get($struct_loc($self$0, 10)): $Map[Int, Int]), $q1): Int) <= ($map_sum(($struct_get($struct_loc($self$0, 10)): $Map[Int, Int])): Int)) + if (*) { + assume false; + } + assume (forall $q1_3: int :: + { ($map_get(($struct_get(($struct_loc($self$0, 10): int)): $MapDomainType int int), $q1_3): int) } + ($map_get(($struct_get(($struct_loc($self$0, 10): int)): $MapDomainType int int), $q1_3): int) <= ($map_sum(($struct_get(($struct_loc($self$0, 10): int)): $MapDomainType int int)): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $q2: Int :: + // { ($map_get(($struct_get($struct_loc($self$0, 11)): $Map[Int, Int]), $q2): Int) } + // 0 <= + // ($map_get(($struct_get($struct_loc($self$0, 11)): $Map[Int, Int]), $q2): Int) && + // ($map_get(($struct_get($struct_loc($self$0, 11)): $Map[Int, Int]), $q2): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935) -- testsresourcesexamplesauction.vy.vpr@758.3--758.358 + + // -- Check definedness of (forall $q2: Int :: { ($map_get(($struct_get($struct_loc($self$0, 11)): $Map[Int, Int]), $q2): Int) } 0 <= ($map_get(($struct_get($struct_loc($self$0, 11)): $Map[Int, Int]), $q2): Int) && ($map_get(($struct_get($struct_loc($self$0, 11)): $Map[Int, Int]), $q2): Int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) + if (*) { + assume false; + } + assume (forall $q2_1: int :: + { ($map_get(($struct_get(($struct_loc($self$0, 11): int)): $MapDomainType int int), $q2_1): int) } + 0 <= ($map_get(($struct_get(($struct_loc($self$0, 11): int)): $MapDomainType int int), $q2_1): int) && ($map_get(($struct_get(($struct_loc($self$0, 11): int)): $MapDomainType int int), $q2_1): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $q2: Int :: + // { ($map_get(($struct_get($struct_loc($self$0, 11)): $Map[Int, Int]), $q2): Int) } + // ($map_get(($struct_get($struct_loc($self$0, 11)): $Map[Int, Int]), $q2): Int) <= + // ($map_sum(($struct_get($struct_loc($self$0, 11)): $Map[Int, Int])): Int)) -- testsresourcesexamplesauction.vy.vpr@759.3--759.266 + + // -- Check definedness of (forall $q2: Int :: { ($map_get(($struct_get($struct_loc($self$0, 11)): $Map[Int, Int]), $q2): Int) } ($map_get(($struct_get($struct_loc($self$0, 11)): $Map[Int, Int]), $q2): Int) <= ($map_sum(($struct_get($struct_loc($self$0, 11)): $Map[Int, Int])): Int)) + if (*) { + assume false; + } + assume (forall $q2_3: int :: + { ($map_get(($struct_get(($struct_loc($self$0, 11): int)): $MapDomainType int int), $q2_3): int) } + ($map_get(($struct_get(($struct_loc($self$0, 11): int)): $MapDomainType int int), $q2_3): int) <= ($map_sum(($struct_get(($struct_loc($self$0, 11): int)): $MapDomainType int int)): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc($self$0, -1)): Int) == + // 9122519725869122497593506884710 -- testsresourcesexamplesauction.vy.vpr@760.3--760.89 + assume ($struct_get(($struct_loc($self$0, -1): int)): int) == 9122519725869122497593506884710; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc($self$1, 0)): Int) && + // ($struct_get($struct_loc($self$1, 0)): Int) <= + // 1461501637330902918203684832716283019655932542975 -- testsresourcesexamplesauction.vy.vpr@761.3--761.158 + assume 0 <= ($struct_get(($struct_loc($self$1, 0): int)): int); + assume ($struct_get(($struct_loc($self$1, 0): int)): int) <= 1461501637330902918203684832716283019655932542975; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc($self$1, 1)): Int) && + // ($struct_get($struct_loc($self$1, 1)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@762.3--762.187 + assume 0 <= ($struct_get(($struct_loc($self$1, 1): int)): int); + assume ($struct_get(($struct_loc($self$1, 1): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc($self$1, 2)): Int) && + // ($struct_get($struct_loc($self$1, 2)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@763.3--763.187 + assume 0 <= ($struct_get(($struct_loc($self$1, 2): int)): int); + assume ($struct_get(($struct_loc($self$1, 2): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc($self$1, 3)): Int) && + // ($struct_get($struct_loc($self$1, 3)): Int) <= + // 1461501637330902918203684832716283019655932542975 -- testsresourcesexamplesauction.vy.vpr@764.3--764.158 + assume 0 <= ($struct_get(($struct_loc($self$1, 3): int)): int); + assume ($struct_get(($struct_loc($self$1, 3): int)): int) <= 1461501637330902918203684832716283019655932542975; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc($self$1, 4)): Int) && + // ($struct_get($struct_loc($self$1, 4)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@765.3--765.187 + assume 0 <= ($struct_get(($struct_loc($self$1, 4): int)): int); + assume ($struct_get(($struct_loc($self$1, 4): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $q0: Int :: + // { ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), $q0): Int) } + // 0 <= + // ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), $q0): Int) && + // ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), $q0): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935) -- testsresourcesexamplesauction.vy.vpr@766.3--766.355 + + // -- Check definedness of (forall $q0: Int :: { ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), $q0): Int) } 0 <= ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), $q0): Int) && ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), $q0): Int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) + if (*) { + assume false; + } + assume (forall $q0_5: int :: + { ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), $q0_5): int) } + 0 <= ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), $q0_5): int) && ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), $q0_5): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $q0: Int :: + // { ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), $q0): Int) } + // ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), $q0): Int) <= + // ($map_sum(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int])): Int)) -- testsresourcesexamplesauction.vy.vpr@767.3--767.263 + + // -- Check definedness of (forall $q0: Int :: { ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), $q0): Int) } ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), $q0): Int) <= ($map_sum(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int])): Int)) + if (*) { + assume false; + } + assume (forall $q0_7: int :: + { ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), $q0_7): int) } + ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), $q0_7): int) <= ($map_sum(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int)): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc($self$1, 7)): Int) && + // ($struct_get($struct_loc($self$1, 7)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@768.3--768.187 + assume 0 <= ($struct_get(($struct_loc($self$1, 7): int)): int); + assume ($struct_get(($struct_loc($self$1, 7): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale -170141183460469231731687303715884105728 <= + // ($struct_get($struct_loc($self$1, 8)): Int) && + // ($struct_get($struct_loc($self$1, 8)): Int) <= + // 170141183460469231731687303715884105727 -- testsresourcesexamplesauction.vy.vpr@769.3--769.187 + assume -170141183460469231731687303715884105728 <= ($struct_get(($struct_loc($self$1, 8): int)): int); + assume ($struct_get(($struct_loc($self$1, 8): int)): int) <= 170141183460469231731687303715884105727; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $q1: Int :: + // { ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), $q1): Int) } + // 0 <= + // ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), $q1): Int) && + // ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), $q1): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935) -- testsresourcesexamplesauction.vy.vpr@770.3--770.358 + + // -- Check definedness of (forall $q1: Int :: { ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), $q1): Int) } 0 <= ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), $q1): Int) && ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), $q1): Int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) + if (*) { + assume false; + } + assume (forall $q1_5: int :: + { ($map_get(($struct_get(($struct_loc($self$1, 10): int)): $MapDomainType int int), $q1_5): int) } + 0 <= ($map_get(($struct_get(($struct_loc($self$1, 10): int)): $MapDomainType int int), $q1_5): int) && ($map_get(($struct_get(($struct_loc($self$1, 10): int)): $MapDomainType int int), $q1_5): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $q1: Int :: + // { ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), $q1): Int) } + // ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), $q1): Int) <= + // ($map_sum(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int])): Int)) -- testsresourcesexamplesauction.vy.vpr@771.3--771.266 + + // -- Check definedness of (forall $q1: Int :: { ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), $q1): Int) } ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), $q1): Int) <= ($map_sum(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int])): Int)) + if (*) { + assume false; + } + assume (forall $q1_7: int :: + { ($map_get(($struct_get(($struct_loc($self$1, 10): int)): $MapDomainType int int), $q1_7): int) } + ($map_get(($struct_get(($struct_loc($self$1, 10): int)): $MapDomainType int int), $q1_7): int) <= ($map_sum(($struct_get(($struct_loc($self$1, 10): int)): $MapDomainType int int)): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $q2: Int :: + // { ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), $q2): Int) } + // 0 <= + // ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), $q2): Int) && + // ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), $q2): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935) -- testsresourcesexamplesauction.vy.vpr@772.3--772.358 + + // -- Check definedness of (forall $q2: Int :: { ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), $q2): Int) } 0 <= ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), $q2): Int) && ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), $q2): Int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) + if (*) { + assume false; + } + assume (forall $q2_5: int :: + { ($map_get(($struct_get(($struct_loc($self$1, 11): int)): $MapDomainType int int), $q2_5): int) } + 0 <= ($map_get(($struct_get(($struct_loc($self$1, 11): int)): $MapDomainType int int), $q2_5): int) && ($map_get(($struct_get(($struct_loc($self$1, 11): int)): $MapDomainType int int), $q2_5): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $q2: Int :: + // { ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), $q2): Int) } + // ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), $q2): Int) <= + // ($map_sum(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int])): Int)) -- testsresourcesexamplesauction.vy.vpr@773.3--773.266 + + // -- Check definedness of (forall $q2: Int :: { ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), $q2): Int) } ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), $q2): Int) <= ($map_sum(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int])): Int)) + if (*) { + assume false; + } + assume (forall $q2_7: int :: + { ($map_get(($struct_get(($struct_loc($self$1, 11): int)): $MapDomainType int int), $q2_7): int) } + ($map_get(($struct_get(($struct_loc($self$1, 11): int)): $MapDomainType int int), $q2_7): int) <= ($map_sum(($struct_get(($struct_loc($self$1, 11): int)): $MapDomainType int int)): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc($self$1, -1)): Int) == + // 9122519725869122497593506884710 -- testsresourcesexamplesauction.vy.vpr@774.3--774.89 + assume ($struct_get(($struct_loc($self$1, -1): int)): int) == 9122519725869122497593506884710; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc(block, 0)): Int) && + // ($struct_get($struct_loc(block, 0)): Int) <= + // 1461501637330902918203684832716283019655932542975 -- testsresourcesexamplesauction.vy.vpr@775.3--775.154 + assume 0 <= ($struct_get(($struct_loc(block, 0): int)): int); + assume ($struct_get(($struct_loc(block, 0): int)): int) <= 1461501637330902918203684832716283019655932542975; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc(block, 1)): Int) && + // ($struct_get($struct_loc(block, 1)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@776.3--776.183 + assume 0 <= ($struct_get(($struct_loc(block, 1): int)): int); + assume ($struct_get(($struct_loc(block, 1): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc(block, 2)): Int) && + // ($struct_get($struct_loc(block, 2)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@777.3--777.183 + assume 0 <= ($struct_get(($struct_loc(block, 2): int)): int); + assume ($struct_get(($struct_loc(block, 2): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale |($struct_get($struct_loc(block, 3)): Seq[Int])| == 32 -- testsresourcesexamplesauction.vy.vpr@778.3--778.64 + assume Seq#Length(($struct_get(($struct_loc(block, 3): int)): Seq int)) == 32; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc(block, 4)): Int) && + // ($struct_get($struct_loc(block, 4)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@779.3--779.183 + assume 0 <= ($struct_get(($struct_loc(block, 4): int)): int); + assume ($struct_get(($struct_loc(block, 4): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc(block, -1)): Int) == + // 2335365049822495359383864865678187 -- testsresourcesexamplesauction.vy.vpr@780.3--780.90 + assume ($struct_get(($struct_loc(block, -1): int)): int) == 2335365049822495359383864865678187; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $a: Int :: + // { ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), $a): Int) } + // ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), $a): Int) >= + // ($map_get(($struct_get($struct_loc($self$0, 10)): $Map[Int, Int]), $a): Int)) -- testsresourcesexamplesauction.vy.vpr@781.3--781.267 + + // -- Check definedness of (forall $a: Int :: { ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), $a): Int) } ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), $a): Int) >= ($map_get(($struct_get($struct_loc($self$0, 10)): $Map[Int, Int]), $a): Int)) + if (*) { + assume false; + } + assume (forall $a_1_1: int :: + { ($map_get(($struct_get(($struct_loc($self$1, 10): int)): $MapDomainType int int), $a_1_1): int) } + ($map_get(($struct_get(($struct_loc($self$1, 10): int)): $MapDomainType int int), $a_1_1): int) >= ($map_get(($struct_get(($struct_loc($self$0, 10): int)): $MapDomainType int int), $a_1_1): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc($self$1, 3)): Int) == 0 ==> + // ($struct_get($struct_loc($self$1, 4)): Int) == 0 -- testsresourcesexamplesauction.vy.vpr@782.3--782.111 + if (($struct_get(($struct_loc($self$1, 3): int)): int) == 0) { + assume ($struct_get(($struct_loc($self$1, 4): int)): int) == 0; + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc($self$1, 0)): Int) == + // ($struct_get($struct_loc($self$0, 0)): Int) -- testsresourcesexamplesauction.vy.vpr@783.3--783.100 + assume ($struct_get(($struct_loc($self$1, 0): int)): int) == ($struct_get(($struct_loc($self$0, 0): int)): int); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc($self$0, 5)): Bool) ==> + // ($struct_get($struct_loc($self$1, 5)): Bool) -- testsresourcesexamplesauction.vy.vpr@784.3--784.103 + if (($struct_get(($struct_loc($self$0, 5): int)): bool)) { + assume ($struct_get(($struct_loc($self$1, 5): int)): bool); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale !($struct_get($struct_loc($self$1, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int])): Int) + + // ($struct_get($struct_loc($self$1, 4)): Int) <= + // ($struct_get($struct_loc($self$1, 7)): Int) -- testsresourcesexamplesauction.vy.vpr@785.3--785.224 + if (!($struct_get(($struct_loc($self$1, 5): int)): bool)) { + assume ($map_sum(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int)): int) + ($struct_get(($struct_loc($self$1, 4): int)): int) <= ($struct_get(($struct_loc($self$1, 7): int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale !($struct_get($struct_loc($self$1, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int])): Int) + + // ($struct_get($struct_loc($self$1, 4)): Int) == + // ($map_sum(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int])): Int) - + // ($map_sum(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int])): Int) -- testsresourcesexamplesauction.vy.vpr@786.3--786.328 + if (!($struct_get(($struct_loc($self$1, 5): int)): bool)) { + assume ($map_sum(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int)): int) + ($struct_get(($struct_loc($self$1, 4): int)): int) == ($map_sum(($struct_get(($struct_loc($self$1, 11): int)): $MapDomainType int int)): int) - ($map_sum(($struct_get(($struct_loc($self$1, 10): int)): $MapDomainType int int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc($self$1, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int])): Int) <= + // ($struct_get($struct_loc($self$1, 7)): Int) -- testsresourcesexamplesauction.vy.vpr@787.3--787.177 + if (($struct_get(($struct_loc($self$1, 5): int)): bool)) { + assume ($map_sum(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int)): int) <= ($struct_get(($struct_loc($self$1, 7): int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc($self$1, 4)): Int) >= + // ($struct_get($struct_loc($self$0, 4)): Int) -- testsresourcesexamplesauction.vy.vpr@788.3--788.100 + assume ($struct_get(($struct_loc($self$1, 4): int)): int) >= ($struct_get(($struct_loc($self$0, 4): int)): int); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc($self$0, 5)): Bool) ==> + // ($struct_get($struct_loc($self$1, 4)): Int) == + // ($struct_get($struct_loc($self$0, 4)): Int) && + // ($struct_get($struct_loc($self$1, 3)): Int) == + // ($struct_get($struct_loc($self$0, 3)): Int) -- testsresourcesexamplesauction.vy.vpr@789.3--789.243 + if (($struct_get(($struct_loc($self$0, 5): int)): bool)) { + assume ($struct_get(($struct_loc($self$1, 4): int)): int) == ($struct_get(($struct_loc($self$0, 4): int)): int); + assume ($struct_get(($struct_loc($self$1, 3): int)): int) == ($struct_get(($struct_loc($self$0, 3): int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc($self$1, 0)): Int) != 0 -- testsresourcesexamplesauction.vy.vpr@790.3--790.58 + assume ($struct_get(($struct_loc($self$1, 0): int)): int) != 0; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc($self$1, 3)): Int) != + // ($struct_get($struct_loc($self$1, 0)): Int) -- testsresourcesexamplesauction.vy.vpr@791.3--791.100 + assume ($struct_get(($struct_loc($self$1, 3): int)): int) != ($struct_get(($struct_loc($self$1, 0): int)): int); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), ($struct_get($struct_loc($self$1, + // 0)): Int)): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@792.3--792.131 + assume ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), ($struct_get(($struct_loc($self$1, 0): int)): int)): int) == 0; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale !($struct_get($struct_loc($self$1, 5)): Bool) ==> + // ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), ($struct_get($struct_loc($self$1, + // 0)): Int)): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@793.3--793.182 + if (!($struct_get(($struct_loc($self$1, 5): int)): bool)) { + assume ($map_get(($struct_get(($struct_loc($self$1, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc($self$1, 0): int)): int)): int) == 0; + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc($self$1, 5)): Bool) ==> + // ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), ($struct_get($struct_loc($self$1, + // 0)): Int)): Int) == + // ($struct_get($struct_loc($self$1, 4)): Int) -- testsresourcesexamplesauction.vy.vpr@794.3--794.223 + if (($struct_get(($struct_loc($self$1, 5): int)): bool)) { + assume ($map_get(($struct_get(($struct_loc($self$1, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc($self$1, 0): int)): int)): int) == ($struct_get(($struct_loc($self$1, 4): int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), ($struct_get($struct_loc($self$1, + // 3)): Int)): Int) + + // ($struct_get($struct_loc($self$1, 4)): Int) + + // ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), ($struct_get($struct_loc($self$1, + // 3)): Int)): Int) == + // ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), ($struct_get($struct_loc($self$1, + // 3)): Int)): Int) -- testsresourcesexamplesauction.vy.vpr@795.3--795.413 + assume ($map_get(($struct_get(($struct_loc($self$1, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc($self$1, 3): int)): int)): int) + ($struct_get(($struct_loc($self$1, 4): int)): int) + ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), ($struct_get(($struct_loc($self$1, 3): int)): int)): int) == ($map_get(($struct_get(($struct_loc($self$1, 11): int)): $MapDomainType int int), ($struct_get(($struct_loc($self$1, 3): int)): int)): int); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // q$a != ($struct_get($struct_loc($self$1, 3)): Int) && + // q$a != ($struct_get($struct_loc($self$1, 0)): Int) ==> + // ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), q$a): Int) + + // ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), q$a): Int) == + // ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), q$a): Int)) -- testsresourcesexamplesauction.vy.vpr@796.3--796.532 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> q$a != ($struct_get($struct_loc($self$1, 3)): Int) && q$a != ($struct_get($struct_loc($self$1, 0)): Int) ==> ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), q$a): Int) + ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), q$a): Int) == ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), q$a): Int)) + if (*) { + assume false; + } + assume (forall q$a_1: int :: + { ($map_get(($struct_get(($struct_loc($self$1, 11): int)): $MapDomainType int int), q$a_1): int) } + 0 <= q$a_1 && q$a_1 <= 1461501637330902918203684832716283019655932542975 ==> q$a_1 != ($struct_get(($struct_loc($self$1, 3): int)): int) && q$a_1 != ($struct_get(($struct_loc($self$1, 0): int)): int) ==> ($map_get(($struct_get(($struct_loc($self$1, 10): int)): $MapDomainType int int), q$a_1): int) + ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), q$a_1): int) == ($map_get(($struct_get(($struct_loc($self$1, 11): int)): $MapDomainType int int), q$a_1): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), 0): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@797.3--797.90 + assume ($map_get(($struct_get(($struct_loc($self$1, 10): int)): $MapDomainType int int), 0): int) == 0; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), q$a): Int) != + // 0 ==> + // ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), q$a): Int) != + // 0) -- testsresourcesexamplesauction.vy.vpr@798.3--798.353 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), q$a): Int) != 0 ==> ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), q$a): Int) != 0) + if (*) { + assume false; + } + assume (forall q$a_3: int :: + { ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), q$a_3): int) } + 0 <= q$a_3 && q$a_3 <= 1461501637330902918203684832716283019655932542975 ==> ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), q$a_3): int) != 0 ==> ($map_get(($struct_get(($struct_loc($self$1, 11): int)): $MapDomainType int int), q$a_3): int) != 0 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // q$a != ($struct_get($struct_loc($self$1, 0)): Int) && + // ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), q$a): Int) == + // 0 ==> + // ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), q$a): Int) == + // 0) -- testsresourcesexamplesauction.vy.vpr@799.3--799.409 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> q$a != ($struct_get($struct_loc($self$1, 0)): Int) && ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), q$a): Int) == 0 ==> ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), q$a): Int) == 0) + if (*) { + assume false; + } + assume (forall q$a_5: int :: + { ($map_get(($struct_get(($struct_loc($self$1, 11): int)): $MapDomainType int int), q$a_5): int) } + 0 <= q$a_5 && q$a_5 <= 1461501637330902918203684832716283019655932542975 ==> q$a_5 != ($struct_get(($struct_loc($self$1, 0): int)): int) && ($map_get(($struct_get(($struct_loc($self$1, 11): int)): $MapDomainType int int), q$a_5): int) == 0 ==> ($map_get(($struct_get(($struct_loc($self$1, 10): int)): $MapDomainType int int), q$a_5): int) == 0 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale true && + // (forall q$a: Int, q$v: Int :: + // { $accessible$withdraw(18, q$a, q$v) } + // 0 <= q$a && + // (q$a <= 1461501637330902918203684832716283019655932542975 && + // (0 <= q$v && + // q$v <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 && + // q$v == + // ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), q$a): Int))) ==> + // acc($accessible$withdraw(18, q$a, q$v), write)) -- testsresourcesexamplesauction.vy.vpr@800.3--800.397 + + // -- Check definedness of (forall q$a: Int, q$v: Int :: { $accessible$withdraw(18, q$a, q$v) } 0 <= q$a && (q$a <= 1461501637330902918203684832716283019655932542975 && (0 <= q$v && q$v <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 && q$v == ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), q$a): Int))) ==> acc($accessible$withdraw(18, q$a, q$v), write)) + if (*) { + assume false; + } + havoc QPMask; + + // -- check if receiver acc($accessible$withdraw(18, q$a, q$v), write) is injective + assert {:msg " Inhale might fail. Quantified resource $accessible$withdraw(18, q$a, q$v) might not be injective. (testsresourcesexamplesauction.vy.vpr@800.10--800.397) [229]"} + (forall q$a_7: int, q$v_1: int, q$a_7_1: int, q$v_1_1: int :: + { neverTriggered10(q$a_7, q$v_1), neverTriggered10(q$a_7_1, q$v_1_1) } + ((((q$a_7 != q$a_7_1 && q$v_1 != q$v_1_1) && (0 <= q$a_7 && (q$a_7 <= 1461501637330902918203684832716283019655932542975 && ((0 <= q$v_1 && q$v_1 <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && q$v_1 == ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), q$a_7): int))))) && (0 <= q$a_7_1 && (q$a_7_1 <= 1461501637330902918203684832716283019655932542975 && ((0 <= q$v_1_1 && q$v_1_1 <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && q$v_1_1 == ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), q$a_7_1): int))))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> q$a_7 != q$a_7_1 || q$v_1 != q$v_1_1 + ); + + // -- Define Inverse Function + assume (forall q$a_7: int, q$v_1: int :: + { Heap[null, $accessible$withdraw(18, q$a_7, q$v_1)] } { Mask[null, $accessible$withdraw(18, q$a_7, q$v_1)] } { Heap[null, $accessible$withdraw(18, q$a_7, q$v_1)] } + (0 <= q$a_7 && (q$a_7 <= 1461501637330902918203684832716283019655932542975 && ((0 <= q$v_1 && q$v_1 <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && q$v_1 == ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), q$a_7): int)))) && NoPerm < FullPerm ==> (invRecv9(18, q$a_7, q$v_1) == q$a_7 && invRecv10(18, q$a_7, q$v_1) == q$v_1) && qpRange10(18, q$a_7, q$v_1) + ); + assume (forall $tag: int, $to: int, $amount: int :: + { invRecv9($tag, $to, $amount), invRecv10($tag, $to, $amount) } + ((0 <= invRecv9($tag, $to, $amount) && (invRecv9($tag, $to, $amount) <= 1461501637330902918203684832716283019655932542975 && ((0 <= invRecv10($tag, $to, $amount) && invRecv10($tag, $to, $amount) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && invRecv10($tag, $to, $amount) == ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), invRecv9($tag, $to, $amount)): int)))) && NoPerm < FullPerm) && qpRange10($tag, $to, $amount) ==> (18 == $tag && invRecv9($tag, $to, $amount) == $to) && invRecv10($tag, $to, $amount) == $amount + ); + + // -- Define updated permissions + assume (forall $tag: int, $to: int, $amount: int :: + { QPMask[null, $accessible$withdraw($tag, $to, $amount)] } + ((0 <= invRecv9($tag, $to, $amount) && (invRecv9($tag, $to, $amount) <= 1461501637330902918203684832716283019655932542975 && ((0 <= invRecv10($tag, $to, $amount) && invRecv10($tag, $to, $amount) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && invRecv10($tag, $to, $amount) == ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), invRecv9($tag, $to, $amount)): int)))) && NoPerm < FullPerm) && qpRange10($tag, $to, $amount) ==> (NoPerm < FullPerm ==> (18 == $tag && invRecv9($tag, $to, $amount) == $to) && invRecv10($tag, $to, $amount) == $amount) && QPMask[null, $accessible$withdraw($tag, $to, $amount)] == Mask[null, $accessible$withdraw($tag, $to, $amount)] + FullPerm + ); + + // -- Define independent locations + assume (forall o_4: Ref, f_6: (Field A B) :: + { Mask[o_4, f_6] } { QPMask[o_4, f_6] } + (o_4 != null || !IsPredicateField(f_6)) || getPredicateId(f_6) != 24 ==> Mask[o_4, f_6] == QPMask[o_4, f_6] + ); + assume (forall $tag: int, $to: int, $amount: int :: + { QPMask[null, $accessible$withdraw($tag, $to, $amount)] } + !(((0 <= invRecv9($tag, $to, $amount) && (invRecv9($tag, $to, $amount) <= 1461501637330902918203684832716283019655932542975 && ((0 <= invRecv10($tag, $to, $amount) && invRecv10($tag, $to, $amount) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && invRecv10($tag, $to, $amount) == ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), invRecv9($tag, $to, $amount)): int)))) && NoPerm < FullPerm) && qpRange10($tag, $to, $amount)) ==> QPMask[null, $accessible$withdraw($tag, $to, $amount)] == Mask[null, $accessible$withdraw($tag, $to, $amount)] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: assert ($struct_get($struct_loc($self$1, 3)): Int) == 0 ==> + // ($struct_get($struct_loc($self$1, 4)): Int) == 0 -- testsresourcesexamplesauction.vy.vpr@801.3--801.111 + if (($struct_get(($struct_loc($self$1, 3): int)): int) == 0) { + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc($self$1, 4)): Int) == 0 might not hold. (testsresourcesexamplesauction.vy.vpr@801.10--801.111) [230]"} + ($struct_get(($struct_loc($self$1, 4): int)): int) == 0; + } + assume state(Heap, Mask); + + // -- Translating statement: assert ($struct_get($struct_loc($self$1, 0)): Int) == + // ($struct_get($struct_loc($self$1, 0)): Int) -- testsresourcesexamplesauction.vy.vpr@802.3--802.100 + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc($self$1, 0)): Int) == ($struct_get($struct_loc($self$1, 0)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@802.10--802.100) [231]"} + ($struct_get(($struct_loc($self$1, 0): int)): int) == ($struct_get(($struct_loc($self$1, 0): int)): int); + assume state(Heap, Mask); + + // -- Translating statement: assert ($struct_get($struct_loc($self$1, 5)): Bool) ==> + // ($struct_get($struct_loc($self$1, 5)): Bool) -- testsresourcesexamplesauction.vy.vpr@803.3--803.103 + if (($struct_get(($struct_loc($self$1, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc($self$1, 5)): Bool) might not hold. (testsresourcesexamplesauction.vy.vpr@803.10--803.103) [232]"} + ($struct_get(($struct_loc($self$1, 5): int)): bool); + } + assume state(Heap, Mask); + + // -- Translating statement: assert !($struct_get($struct_loc($self$1, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int])): Int) + + // ($struct_get($struct_loc($self$1, 4)): Int) <= + // ($struct_get($struct_loc($self$1, 7)): Int) -- testsresourcesexamplesauction.vy.vpr@804.3--804.224 + if (!($struct_get(($struct_loc($self$1, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($map_sum(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int])): Int) + ($struct_get($struct_loc($self$1, 4)): Int) <= ($struct_get($struct_loc($self$1, 7)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@804.10--804.224) [233]"} + ($map_sum(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int)): int) + ($struct_get(($struct_loc($self$1, 4): int)): int) <= ($struct_get(($struct_loc($self$1, 7): int)): int); + } + assume state(Heap, Mask); + + // -- Translating statement: assert !($struct_get($struct_loc($self$1, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int])): Int) + + // ($struct_get($struct_loc($self$1, 4)): Int) == + // ($map_sum(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int])): Int) - + // ($map_sum(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int])): Int) -- testsresourcesexamplesauction.vy.vpr@805.3--805.328 + if (!($struct_get(($struct_loc($self$1, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($map_sum(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int])): Int) + ($struct_get($struct_loc($self$1, 4)): Int) == ($map_sum(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int])): Int) - ($map_sum(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int])): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@805.10--805.328) [234]"} + ($map_sum(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int)): int) + ($struct_get(($struct_loc($self$1, 4): int)): int) == ($map_sum(($struct_get(($struct_loc($self$1, 11): int)): $MapDomainType int int)): int) - ($map_sum(($struct_get(($struct_loc($self$1, 10): int)): $MapDomainType int int)): int); + } + assume state(Heap, Mask); + + // -- Translating statement: assert ($struct_get($struct_loc($self$1, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int])): Int) <= + // ($struct_get($struct_loc($self$1, 7)): Int) -- testsresourcesexamplesauction.vy.vpr@806.3--806.177 + if (($struct_get(($struct_loc($self$1, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($map_sum(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int])): Int) <= ($struct_get($struct_loc($self$1, 7)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@806.10--806.177) [235]"} + ($map_sum(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int)): int) <= ($struct_get(($struct_loc($self$1, 7): int)): int); + } + assume state(Heap, Mask); + + // -- Translating statement: assert ($struct_get($struct_loc($self$1, 4)): Int) >= + // ($struct_get($struct_loc($self$1, 4)): Int) -- testsresourcesexamplesauction.vy.vpr@807.3--807.100 + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc($self$1, 4)): Int) >= ($struct_get($struct_loc($self$1, 4)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@807.10--807.100) [236]"} + ($struct_get(($struct_loc($self$1, 4): int)): int) >= ($struct_get(($struct_loc($self$1, 4): int)): int); + assume state(Heap, Mask); + + // -- Translating statement: assert ($struct_get($struct_loc($self$1, 5)): Bool) ==> + // ($struct_get($struct_loc($self$1, 4)): Int) == + // ($struct_get($struct_loc($self$1, 4)): Int) && + // ($struct_get($struct_loc($self$1, 3)): Int) == + // ($struct_get($struct_loc($self$1, 3)): Int) -- testsresourcesexamplesauction.vy.vpr@808.3--808.243 + if (($struct_get(($struct_loc($self$1, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc($self$1, 4)): Int) == ($struct_get($struct_loc($self$1, 4)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@808.10--808.243) [237]"} + ($struct_get(($struct_loc($self$1, 4): int)): int) == ($struct_get(($struct_loc($self$1, 4): int)): int); + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc($self$1, 3)): Int) == ($struct_get($struct_loc($self$1, 3)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@808.10--808.243) [238]"} + ($struct_get(($struct_loc($self$1, 3): int)): int) == ($struct_get(($struct_loc($self$1, 3): int)): int); + } + assume state(Heap, Mask); + + // -- Translating statement: assert ($struct_get($struct_loc($self$1, 0)): Int) != 0 -- testsresourcesexamplesauction.vy.vpr@809.3--809.58 + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc($self$1, 0)): Int) != 0 might not hold. (testsresourcesexamplesauction.vy.vpr@809.10--809.58) [239]"} + ($struct_get(($struct_loc($self$1, 0): int)): int) != 0; + assume state(Heap, Mask); + + // -- Translating statement: assert ($struct_get($struct_loc($self$1, 3)): Int) != + // ($struct_get($struct_loc($self$1, 0)): Int) -- testsresourcesexamplesauction.vy.vpr@810.3--810.100 + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc($self$1, 3)): Int) != ($struct_get($struct_loc($self$1, 0)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@810.10--810.100) [240]"} + ($struct_get(($struct_loc($self$1, 3): int)): int) != ($struct_get(($struct_loc($self$1, 0): int)): int); + assume state(Heap, Mask); + + // -- Translating statement: assert ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), ($struct_get($struct_loc($self$1, + // 0)): Int)): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@811.3--811.131 + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), ($struct_get($struct_loc($self$1, 0)): Int)): Int) == 0 might not hold. (testsresourcesexamplesauction.vy.vpr@811.10--811.131) [241]"} + ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), ($struct_get(($struct_loc($self$1, 0): int)): int)): int) == 0; + assume state(Heap, Mask); + + // -- Translating statement: assert !($struct_get($struct_loc($self$1, 5)): Bool) ==> + // ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), ($struct_get($struct_loc($self$1, + // 0)): Int)): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@812.3--812.182 + if (!($struct_get(($struct_loc($self$1, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), ($struct_get($struct_loc($self$1, 0)): Int)): Int) == 0 might not hold. (testsresourcesexamplesauction.vy.vpr@812.10--812.182) [242]"} + ($map_get(($struct_get(($struct_loc($self$1, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc($self$1, 0): int)): int)): int) == 0; + } + assume state(Heap, Mask); + + // -- Translating statement: assert ($struct_get($struct_loc($self$1, 5)): Bool) ==> + // ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), ($struct_get($struct_loc($self$1, + // 0)): Int)): Int) == + // ($struct_get($struct_loc($self$1, 4)): Int) -- testsresourcesexamplesauction.vy.vpr@813.3--813.223 + if (($struct_get(($struct_loc($self$1, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), ($struct_get($struct_loc($self$1, 0)): Int)): Int) == ($struct_get($struct_loc($self$1, 4)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@813.10--813.223) [243]"} + ($map_get(($struct_get(($struct_loc($self$1, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc($self$1, 0): int)): int)): int) == ($struct_get(($struct_loc($self$1, 4): int)): int); + } + assume state(Heap, Mask); + + // -- Translating statement: assert ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), ($struct_get($struct_loc($self$1, + // 3)): Int)): Int) + + // ($struct_get($struct_loc($self$1, 4)): Int) + + // ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), ($struct_get($struct_loc($self$1, + // 3)): Int)): Int) == + // ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), ($struct_get($struct_loc($self$1, + // 3)): Int)): Int) -- testsresourcesexamplesauction.vy.vpr@814.3--814.413 + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), ($struct_get($struct_loc($self$1, 3)): Int)): Int) + ($struct_get($struct_loc($self$1, 4)): Int) + ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), ($struct_get($struct_loc($self$1, 3)): Int)): Int) == ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), ($struct_get($struct_loc($self$1, 3)): Int)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@814.10--814.413) [244]"} + ($map_get(($struct_get(($struct_loc($self$1, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc($self$1, 3): int)): int)): int) + ($struct_get(($struct_loc($self$1, 4): int)): int) + ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), ($struct_get(($struct_loc($self$1, 3): int)): int)): int) == ($map_get(($struct_get(($struct_loc($self$1, 11): int)): $MapDomainType int int), ($struct_get(($struct_loc($self$1, 3): int)): int)): int); + assume state(Heap, Mask); + + // -- Translating statement: assert (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // q$a != ($struct_get($struct_loc($self$1, 3)): Int) && + // q$a != ($struct_get($struct_loc($self$1, 0)): Int) ==> + // ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), q$a): Int) + + // ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), q$a): Int) == + // ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), q$a): Int)) -- testsresourcesexamplesauction.vy.vpr@815.3--815.532 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> q$a != ($struct_get($struct_loc($self$1, 3)): Int) && q$a != ($struct_get($struct_loc($self$1, 0)): Int) ==> ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), q$a): Int) + ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), q$a): Int) == ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), q$a): Int)) + if (*) { + assume false; + } + if (*) { + if (0 <= q$a_10 && q$a_10 <= 1461501637330902918203684832716283019655932542975) { + if (q$a_10 != ($struct_get(($struct_loc($self$1, 3): int)): int) && q$a_10 != ($struct_get(($struct_loc($self$1, 0): int)): int)) { + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), q$a): Int) + ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), q$a): Int) == ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), q$a): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@815.11--815.531) [245]"} + ($map_get(($struct_get(($struct_loc($self$1, 10): int)): $MapDomainType int int), q$a_10): int) + ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), q$a_10): int) == ($map_get(($struct_get(($struct_loc($self$1, 11): int)): $MapDomainType int int), q$a_10): int); + } + } + assume false; + } + assume (forall q$a_11_1: int :: + { ($map_get(($struct_get(($struct_loc($self$1, 11): int)): $MapDomainType int int), q$a_11_1): int) } + 0 <= q$a_11_1 && q$a_11_1 <= 1461501637330902918203684832716283019655932542975 ==> q$a_11_1 != ($struct_get(($struct_loc($self$1, 3): int)): int) && q$a_11_1 != ($struct_get(($struct_loc($self$1, 0): int)): int) ==> ($map_get(($struct_get(($struct_loc($self$1, 10): int)): $MapDomainType int int), q$a_11_1): int) + ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), q$a_11_1): int) == ($map_get(($struct_get(($struct_loc($self$1, 11): int)): $MapDomainType int int), q$a_11_1): int) + ); + assume state(Heap, Mask); + + // -- Translating statement: assert ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), 0): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@816.3--816.90 + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), 0): Int) == 0 might not hold. (testsresourcesexamplesauction.vy.vpr@816.10--816.90) [246]"} + ($map_get(($struct_get(($struct_loc($self$1, 10): int)): $MapDomainType int int), 0): int) == 0; + assume state(Heap, Mask); + + // -- Translating statement: assert (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), q$a): Int) != + // 0 ==> + // ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), q$a): Int) != + // 0) -- testsresourcesexamplesauction.vy.vpr@817.3--817.353 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), q$a): Int) != 0 ==> ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), q$a): Int) != 0) + if (*) { + assume false; + } + if (*) { + if (0 <= q$a_13 && q$a_13 <= 1461501637330902918203684832716283019655932542975) { + if (($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), q$a_13): int) != 0) { + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), q$a): Int) != 0 might not hold. (testsresourcesexamplesauction.vy.vpr@817.11--817.352) [247]"} + ($map_get(($struct_get(($struct_loc($self$1, 11): int)): $MapDomainType int int), q$a_13): int) != 0; + } + } + assume false; + } + assume (forall q$a_14_1: int :: + { ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), q$a_14_1): int) } + 0 <= q$a_14_1 && q$a_14_1 <= 1461501637330902918203684832716283019655932542975 ==> ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), q$a_14_1): int) != 0 ==> ($map_get(($struct_get(($struct_loc($self$1, 11): int)): $MapDomainType int int), q$a_14_1): int) != 0 + ); + assume state(Heap, Mask); + + // -- Translating statement: assert (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // q$a != ($struct_get($struct_loc($self$1, 0)): Int) && + // ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), q$a): Int) == + // 0 ==> + // ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), q$a): Int) == + // 0) -- testsresourcesexamplesauction.vy.vpr@818.3--818.409 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> q$a != ($struct_get($struct_loc($self$1, 0)): Int) && ($map_get(($struct_get($struct_loc($self$1, 11)): $Map[Int, Int]), q$a): Int) == 0 ==> ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), q$a): Int) == 0) + if (*) { + assume false; + } + if (*) { + if (0 <= q$a_16 && q$a_16 <= 1461501637330902918203684832716283019655932542975) { + if (q$a_16 != ($struct_get(($struct_loc($self$1, 0): int)): int) && ($map_get(($struct_get(($struct_loc($self$1, 11): int)): $MapDomainType int int), q$a_16): int) == 0) { + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc($self$1, 10)): $Map[Int, Int]), q$a): Int) == 0 might not hold. (testsresourcesexamplesauction.vy.vpr@818.11--818.408) [248]"} + ($map_get(($struct_get(($struct_loc($self$1, 10): int)): $MapDomainType int int), q$a_16): int) == 0; + } + } + assume false; + } + assume (forall q$a_17_1: int :: + { ($map_get(($struct_get(($struct_loc($self$1, 11): int)): $MapDomainType int int), q$a_17_1): int) } + 0 <= q$a_17_1 && q$a_17_1 <= 1461501637330902918203684832716283019655932542975 ==> q$a_17_1 != ($struct_get(($struct_loc($self$1, 0): int)): int) && ($map_get(($struct_get(($struct_loc($self$1, 11): int)): $MapDomainType int int), q$a_17_1): int) == 0 ==> ($map_get(($struct_get(($struct_loc($self$1, 10): int)): $MapDomainType int int), q$a_17_1): int) == 0 + ); + assume state(Heap, Mask); + + // -- Translating statement: assert true && + // (forall q$a: Int, q$v: Int :: + // { $accessible$withdraw(18, q$a, q$v) } + // 0 <= q$a && + // (q$a <= 1461501637330902918203684832716283019655932542975 && + // (0 <= q$v && + // q$v <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 && + // q$v == + // ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), q$a): Int))) ==> + // acc($accessible$withdraw(18, q$a, q$v), write)) -- testsresourcesexamplesauction.vy.vpr@819.3--819.397 + + // -- Check definedness of true && (forall q$a: Int, q$v: Int :: { $accessible$withdraw(18, q$a, q$v) } 0 <= q$a && (q$a <= 1461501637330902918203684832716283019655932542975 && (0 <= q$v && q$v <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 && q$v == ($map_get(($struct_get($struct_loc($self$1, 6)): $Map[Int, Int]), q$a): Int))) ==> acc($accessible$withdraw(18, q$a, q$v), write)) + if (*) { + assume false; + } + AssertHeap := Heap; + AssertMask := Mask; + havoc QPMask; + + // -- check that the permission amount is positive + + + // -- check if receiver acc($accessible$withdraw(18, q$a, q$v), write) is injective + assert {:msg " Assert might fail. Quantified resource $accessible$withdraw(18, q$a, q$v) might not be injective. (testsresourcesexamplesauction.vy.vpr@819.10--819.397) [251]"} + (forall q$a_18: int, q$v_3: int, q$a_18_1: int, q$v_3_1: int :: + { neverTriggered12(q$a_18, q$v_3), neverTriggered12(q$a_18_1, q$v_3_1) } + ((((q$a_18 != q$a_18_1 && q$v_3 != q$v_3_1) && (0 <= q$a_18 && (q$a_18 <= 1461501637330902918203684832716283019655932542975 && ((0 <= q$v_3 && q$v_3 <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && q$v_3 == ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), q$a_18): int))))) && (0 <= q$a_18_1 && (q$a_18_1 <= 1461501637330902918203684832716283019655932542975 && ((0 <= q$v_3_1 && q$v_3_1 <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && q$v_3_1 == ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), q$a_18_1): int))))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> q$a_18 != q$a_18_1 || q$v_3 != q$v_3_1 + ); + + // -- check if sufficient permission is held + assert {:msg " Assert might fail. There might be insufficient permission to access $accessible$withdraw(18, q$a, q$v) (testsresourcesexamplesauction.vy.vpr@819.10--819.397) [252]"} + (forall q$a_18: int, q$v_3: int :: + { AssertHeap[null, $accessible$withdraw(18, q$a_18, q$v_3)] } { AssertMask[null, $accessible$withdraw(18, q$a_18, q$v_3)] } { AssertHeap[null, $accessible$withdraw(18, q$a_18, q$v_3)] } + 0 <= q$a_18 && (q$a_18 <= 1461501637330902918203684832716283019655932542975 && ((0 <= q$v_3 && q$v_3 <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && q$v_3 == ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), q$a_18): int))) ==> AssertMask[null, $accessible$withdraw(18, q$a_18, q$v_3)] >= FullPerm + ); + + // -- assumptions for inverse of receiver acc($accessible$withdraw(18, q$a, q$v), write) + assume (forall q$a_18: int, q$v_3: int :: + { AssertHeap[null, $accessible$withdraw(18, q$a_18, q$v_3)] } { AssertMask[null, $accessible$withdraw(18, q$a_18, q$v_3)] } { AssertHeap[null, $accessible$withdraw(18, q$a_18, q$v_3)] } + (0 <= q$a_18 && (q$a_18 <= 1461501637330902918203684832716283019655932542975 && ((0 <= q$v_3 && q$v_3 <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && q$v_3 == ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), q$a_18): int)))) && NoPerm < FullPerm ==> (invRecv11(18, q$a_18, q$v_3) == q$a_18 && invRecv12(18, q$a_18, q$v_3) == q$v_3) && qpRange12(18, q$a_18, q$v_3) + ); + assume (forall $tag_1: int, $to_1: int, $amount_1: int :: + { invRecv11($tag_1, $to_1, $amount_1), invRecv12($tag_1, $to_1, $amount_1) } + ((0 <= invRecv11($tag_1, $to_1, $amount_1) && (invRecv11($tag_1, $to_1, $amount_1) <= 1461501637330902918203684832716283019655932542975 && ((0 <= invRecv12($tag_1, $to_1, $amount_1) && invRecv12($tag_1, $to_1, $amount_1) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && invRecv12($tag_1, $to_1, $amount_1) == ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), invRecv11($tag_1, $to_1, $amount_1)): int)))) && NoPerm < FullPerm) && qpRange12($tag_1, $to_1, $amount_1) ==> (18 == $tag_1 && invRecv11($tag_1, $to_1, $amount_1) == $to_1) && invRecv12($tag_1, $to_1, $amount_1) == $amount_1 + ); + + // -- assume permission updates for predicate $accessible$withdraw + assume (forall $tag_1: int, $to_1: int, $amount_1: int :: + { QPMask[null, $accessible$withdraw($tag_1, $to_1, $amount_1)] } + ((0 <= invRecv11($tag_1, $to_1, $amount_1) && (invRecv11($tag_1, $to_1, $amount_1) <= 1461501637330902918203684832716283019655932542975 && ((0 <= invRecv12($tag_1, $to_1, $amount_1) && invRecv12($tag_1, $to_1, $amount_1) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && invRecv12($tag_1, $to_1, $amount_1) == ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), invRecv11($tag_1, $to_1, $amount_1)): int)))) && NoPerm < FullPerm) && qpRange12($tag_1, $to_1, $amount_1) ==> ((18 == $tag_1 && invRecv11($tag_1, $to_1, $amount_1) == $to_1) && invRecv12($tag_1, $to_1, $amount_1) == $amount_1) && QPMask[null, $accessible$withdraw($tag_1, $to_1, $amount_1)] == AssertMask[null, $accessible$withdraw($tag_1, $to_1, $amount_1)] - FullPerm + ); + assume (forall $tag_1: int, $to_1: int, $amount_1: int :: + { QPMask[null, $accessible$withdraw($tag_1, $to_1, $amount_1)] } + !(((0 <= invRecv11($tag_1, $to_1, $amount_1) && (invRecv11($tag_1, $to_1, $amount_1) <= 1461501637330902918203684832716283019655932542975 && ((0 <= invRecv12($tag_1, $to_1, $amount_1) && invRecv12($tag_1, $to_1, $amount_1) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && invRecv12($tag_1, $to_1, $amount_1) == ($map_get(($struct_get(($struct_loc($self$1, 6): int)): $MapDomainType int int), invRecv11($tag_1, $to_1, $amount_1)): int)))) && NoPerm < FullPerm) && qpRange12($tag_1, $to_1, $amount_1)) ==> QPMask[null, $accessible$withdraw($tag_1, $to_1, $amount_1)] == AssertMask[null, $accessible$withdraw($tag_1, $to_1, $amount_1)] + ); + + // -- assume permission updates for independent locations + assume (forall o_4: Ref, f_6: (Field A B) :: + { AssertMask[o_4, f_6] } { QPMask[o_4, f_6] } + (o_4 != null || !IsPredicateField(f_6)) || getPredicateId(f_6) != 24 ==> AssertMask[o_4, f_6] == QPMask[o_4, f_6] + ); + AssertMask := QPMask; + assume state(Heap, Mask); +} + +// ================================================== +// Translation of method $forced_ether_check +// ================================================== + +procedure $forced_ether_check() returns () + modifies Heap, Mask; +{ + var self: $StructDomainType; + var $pre_self: $StructDomainType; + var block: $StructDomainType; + var $havoc: int; + var QPMask: MaskType; + var $pre_$contracts: ($MapDomainType int $StructDomainType); + var $contracts: ($MapDomainType int $StructDomainType); + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == -1; + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc(self, 0)): Int) && + // ($struct_get($struct_loc(self, 0)): Int) <= + // 1461501637330902918203684832716283019655932542975 -- testsresourcesexamplesauction.vy.vpr@831.3--831.152 + assume 0 <= ($struct_get(($struct_loc(self, 0): int)): int); + assume ($struct_get(($struct_loc(self, 0): int)): int) <= 1461501637330902918203684832716283019655932542975; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc(self, 1)): Int) && + // ($struct_get($struct_loc(self, 1)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@832.3--832.181 + assume 0 <= ($struct_get(($struct_loc(self, 1): int)): int); + assume ($struct_get(($struct_loc(self, 1): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc(self, 2)): Int) && + // ($struct_get($struct_loc(self, 2)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@833.3--833.181 + assume 0 <= ($struct_get(($struct_loc(self, 2): int)): int); + assume ($struct_get(($struct_loc(self, 2): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc(self, 3)): Int) && + // ($struct_get($struct_loc(self, 3)): Int) <= + // 1461501637330902918203684832716283019655932542975 -- testsresourcesexamplesauction.vy.vpr@834.3--834.152 + assume 0 <= ($struct_get(($struct_loc(self, 3): int)): int); + assume ($struct_get(($struct_loc(self, 3): int)): int) <= 1461501637330902918203684832716283019655932542975; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc(self, 4)): Int) && + // ($struct_get($struct_loc(self, 4)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@835.3--835.181 + assume 0 <= ($struct_get(($struct_loc(self, 4): int)): int); + assume ($struct_get(($struct_loc(self, 4): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $q0: Int :: + // { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) } + // 0 <= + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) && + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935) -- testsresourcesexamplesauction.vy.vpr@836.3--836.346 + + // -- Check definedness of (forall $q0: Int :: { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) } 0 <= ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) && ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) + if (*) { + assume false; + } + assume (forall $q0_1: int :: + { ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), $q0_1): int) } + 0 <= ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), $q0_1): int) && ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), $q0_1): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $q0: Int :: + // { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) } + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) <= + // ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int)) -- testsresourcesexamplesauction.vy.vpr@837.3--837.254 + + // -- Check definedness of (forall $q0: Int :: { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) } ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) <= ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int)) + if (*) { + assume false; + } + assume (forall $q0_3: int :: + { ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), $q0_3): int) } + ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), $q0_3): int) <= ($map_sum(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int)): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc(self, 7)): Int) && + // ($struct_get($struct_loc(self, 7)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@838.3--838.181 + assume 0 <= ($struct_get(($struct_loc(self, 7): int)): int); + assume ($struct_get(($struct_loc(self, 7): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale -170141183460469231731687303715884105728 <= + // ($struct_get($struct_loc(self, 8)): Int) && + // ($struct_get($struct_loc(self, 8)): Int) <= + // 170141183460469231731687303715884105727 -- testsresourcesexamplesauction.vy.vpr@839.3--839.181 + assume -170141183460469231731687303715884105728 <= ($struct_get(($struct_loc(self, 8): int)): int); + assume ($struct_get(($struct_loc(self, 8): int)): int) <= 170141183460469231731687303715884105727; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $q1: Int :: + // { ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) } + // 0 <= + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) && + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935) -- testsresourcesexamplesauction.vy.vpr@840.3--840.349 + + // -- Check definedness of (forall $q1: Int :: { ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) } 0 <= ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) && ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) + if (*) { + assume false; + } + assume (forall $q1_1: int :: + { ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $q1_1): int) } + 0 <= ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $q1_1): int) && ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $q1_1): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $q1: Int :: + // { ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) } + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) <= + // ($map_sum(($struct_get($struct_loc(self, 10)): $Map[Int, Int])): Int)) -- testsresourcesexamplesauction.vy.vpr@841.3--841.257 + + // -- Check definedness of (forall $q1: Int :: { ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) } ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) <= ($map_sum(($struct_get($struct_loc(self, 10)): $Map[Int, Int])): Int)) + if (*) { + assume false; + } + assume (forall $q1_3: int :: + { ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $q1_3): int) } + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $q1_3): int) <= ($map_sum(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int)): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $q2: Int :: + // { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) } + // 0 <= + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) && + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935) -- testsresourcesexamplesauction.vy.vpr@842.3--842.349 + + // -- Check definedness of (forall $q2: Int :: { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) } 0 <= ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) && ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) + if (*) { + assume false; + } + assume (forall $q2_1: int :: + { ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), $q2_1): int) } + 0 <= ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), $q2_1): int) && ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), $q2_1): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $q2: Int :: + // { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) } + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) <= + // ($map_sum(($struct_get($struct_loc(self, 11)): $Map[Int, Int])): Int)) -- testsresourcesexamplesauction.vy.vpr@843.3--843.257 + + // -- Check definedness of (forall $q2: Int :: { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) } ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) <= ($map_sum(($struct_get($struct_loc(self, 11)): $Map[Int, Int])): Int)) + if (*) { + assume false; + } + assume (forall $q2_3: int :: + { ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), $q2_3): int) } + ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), $q2_3): int) <= ($map_sum(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int)): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc(self, -1)): Int) == + // 9122519725869122497593506884710 -- testsresourcesexamplesauction.vy.vpr@844.3--844.86 + assume ($struct_get(($struct_loc(self, -1): int)): int) == 9122519725869122497593506884710; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc($pre_self, 0)): Int) && + // ($struct_get($struct_loc($pre_self, 0)): Int) <= + // 1461501637330902918203684832716283019655932542975 -- testsresourcesexamplesauction.vy.vpr@845.3--845.162 + assume 0 <= ($struct_get(($struct_loc($pre_self, 0): int)): int); + assume ($struct_get(($struct_loc($pre_self, 0): int)): int) <= 1461501637330902918203684832716283019655932542975; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc($pre_self, 1)): Int) && + // ($struct_get($struct_loc($pre_self, 1)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@846.3--846.191 + assume 0 <= ($struct_get(($struct_loc($pre_self, 1): int)): int); + assume ($struct_get(($struct_loc($pre_self, 1): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc($pre_self, 2)): Int) && + // ($struct_get($struct_loc($pre_self, 2)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@847.3--847.191 + assume 0 <= ($struct_get(($struct_loc($pre_self, 2): int)): int); + assume ($struct_get(($struct_loc($pre_self, 2): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc($pre_self, 3)): Int) && + // ($struct_get($struct_loc($pre_self, 3)): Int) <= + // 1461501637330902918203684832716283019655932542975 -- testsresourcesexamplesauction.vy.vpr@848.3--848.162 + assume 0 <= ($struct_get(($struct_loc($pre_self, 3): int)): int); + assume ($struct_get(($struct_loc($pre_self, 3): int)): int) <= 1461501637330902918203684832716283019655932542975; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc($pre_self, 4)): Int) && + // ($struct_get($struct_loc($pre_self, 4)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@849.3--849.191 + assume 0 <= ($struct_get(($struct_loc($pre_self, 4): int)): int); + assume ($struct_get(($struct_loc($pre_self, 4): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $q0: Int :: + // { ($map_get(($struct_get($struct_loc($pre_self, 6)): $Map[Int, Int]), $q0): Int) } + // 0 <= + // ($map_get(($struct_get($struct_loc($pre_self, 6)): $Map[Int, Int]), $q0): Int) && + // ($map_get(($struct_get($struct_loc($pre_self, 6)): $Map[Int, Int]), $q0): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935) -- testsresourcesexamplesauction.vy.vpr@850.3--850.361 + + // -- Check definedness of (forall $q0: Int :: { ($map_get(($struct_get($struct_loc($pre_self, 6)): $Map[Int, Int]), $q0): Int) } 0 <= ($map_get(($struct_get($struct_loc($pre_self, 6)): $Map[Int, Int]), $q0): Int) && ($map_get(($struct_get($struct_loc($pre_self, 6)): $Map[Int, Int]), $q0): Int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) + if (*) { + assume false; + } + assume (forall $q0_5: int :: + { ($map_get(($struct_get(($struct_loc($pre_self, 6): int)): $MapDomainType int int), $q0_5): int) } + 0 <= ($map_get(($struct_get(($struct_loc($pre_self, 6): int)): $MapDomainType int int), $q0_5): int) && ($map_get(($struct_get(($struct_loc($pre_self, 6): int)): $MapDomainType int int), $q0_5): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $q0: Int :: + // { ($map_get(($struct_get($struct_loc($pre_self, 6)): $Map[Int, Int]), $q0): Int) } + // ($map_get(($struct_get($struct_loc($pre_self, 6)): $Map[Int, Int]), $q0): Int) <= + // ($map_sum(($struct_get($struct_loc($pre_self, 6)): $Map[Int, Int])): Int)) -- testsresourcesexamplesauction.vy.vpr@851.3--851.269 + + // -- Check definedness of (forall $q0: Int :: { ($map_get(($struct_get($struct_loc($pre_self, 6)): $Map[Int, Int]), $q0): Int) } ($map_get(($struct_get($struct_loc($pre_self, 6)): $Map[Int, Int]), $q0): Int) <= ($map_sum(($struct_get($struct_loc($pre_self, 6)): $Map[Int, Int])): Int)) + if (*) { + assume false; + } + assume (forall $q0_7: int :: + { ($map_get(($struct_get(($struct_loc($pre_self, 6): int)): $MapDomainType int int), $q0_7): int) } + ($map_get(($struct_get(($struct_loc($pre_self, 6): int)): $MapDomainType int int), $q0_7): int) <= ($map_sum(($struct_get(($struct_loc($pre_self, 6): int)): $MapDomainType int int)): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc($pre_self, 7)): Int) && + // ($struct_get($struct_loc($pre_self, 7)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@852.3--852.191 + assume 0 <= ($struct_get(($struct_loc($pre_self, 7): int)): int); + assume ($struct_get(($struct_loc($pre_self, 7): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale -170141183460469231731687303715884105728 <= + // ($struct_get($struct_loc($pre_self, 8)): Int) && + // ($struct_get($struct_loc($pre_self, 8)): Int) <= + // 170141183460469231731687303715884105727 -- testsresourcesexamplesauction.vy.vpr@853.3--853.191 + assume -170141183460469231731687303715884105728 <= ($struct_get(($struct_loc($pre_self, 8): int)): int); + assume ($struct_get(($struct_loc($pre_self, 8): int)): int) <= 170141183460469231731687303715884105727; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $q1: Int :: + // { ($map_get(($struct_get($struct_loc($pre_self, 10)): $Map[Int, Int]), $q1): Int) } + // 0 <= + // ($map_get(($struct_get($struct_loc($pre_self, 10)): $Map[Int, Int]), $q1): Int) && + // ($map_get(($struct_get($struct_loc($pre_self, 10)): $Map[Int, Int]), $q1): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935) -- testsresourcesexamplesauction.vy.vpr@854.3--854.364 + + // -- Check definedness of (forall $q1: Int :: { ($map_get(($struct_get($struct_loc($pre_self, 10)): $Map[Int, Int]), $q1): Int) } 0 <= ($map_get(($struct_get($struct_loc($pre_self, 10)): $Map[Int, Int]), $q1): Int) && ($map_get(($struct_get($struct_loc($pre_self, 10)): $Map[Int, Int]), $q1): Int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) + if (*) { + assume false; + } + assume (forall $q1_5: int :: + { ($map_get(($struct_get(($struct_loc($pre_self, 10): int)): $MapDomainType int int), $q1_5): int) } + 0 <= ($map_get(($struct_get(($struct_loc($pre_self, 10): int)): $MapDomainType int int), $q1_5): int) && ($map_get(($struct_get(($struct_loc($pre_self, 10): int)): $MapDomainType int int), $q1_5): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $q1: Int :: + // { ($map_get(($struct_get($struct_loc($pre_self, 10)): $Map[Int, Int]), $q1): Int) } + // ($map_get(($struct_get($struct_loc($pre_self, 10)): $Map[Int, Int]), $q1): Int) <= + // ($map_sum(($struct_get($struct_loc($pre_self, 10)): $Map[Int, Int])): Int)) -- testsresourcesexamplesauction.vy.vpr@855.3--855.272 + + // -- Check definedness of (forall $q1: Int :: { ($map_get(($struct_get($struct_loc($pre_self, 10)): $Map[Int, Int]), $q1): Int) } ($map_get(($struct_get($struct_loc($pre_self, 10)): $Map[Int, Int]), $q1): Int) <= ($map_sum(($struct_get($struct_loc($pre_self, 10)): $Map[Int, Int])): Int)) + if (*) { + assume false; + } + assume (forall $q1_7: int :: + { ($map_get(($struct_get(($struct_loc($pre_self, 10): int)): $MapDomainType int int), $q1_7): int) } + ($map_get(($struct_get(($struct_loc($pre_self, 10): int)): $MapDomainType int int), $q1_7): int) <= ($map_sum(($struct_get(($struct_loc($pre_self, 10): int)): $MapDomainType int int)): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $q2: Int :: + // { ($map_get(($struct_get($struct_loc($pre_self, 11)): $Map[Int, Int]), $q2): Int) } + // 0 <= + // ($map_get(($struct_get($struct_loc($pre_self, 11)): $Map[Int, Int]), $q2): Int) && + // ($map_get(($struct_get($struct_loc($pre_self, 11)): $Map[Int, Int]), $q2): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935) -- testsresourcesexamplesauction.vy.vpr@856.3--856.364 + + // -- Check definedness of (forall $q2: Int :: { ($map_get(($struct_get($struct_loc($pre_self, 11)): $Map[Int, Int]), $q2): Int) } 0 <= ($map_get(($struct_get($struct_loc($pre_self, 11)): $Map[Int, Int]), $q2): Int) && ($map_get(($struct_get($struct_loc($pre_self, 11)): $Map[Int, Int]), $q2): Int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) + if (*) { + assume false; + } + assume (forall $q2_5: int :: + { ($map_get(($struct_get(($struct_loc($pre_self, 11): int)): $MapDomainType int int), $q2_5): int) } + 0 <= ($map_get(($struct_get(($struct_loc($pre_self, 11): int)): $MapDomainType int int), $q2_5): int) && ($map_get(($struct_get(($struct_loc($pre_self, 11): int)): $MapDomainType int int), $q2_5): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $q2: Int :: + // { ($map_get(($struct_get($struct_loc($pre_self, 11)): $Map[Int, Int]), $q2): Int) } + // ($map_get(($struct_get($struct_loc($pre_self, 11)): $Map[Int, Int]), $q2): Int) <= + // ($map_sum(($struct_get($struct_loc($pre_self, 11)): $Map[Int, Int])): Int)) -- testsresourcesexamplesauction.vy.vpr@857.3--857.272 + + // -- Check definedness of (forall $q2: Int :: { ($map_get(($struct_get($struct_loc($pre_self, 11)): $Map[Int, Int]), $q2): Int) } ($map_get(($struct_get($struct_loc($pre_self, 11)): $Map[Int, Int]), $q2): Int) <= ($map_sum(($struct_get($struct_loc($pre_self, 11)): $Map[Int, Int])): Int)) + if (*) { + assume false; + } + assume (forall $q2_7: int :: + { ($map_get(($struct_get(($struct_loc($pre_self, 11): int)): $MapDomainType int int), $q2_7): int) } + ($map_get(($struct_get(($struct_loc($pre_self, 11): int)): $MapDomainType int int), $q2_7): int) <= ($map_sum(($struct_get(($struct_loc($pre_self, 11): int)): $MapDomainType int int)): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc($pre_self, -1)): Int) == + // 9122519725869122497593506884710 -- testsresourcesexamplesauction.vy.vpr@858.3--858.91 + assume ($struct_get(($struct_loc($pre_self, -1): int)): int) == 9122519725869122497593506884710; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc(block, 0)): Int) && + // ($struct_get($struct_loc(block, 0)): Int) <= + // 1461501637330902918203684832716283019655932542975 -- testsresourcesexamplesauction.vy.vpr@859.3--859.154 + assume 0 <= ($struct_get(($struct_loc(block, 0): int)): int); + assume ($struct_get(($struct_loc(block, 0): int)): int) <= 1461501637330902918203684832716283019655932542975; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc(block, 1)): Int) && + // ($struct_get($struct_loc(block, 1)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@860.3--860.183 + assume 0 <= ($struct_get(($struct_loc(block, 1): int)): int); + assume ($struct_get(($struct_loc(block, 1): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc(block, 2)): Int) && + // ($struct_get($struct_loc(block, 2)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@861.3--861.183 + assume 0 <= ($struct_get(($struct_loc(block, 2): int)): int); + assume ($struct_get(($struct_loc(block, 2): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale |($struct_get($struct_loc(block, 3)): Seq[Int])| == 32 -- testsresourcesexamplesauction.vy.vpr@862.3--862.64 + assume Seq#Length(($struct_get(($struct_loc(block, 3): int)): Seq int)) == 32; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale 0 <= ($struct_get($struct_loc(block, 4)): Int) && + // ($struct_get($struct_loc(block, 4)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@863.3--863.183 + assume 0 <= ($struct_get(($struct_loc(block, 4): int)): int); + assume ($struct_get(($struct_loc(block, 4): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc(block, -1)): Int) == + // 2335365049822495359383864865678187 -- testsresourcesexamplesauction.vy.vpr@864.3--864.90 + assume ($struct_get(($struct_loc(block, -1): int)): int) == 2335365049822495359383864865678187; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale $havoc >= 0 -- testsresourcesexamplesauction.vy.vpr@865.3--865.21 + assume $havoc >= 0; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall $a: Int :: + // { ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $a): Int) } + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $a): Int) >= + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $a): Int)) -- testsresourcesexamplesauction.vy.vpr@866.3--866.258 + + // -- Check definedness of (forall $a: Int :: { ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $a): Int) } ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $a): Int) >= ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $a): Int)) + if (*) { + assume false; + } + assume (forall $a_1_1: int :: + { ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $a_1_1): int) } + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $a_1_1): int) >= ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $a_1_1): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc(self, 3)): Int) == 0 ==> + // ($struct_get($struct_loc(self, 4)): Int) == 0 -- testsresourcesexamplesauction.vy.vpr@867.3--867.105 + if (($struct_get(($struct_loc(self, 3): int)): int) == 0) { + assume ($struct_get(($struct_loc(self, 4): int)): int) == 0; + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc(self, 0)): Int) == + // ($struct_get($struct_loc(self, 0)): Int) -- testsresourcesexamplesauction.vy.vpr@868.3--868.94 + assume ($struct_get(($struct_loc(self, 0): int)): int) == ($struct_get(($struct_loc(self, 0): int)): int); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc(self, 5)): Bool) ==> + // ($struct_get($struct_loc(self, 5)): Bool) -- testsresourcesexamplesauction.vy.vpr@869.3--869.97 + if (($struct_get(($struct_loc(self, 5): int)): bool)) { + assume ($struct_get(($struct_loc(self, 5): int)): bool); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale !($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) + + // ($struct_get($struct_loc(self, 4)): Int) <= + // ($struct_get($struct_loc(self, 7)): Int) -- testsresourcesexamplesauction.vy.vpr@870.3--870.212 + if (!($struct_get(($struct_loc(self, 5): int)): bool)) { + assume ($map_sum(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int)): int) + ($struct_get(($struct_loc(self, 4): int)): int) <= ($struct_get(($struct_loc(self, 7): int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale !($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) + + // ($struct_get($struct_loc(self, 4)): Int) == + // ($map_sum(($struct_get($struct_loc(self, 11)): $Map[Int, Int])): Int) - + // ($map_sum(($struct_get($struct_loc(self, 10)): $Map[Int, Int])): Int) -- testsresourcesexamplesauction.vy.vpr@871.3--871.313 + if (!($struct_get(($struct_loc(self, 5): int)): bool)) { + assume ($map_sum(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int)): int) + ($struct_get(($struct_loc(self, 4): int)): int) == ($map_sum(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int)): int) - ($map_sum(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) <= + // ($struct_get($struct_loc(self, 7)): Int) -- testsresourcesexamplesauction.vy.vpr@872.3--872.168 + if (($struct_get(($struct_loc(self, 5): int)): bool)) { + assume ($map_sum(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int)): int) <= ($struct_get(($struct_loc(self, 7): int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc(self, 4)): Int) >= + // ($struct_get($struct_loc(self, 4)): Int) -- testsresourcesexamplesauction.vy.vpr@873.3--873.94 + assume ($struct_get(($struct_loc(self, 4): int)): int) >= ($struct_get(($struct_loc(self, 4): int)): int); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc(self, 5)): Bool) ==> + // ($struct_get($struct_loc(self, 4)): Int) == + // ($struct_get($struct_loc(self, 4)): Int) && + // ($struct_get($struct_loc(self, 3)): Int) == + // ($struct_get($struct_loc(self, 3)): Int) -- testsresourcesexamplesauction.vy.vpr@874.3--874.228 + if (($struct_get(($struct_loc(self, 5): int)): bool)) { + assume ($struct_get(($struct_loc(self, 4): int)): int) == ($struct_get(($struct_loc(self, 4): int)): int); + assume ($struct_get(($struct_loc(self, 3): int)): int) == ($struct_get(($struct_loc(self, 3): int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc(self, 0)): Int) != 0 -- testsresourcesexamplesauction.vy.vpr@875.3--875.55 + assume ($struct_get(($struct_loc(self, 0): int)): int) != 0; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc(self, 3)): Int) != + // ($struct_get($struct_loc(self, 0)): Int) -- testsresourcesexamplesauction.vy.vpr@876.3--876.94 + assume ($struct_get(($struct_loc(self, 3): int)): int) != ($struct_get(($struct_loc(self, 0): int)): int); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 0)): Int)): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@877.3--877.125 + assume ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 0): int)): int)): int) == 0; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale !($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 0)): Int)): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@878.3--878.173 + if (!($struct_get(($struct_loc(self, 5): int)): bool)) { + assume ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 0): int)): int)): int) == 0; + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 0)): Int)): Int) == + // ($struct_get($struct_loc(self, 4)): Int) -- testsresourcesexamplesauction.vy.vpr@879.3--879.211 + if (($struct_get(($struct_loc(self, 5): int)): bool)) { + assume ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 0): int)): int)): int) == ($struct_get(($struct_loc(self, 4): int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 3)): Int)): Int) + + // ($struct_get($struct_loc(self, 4)): Int) + + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 3)): Int)): Int) == + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 3)): Int)): Int) -- testsresourcesexamplesauction.vy.vpr@880.3--880.392 + assume ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 3): int)): int)): int) + ($struct_get(($struct_loc(self, 4): int)): int) + ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 3): int)): int)): int) == ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 3): int)): int)): int); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // q$a != ($struct_get($struct_loc(self, 3)): Int) && + // q$a != ($struct_get($struct_loc(self, 0)): Int) ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) + + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) == + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int)) -- testsresourcesexamplesauction.vy.vpr@881.3--881.514 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> q$a != ($struct_get($struct_loc(self, 3)): Int) && q$a != ($struct_get($struct_loc(self, 0)): Int) ==> ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) + ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) == ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int)) + if (*) { + assume false; + } + assume (forall q$a_1: int :: + { ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_1): int) } + 0 <= q$a_1 && q$a_1 <= 1461501637330902918203684832716283019655932542975 ==> q$a_1 != ($struct_get(($struct_loc(self, 3): int)): int) && q$a_1 != ($struct_get(($struct_loc(self, 0): int)): int) ==> ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), q$a_1): int) + ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_1): int) == ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_1): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), 0): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@882.3--882.87 + assume ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), 0): int) == 0; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) != + // 0 ==> + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) != + // 0) -- testsresourcesexamplesauction.vy.vpr@883.3--883.344 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) != 0 ==> ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) != 0) + if (*) { + assume false; + } + assume (forall q$a_3: int :: + { ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_3): int) } + 0 <= q$a_3 && q$a_3 <= 1461501637330902918203684832716283019655932542975 ==> ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_3): int) != 0 ==> ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_3): int) != 0 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // q$a != ($struct_get($struct_loc(self, 0)): Int) && + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) == + // 0 ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) == + // 0) -- testsresourcesexamplesauction.vy.vpr@884.3--884.397 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> q$a != ($struct_get($struct_loc(self, 0)): Int) && ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) == 0 ==> ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) == 0) + if (*) { + assume false; + } + assume (forall q$a_5: int :: + { ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_5): int) } + 0 <= q$a_5 && q$a_5 <= 1461501637330902918203684832716283019655932542975 ==> q$a_5 != ($struct_get(($struct_loc(self, 0): int)): int) && ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_5): int) == 0 ==> ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), q$a_5): int) == 0 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: inhale true && + // (forall q$a: Int, q$v: Int :: + // { $accessible$withdraw(18, q$a, q$v) } + // 0 <= q$a && + // (q$a <= 1461501637330902918203684832716283019655932542975 && + // (0 <= q$v && + // q$v <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 && + // q$v == + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int))) ==> + // acc($accessible$withdraw(18, q$a, q$v), write)) -- testsresourcesexamplesauction.vy.vpr@885.3--885.394 + + // -- Check definedness of (forall q$a: Int, q$v: Int :: { $accessible$withdraw(18, q$a, q$v) } 0 <= q$a && (q$a <= 1461501637330902918203684832716283019655932542975 && (0 <= q$v && q$v <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 && q$v == ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int))) ==> acc($accessible$withdraw(18, q$a, q$v), write)) + if (*) { + assume false; + } + havoc QPMask; + + // -- check if receiver acc($accessible$withdraw(18, q$a, q$v), write) is injective + assert {:msg " Inhale might fail. Quantified resource $accessible$withdraw(18, q$a, q$v) might not be injective. (testsresourcesexamplesauction.vy.vpr@885.10--885.394) [253]"} + (forall q$a_7: int, q$v_1: int, q$a_7_1: int, q$v_1_1: int :: + { neverTriggered14(q$a_7, q$v_1), neverTriggered14(q$a_7_1, q$v_1_1) } + ((((q$a_7 != q$a_7_1 && q$v_1 != q$v_1_1) && (0 <= q$a_7 && (q$a_7 <= 1461501637330902918203684832716283019655932542975 && ((0 <= q$v_1 && q$v_1 <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && q$v_1 == ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_7): int))))) && (0 <= q$a_7_1 && (q$a_7_1 <= 1461501637330902918203684832716283019655932542975 && ((0 <= q$v_1_1 && q$v_1_1 <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && q$v_1_1 == ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_7_1): int))))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> q$a_7 != q$a_7_1 || q$v_1 != q$v_1_1 + ); + + // -- Define Inverse Function + assume (forall q$a_7: int, q$v_1: int :: + { Heap[null, $accessible$withdraw(18, q$a_7, q$v_1)] } { Mask[null, $accessible$withdraw(18, q$a_7, q$v_1)] } { Heap[null, $accessible$withdraw(18, q$a_7, q$v_1)] } + (0 <= q$a_7 && (q$a_7 <= 1461501637330902918203684832716283019655932542975 && ((0 <= q$v_1 && q$v_1 <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && q$v_1 == ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_7): int)))) && NoPerm < FullPerm ==> (invRecv13(18, q$a_7, q$v_1) == q$a_7 && invRecv14(18, q$a_7, q$v_1) == q$v_1) && qpRange14(18, q$a_7, q$v_1) + ); + assume (forall $tag: int, $to: int, $amount: int :: + { invRecv13($tag, $to, $amount), invRecv14($tag, $to, $amount) } + ((0 <= invRecv13($tag, $to, $amount) && (invRecv13($tag, $to, $amount) <= 1461501637330902918203684832716283019655932542975 && ((0 <= invRecv14($tag, $to, $amount) && invRecv14($tag, $to, $amount) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && invRecv14($tag, $to, $amount) == ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), invRecv13($tag, $to, $amount)): int)))) && NoPerm < FullPerm) && qpRange14($tag, $to, $amount) ==> (18 == $tag && invRecv13($tag, $to, $amount) == $to) && invRecv14($tag, $to, $amount) == $amount + ); + + // -- Define updated permissions + assume (forall $tag: int, $to: int, $amount: int :: + { QPMask[null, $accessible$withdraw($tag, $to, $amount)] } + ((0 <= invRecv13($tag, $to, $amount) && (invRecv13($tag, $to, $amount) <= 1461501637330902918203684832716283019655932542975 && ((0 <= invRecv14($tag, $to, $amount) && invRecv14($tag, $to, $amount) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && invRecv14($tag, $to, $amount) == ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), invRecv13($tag, $to, $amount)): int)))) && NoPerm < FullPerm) && qpRange14($tag, $to, $amount) ==> (NoPerm < FullPerm ==> (18 == $tag && invRecv13($tag, $to, $amount) == $to) && invRecv14($tag, $to, $amount) == $amount) && QPMask[null, $accessible$withdraw($tag, $to, $amount)] == Mask[null, $accessible$withdraw($tag, $to, $amount)] + FullPerm + ); + + // -- Define independent locations + assume (forall o_4: Ref, f_6: (Field A B) :: + { Mask[o_4, f_6] } { QPMask[o_4, f_6] } + (o_4 != null || !IsPredicateField(f_6)) || getPredicateId(f_6) != 24 ==> Mask[o_4, f_6] == QPMask[o_4, f_6] + ); + assume (forall $tag: int, $to: int, $amount: int :: + { QPMask[null, $accessible$withdraw($tag, $to, $amount)] } + !(((0 <= invRecv13($tag, $to, $amount) && (invRecv13($tag, $to, $amount) <= 1461501637330902918203684832716283019655932542975 && ((0 <= invRecv14($tag, $to, $amount) && invRecv14($tag, $to, $amount) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && invRecv14($tag, $to, $amount) == ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), invRecv13($tag, $to, $amount)): int)))) && NoPerm < FullPerm) && qpRange14($tag, $to, $amount)) ==> QPMask[null, $accessible$withdraw($tag, $to, $amount)] == Mask[null, $accessible$withdraw($tag, $to, $amount)] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: $pre_self := self -- testsresourcesexamplesauction.vy.vpr@887.3--887.20 + $pre_self := self; + assume state(Heap, Mask); + + // -- Translating statement: $pre_$contracts := $contracts -- testsresourcesexamplesauction.vy.vpr@888.3--888.32 + $pre_$contracts := $contracts; + assume state(Heap, Mask); + + // -- Translating statement: self := ($struct_set(self, 7, ($struct_get($struct_loc(self, 7)): Int) + + // $havoc): $Struct) -- testsresourcesexamplesauction.vy.vpr@889.3--889.93 + self := ($struct_set(self, 7, ($struct_get(($struct_loc(self, 7): int)): int) + $havoc): $StructDomainType); + assume state(Heap, Mask); +} + +// ================================================== +// Translation of method f$__init__ +// ================================================== + +procedure f$__init__(l$_beneficiary: int, l$_bidding_time: $IntDomainType) returns ($succ: bool) + modifies Heap, Mask; +{ + var revert_lblGuard: bool; + var end_lblGuard: bool; + var return_lblGuard: bool; + var self: $StructDomainType; + var block: $StructDomainType; + var msg: $StructDomainType; + var $pre_self: $StructDomainType; + var $pre_$contracts: ($MapDomainType int $StructDomainType); + var $contracts: ($MapDomainType int $StructDomainType); + var $old_self: $StructDomainType; + var $old_$contracts: ($MapDomainType int $StructDomainType); + var $overflow: bool; + var $first_public_state: bool; + var l$havoc: int; + var LabelreturnMask: MaskType; + var LabelreturnHeap: HeapType; + var $out_of_gas: bool; + var LabelrevertMask: MaskType; + var LabelrevertHeap: HeapType; + var LabelendMask: MaskType; + var LabelendHeap: HeapType; + var l$havoc$1: int; + var l$havoc$2: ($MapDomainType int $StructDomainType); + var q$a_1: int; + var q$a_4: int; + var q$a_7: int; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == -1; + revert_lblGuard := false; + end_lblGuard := false; + return_lblGuard := false; + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Translating statement: // id = 1 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 2 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 3 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 4 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 5 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 6 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 7 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 8 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 9 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 10 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 11 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 12 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 13 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 14 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 15 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 16 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 17 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 18 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 19 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 20 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 21 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 22 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 23 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 24 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 25 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 26 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 27 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 28 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 29 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 30 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 31 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 32 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 33 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 34 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 35 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 36 + // inhale 0 <= ($struct_get($struct_loc(self, 0)): Int) && + // ($struct_get($struct_loc(self, 0)): Int) <= + // 1461501637330902918203684832716283019655932542975 -- testsresourcesexamplesauction.vy.vpr@913.3--913.152 + assume 0 <= ($struct_get(($struct_loc(self, 0): int)): int); + assume ($struct_get(($struct_loc(self, 0): int)): int) <= 1461501637330902918203684832716283019655932542975; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 37 + // inhale 0 <= ($struct_get($struct_loc(self, 1)): Int) && + // ($struct_get($struct_loc(self, 1)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@914.3--914.181 + assume 0 <= ($struct_get(($struct_loc(self, 1): int)): int); + assume ($struct_get(($struct_loc(self, 1): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 38 + // inhale 0 <= ($struct_get($struct_loc(self, 2)): Int) && + // ($struct_get($struct_loc(self, 2)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@915.3--915.181 + assume 0 <= ($struct_get(($struct_loc(self, 2): int)): int); + assume ($struct_get(($struct_loc(self, 2): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 39 + // inhale 0 <= ($struct_get($struct_loc(self, 3)): Int) && + // ($struct_get($struct_loc(self, 3)): Int) <= + // 1461501637330902918203684832716283019655932542975 -- testsresourcesexamplesauction.vy.vpr@916.3--916.152 + assume 0 <= ($struct_get(($struct_loc(self, 3): int)): int); + assume ($struct_get(($struct_loc(self, 3): int)): int) <= 1461501637330902918203684832716283019655932542975; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 40 + // inhale 0 <= ($struct_get($struct_loc(self, 4)): Int) && + // ($struct_get($struct_loc(self, 4)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@917.3--917.181 + assume 0 <= ($struct_get(($struct_loc(self, 4): int)): int); + assume ($struct_get(($struct_loc(self, 4): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 41 + // inhale (forall $q0: Int :: + // { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) } + // 0 <= + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) && + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935) -- testsresourcesexamplesauction.vy.vpr@918.3--918.346 + + // -- Check definedness of (forall $q0: Int :: { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) } 0 <= ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) && ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) + if (*) { + assume false; + } + assume (forall $q0_1: int :: + { ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), $q0_1): int) } + 0 <= ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), $q0_1): int) && ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), $q0_1): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 42 + // inhale (forall $q0: Int :: + // { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) } + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) <= + // ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int)) -- testsresourcesexamplesauction.vy.vpr@919.3--919.254 + + // -- Check definedness of (forall $q0: Int :: { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) } ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) <= ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int)) + if (*) { + assume false; + } + assume (forall $q0_3: int :: + { ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), $q0_3): int) } + ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), $q0_3): int) <= ($map_sum(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int)): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 43 + // inhale 0 <= ($struct_get($struct_loc(self, 7)): Int) && + // ($struct_get($struct_loc(self, 7)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@920.3--920.181 + assume 0 <= ($struct_get(($struct_loc(self, 7): int)): int); + assume ($struct_get(($struct_loc(self, 7): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 44 + // inhale -170141183460469231731687303715884105728 <= + // ($struct_get($struct_loc(self, 8)): Int) && + // ($struct_get($struct_loc(self, 8)): Int) <= + // 170141183460469231731687303715884105727 -- testsresourcesexamplesauction.vy.vpr@921.3--921.181 + assume -170141183460469231731687303715884105728 <= ($struct_get(($struct_loc(self, 8): int)): int); + assume ($struct_get(($struct_loc(self, 8): int)): int) <= 170141183460469231731687303715884105727; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 45 + // inhale (forall $q1: Int :: + // { ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) } + // 0 <= + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) && + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935) -- testsresourcesexamplesauction.vy.vpr@922.3--922.349 + + // -- Check definedness of (forall $q1: Int :: { ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) } 0 <= ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) && ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) + if (*) { + assume false; + } + assume (forall $q1_1: int :: + { ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $q1_1): int) } + 0 <= ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $q1_1): int) && ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $q1_1): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 46 + // inhale (forall $q1: Int :: + // { ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) } + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) <= + // ($map_sum(($struct_get($struct_loc(self, 10)): $Map[Int, Int])): Int)) -- testsresourcesexamplesauction.vy.vpr@923.3--923.257 + + // -- Check definedness of (forall $q1: Int :: { ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) } ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) <= ($map_sum(($struct_get($struct_loc(self, 10)): $Map[Int, Int])): Int)) + if (*) { + assume false; + } + assume (forall $q1_3: int :: + { ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $q1_3): int) } + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $q1_3): int) <= ($map_sum(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int)): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 47 + // inhale (forall $q2: Int :: + // { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) } + // 0 <= + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) && + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935) -- testsresourcesexamplesauction.vy.vpr@924.3--924.349 + + // -- Check definedness of (forall $q2: Int :: { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) } 0 <= ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) && ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) + if (*) { + assume false; + } + assume (forall $q2_1: int :: + { ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), $q2_1): int) } + 0 <= ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), $q2_1): int) && ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), $q2_1): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 48 + // inhale (forall $q2: Int :: + // { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) } + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) <= + // ($map_sum(($struct_get($struct_loc(self, 11)): $Map[Int, Int])): Int)) -- testsresourcesexamplesauction.vy.vpr@925.3--925.257 + + // -- Check definedness of (forall $q2: Int :: { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) } ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) <= ($map_sum(($struct_get($struct_loc(self, 11)): $Map[Int, Int])): Int)) + if (*) { + assume false; + } + assume (forall $q2_3: int :: + { ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), $q2_3): int) } + ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), $q2_3): int) <= ($map_sum(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int)): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 49 + // inhale ($struct_get($struct_loc(self, -1)): Int) == + // 9122519725869122497593506884710 -- testsresourcesexamplesauction.vy.vpr@926.3--926.86 + assume ($struct_get(($struct_loc(self, -1): int)): int) == 9122519725869122497593506884710; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 50 + // inhale 0 <= $self_address() && + // $self_address() <= 1461501637330902918203684832716283019655932542975 -- testsresourcesexamplesauction.vy.vpr@928.3--928.102 + assume 0 <= ($self_address(): int); + assume ($self_address(): int) <= 1461501637330902918203684832716283019655932542975; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 51 + // inhale 0 <= l$_beneficiary && + // l$_beneficiary <= 1461501637330902918203684832716283019655932542975 -- testsresourcesexamplesauction.vy.vpr@930.3--930.100 + assume 0 <= l$_beneficiary; + assume l$_beneficiary <= 1461501637330902918203684832716283019655932542975; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 52 + // inhale 0 <= $unwrap(l$_bidding_time) && + // $unwrap(l$_bidding_time) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@931.3--931.149 + assume 0 <= ($unwrap(l$_bidding_time): int); + assume ($unwrap(l$_bidding_time): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 53 + // inhale 0 <= ($struct_get($struct_loc(block, 0)): Int) && + // ($struct_get($struct_loc(block, 0)): Int) <= + // 1461501637330902918203684832716283019655932542975 -- testsresourcesexamplesauction.vy.vpr@933.3--933.154 + assume 0 <= ($struct_get(($struct_loc(block, 0): int)): int); + assume ($struct_get(($struct_loc(block, 0): int)): int) <= 1461501637330902918203684832716283019655932542975; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 54 + // inhale 0 <= ($struct_get($struct_loc(block, 1)): Int) && + // ($struct_get($struct_loc(block, 1)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@934.3--934.183 + assume 0 <= ($struct_get(($struct_loc(block, 1): int)): int); + assume ($struct_get(($struct_loc(block, 1): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 55 + // inhale 0 <= ($struct_get($struct_loc(block, 2)): Int) && + // ($struct_get($struct_loc(block, 2)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@935.3--935.183 + assume 0 <= ($struct_get(($struct_loc(block, 2): int)): int); + assume ($struct_get(($struct_loc(block, 2): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 56 + // inhale |($struct_get($struct_loc(block, 3)): Seq[Int])| == 32 -- testsresourcesexamplesauction.vy.vpr@936.3--936.64 + assume Seq#Length(($struct_get(($struct_loc(block, 3): int)): Seq int)) == 32; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 57 + // inhale 0 <= ($struct_get($struct_loc(block, 4)): Int) && + // ($struct_get($struct_loc(block, 4)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@937.3--937.183 + assume 0 <= ($struct_get(($struct_loc(block, 4): int)): int); + assume ($struct_get(($struct_loc(block, 4): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 58 + // inhale ($struct_get($struct_loc(block, -1)): Int) == + // 2335365049822495359383864865678187 -- testsresourcesexamplesauction.vy.vpr@938.3--938.90 + assume ($struct_get(($struct_loc(block, -1): int)): int) == 2335365049822495359383864865678187; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 59 + // inhale 0 <= ($struct_get($struct_loc(msg, 0)): Int) && + // ($struct_get($struct_loc(msg, 0)): Int) <= + // 1461501637330902918203684832716283019655932542975 -- testsresourcesexamplesauction.vy.vpr@940.3--940.150 + assume 0 <= ($struct_get(($struct_loc(msg, 0): int)): int); + assume ($struct_get(($struct_loc(msg, 0): int)): int) <= 1461501637330902918203684832716283019655932542975; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 60 + // inhale 0 <= ($struct_get($struct_loc(msg, 1)): Int) && + // ($struct_get($struct_loc(msg, 1)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@941.3--941.179 + assume 0 <= ($struct_get(($struct_loc(msg, 1): int)): int); + assume ($struct_get(($struct_loc(msg, 1): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 61 + // inhale 0 <= ($struct_get($struct_loc(msg, 2)): Int) && + // ($struct_get($struct_loc(msg, 2)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@942.3--942.179 + assume 0 <= ($struct_get(($struct_loc(msg, 2): int)): int); + assume ($struct_get(($struct_loc(msg, 2): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 62 + // inhale ($struct_get($struct_loc(msg, -1)): Int) == + // 35634842679176259756224246631 -- testsresourcesexamplesauction.vy.vpr@943.3--943.83 + assume ($struct_get(($struct_loc(msg, -1): int)): int) == 35634842679176259756224246631; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 63 + // inhale ($struct_get($struct_loc(msg, 0)): Int) != 0 -- testsresourcesexamplesauction.vy.vpr@944.3--944.54 + assume ($struct_get(($struct_loc(msg, 0): int)): int) != 0; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 64 + // $pre_self := self -- testsresourcesexamplesauction.vy.vpr@946.3--946.20 + $pre_self := self; + assume state(Heap, Mask); + + // -- Translating statement: // id = 65 + // $pre_$contracts := $contracts -- testsresourcesexamplesauction.vy.vpr@947.3--947.32 + $pre_$contracts := $contracts; + assume state(Heap, Mask); + + // -- Translating statement: // id = 66 + // $old_self := self -- testsresourcesexamplesauction.vy.vpr@949.3--949.20 + $old_self := self; + assume state(Heap, Mask); + + // -- Translating statement: // id = 67 + // $old_$contracts := $contracts -- testsresourcesexamplesauction.vy.vpr@950.3--950.32 + $old_$contracts := $contracts; + assume state(Heap, Mask); + + // -- Translating statement: // id = 68 + // $succ := true -- testsresourcesexamplesauction.vy.vpr@951.3--951.16 + $succ := true; + assume state(Heap, Mask); + + // -- Translating statement: // id = 69 + // $overflow := false -- testsresourcesexamplesauction.vy.vpr@952.3--952.21 + $overflow := false; + assume state(Heap, Mask); + + // -- Translating statement: // id = 70 + // $first_public_state := true -- testsresourcesexamplesauction.vy.vpr@953.3--953.30 + $first_public_state := true; + assume state(Heap, Mask); + + // -- Translating statement: // id = 71 + // self := s$struct$self$init(0, 0, 0, 0, 0, false, ($map_init(0): $Map[Int, Int]), + // 0, 0, false, ($map_init(0): $Map[Int, Int]), ($map_init(0): $Map[Int, Int]), + // false) -- testsresourcesexamplesauction.vy.vpr@954.3--954.167 + self := (s$struct$self$init(0, 0, 0, 0, 0, false, ($map_init(0): $MapDomainType int int), 0, 0, false, ($map_init(0): $MapDomainType int int), ($map_init(0): $MapDomainType int int), false): $StructDomainType); + assume state(Heap, Mask); + + // -- Translating statement: // id = 72 + // inhale l$havoc >= 0 -- testsresourcesexamplesauction.vy.vpr@955.3--955.22 + assume l$havoc >= 0; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 73 + // self := ($struct_set(self, 7, ($struct_get($struct_loc(self, 7)): Int) + + // l$havoc): $Struct) -- testsresourcesexamplesauction.vy.vpr@956.3--956.94 + self := ($struct_set(self, 7, ($struct_get(($struct_loc(self, 7): int)): int) + l$havoc): $StructDomainType); + assume state(Heap, Mask); + + // -- Translating statement: // id = 74 + // inhale ($struct_get($struct_loc(msg, 1)): Int) == 0 -- testsresourcesexamplesauction.vy.vpr@958.3--958.54 + assume ($struct_get(($struct_loc(msg, 1): int)): int) == 0; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: if (!(l$_beneficiary != 0)) -- testsresourcesexamplesauction.vy.vpr@960.3--962.4 + if (!(l$_beneficiary != 0)) { + + // -- Translating statement: // id = 75 + // goto revert -- testsresourcesexamplesauction.vy.vpr@961.5--961.16 + goto revert; + assume state(Heap, Mask); + } else { + + // -- Translating statement: // id = 76 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 77 + // self := ($struct_set(self, 0, l$_beneficiary): $Struct) -- testsresourcesexamplesauction.vy.vpr@963.3--963.58 + self := ($struct_set(self, 0, l$_beneficiary): $StructDomainType); + assume state(Heap, Mask); + + // -- Translating statement: // id = 78 + // self := ($struct_set(self, 1, $unwrap($wrap(($struct_get($struct_loc(block, + // 4)): Int)))): $Struct) -- testsresourcesexamplesauction.vy.vpr@964.3--964.101 + self := ($struct_set(self, 1, ($unwrap(($wrap(($struct_get(($struct_loc(block, 4): int)): int)): $IntDomainType)): int)): $StructDomainType); + assume state(Heap, Mask); + + // -- Translating statement: if (($struct_get($struct_loc(self, 1)): Int) + $unwrap(l$_bidding_time) < 0) -- testsresourcesexamplesauction.vy.vpr@965.3--967.4 + if (($struct_get(($struct_loc(self, 1): int)): int) + ($unwrap(l$_bidding_time): int) < 0) { + + // -- Translating statement: // id = 79 + // goto revert -- testsresourcesexamplesauction.vy.vpr@966.5--966.16 + goto revert; + assume state(Heap, Mask); + } else { + + // -- Translating statement: // id = 80 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 81 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: if (($struct_get($struct_loc(self, 1)): Int) + $unwrap(l$_bidding_time) > 115792089237316195423570985008687907853269984665640564039457584007913129639935) -- testsresourcesexamplesauction.vy.vpr@968.3--971.4 + if (($struct_get(($struct_loc(self, 1): int)): int) + ($unwrap(l$_bidding_time): int) > 115792089237316195423570985008687907853269984665640564039457584007913129639935) { + + // -- Translating statement: // id = 82 + // $overflow := true -- testsresourcesexamplesauction.vy.vpr@969.5--969.22 + $overflow := true; + assume state(Heap, Mask); + + // -- Translating statement: // id = 83 + // goto revert -- testsresourcesexamplesauction.vy.vpr@970.5--970.16 + goto revert; + assume state(Heap, Mask); + } else { + + // -- Translating statement: // id = 84 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 85 + // self := ($struct_set(self, 2, $unwrap($wrap(($struct_get($struct_loc(self, 1)): Int) + + // $unwrap(l$_bidding_time)))): $Struct) -- testsresourcesexamplesauction.vy.vpr@972.3--972.127 + self := ($struct_set(self, 2, ($unwrap(($wrap(($struct_get(($struct_loc(self, 1): int)): int) + ($unwrap(l$_bidding_time): int)): $IntDomainType)): int)): $StructDomainType); + assume state(Heap, Mask); + + // -- Translating statement: // id = 86 + // label return -- testsresourcesexamplesauction.vy.vpr@973.3--973.15 + vreturn: + LabelreturnMask := Mask; + LabelreturnHeap := Heap; + return_lblGuard := true; + assume state(Heap, Mask); + + // -- Translating statement: if ($out_of_gas) -- testsresourcesexamplesauction.vy.vpr@974.3--976.4 + if ($out_of_gas) { + + // -- Translating statement: // id = 87 + // goto revert -- testsresourcesexamplesauction.vy.vpr@975.5--975.16 + goto revert; + assume state(Heap, Mask); + } else { + + // -- Translating statement: // id = 88 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 89 + // goto end -- testsresourcesexamplesauction.vy.vpr@977.3--977.11 + goto end; + assume state(Heap, Mask); + + // -- Translating statement: // id = 90 + // label revert -- testsresourcesexamplesauction.vy.vpr@978.3--978.15 + revert: + LabelrevertMask := Mask; + LabelrevertHeap := Heap; + revert_lblGuard := true; + assume state(Heap, Mask); + + // -- Translating statement: // id = 91 + // $succ := false -- testsresourcesexamplesauction.vy.vpr@979.3--979.17 + $succ := false; + assume state(Heap, Mask); + + // -- Translating statement: // id = 92 + // self := $pre_self -- testsresourcesexamplesauction.vy.vpr@981.3--981.20 + self := $pre_self; + assume state(Heap, Mask); + + // -- Translating statement: // id = 93 + // $contracts := $pre_$contracts -- testsresourcesexamplesauction.vy.vpr@982.3--982.32 + $contracts := $pre_$contracts; + assume state(Heap, Mask); + + // -- Translating statement: // id = 94 + // $old_self := $pre_self -- testsresourcesexamplesauction.vy.vpr@984.3--984.25 + $old_self := $pre_self; + assume state(Heap, Mask); + + // -- Translating statement: // id = 95 + // $old_$contracts := $pre_$contracts -- testsresourcesexamplesauction.vy.vpr@985.3--985.37 + $old_$contracts := $pre_$contracts; + assume state(Heap, Mask); + + // -- Translating statement: // id = 96 + // label end -- testsresourcesexamplesauction.vy.vpr@986.3--986.12 + end: + LabelendMask := Mask; + LabelendHeap := Heap; + end_lblGuard := true; + assume state(Heap, Mask); + + // -- Translating statement: if ($first_public_state) -- testsresourcesexamplesauction.vy.vpr@987.3--989.4 + if ($first_public_state) { + + // -- Translating statement: // id = 97 + // $old_self := self -- testsresourcesexamplesauction.vy.vpr@988.5--988.22 + $old_self := self; + assume state(Heap, Mask); + } else { + + // -- Translating statement: // id = 98 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 99 + // assert $succ ==> + // $succ && + // (($struct_get($struct_loc(msg, 1)): Int) > + // ($struct_get($struct_loc(self, 4)): Int) && + // ($struct_get($struct_loc(self, 3)): Int) != 0) ==> + // ($struct_get($struct_loc(msg, 0)): Int) == + // ($struct_get($struct_loc(self, 3)): Int) -- testsresourcesexamplesauction.vy.vpr@991.3--991.248 + if ($succ) { + if ($succ && (($struct_get(($struct_loc(msg, 1): int)): int) > ($struct_get(($struct_loc(self, 4): int)): int) && ($struct_get(($struct_loc(self, 3): int)): int) != 0)) { + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(msg, 0)): Int) == ($struct_get($struct_loc(self, 3)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@991.10--991.248) [254]"} + ($struct_get(($struct_loc(msg, 0): int)): int) == ($struct_get(($struct_loc(self, 3): int)): int); + } + } + assume state(Heap, Mask); + + // -- Translating statement: if ($succ) -- testsresourcesexamplesauction.vy.vpr@993.3--995.4 + if ($succ) { + + // -- Translating statement: // id = 100 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + } else { + + // -- Translating statement: // id = 101 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 102 + // inhale l$havoc$1 >= 0 -- testsresourcesexamplesauction.vy.vpr@996.3--996.24 + assume l$havoc$1 >= 0; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 103 + // self := ($struct_set(self, 7, ($struct_get($struct_loc(self, 7)): Int) + + // l$havoc$1): $Struct) -- testsresourcesexamplesauction.vy.vpr@997.3--997.96 + self := ($struct_set(self, 7, ($struct_get(($struct_loc(self, 7): int)): int) + l$havoc$1): $StructDomainType); + assume state(Heap, Mask); + + // -- Translating statement: // id = 104 + // $contracts := l$havoc$2 -- testsresourcesexamplesauction.vy.vpr@999.3--999.26 + $contracts := l$havoc$2; + assume state(Heap, Mask); + + // -- Translating statement: if ($first_public_state) -- testsresourcesexamplesauction.vy.vpr@1000.3--1002.4 + if ($first_public_state) { + + // -- Translating statement: // id = 105 + // $old_self := self -- testsresourcesexamplesauction.vy.vpr@1001.5--1001.22 + $old_self := self; + assume state(Heap, Mask); + } else { + + // -- Translating statement: // id = 106 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 107 + // assert $succ ==> + // ($struct_get($struct_loc(self, 3)): Int) == 0 ==> + // ($struct_get($struct_loc(self, 4)): Int) == 0 -- testsresourcesexamplesauction.vy.vpr@1004.3--1004.115 + if ($succ) { + if (($struct_get(($struct_loc(self, 3): int)): int) == 0) { + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 4)): Int) == 0 might not hold. (testsresourcesexamplesauction.vy.vpr@1004.10--1004.115) [255]"} + ($struct_get(($struct_loc(self, 4): int)): int) == 0; + } + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 108 + // assert $succ ==> + // ($struct_get($struct_loc(self, 0)): Int) == + // ($struct_get($struct_loc($old_self, 0)): Int) -- testsresourcesexamplesauction.vy.vpr@1005.3--1005.109 + if ($succ) { + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 0)): Int) == ($struct_get($struct_loc($old_self, 0)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1005.10--1005.109) [256]"} + ($struct_get(($struct_loc(self, 0): int)): int) == ($struct_get(($struct_loc($old_self, 0): int)): int); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 109 + // assert $succ ==> + // ($struct_get($struct_loc($old_self, 5)): Bool) ==> + // ($struct_get($struct_loc(self, 5)): Bool) -- testsresourcesexamplesauction.vy.vpr@1006.3--1006.112 + if ($succ) { + if (($struct_get(($struct_loc($old_self, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 5)): Bool) might not hold. (testsresourcesexamplesauction.vy.vpr@1006.10--1006.112) [257]"} + ($struct_get(($struct_loc(self, 5): int)): bool); + } + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 110 + // assert $succ ==> + // !($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) + + // ($struct_get($struct_loc(self, 4)): Int) <= + // ($struct_get($struct_loc(self, 7)): Int) -- testsresourcesexamplesauction.vy.vpr@1007.3--1007.222 + if ($succ) { + if (!($struct_get(($struct_loc(self, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) + ($struct_get($struct_loc(self, 4)): Int) <= ($struct_get($struct_loc(self, 7)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1007.10--1007.222) [258]"} + ($map_sum(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int)): int) + ($struct_get(($struct_loc(self, 4): int)): int) <= ($struct_get(($struct_loc(self, 7): int)): int); + } + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 111 + // assert $succ ==> + // !($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) + + // ($struct_get($struct_loc(self, 4)): Int) == + // ($map_sum(($struct_get($struct_loc(self, 11)): $Map[Int, Int])): Int) - + // ($map_sum(($struct_get($struct_loc(self, 10)): $Map[Int, Int])): Int) -- testsresourcesexamplesauction.vy.vpr@1008.3--1008.323 + if ($succ) { + if (!($struct_get(($struct_loc(self, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) + ($struct_get($struct_loc(self, 4)): Int) == ($map_sum(($struct_get($struct_loc(self, 11)): $Map[Int, Int])): Int) - ($map_sum(($struct_get($struct_loc(self, 10)): $Map[Int, Int])): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1008.10--1008.323) [259]"} + ($map_sum(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int)): int) + ($struct_get(($struct_loc(self, 4): int)): int) == ($map_sum(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int)): int) - ($map_sum(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int)): int); + } + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 112 + // assert $succ ==> + // ($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) <= + // ($struct_get($struct_loc(self, 7)): Int) -- testsresourcesexamplesauction.vy.vpr@1009.3--1009.178 + if ($succ) { + if (($struct_get(($struct_loc(self, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) <= ($struct_get($struct_loc(self, 7)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1009.10--1009.178) [260]"} + ($map_sum(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int)): int) <= ($struct_get(($struct_loc(self, 7): int)): int); + } + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 113 + // assert $succ ==> + // ($struct_get($struct_loc(self, 4)): Int) >= + // ($struct_get($struct_loc($old_self, 4)): Int) -- testsresourcesexamplesauction.vy.vpr@1010.3--1010.109 + if ($succ) { + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 4)): Int) >= ($struct_get($struct_loc($old_self, 4)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1010.10--1010.109) [261]"} + ($struct_get(($struct_loc(self, 4): int)): int) >= ($struct_get(($struct_loc($old_self, 4): int)): int); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 114 + // assert $succ ==> + // ($struct_get($struct_loc($old_self, 5)): Bool) ==> + // ($struct_get($struct_loc(self, 4)): Int) == + // ($struct_get($struct_loc($old_self, 4)): Int) && + // ($struct_get($struct_loc(self, 3)): Int) == + // ($struct_get($struct_loc($old_self, 3)): Int) -- testsresourcesexamplesauction.vy.vpr@1011.3--1011.253 + if ($succ) { + if (($struct_get(($struct_loc($old_self, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 4)): Int) == ($struct_get($struct_loc($old_self, 4)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1011.10--1011.253) [262]"} + ($struct_get(($struct_loc(self, 4): int)): int) == ($struct_get(($struct_loc($old_self, 4): int)): int); + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 3)): Int) == ($struct_get($struct_loc($old_self, 3)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1011.10--1011.253) [263]"} + ($struct_get(($struct_loc(self, 3): int)): int) == ($struct_get(($struct_loc($old_self, 3): int)): int); + } + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 115 + // assert $succ ==> ($struct_get($struct_loc(self, 0)): Int) != 0 -- testsresourcesexamplesauction.vy.vpr@1012.3--1012.65 + if ($succ) { + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 0)): Int) != 0 might not hold. (testsresourcesexamplesauction.vy.vpr@1012.10--1012.65) [264]"} + ($struct_get(($struct_loc(self, 0): int)): int) != 0; + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 116 + // assert $succ ==> + // ($struct_get($struct_loc(self, 3)): Int) != + // ($struct_get($struct_loc(self, 0)): Int) -- testsresourcesexamplesauction.vy.vpr@1013.3--1013.104 + if ($succ) { + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 3)): Int) != ($struct_get($struct_loc(self, 0)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1013.10--1013.104) [265]"} + ($struct_get(($struct_loc(self, 3): int)): int) != ($struct_get(($struct_loc(self, 0): int)): int); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 117 + // assert $succ ==> + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 0)): Int)): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@1014.3--1014.135 + if ($succ) { + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), ($struct_get($struct_loc(self, 0)): Int)): Int) == 0 might not hold. (testsresourcesexamplesauction.vy.vpr@1014.10--1014.135) [266]"} + ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 0): int)): int)): int) == 0; + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 118 + // assert $succ ==> + // !($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 0)): Int)): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@1015.3--1015.183 + if ($succ) { + if (!($struct_get(($struct_loc(self, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, 0)): Int)): Int) == 0 might not hold. (testsresourcesexamplesauction.vy.vpr@1015.10--1015.183) [267]"} + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 0): int)): int)): int) == 0; + } + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 119 + // assert $succ ==> + // ($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 0)): Int)): Int) == + // ($struct_get($struct_loc(self, 4)): Int) -- testsresourcesexamplesauction.vy.vpr@1016.3--1016.221 + if ($succ) { + if (($struct_get(($struct_loc(self, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, 0)): Int)): Int) == ($struct_get($struct_loc(self, 4)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1016.10--1016.221) [268]"} + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 0): int)): int)): int) == ($struct_get(($struct_loc(self, 4): int)): int); + } + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 120 + // assert $succ ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 3)): Int)): Int) + + // ($struct_get($struct_loc(self, 4)): Int) + + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 3)): Int)): Int) == + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 3)): Int)): Int) -- testsresourcesexamplesauction.vy.vpr@1017.3--1017.402 + if ($succ) { + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, 3)): Int)): Int) + ($struct_get($struct_loc(self, 4)): Int) + ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), ($struct_get($struct_loc(self, 3)): Int)): Int) == ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), ($struct_get($struct_loc(self, 3)): Int)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1017.10--1017.402) [269]"} + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 3): int)): int)): int) + ($struct_get(($struct_loc(self, 4): int)): int) + ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 3): int)): int)): int) == ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 3): int)): int)): int); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 121 + // assert $succ ==> + // (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // q$a != ($struct_get($struct_loc(self, 3)): Int) && + // q$a != ($struct_get($struct_loc(self, 0)): Int) ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) + + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) == + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int)) -- testsresourcesexamplesauction.vy.vpr@1018.3--1018.524 + + // -- Check definedness of $succ ==> (forall q$a: Int :: { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> q$a != ($struct_get($struct_loc(self, 3)): Int) && q$a != ($struct_get($struct_loc(self, 0)): Int) ==> ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) + ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) == ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int)) + if ($succ) { + if (*) { + assume false; + } + } + if ($succ) { + if (*) { + if (0 <= q$a_1 && q$a_1 <= 1461501637330902918203684832716283019655932542975) { + if (q$a_1 != ($struct_get(($struct_loc(self, 3): int)): int) && q$a_1 != ($struct_get(($struct_loc(self, 0): int)): int)) { + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) + ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) == ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1018.10--1018.524) [270]"} + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), q$a_1): int) + ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_1): int) == ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_1): int); + } + } + assume false; + } + assume (forall q$a_2_1: int :: + { ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_2_1): int) } + 0 <= q$a_2_1 && q$a_2_1 <= 1461501637330902918203684832716283019655932542975 ==> q$a_2_1 != ($struct_get(($struct_loc(self, 3): int)): int) && q$a_2_1 != ($struct_get(($struct_loc(self, 0): int)): int) ==> ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), q$a_2_1): int) + ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_2_1): int) == ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_2_1): int) + ); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 122 + // assert $succ ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), 0): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@1019.3--1019.97 + if ($succ) { + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), 0): Int) == 0 might not hold. (testsresourcesexamplesauction.vy.vpr@1019.10--1019.97) [271]"} + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), 0): int) == 0; + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 123 + // assert $succ ==> + // (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) != + // 0 ==> + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) != + // 0) -- testsresourcesexamplesauction.vy.vpr@1020.3--1020.354 + + // -- Check definedness of $succ ==> (forall q$a: Int :: { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) != 0 ==> ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) != 0) + if ($succ) { + if (*) { + assume false; + } + } + if ($succ) { + if (*) { + if (0 <= q$a_4 && q$a_4 <= 1461501637330902918203684832716283019655932542975) { + if (($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_4): int) != 0) { + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) != 0 might not hold. (testsresourcesexamplesauction.vy.vpr@1020.10--1020.354) [272]"} + ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_4): int) != 0; + } + } + assume false; + } + assume (forall q$a_5_1: int :: + { ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_5_1): int) } + 0 <= q$a_5_1 && q$a_5_1 <= 1461501637330902918203684832716283019655932542975 ==> ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_5_1): int) != 0 ==> ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_5_1): int) != 0 + ); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 124 + // assert $succ ==> + // (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // q$a != ($struct_get($struct_loc(self, 0)): Int) && + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) == + // 0 ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) == + // 0) -- testsresourcesexamplesauction.vy.vpr@1021.3--1021.407 + + // -- Check definedness of $succ ==> (forall q$a: Int :: { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> q$a != ($struct_get($struct_loc(self, 0)): Int) && ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) == 0 ==> ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) == 0) + if ($succ) { + if (*) { + assume false; + } + } + if ($succ) { + if (*) { + if (0 <= q$a_7 && q$a_7 <= 1461501637330902918203684832716283019655932542975) { + if (q$a_7 != ($struct_get(($struct_loc(self, 0): int)): int) && ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_7): int) == 0) { + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) == 0 might not hold. (testsresourcesexamplesauction.vy.vpr@1021.10--1021.407) [273]"} + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), q$a_7): int) == 0; + } + } + assume false; + } + assume (forall q$a_8_1: int :: + { ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_8_1): int) } + 0 <= q$a_8_1 && q$a_8_1 <= 1461501637330902918203684832716283019655932542975 ==> q$a_8_1 != ($struct_get(($struct_loc(self, 0): int)): int) && ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_8_1): int) == 0 ==> ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), q$a_8_1): int) == 0 + ); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 125 + // assert $succ ==> + // (forall q$a: Int, q$v: Int :: + // { $accessible$withdraw(18, q$a, q$v) } + // 0 <= q$a && + // (q$a <= 1461501637330902918203684832716283019655932542975 && + // (0 <= q$v && + // q$v <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935)) ==> + // q$v == + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) ==> + // true) -- testsresourcesexamplesauction.vy.vpr@1022.3--1022.355 + + // -- Check definedness of $succ ==> (forall q$a: Int, q$v: Int :: { $accessible$withdraw(18, q$a, q$v) } 0 <= q$a && (q$a <= 1461501637330902918203684832716283019655932542975 && (0 <= q$v && q$v <= 115792089237316195423570985008687907853269984665640564039457584007913129639935)) ==> q$v == ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) ==> true) + if ($succ) { + if (*) { + assume false; + } + } + if ($succ) { + if (*) { + assume false; + } + } + assume state(Heap, Mask); +} + +// ================================================== +// Translation of method f$bid +// ================================================== + +procedure f$bid() returns ($succ: bool) + modifies Heap, Mask; +{ + var revert_lblGuard: bool; + var end_lblGuard: bool; + var return_lblGuard: bool; + var self: $StructDomainType; + var block: $StructDomainType; + var msg: $StructDomainType; + var $pre_self: $StructDomainType; + var $pre_$contracts: ($MapDomainType int $StructDomainType); + var $contracts: ($MapDomainType int $StructDomainType); + var $old_self: $StructDomainType; + var $old_$contracts: ($MapDomainType int $StructDomainType); + var $overflow: bool; + var LabelreturnMask: MaskType; + var LabelreturnHeap: HeapType; + var $out_of_gas: bool; + var LabelrevertMask: MaskType; + var LabelrevertHeap: HeapType; + var LabelendMask: MaskType; + var LabelendHeap: HeapType; + var l$havoc: int; + var l$havoc$1: ($MapDomainType int $StructDomainType); + var q$a_9: int; + var q$a_12: int; + var q$a_15: int; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == -1; + revert_lblGuard := false; + end_lblGuard := false; + return_lblGuard := false; + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Translating statement: // id = 1 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 2 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 3 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 4 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 5 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 6 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 7 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 8 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 9 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 10 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 11 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 12 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 13 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 14 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 15 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 16 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 17 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 18 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 19 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 20 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 21 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 22 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 23 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 24 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 25 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 26 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 27 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 28 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 29 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 30 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 31 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 32 + // inhale 0 <= ($struct_get($struct_loc(self, 0)): Int) && + // ($struct_get($struct_loc(self, 0)): Int) <= + // 1461501637330902918203684832716283019655932542975 -- testsresourcesexamplesauction.vy.vpr@1044.3--1044.152 + assume 0 <= ($struct_get(($struct_loc(self, 0): int)): int); + assume ($struct_get(($struct_loc(self, 0): int)): int) <= 1461501637330902918203684832716283019655932542975; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 33 + // inhale 0 <= ($struct_get($struct_loc(self, 1)): Int) && + // ($struct_get($struct_loc(self, 1)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@1045.3--1045.181 + assume 0 <= ($struct_get(($struct_loc(self, 1): int)): int); + assume ($struct_get(($struct_loc(self, 1): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 34 + // inhale 0 <= ($struct_get($struct_loc(self, 2)): Int) && + // ($struct_get($struct_loc(self, 2)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@1046.3--1046.181 + assume 0 <= ($struct_get(($struct_loc(self, 2): int)): int); + assume ($struct_get(($struct_loc(self, 2): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 35 + // inhale 0 <= ($struct_get($struct_loc(self, 3)): Int) && + // ($struct_get($struct_loc(self, 3)): Int) <= + // 1461501637330902918203684832716283019655932542975 -- testsresourcesexamplesauction.vy.vpr@1047.3--1047.152 + assume 0 <= ($struct_get(($struct_loc(self, 3): int)): int); + assume ($struct_get(($struct_loc(self, 3): int)): int) <= 1461501637330902918203684832716283019655932542975; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 36 + // inhale 0 <= ($struct_get($struct_loc(self, 4)): Int) && + // ($struct_get($struct_loc(self, 4)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@1048.3--1048.181 + assume 0 <= ($struct_get(($struct_loc(self, 4): int)): int); + assume ($struct_get(($struct_loc(self, 4): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 37 + // inhale (forall $q0: Int :: + // { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) } + // 0 <= + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) && + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935) -- testsresourcesexamplesauction.vy.vpr@1049.3--1049.346 + + // -- Check definedness of (forall $q0: Int :: { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) } 0 <= ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) && ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) + if (*) { + assume false; + } + assume (forall $q0_1: int :: + { ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), $q0_1): int) } + 0 <= ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), $q0_1): int) && ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), $q0_1): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 38 + // inhale (forall $q0: Int :: + // { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) } + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) <= + // ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int)) -- testsresourcesexamplesauction.vy.vpr@1050.3--1050.254 + + // -- Check definedness of (forall $q0: Int :: { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) } ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) <= ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int)) + if (*) { + assume false; + } + assume (forall $q0_3: int :: + { ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), $q0_3): int) } + ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), $q0_3): int) <= ($map_sum(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int)): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 39 + // inhale 0 <= ($struct_get($struct_loc(self, 7)): Int) && + // ($struct_get($struct_loc(self, 7)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@1051.3--1051.181 + assume 0 <= ($struct_get(($struct_loc(self, 7): int)): int); + assume ($struct_get(($struct_loc(self, 7): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 40 + // inhale -170141183460469231731687303715884105728 <= + // ($struct_get($struct_loc(self, 8)): Int) && + // ($struct_get($struct_loc(self, 8)): Int) <= + // 170141183460469231731687303715884105727 -- testsresourcesexamplesauction.vy.vpr@1052.3--1052.181 + assume -170141183460469231731687303715884105728 <= ($struct_get(($struct_loc(self, 8): int)): int); + assume ($struct_get(($struct_loc(self, 8): int)): int) <= 170141183460469231731687303715884105727; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 41 + // inhale (forall $q1: Int :: + // { ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) } + // 0 <= + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) && + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935) -- testsresourcesexamplesauction.vy.vpr@1053.3--1053.349 + + // -- Check definedness of (forall $q1: Int :: { ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) } 0 <= ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) && ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) + if (*) { + assume false; + } + assume (forall $q1_1: int :: + { ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $q1_1): int) } + 0 <= ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $q1_1): int) && ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $q1_1): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 42 + // inhale (forall $q1: Int :: + // { ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) } + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) <= + // ($map_sum(($struct_get($struct_loc(self, 10)): $Map[Int, Int])): Int)) -- testsresourcesexamplesauction.vy.vpr@1054.3--1054.257 + + // -- Check definedness of (forall $q1: Int :: { ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) } ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) <= ($map_sum(($struct_get($struct_loc(self, 10)): $Map[Int, Int])): Int)) + if (*) { + assume false; + } + assume (forall $q1_3: int :: + { ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $q1_3): int) } + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $q1_3): int) <= ($map_sum(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int)): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 43 + // inhale (forall $q2: Int :: + // { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) } + // 0 <= + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) && + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935) -- testsresourcesexamplesauction.vy.vpr@1055.3--1055.349 + + // -- Check definedness of (forall $q2: Int :: { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) } 0 <= ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) && ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) + if (*) { + assume false; + } + assume (forall $q2_1: int :: + { ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), $q2_1): int) } + 0 <= ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), $q2_1): int) && ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), $q2_1): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 44 + // inhale (forall $q2: Int :: + // { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) } + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) <= + // ($map_sum(($struct_get($struct_loc(self, 11)): $Map[Int, Int])): Int)) -- testsresourcesexamplesauction.vy.vpr@1056.3--1056.257 + + // -- Check definedness of (forall $q2: Int :: { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) } ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) <= ($map_sum(($struct_get($struct_loc(self, 11)): $Map[Int, Int])): Int)) + if (*) { + assume false; + } + assume (forall $q2_3: int :: + { ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), $q2_3): int) } + ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), $q2_3): int) <= ($map_sum(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int)): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 45 + // inhale ($struct_get($struct_loc(self, -1)): Int) == + // 9122519725869122497593506884710 -- testsresourcesexamplesauction.vy.vpr@1057.3--1057.86 + assume ($struct_get(($struct_loc(self, -1): int)): int) == 9122519725869122497593506884710; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 46 + // inhale 0 <= $self_address() && + // $self_address() <= 1461501637330902918203684832716283019655932542975 -- testsresourcesexamplesauction.vy.vpr@1059.3--1059.102 + assume 0 <= ($self_address(): int); + assume ($self_address(): int) <= 1461501637330902918203684832716283019655932542975; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 47 + // inhale 0 <= ($struct_get($struct_loc(block, 0)): Int) && + // ($struct_get($struct_loc(block, 0)): Int) <= + // 1461501637330902918203684832716283019655932542975 -- testsresourcesexamplesauction.vy.vpr@1061.3--1061.154 + assume 0 <= ($struct_get(($struct_loc(block, 0): int)): int); + assume ($struct_get(($struct_loc(block, 0): int)): int) <= 1461501637330902918203684832716283019655932542975; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 48 + // inhale 0 <= ($struct_get($struct_loc(block, 1)): Int) && + // ($struct_get($struct_loc(block, 1)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@1062.3--1062.183 + assume 0 <= ($struct_get(($struct_loc(block, 1): int)): int); + assume ($struct_get(($struct_loc(block, 1): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 49 + // inhale 0 <= ($struct_get($struct_loc(block, 2)): Int) && + // ($struct_get($struct_loc(block, 2)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@1063.3--1063.183 + assume 0 <= ($struct_get(($struct_loc(block, 2): int)): int); + assume ($struct_get(($struct_loc(block, 2): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 50 + // inhale |($struct_get($struct_loc(block, 3)): Seq[Int])| == 32 -- testsresourcesexamplesauction.vy.vpr@1064.3--1064.64 + assume Seq#Length(($struct_get(($struct_loc(block, 3): int)): Seq int)) == 32; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 51 + // inhale 0 <= ($struct_get($struct_loc(block, 4)): Int) && + // ($struct_get($struct_loc(block, 4)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@1065.3--1065.183 + assume 0 <= ($struct_get(($struct_loc(block, 4): int)): int); + assume ($struct_get(($struct_loc(block, 4): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 52 + // inhale ($struct_get($struct_loc(block, -1)): Int) == + // 2335365049822495359383864865678187 -- testsresourcesexamplesauction.vy.vpr@1066.3--1066.90 + assume ($struct_get(($struct_loc(block, -1): int)): int) == 2335365049822495359383864865678187; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 53 + // inhale 0 <= ($struct_get($struct_loc(msg, 0)): Int) && + // ($struct_get($struct_loc(msg, 0)): Int) <= + // 1461501637330902918203684832716283019655932542975 -- testsresourcesexamplesauction.vy.vpr@1068.3--1068.150 + assume 0 <= ($struct_get(($struct_loc(msg, 0): int)): int); + assume ($struct_get(($struct_loc(msg, 0): int)): int) <= 1461501637330902918203684832716283019655932542975; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 54 + // inhale 0 <= ($struct_get($struct_loc(msg, 1)): Int) && + // ($struct_get($struct_loc(msg, 1)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@1069.3--1069.179 + assume 0 <= ($struct_get(($struct_loc(msg, 1): int)): int); + assume ($struct_get(($struct_loc(msg, 1): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 55 + // inhale 0 <= ($struct_get($struct_loc(msg, 2)): Int) && + // ($struct_get($struct_loc(msg, 2)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@1070.3--1070.179 + assume 0 <= ($struct_get(($struct_loc(msg, 2): int)): int); + assume ($struct_get(($struct_loc(msg, 2): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 56 + // inhale ($struct_get($struct_loc(msg, -1)): Int) == + // 35634842679176259756224246631 -- testsresourcesexamplesauction.vy.vpr@1071.3--1071.83 + assume ($struct_get(($struct_loc(msg, -1): int)): int) == 35634842679176259756224246631; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 57 + // inhale ($struct_get($struct_loc(msg, 0)): Int) != 0 -- testsresourcesexamplesauction.vy.vpr@1072.3--1072.54 + assume ($struct_get(($struct_loc(msg, 0): int)): int) != 0; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 58 + // inhale (forall $a: Int :: + // { ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $a): Int) } + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $a): Int) >= + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $a): Int)) -- testsresourcesexamplesauction.vy.vpr@1074.3--1074.258 + + // -- Check definedness of (forall $a: Int :: { ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $a): Int) } ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $a): Int) >= ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $a): Int)) + if (*) { + assume false; + } + assume (forall $a_1_1: int :: + { ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $a_1_1): int) } + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $a_1_1): int) >= ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $a_1_1): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 59 + // inhale ($struct_get($struct_loc(self, 3)): Int) == 0 ==> + // ($struct_get($struct_loc(self, 4)): Int) == 0 -- testsresourcesexamplesauction.vy.vpr@1075.3--1075.105 + if (($struct_get(($struct_loc(self, 3): int)): int) == 0) { + assume ($struct_get(($struct_loc(self, 4): int)): int) == 0; + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 60 + // inhale ($struct_get($struct_loc(self, 0)): Int) == + // ($struct_get($struct_loc(self, 0)): Int) -- testsresourcesexamplesauction.vy.vpr@1076.3--1076.94 + assume ($struct_get(($struct_loc(self, 0): int)): int) == ($struct_get(($struct_loc(self, 0): int)): int); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 61 + // inhale ($struct_get($struct_loc(self, 5)): Bool) ==> + // ($struct_get($struct_loc(self, 5)): Bool) -- testsresourcesexamplesauction.vy.vpr@1077.3--1077.97 + if (($struct_get(($struct_loc(self, 5): int)): bool)) { + assume ($struct_get(($struct_loc(self, 5): int)): bool); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 62 + // inhale !($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) + + // ($struct_get($struct_loc(self, 4)): Int) <= + // ($struct_get($struct_loc(self, 7)): Int) -- testsresourcesexamplesauction.vy.vpr@1078.3--1078.212 + if (!($struct_get(($struct_loc(self, 5): int)): bool)) { + assume ($map_sum(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int)): int) + ($struct_get(($struct_loc(self, 4): int)): int) <= ($struct_get(($struct_loc(self, 7): int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 63 + // inhale !($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) + + // ($struct_get($struct_loc(self, 4)): Int) == + // ($map_sum(($struct_get($struct_loc(self, 11)): $Map[Int, Int])): Int) - + // ($map_sum(($struct_get($struct_loc(self, 10)): $Map[Int, Int])): Int) -- testsresourcesexamplesauction.vy.vpr@1079.3--1079.313 + if (!($struct_get(($struct_loc(self, 5): int)): bool)) { + assume ($map_sum(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int)): int) + ($struct_get(($struct_loc(self, 4): int)): int) == ($map_sum(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int)): int) - ($map_sum(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 64 + // inhale ($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) <= + // ($struct_get($struct_loc(self, 7)): Int) -- testsresourcesexamplesauction.vy.vpr@1080.3--1080.168 + if (($struct_get(($struct_loc(self, 5): int)): bool)) { + assume ($map_sum(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int)): int) <= ($struct_get(($struct_loc(self, 7): int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 65 + // inhale ($struct_get($struct_loc(self, 4)): Int) >= + // ($struct_get($struct_loc(self, 4)): Int) -- testsresourcesexamplesauction.vy.vpr@1081.3--1081.94 + assume ($struct_get(($struct_loc(self, 4): int)): int) >= ($struct_get(($struct_loc(self, 4): int)): int); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 66 + // inhale ($struct_get($struct_loc(self, 5)): Bool) ==> + // ($struct_get($struct_loc(self, 4)): Int) == + // ($struct_get($struct_loc(self, 4)): Int) && + // ($struct_get($struct_loc(self, 3)): Int) == + // ($struct_get($struct_loc(self, 3)): Int) -- testsresourcesexamplesauction.vy.vpr@1082.3--1082.228 + if (($struct_get(($struct_loc(self, 5): int)): bool)) { + assume ($struct_get(($struct_loc(self, 4): int)): int) == ($struct_get(($struct_loc(self, 4): int)): int); + assume ($struct_get(($struct_loc(self, 3): int)): int) == ($struct_get(($struct_loc(self, 3): int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 67 + // inhale ($struct_get($struct_loc(self, 0)): Int) != 0 -- testsresourcesexamplesauction.vy.vpr@1083.3--1083.55 + assume ($struct_get(($struct_loc(self, 0): int)): int) != 0; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 68 + // inhale ($struct_get($struct_loc(self, 3)): Int) != + // ($struct_get($struct_loc(self, 0)): Int) -- testsresourcesexamplesauction.vy.vpr@1084.3--1084.94 + assume ($struct_get(($struct_loc(self, 3): int)): int) != ($struct_get(($struct_loc(self, 0): int)): int); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 69 + // inhale ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 0)): Int)): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@1085.3--1085.125 + assume ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 0): int)): int)): int) == 0; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 70 + // inhale !($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 0)): Int)): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@1086.3--1086.173 + if (!($struct_get(($struct_loc(self, 5): int)): bool)) { + assume ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 0): int)): int)): int) == 0; + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 71 + // inhale ($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 0)): Int)): Int) == + // ($struct_get($struct_loc(self, 4)): Int) -- testsresourcesexamplesauction.vy.vpr@1087.3--1087.211 + if (($struct_get(($struct_loc(self, 5): int)): bool)) { + assume ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 0): int)): int)): int) == ($struct_get(($struct_loc(self, 4): int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 72 + // inhale ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 3)): Int)): Int) + + // ($struct_get($struct_loc(self, 4)): Int) + + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 3)): Int)): Int) == + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 3)): Int)): Int) -- testsresourcesexamplesauction.vy.vpr@1088.3--1088.392 + assume ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 3): int)): int)): int) + ($struct_get(($struct_loc(self, 4): int)): int) + ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 3): int)): int)): int) == ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 3): int)): int)): int); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 73 + // inhale (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // q$a != ($struct_get($struct_loc(self, 3)): Int) && + // q$a != ($struct_get($struct_loc(self, 0)): Int) ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) + + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) == + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int)) -- testsresourcesexamplesauction.vy.vpr@1089.3--1089.514 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> q$a != ($struct_get($struct_loc(self, 3)): Int) && q$a != ($struct_get($struct_loc(self, 0)): Int) ==> ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) + ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) == ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int)) + if (*) { + assume false; + } + assume (forall q$a_1: int :: + { ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_1): int) } + 0 <= q$a_1 && q$a_1 <= 1461501637330902918203684832716283019655932542975 ==> q$a_1 != ($struct_get(($struct_loc(self, 3): int)): int) && q$a_1 != ($struct_get(($struct_loc(self, 0): int)): int) ==> ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), q$a_1): int) + ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_1): int) == ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_1): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 74 + // inhale ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), 0): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@1090.3--1090.87 + assume ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), 0): int) == 0; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 75 + // inhale (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) != + // 0 ==> + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) != + // 0) -- testsresourcesexamplesauction.vy.vpr@1091.3--1091.344 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) != 0 ==> ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) != 0) + if (*) { + assume false; + } + assume (forall q$a_3: int :: + { ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_3): int) } + 0 <= q$a_3 && q$a_3 <= 1461501637330902918203684832716283019655932542975 ==> ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_3): int) != 0 ==> ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_3): int) != 0 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 76 + // inhale (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // q$a != ($struct_get($struct_loc(self, 0)): Int) && + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) == + // 0 ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) == + // 0) -- testsresourcesexamplesauction.vy.vpr@1092.3--1092.397 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> q$a != ($struct_get($struct_loc(self, 0)): Int) && ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) == 0 ==> ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) == 0) + if (*) { + assume false; + } + assume (forall q$a_5: int :: + { ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_5): int) } + 0 <= q$a_5 && q$a_5 <= 1461501637330902918203684832716283019655932542975 ==> q$a_5 != ($struct_get(($struct_loc(self, 0): int)): int) && ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_5): int) == 0 ==> ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), q$a_5): int) == 0 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 77 + // inhale (forall q$a: Int, q$v: Int :: + // { $accessible$withdraw(18, q$a, q$v) } + // 0 <= q$a && + // (q$a <= 1461501637330902918203684832716283019655932542975 && + // (0 <= q$v && + // q$v <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935)) ==> + // q$v == + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) ==> + // true) -- testsresourcesexamplesauction.vy.vpr@1093.3--1093.345 + + // -- Check definedness of (forall q$a: Int, q$v: Int :: { $accessible$withdraw(18, q$a, q$v) } 0 <= q$a && (q$a <= 1461501637330902918203684832716283019655932542975 && (0 <= q$v && q$v <= 115792089237316195423570985008687907853269984665640564039457584007913129639935)) ==> q$v == ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) ==> true) + if (*) { + assume false; + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 78 + // $pre_self := self -- testsresourcesexamplesauction.vy.vpr@1095.3--1095.20 + $pre_self := self; + assume state(Heap, Mask); + + // -- Translating statement: // id = 79 + // $pre_$contracts := $contracts -- testsresourcesexamplesauction.vy.vpr@1096.3--1096.32 + $pre_$contracts := $contracts; + assume state(Heap, Mask); + + // -- Translating statement: // id = 80 + // $old_self := self -- testsresourcesexamplesauction.vy.vpr@1098.3--1098.20 + $old_self := self; + assume state(Heap, Mask); + + // -- Translating statement: // id = 81 + // $old_$contracts := $contracts -- testsresourcesexamplesauction.vy.vpr@1099.3--1099.32 + $old_$contracts := $contracts; + assume state(Heap, Mask); + + // -- Translating statement: // id = 82 + // $succ := true -- testsresourcesexamplesauction.vy.vpr@1100.3--1100.16 + $succ := true; + assume state(Heap, Mask); + + // -- Translating statement: // id = 83 + // $overflow := false -- testsresourcesexamplesauction.vy.vpr@1101.3--1101.21 + $overflow := false; + assume state(Heap, Mask); + + // -- Translating statement: // id = 84 + // self := ($struct_set(self, 7, ($struct_get($struct_loc(self, 7)): Int) + + // ($struct_get($struct_loc(msg, 1)): Int)): $Struct) -- testsresourcesexamplesauction.vy.vpr@1103.3--1103.126 + self := ($struct_set(self, 7, ($struct_get(($struct_loc(self, 7): int)): int) + ($struct_get(($struct_loc(msg, 1): int)): int)): $StructDomainType); + assume state(Heap, Mask); + + // -- Translating statement: // id = 85 + // self := ($struct_set(self, 11, ($map_set(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), + // ($struct_get($struct_loc(msg, 0)): Int), ($map_get(($struct_get($struct_loc(self, + // 11)): $Map[Int, Int]), ($struct_get($struct_loc(msg, 0)): Int)): Int) + + // ($struct_get($struct_loc(msg, 1)): Int)): $Map[Int, Int])): $Struct) -- testsresourcesexamplesauction.vy.vpr@1104.3--1104.320 + self := ($struct_set(self, 11, ($map_set(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), ($struct_get(($struct_loc(msg, 0): int)): int), ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), ($struct_get(($struct_loc(msg, 0): int)): int)): int) + ($struct_get(($struct_loc(msg, 1): int)): int)): $MapDomainType int int)): $StructDomainType); + assume state(Heap, Mask); + + // -- Translating statement: if (!(($struct_get($struct_loc(block, 4)): Int) < ($struct_get($struct_loc(self, 2)): Int))) -- testsresourcesexamplesauction.vy.vpr@1106.3--1108.4 + if (!(($struct_get(($struct_loc(block, 4): int)): int) < ($struct_get(($struct_loc(self, 2): int)): int))) { + + // -- Translating statement: // id = 86 + // goto revert -- testsresourcesexamplesauction.vy.vpr@1107.5--1107.16 + goto revert; + assume state(Heap, Mask); + } else { + + // -- Translating statement: // id = 87 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 88 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: if (!!($struct_get($struct_loc(self, 5)): Bool)) -- testsresourcesexamplesauction.vy.vpr@1109.3--1111.4 + if (($struct_get(($struct_loc(self, 5): int)): bool)) { + + // -- Translating statement: // id = 89 + // goto revert -- testsresourcesexamplesauction.vy.vpr@1110.5--1110.16 + goto revert; + assume state(Heap, Mask); + } else { + + // -- Translating statement: // id = 90 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 91 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: if (!(($struct_get($struct_loc(msg, 1)): Int) > ($struct_get($struct_loc(self, 4)): Int))) -- testsresourcesexamplesauction.vy.vpr@1112.3--1114.4 + if (!(($struct_get(($struct_loc(msg, 1): int)): int) > ($struct_get(($struct_loc(self, 4): int)): int))) { + + // -- Translating statement: // id = 92 + // goto revert -- testsresourcesexamplesauction.vy.vpr@1113.5--1113.16 + goto revert; + assume state(Heap, Mask); + } else { + + // -- Translating statement: // id = 93 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 94 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: if (!(($struct_get($struct_loc(msg, 0)): Int) != ($struct_get($struct_loc(self, 0)): Int))) -- testsresourcesexamplesauction.vy.vpr@1115.3--1117.4 + if (!(($struct_get(($struct_loc(msg, 0): int)): int) != ($struct_get(($struct_loc(self, 0): int)): int))) { + + // -- Translating statement: // id = 95 + // goto revert -- testsresourcesexamplesauction.vy.vpr@1116.5--1116.16 + goto revert; + assume state(Heap, Mask); + } else { + + // -- Translating statement: // id = 96 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 97 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: if ($unwrap($wrap(($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), ($struct_get($struct_loc(self, 3)): Int)): Int))) + $unwrap($wrap(($struct_get($struct_loc(self, 4)): Int))) < 0) -- testsresourcesexamplesauction.vy.vpr@1118.3--1120.4 + if (($unwrap(($wrap(($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 3): int)): int)): int)): $IntDomainType)): int) + ($unwrap(($wrap(($struct_get(($struct_loc(self, 4): int)): int)): $IntDomainType)): int) < 0) { + + // -- Translating statement: // id = 98 + // goto revert -- testsresourcesexamplesauction.vy.vpr@1119.5--1119.16 + goto revert; + assume state(Heap, Mask); + } else { + + // -- Translating statement: // id = 99 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 100 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: if ($unwrap($wrap(($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), ($struct_get($struct_loc(self, 3)): Int)): Int))) + $unwrap($wrap(($struct_get($struct_loc(self, 4)): Int))) > 115792089237316195423570985008687907853269984665640564039457584007913129639935) -- testsresourcesexamplesauction.vy.vpr@1121.3--1124.4 + if (($unwrap(($wrap(($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 3): int)): int)): int)): $IntDomainType)): int) + ($unwrap(($wrap(($struct_get(($struct_loc(self, 4): int)): int)): $IntDomainType)): int) > 115792089237316195423570985008687907853269984665640564039457584007913129639935) { + + // -- Translating statement: // id = 101 + // $overflow := true -- testsresourcesexamplesauction.vy.vpr@1122.5--1122.22 + $overflow := true; + assume state(Heap, Mask); + + // -- Translating statement: // id = 102 + // goto revert -- testsresourcesexamplesauction.vy.vpr@1123.5--1123.16 + goto revert; + assume state(Heap, Mask); + } else { + + // -- Translating statement: // id = 103 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 104 + // self := ($struct_set(self, 6, ($map_set(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), + // ($struct_get($struct_loc(self, 3)): Int), $unwrap($wrap(($map_get(($struct_get($struct_loc(self, + // 6)): $Map[Int, Int]), ($struct_get($struct_loc(self, 3)): Int)): Int))) + + // $unwrap($wrap(($struct_get($struct_loc(self, 4)): Int)))): $Map[Int, Int])): $Struct) -- testsresourcesexamplesauction.vy.vpr@1125.3--1125.352 + self := ($struct_set(self, 6, ($map_set(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 3): int)): int), ($unwrap(($wrap(($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 3): int)): int)): int)): $IntDomainType)): int) + ($unwrap(($wrap(($struct_get(($struct_loc(self, 4): int)): int)): $IntDomainType)): int)): $MapDomainType int int)): $StructDomainType); + assume state(Heap, Mask); + + // -- Translating statement: // id = 105 + // self := ($struct_set(self, 3, ($struct_get($struct_loc(msg, 0)): Int)): $Struct) -- testsresourcesexamplesauction.vy.vpr@1126.3--1126.83 + self := ($struct_set(self, 3, ($struct_get(($struct_loc(msg, 0): int)): int)): $StructDomainType); + assume state(Heap, Mask); + + // -- Translating statement: // id = 106 + // self := ($struct_set(self, 4, $unwrap($wrap(($struct_get($struct_loc(msg, 1)): Int)))): $Struct) -- testsresourcesexamplesauction.vy.vpr@1127.3--1127.99 + self := ($struct_set(self, 4, ($unwrap(($wrap(($struct_get(($struct_loc(msg, 1): int)): int)): $IntDomainType)): int)): $StructDomainType); + assume state(Heap, Mask); + + // -- Translating statement: // id = 107 + // label return -- testsresourcesexamplesauction.vy.vpr@1128.3--1128.15 + vreturn: + LabelreturnMask := Mask; + LabelreturnHeap := Heap; + return_lblGuard := true; + assume state(Heap, Mask); + + // -- Translating statement: if ($out_of_gas) -- testsresourcesexamplesauction.vy.vpr@1129.3--1131.4 + if ($out_of_gas) { + + // -- Translating statement: // id = 108 + // goto revert -- testsresourcesexamplesauction.vy.vpr@1130.5--1130.16 + goto revert; + assume state(Heap, Mask); + } else { + + // -- Translating statement: // id = 109 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 110 + // goto end -- testsresourcesexamplesauction.vy.vpr@1132.3--1132.11 + goto end; + assume state(Heap, Mask); + + // -- Translating statement: // id = 111 + // label revert -- testsresourcesexamplesauction.vy.vpr@1133.3--1133.15 + revert: + LabelrevertMask := Mask; + LabelrevertHeap := Heap; + revert_lblGuard := true; + assume state(Heap, Mask); + + // -- Translating statement: // id = 112 + // $succ := false -- testsresourcesexamplesauction.vy.vpr@1134.3--1134.17 + $succ := false; + assume state(Heap, Mask); + + // -- Translating statement: // id = 113 + // self := $pre_self -- testsresourcesexamplesauction.vy.vpr@1136.3--1136.20 + self := $pre_self; + assume state(Heap, Mask); + + // -- Translating statement: // id = 114 + // $contracts := $pre_$contracts -- testsresourcesexamplesauction.vy.vpr@1137.3--1137.32 + $contracts := $pre_$contracts; + assume state(Heap, Mask); + + // -- Translating statement: // id = 115 + // $old_self := $pre_self -- testsresourcesexamplesauction.vy.vpr@1139.3--1139.25 + $old_self := $pre_self; + assume state(Heap, Mask); + + // -- Translating statement: // id = 116 + // $old_$contracts := $pre_$contracts -- testsresourcesexamplesauction.vy.vpr@1140.3--1140.37 + $old_$contracts := $pre_$contracts; + assume state(Heap, Mask); + + // -- Translating statement: // id = 117 + // label end -- testsresourcesexamplesauction.vy.vpr@1141.3--1141.12 + end: + LabelendMask := Mask; + LabelendHeap := Heap; + end_lblGuard := true; + assume state(Heap, Mask); + + // -- Translating statement: // id = 118 + // exhale $succ ==> + // ($struct_get($struct_loc(self, 4)): Int) > + // ($struct_get($struct_loc($pre_self, 4)): Int) -- testsresourcesexamplesauction.vy.vpr@1143.3--1143.108 + if ($succ) { + assert {:msg " Exhale might fail. Assertion ($struct_get($struct_loc(self, 4)): Int) > ($struct_get($struct_loc($pre_self, 4)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1143.10--1143.108) [275]"} + ($struct_get(($struct_loc(self, 4): int)): int) > ($struct_get(($struct_loc($pre_self, 4): int)): int); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 119 + // assert $succ && + // (($struct_get($struct_loc(msg, 1)): Int) > + // ($struct_get($struct_loc($pre_self, 4)): Int) && + // ($struct_get($struct_loc(self, 3)): Int) != 0) ==> + // ($struct_get($struct_loc(msg, 0)): Int) == + // ($struct_get($struct_loc(self, 3)): Int) -- testsresourcesexamplesauction.vy.vpr@1144.3--1144.243 + if ($succ && (($struct_get(($struct_loc(msg, 1): int)): int) > ($struct_get(($struct_loc($pre_self, 4): int)): int) && ($struct_get(($struct_loc(self, 3): int)): int) != 0)) { + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(msg, 0)): Int) == ($struct_get($struct_loc(self, 3)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1144.10--1144.243) [276]"} + ($struct_get(($struct_loc(msg, 0): int)): int) == ($struct_get(($struct_loc(self, 3): int)): int); + } + assume state(Heap, Mask); + + // -- Translating statement: if ($succ) -- testsresourcesexamplesauction.vy.vpr@1146.3--1148.4 + if ($succ) { + + // -- Translating statement: // id = 120 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + } else { + + // -- Translating statement: // id = 121 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 122 + // inhale l$havoc >= 0 -- testsresourcesexamplesauction.vy.vpr@1149.3--1149.22 + assume l$havoc >= 0; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 123 + // self := ($struct_set(self, 7, ($struct_get($struct_loc(self, 7)): Int) + + // l$havoc): $Struct) -- testsresourcesexamplesauction.vy.vpr@1150.3--1150.94 + self := ($struct_set(self, 7, ($struct_get(($struct_loc(self, 7): int)): int) + l$havoc): $StructDomainType); + assume state(Heap, Mask); + + // -- Translating statement: // id = 124 + // $contracts := l$havoc$1 -- testsresourcesexamplesauction.vy.vpr@1152.3--1152.26 + $contracts := l$havoc$1; + assume state(Heap, Mask); + + // -- Translating statement: // id = 125 + // assert ($struct_get($struct_loc(self, 3)): Int) == 0 ==> + // ($struct_get($struct_loc(self, 4)): Int) == 0 -- testsresourcesexamplesauction.vy.vpr@1154.3--1154.105 + if (($struct_get(($struct_loc(self, 3): int)): int) == 0) { + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 4)): Int) == 0 might not hold. (testsresourcesexamplesauction.vy.vpr@1154.10--1154.105) [277]"} + ($struct_get(($struct_loc(self, 4): int)): int) == 0; + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 126 + // assert ($struct_get($struct_loc(self, 0)): Int) == + // ($struct_get($struct_loc($old_self, 0)): Int) -- testsresourcesexamplesauction.vy.vpr@1155.3--1155.99 + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 0)): Int) == ($struct_get($struct_loc($old_self, 0)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1155.10--1155.99) [278]"} + ($struct_get(($struct_loc(self, 0): int)): int) == ($struct_get(($struct_loc($old_self, 0): int)): int); + assume state(Heap, Mask); + + // -- Translating statement: // id = 127 + // assert ($struct_get($struct_loc($old_self, 5)): Bool) ==> + // ($struct_get($struct_loc(self, 5)): Bool) -- testsresourcesexamplesauction.vy.vpr@1156.3--1156.102 + if (($struct_get(($struct_loc($old_self, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 5)): Bool) might not hold. (testsresourcesexamplesauction.vy.vpr@1156.10--1156.102) [279]"} + ($struct_get(($struct_loc(self, 5): int)): bool); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 128 + // assert !($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) + + // ($struct_get($struct_loc(self, 4)): Int) <= + // ($struct_get($struct_loc(self, 7)): Int) -- testsresourcesexamplesauction.vy.vpr@1157.3--1157.212 + if (!($struct_get(($struct_loc(self, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) + ($struct_get($struct_loc(self, 4)): Int) <= ($struct_get($struct_loc(self, 7)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1157.10--1157.212) [280]"} + ($map_sum(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int)): int) + ($struct_get(($struct_loc(self, 4): int)): int) <= ($struct_get(($struct_loc(self, 7): int)): int); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 129 + // assert !($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) + + // ($struct_get($struct_loc(self, 4)): Int) == + // ($map_sum(($struct_get($struct_loc(self, 11)): $Map[Int, Int])): Int) - + // ($map_sum(($struct_get($struct_loc(self, 10)): $Map[Int, Int])): Int) -- testsresourcesexamplesauction.vy.vpr@1158.3--1158.313 + if (!($struct_get(($struct_loc(self, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) + ($struct_get($struct_loc(self, 4)): Int) == ($map_sum(($struct_get($struct_loc(self, 11)): $Map[Int, Int])): Int) - ($map_sum(($struct_get($struct_loc(self, 10)): $Map[Int, Int])): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1158.10--1158.313) [281]"} + ($map_sum(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int)): int) + ($struct_get(($struct_loc(self, 4): int)): int) == ($map_sum(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int)): int) - ($map_sum(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int)): int); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 130 + // assert ($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) <= + // ($struct_get($struct_loc(self, 7)): Int) -- testsresourcesexamplesauction.vy.vpr@1159.3--1159.168 + if (($struct_get(($struct_loc(self, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) <= ($struct_get($struct_loc(self, 7)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1159.10--1159.168) [282]"} + ($map_sum(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int)): int) <= ($struct_get(($struct_loc(self, 7): int)): int); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 131 + // assert ($struct_get($struct_loc(self, 4)): Int) >= + // ($struct_get($struct_loc($old_self, 4)): Int) -- testsresourcesexamplesauction.vy.vpr@1160.3--1160.99 + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 4)): Int) >= ($struct_get($struct_loc($old_self, 4)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1160.10--1160.99) [283]"} + ($struct_get(($struct_loc(self, 4): int)): int) >= ($struct_get(($struct_loc($old_self, 4): int)): int); + assume state(Heap, Mask); + + // -- Translating statement: // id = 132 + // assert ($struct_get($struct_loc($old_self, 5)): Bool) ==> + // ($struct_get($struct_loc(self, 4)): Int) == + // ($struct_get($struct_loc($old_self, 4)): Int) && + // ($struct_get($struct_loc(self, 3)): Int) == + // ($struct_get($struct_loc($old_self, 3)): Int) -- testsresourcesexamplesauction.vy.vpr@1161.3--1161.243 + if (($struct_get(($struct_loc($old_self, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 4)): Int) == ($struct_get($struct_loc($old_self, 4)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1161.10--1161.243) [284]"} + ($struct_get(($struct_loc(self, 4): int)): int) == ($struct_get(($struct_loc($old_self, 4): int)): int); + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 3)): Int) == ($struct_get($struct_loc($old_self, 3)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1161.10--1161.243) [285]"} + ($struct_get(($struct_loc(self, 3): int)): int) == ($struct_get(($struct_loc($old_self, 3): int)): int); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 133 + // assert ($struct_get($struct_loc(self, 0)): Int) != 0 -- testsresourcesexamplesauction.vy.vpr@1162.3--1162.55 + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 0)): Int) != 0 might not hold. (testsresourcesexamplesauction.vy.vpr@1162.10--1162.55) [286]"} + ($struct_get(($struct_loc(self, 0): int)): int) != 0; + assume state(Heap, Mask); + + // -- Translating statement: // id = 134 + // assert ($struct_get($struct_loc(self, 3)): Int) != + // ($struct_get($struct_loc(self, 0)): Int) -- testsresourcesexamplesauction.vy.vpr@1163.3--1163.94 + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 3)): Int) != ($struct_get($struct_loc(self, 0)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1163.10--1163.94) [287]"} + ($struct_get(($struct_loc(self, 3): int)): int) != ($struct_get(($struct_loc(self, 0): int)): int); + assume state(Heap, Mask); + + // -- Translating statement: // id = 135 + // assert ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 0)): Int)): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@1164.3--1164.125 + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), ($struct_get($struct_loc(self, 0)): Int)): Int) == 0 might not hold. (testsresourcesexamplesauction.vy.vpr@1164.10--1164.125) [288]"} + ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 0): int)): int)): int) == 0; + assume state(Heap, Mask); + + // -- Translating statement: // id = 136 + // assert !($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 0)): Int)): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@1165.3--1165.173 + if (!($struct_get(($struct_loc(self, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, 0)): Int)): Int) == 0 might not hold. (testsresourcesexamplesauction.vy.vpr@1165.10--1165.173) [289]"} + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 0): int)): int)): int) == 0; + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 137 + // assert ($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 0)): Int)): Int) == + // ($struct_get($struct_loc(self, 4)): Int) -- testsresourcesexamplesauction.vy.vpr@1166.3--1166.211 + if (($struct_get(($struct_loc(self, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, 0)): Int)): Int) == ($struct_get($struct_loc(self, 4)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1166.10--1166.211) [290]"} + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 0): int)): int)): int) == ($struct_get(($struct_loc(self, 4): int)): int); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 138 + // assert ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 3)): Int)): Int) + + // ($struct_get($struct_loc(self, 4)): Int) + + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 3)): Int)): Int) == + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 3)): Int)): Int) -- testsresourcesexamplesauction.vy.vpr@1167.3--1167.392 + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, 3)): Int)): Int) + ($struct_get($struct_loc(self, 4)): Int) + ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), ($struct_get($struct_loc(self, 3)): Int)): Int) == ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), ($struct_get($struct_loc(self, 3)): Int)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1167.10--1167.392) [291]"} + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 3): int)): int)): int) + ($struct_get(($struct_loc(self, 4): int)): int) + ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 3): int)): int)): int) == ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 3): int)): int)): int); + assume state(Heap, Mask); + + // -- Translating statement: // id = 139 + // assert (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // q$a != ($struct_get($struct_loc(self, 3)): Int) && + // q$a != ($struct_get($struct_loc(self, 0)): Int) ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) + + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) == + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int)) -- testsresourcesexamplesauction.vy.vpr@1168.3--1168.514 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> q$a != ($struct_get($struct_loc(self, 3)): Int) && q$a != ($struct_get($struct_loc(self, 0)): Int) ==> ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) + ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) == ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int)) + if (*) { + assume false; + } + if (*) { + if (0 <= q$a_9 && q$a_9 <= 1461501637330902918203684832716283019655932542975) { + if (q$a_9 != ($struct_get(($struct_loc(self, 3): int)): int) && q$a_9 != ($struct_get(($struct_loc(self, 0): int)): int)) { + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) + ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) == ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1168.11--1168.513) [292]"} + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), q$a_9): int) + ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_9): int) == ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_9): int); + } + } + assume false; + } + assume (forall q$a_10_1: int :: + { ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_10_1): int) } + 0 <= q$a_10_1 && q$a_10_1 <= 1461501637330902918203684832716283019655932542975 ==> q$a_10_1 != ($struct_get(($struct_loc(self, 3): int)): int) && q$a_10_1 != ($struct_get(($struct_loc(self, 0): int)): int) ==> ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), q$a_10_1): int) + ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_10_1): int) == ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_10_1): int) + ); + assume state(Heap, Mask); + + // -- Translating statement: // id = 140 + // assert ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), 0): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@1169.3--1169.87 + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), 0): Int) == 0 might not hold. (testsresourcesexamplesauction.vy.vpr@1169.10--1169.87) [293]"} + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), 0): int) == 0; + assume state(Heap, Mask); + + // -- Translating statement: // id = 141 + // assert (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) != + // 0 ==> + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) != + // 0) -- testsresourcesexamplesauction.vy.vpr@1170.3--1170.344 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) != 0 ==> ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) != 0) + if (*) { + assume false; + } + if (*) { + if (0 <= q$a_12 && q$a_12 <= 1461501637330902918203684832716283019655932542975) { + if (($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_12): int) != 0) { + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) != 0 might not hold. (testsresourcesexamplesauction.vy.vpr@1170.11--1170.343) [294]"} + ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_12): int) != 0; + } + } + assume false; + } + assume (forall q$a_13_1: int :: + { ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_13_1): int) } + 0 <= q$a_13_1 && q$a_13_1 <= 1461501637330902918203684832716283019655932542975 ==> ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_13_1): int) != 0 ==> ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_13_1): int) != 0 + ); + assume state(Heap, Mask); + + // -- Translating statement: // id = 142 + // assert (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // q$a != ($struct_get($struct_loc(self, 0)): Int) && + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) == + // 0 ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) == + // 0) -- testsresourcesexamplesauction.vy.vpr@1171.3--1171.397 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> q$a != ($struct_get($struct_loc(self, 0)): Int) && ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) == 0 ==> ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) == 0) + if (*) { + assume false; + } + if (*) { + if (0 <= q$a_15 && q$a_15 <= 1461501637330902918203684832716283019655932542975) { + if (q$a_15 != ($struct_get(($struct_loc(self, 0): int)): int) && ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_15): int) == 0) { + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) == 0 might not hold. (testsresourcesexamplesauction.vy.vpr@1171.11--1171.396) [295]"} + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), q$a_15): int) == 0; + } + } + assume false; + } + assume (forall q$a_16_1_1: int :: + { ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_16_1_1): int) } + 0 <= q$a_16_1_1 && q$a_16_1_1 <= 1461501637330902918203684832716283019655932542975 ==> q$a_16_1_1 != ($struct_get(($struct_loc(self, 0): int)): int) && ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_16_1_1): int) == 0 ==> ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), q$a_16_1_1): int) == 0 + ); + assume state(Heap, Mask); + + // -- Translating statement: // id = 143 + // assert (forall q$a: Int, q$v: Int :: + // { $accessible$withdraw(18, q$a, q$v) } + // 0 <= q$a && + // (q$a <= 1461501637330902918203684832716283019655932542975 && + // (0 <= q$v && + // q$v <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935)) ==> + // q$v == + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) ==> + // true) -- testsresourcesexamplesauction.vy.vpr@1172.3--1172.345 + + // -- Check definedness of (forall q$a: Int, q$v: Int :: { $accessible$withdraw(18, q$a, q$v) } 0 <= q$a && (q$a <= 1461501637330902918203684832716283019655932542975 && (0 <= q$v && q$v <= 115792089237316195423570985008687907853269984665640564039457584007913129639935)) ==> q$v == ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) ==> true) + if (*) { + assume false; + } + if (*) { + assume false; + } + assume state(Heap, Mask); +} + +// ================================================== +// Translation of method f$withdraw +// ================================================== + +procedure f$withdraw() returns ($succ: bool) + modifies Heap, Mask; +{ + var revert_lblGuard: bool; + var end_lblGuard: bool; + var return_lblGuard: bool; + var self: $StructDomainType; + var block: $StructDomainType; + var msg: $StructDomainType; + var QPMask: MaskType; + var $pre_self: $StructDomainType; + var $pre_$contracts: ($MapDomainType int $StructDomainType); + var $contracts: ($MapDomainType int $StructDomainType); + var $old_self: $StructDomainType; + var $old_$contracts: ($MapDomainType int $StructDomainType); + var $overflow: bool; + var l$pending_amount: $IntDomainType; + var l$havoc: ($MapDomainType int $StructDomainType); + var q$a_10: int; + var q$a_13: int; + var q$a_16: int; + var l$send_fail: bool; + var perm: Perm; + var i0$$pre_self: $StructDomainType; + var i0$$pre_$contracts: ($MapDomainType int $StructDomainType); + var l$havoc$1: ($MapDomainType int $StructDomainType); + var l$havoc$2: $StructDomainType; + var l$havoc$3: ($MapDomainType int $StructDomainType); + var l$no_reentrant_call: bool; + var l$havoc$4: ($MapDomainType int $StructDomainType); + var l$havoc$5: ($MapDomainType int $StructDomainType); + var LabelreturnMask: MaskType; + var LabelreturnHeap: HeapType; + var $out_of_gas: bool; + var LabelrevertMask: MaskType; + var LabelrevertHeap: HeapType; + var LabelendMask: MaskType; + var LabelendHeap: HeapType; + var l$havoc$6: int; + var l$havoc$7: ($MapDomainType int $StructDomainType); + var q$a_30: int; + var q$a_33: int; + var q$a_36: int; + var $a_5: int; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == -1; + revert_lblGuard := false; + end_lblGuard := false; + return_lblGuard := false; + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Translating statement: // id = 1 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 2 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 3 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 4 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 5 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 6 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 7 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 8 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 9 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 10 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 11 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 12 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 13 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 14 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 15 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 16 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 17 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 18 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 19 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 20 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 21 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 22 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 23 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 24 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 25 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 26 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 27 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 28 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 29 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 30 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 31 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 32 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 33 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 34 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 35 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 36 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 37 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 38 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 39 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 40 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 41 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 42 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 43 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 44 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 45 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 46 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 47 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 48 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 49 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 50 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 51 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 52 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 53 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 54 + // inhale 0 <= ($struct_get($struct_loc(self, 0)): Int) && + // ($struct_get($struct_loc(self, 0)): Int) <= + // 1461501637330902918203684832716283019655932542975 -- testsresourcesexamplesauction.vy.vpr@1205.3--1205.152 + assume 0 <= ($struct_get(($struct_loc(self, 0): int)): int); + assume ($struct_get(($struct_loc(self, 0): int)): int) <= 1461501637330902918203684832716283019655932542975; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 55 + // inhale 0 <= ($struct_get($struct_loc(self, 1)): Int) && + // ($struct_get($struct_loc(self, 1)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@1206.3--1206.181 + assume 0 <= ($struct_get(($struct_loc(self, 1): int)): int); + assume ($struct_get(($struct_loc(self, 1): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 56 + // inhale 0 <= ($struct_get($struct_loc(self, 2)): Int) && + // ($struct_get($struct_loc(self, 2)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@1207.3--1207.181 + assume 0 <= ($struct_get(($struct_loc(self, 2): int)): int); + assume ($struct_get(($struct_loc(self, 2): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 57 + // inhale 0 <= ($struct_get($struct_loc(self, 3)): Int) && + // ($struct_get($struct_loc(self, 3)): Int) <= + // 1461501637330902918203684832716283019655932542975 -- testsresourcesexamplesauction.vy.vpr@1208.3--1208.152 + assume 0 <= ($struct_get(($struct_loc(self, 3): int)): int); + assume ($struct_get(($struct_loc(self, 3): int)): int) <= 1461501637330902918203684832716283019655932542975; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 58 + // inhale 0 <= ($struct_get($struct_loc(self, 4)): Int) && + // ($struct_get($struct_loc(self, 4)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@1209.3--1209.181 + assume 0 <= ($struct_get(($struct_loc(self, 4): int)): int); + assume ($struct_get(($struct_loc(self, 4): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 59 + // inhale (forall $q0: Int :: + // { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) } + // 0 <= + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) && + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935) -- testsresourcesexamplesauction.vy.vpr@1210.3--1210.346 + + // -- Check definedness of (forall $q0: Int :: { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) } 0 <= ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) && ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) + if (*) { + assume false; + } + assume (forall $q0_1: int :: + { ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), $q0_1): int) } + 0 <= ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), $q0_1): int) && ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), $q0_1): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 60 + // inhale (forall $q0: Int :: + // { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) } + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) <= + // ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int)) -- testsresourcesexamplesauction.vy.vpr@1211.3--1211.254 + + // -- Check definedness of (forall $q0: Int :: { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) } ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) <= ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int)) + if (*) { + assume false; + } + assume (forall $q0_3: int :: + { ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), $q0_3): int) } + ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), $q0_3): int) <= ($map_sum(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int)): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 61 + // inhale 0 <= ($struct_get($struct_loc(self, 7)): Int) && + // ($struct_get($struct_loc(self, 7)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@1212.3--1212.181 + assume 0 <= ($struct_get(($struct_loc(self, 7): int)): int); + assume ($struct_get(($struct_loc(self, 7): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 62 + // inhale -170141183460469231731687303715884105728 <= + // ($struct_get($struct_loc(self, 8)): Int) && + // ($struct_get($struct_loc(self, 8)): Int) <= + // 170141183460469231731687303715884105727 -- testsresourcesexamplesauction.vy.vpr@1213.3--1213.181 + assume -170141183460469231731687303715884105728 <= ($struct_get(($struct_loc(self, 8): int)): int); + assume ($struct_get(($struct_loc(self, 8): int)): int) <= 170141183460469231731687303715884105727; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 63 + // inhale (forall $q1: Int :: + // { ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) } + // 0 <= + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) && + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935) -- testsresourcesexamplesauction.vy.vpr@1214.3--1214.349 + + // -- Check definedness of (forall $q1: Int :: { ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) } 0 <= ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) && ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) + if (*) { + assume false; + } + assume (forall $q1_1: int :: + { ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $q1_1): int) } + 0 <= ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $q1_1): int) && ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $q1_1): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 64 + // inhale (forall $q1: Int :: + // { ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) } + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) <= + // ($map_sum(($struct_get($struct_loc(self, 10)): $Map[Int, Int])): Int)) -- testsresourcesexamplesauction.vy.vpr@1215.3--1215.257 + + // -- Check definedness of (forall $q1: Int :: { ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) } ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) <= ($map_sum(($struct_get($struct_loc(self, 10)): $Map[Int, Int])): Int)) + if (*) { + assume false; + } + assume (forall $q1_3: int :: + { ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $q1_3): int) } + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $q1_3): int) <= ($map_sum(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int)): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 65 + // inhale (forall $q2: Int :: + // { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) } + // 0 <= + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) && + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935) -- testsresourcesexamplesauction.vy.vpr@1216.3--1216.349 + + // -- Check definedness of (forall $q2: Int :: { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) } 0 <= ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) && ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) + if (*) { + assume false; + } + assume (forall $q2_1: int :: + { ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), $q2_1): int) } + 0 <= ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), $q2_1): int) && ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), $q2_1): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 66 + // inhale (forall $q2: Int :: + // { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) } + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) <= + // ($map_sum(($struct_get($struct_loc(self, 11)): $Map[Int, Int])): Int)) -- testsresourcesexamplesauction.vy.vpr@1217.3--1217.257 + + // -- Check definedness of (forall $q2: Int :: { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) } ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) <= ($map_sum(($struct_get($struct_loc(self, 11)): $Map[Int, Int])): Int)) + if (*) { + assume false; + } + assume (forall $q2_3: int :: + { ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), $q2_3): int) } + ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), $q2_3): int) <= ($map_sum(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int)): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 67 + // inhale ($struct_get($struct_loc(self, -1)): Int) == + // 9122519725869122497593506884710 -- testsresourcesexamplesauction.vy.vpr@1218.3--1218.86 + assume ($struct_get(($struct_loc(self, -1): int)): int) == 9122519725869122497593506884710; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 68 + // inhale 0 <= $self_address() && + // $self_address() <= 1461501637330902918203684832716283019655932542975 -- testsresourcesexamplesauction.vy.vpr@1220.3--1220.102 + assume 0 <= ($self_address(): int); + assume ($self_address(): int) <= 1461501637330902918203684832716283019655932542975; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 69 + // inhale 0 <= ($struct_get($struct_loc(block, 0)): Int) && + // ($struct_get($struct_loc(block, 0)): Int) <= + // 1461501637330902918203684832716283019655932542975 -- testsresourcesexamplesauction.vy.vpr@1222.3--1222.154 + assume 0 <= ($struct_get(($struct_loc(block, 0): int)): int); + assume ($struct_get(($struct_loc(block, 0): int)): int) <= 1461501637330902918203684832716283019655932542975; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 70 + // inhale 0 <= ($struct_get($struct_loc(block, 1)): Int) && + // ($struct_get($struct_loc(block, 1)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@1223.3--1223.183 + assume 0 <= ($struct_get(($struct_loc(block, 1): int)): int); + assume ($struct_get(($struct_loc(block, 1): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 71 + // inhale 0 <= ($struct_get($struct_loc(block, 2)): Int) && + // ($struct_get($struct_loc(block, 2)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@1224.3--1224.183 + assume 0 <= ($struct_get(($struct_loc(block, 2): int)): int); + assume ($struct_get(($struct_loc(block, 2): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 72 + // inhale |($struct_get($struct_loc(block, 3)): Seq[Int])| == 32 -- testsresourcesexamplesauction.vy.vpr@1225.3--1225.64 + assume Seq#Length(($struct_get(($struct_loc(block, 3): int)): Seq int)) == 32; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 73 + // inhale 0 <= ($struct_get($struct_loc(block, 4)): Int) && + // ($struct_get($struct_loc(block, 4)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@1226.3--1226.183 + assume 0 <= ($struct_get(($struct_loc(block, 4): int)): int); + assume ($struct_get(($struct_loc(block, 4): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 74 + // inhale ($struct_get($struct_loc(block, -1)): Int) == + // 2335365049822495359383864865678187 -- testsresourcesexamplesauction.vy.vpr@1227.3--1227.90 + assume ($struct_get(($struct_loc(block, -1): int)): int) == 2335365049822495359383864865678187; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 75 + // inhale 0 <= ($struct_get($struct_loc(msg, 0)): Int) && + // ($struct_get($struct_loc(msg, 0)): Int) <= + // 1461501637330902918203684832716283019655932542975 -- testsresourcesexamplesauction.vy.vpr@1229.3--1229.150 + assume 0 <= ($struct_get(($struct_loc(msg, 0): int)): int); + assume ($struct_get(($struct_loc(msg, 0): int)): int) <= 1461501637330902918203684832716283019655932542975; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 76 + // inhale 0 <= ($struct_get($struct_loc(msg, 1)): Int) && + // ($struct_get($struct_loc(msg, 1)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@1230.3--1230.179 + assume 0 <= ($struct_get(($struct_loc(msg, 1): int)): int); + assume ($struct_get(($struct_loc(msg, 1): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 77 + // inhale 0 <= ($struct_get($struct_loc(msg, 2)): Int) && + // ($struct_get($struct_loc(msg, 2)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@1231.3--1231.179 + assume 0 <= ($struct_get(($struct_loc(msg, 2): int)): int); + assume ($struct_get(($struct_loc(msg, 2): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 78 + // inhale ($struct_get($struct_loc(msg, -1)): Int) == + // 35634842679176259756224246631 -- testsresourcesexamplesauction.vy.vpr@1232.3--1232.83 + assume ($struct_get(($struct_loc(msg, -1): int)): int) == 35634842679176259756224246631; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 79 + // inhale ($struct_get($struct_loc(msg, 0)): Int) != 0 -- testsresourcesexamplesauction.vy.vpr@1233.3--1233.54 + assume ($struct_get(($struct_loc(msg, 0): int)): int) != 0; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 80 + // inhale (forall $a: Int :: + // { ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $a): Int) } + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $a): Int) >= + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $a): Int)) -- testsresourcesexamplesauction.vy.vpr@1235.3--1235.258 + + // -- Check definedness of (forall $a: Int :: { ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $a): Int) } ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $a): Int) >= ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $a): Int)) + if (*) { + assume false; + } + assume (forall $a_1_1: int :: + { ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $a_1_1): int) } + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $a_1_1): int) >= ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $a_1_1): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 81 + // inhale ($struct_get($struct_loc(self, 3)): Int) == 0 ==> + // ($struct_get($struct_loc(self, 4)): Int) == 0 -- testsresourcesexamplesauction.vy.vpr@1236.3--1236.105 + if (($struct_get(($struct_loc(self, 3): int)): int) == 0) { + assume ($struct_get(($struct_loc(self, 4): int)): int) == 0; + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 82 + // inhale ($struct_get($struct_loc(self, 0)): Int) == + // ($struct_get($struct_loc(self, 0)): Int) -- testsresourcesexamplesauction.vy.vpr@1237.3--1237.94 + assume ($struct_get(($struct_loc(self, 0): int)): int) == ($struct_get(($struct_loc(self, 0): int)): int); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 83 + // inhale ($struct_get($struct_loc(self, 5)): Bool) ==> + // ($struct_get($struct_loc(self, 5)): Bool) -- testsresourcesexamplesauction.vy.vpr@1238.3--1238.97 + if (($struct_get(($struct_loc(self, 5): int)): bool)) { + assume ($struct_get(($struct_loc(self, 5): int)): bool); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 84 + // inhale !($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) + + // ($struct_get($struct_loc(self, 4)): Int) <= + // ($struct_get($struct_loc(self, 7)): Int) -- testsresourcesexamplesauction.vy.vpr@1239.3--1239.212 + if (!($struct_get(($struct_loc(self, 5): int)): bool)) { + assume ($map_sum(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int)): int) + ($struct_get(($struct_loc(self, 4): int)): int) <= ($struct_get(($struct_loc(self, 7): int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 85 + // inhale !($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) + + // ($struct_get($struct_loc(self, 4)): Int) == + // ($map_sum(($struct_get($struct_loc(self, 11)): $Map[Int, Int])): Int) - + // ($map_sum(($struct_get($struct_loc(self, 10)): $Map[Int, Int])): Int) -- testsresourcesexamplesauction.vy.vpr@1240.3--1240.313 + if (!($struct_get(($struct_loc(self, 5): int)): bool)) { + assume ($map_sum(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int)): int) + ($struct_get(($struct_loc(self, 4): int)): int) == ($map_sum(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int)): int) - ($map_sum(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 86 + // inhale ($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) <= + // ($struct_get($struct_loc(self, 7)): Int) -- testsresourcesexamplesauction.vy.vpr@1241.3--1241.168 + if (($struct_get(($struct_loc(self, 5): int)): bool)) { + assume ($map_sum(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int)): int) <= ($struct_get(($struct_loc(self, 7): int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 87 + // inhale ($struct_get($struct_loc(self, 4)): Int) >= + // ($struct_get($struct_loc(self, 4)): Int) -- testsresourcesexamplesauction.vy.vpr@1242.3--1242.94 + assume ($struct_get(($struct_loc(self, 4): int)): int) >= ($struct_get(($struct_loc(self, 4): int)): int); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 88 + // inhale ($struct_get($struct_loc(self, 5)): Bool) ==> + // ($struct_get($struct_loc(self, 4)): Int) == + // ($struct_get($struct_loc(self, 4)): Int) && + // ($struct_get($struct_loc(self, 3)): Int) == + // ($struct_get($struct_loc(self, 3)): Int) -- testsresourcesexamplesauction.vy.vpr@1243.3--1243.228 + if (($struct_get(($struct_loc(self, 5): int)): bool)) { + assume ($struct_get(($struct_loc(self, 4): int)): int) == ($struct_get(($struct_loc(self, 4): int)): int); + assume ($struct_get(($struct_loc(self, 3): int)): int) == ($struct_get(($struct_loc(self, 3): int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 89 + // inhale ($struct_get($struct_loc(self, 0)): Int) != 0 -- testsresourcesexamplesauction.vy.vpr@1244.3--1244.55 + assume ($struct_get(($struct_loc(self, 0): int)): int) != 0; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 90 + // inhale ($struct_get($struct_loc(self, 3)): Int) != + // ($struct_get($struct_loc(self, 0)): Int) -- testsresourcesexamplesauction.vy.vpr@1245.3--1245.94 + assume ($struct_get(($struct_loc(self, 3): int)): int) != ($struct_get(($struct_loc(self, 0): int)): int); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 91 + // inhale ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 0)): Int)): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@1246.3--1246.125 + assume ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 0): int)): int)): int) == 0; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 92 + // inhale !($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 0)): Int)): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@1247.3--1247.173 + if (!($struct_get(($struct_loc(self, 5): int)): bool)) { + assume ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 0): int)): int)): int) == 0; + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 93 + // inhale ($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 0)): Int)): Int) == + // ($struct_get($struct_loc(self, 4)): Int) -- testsresourcesexamplesauction.vy.vpr@1248.3--1248.211 + if (($struct_get(($struct_loc(self, 5): int)): bool)) { + assume ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 0): int)): int)): int) == ($struct_get(($struct_loc(self, 4): int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 94 + // inhale ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 3)): Int)): Int) + + // ($struct_get($struct_loc(self, 4)): Int) + + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 3)): Int)): Int) == + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 3)): Int)): Int) -- testsresourcesexamplesauction.vy.vpr@1249.3--1249.392 + assume ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 3): int)): int)): int) + ($struct_get(($struct_loc(self, 4): int)): int) + ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 3): int)): int)): int) == ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 3): int)): int)): int); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 95 + // inhale (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // q$a != ($struct_get($struct_loc(self, 3)): Int) && + // q$a != ($struct_get($struct_loc(self, 0)): Int) ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) + + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) == + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int)) -- testsresourcesexamplesauction.vy.vpr@1250.3--1250.514 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> q$a != ($struct_get($struct_loc(self, 3)): Int) && q$a != ($struct_get($struct_loc(self, 0)): Int) ==> ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) + ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) == ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int)) + if (*) { + assume false; + } + assume (forall q$a_1: int :: + { ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_1): int) } + 0 <= q$a_1 && q$a_1 <= 1461501637330902918203684832716283019655932542975 ==> q$a_1 != ($struct_get(($struct_loc(self, 3): int)): int) && q$a_1 != ($struct_get(($struct_loc(self, 0): int)): int) ==> ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), q$a_1): int) + ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_1): int) == ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_1): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 96 + // inhale ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), 0): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@1251.3--1251.87 + assume ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), 0): int) == 0; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 97 + // inhale (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) != + // 0 ==> + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) != + // 0) -- testsresourcesexamplesauction.vy.vpr@1252.3--1252.344 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) != 0 ==> ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) != 0) + if (*) { + assume false; + } + assume (forall q$a_3: int :: + { ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_3): int) } + 0 <= q$a_3 && q$a_3 <= 1461501637330902918203684832716283019655932542975 ==> ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_3): int) != 0 ==> ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_3): int) != 0 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 98 + // inhale (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // q$a != ($struct_get($struct_loc(self, 0)): Int) && + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) == + // 0 ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) == + // 0) -- testsresourcesexamplesauction.vy.vpr@1253.3--1253.397 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> q$a != ($struct_get($struct_loc(self, 0)): Int) && ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) == 0 ==> ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) == 0) + if (*) { + assume false; + } + assume (forall q$a_5: int :: + { ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_5): int) } + 0 <= q$a_5 && q$a_5 <= 1461501637330902918203684832716283019655932542975 ==> q$a_5 != ($struct_get(($struct_loc(self, 0): int)): int) && ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_5): int) == 0 ==> ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), q$a_5): int) == 0 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 99 + // inhale true && + // (forall q$a: Int, q$v: Int :: + // { $accessible$withdraw(18, q$a, q$v) } + // 0 <= q$a && + // (q$a <= 1461501637330902918203684832716283019655932542975 && + // (0 <= q$v && + // q$v <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 && + // q$v == + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int))) ==> + // acc($accessible$withdraw(18, q$a, q$v), write)) -- testsresourcesexamplesauction.vy.vpr@1254.3--1254.394 + + // -- Check definedness of (forall q$a: Int, q$v: Int :: { $accessible$withdraw(18, q$a, q$v) } 0 <= q$a && (q$a <= 1461501637330902918203684832716283019655932542975 && (0 <= q$v && q$v <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 && q$v == ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int))) ==> acc($accessible$withdraw(18, q$a, q$v), write)) + if (*) { + assume false; + } + havoc QPMask; + + // -- check if receiver acc($accessible$withdraw(18, q$a, q$v), write) is injective + assert {:msg " Inhale might fail. Quantified resource $accessible$withdraw(18, q$a, q$v) might not be injective. (testsresourcesexamplesauction.vy.vpr@1254.10--1254.394) [297]"} + (forall q$a_7: int, q$v_1: int, q$a_7_1: int, q$v_1_1: int :: + { neverTriggered16(q$a_7, q$v_1), neverTriggered16(q$a_7_1, q$v_1_1) } + ((((q$a_7 != q$a_7_1 && q$v_1 != q$v_1_1) && (0 <= q$a_7 && (q$a_7 <= 1461501637330902918203684832716283019655932542975 && ((0 <= q$v_1 && q$v_1 <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && q$v_1 == ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_7): int))))) && (0 <= q$a_7_1 && (q$a_7_1 <= 1461501637330902918203684832716283019655932542975 && ((0 <= q$v_1_1 && q$v_1_1 <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && q$v_1_1 == ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_7_1): int))))) && NoPerm < FullPerm) && NoPerm < FullPerm ==> q$a_7 != q$a_7_1 || q$v_1 != q$v_1_1 + ); + + // -- Define Inverse Function + assume (forall q$a_7: int, q$v_1: int :: + { Heap[null, $accessible$withdraw(18, q$a_7, q$v_1)] } { Mask[null, $accessible$withdraw(18, q$a_7, q$v_1)] } { Heap[null, $accessible$withdraw(18, q$a_7, q$v_1)] } + (0 <= q$a_7 && (q$a_7 <= 1461501637330902918203684832716283019655932542975 && ((0 <= q$v_1 && q$v_1 <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && q$v_1 == ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_7): int)))) && NoPerm < FullPerm ==> (invRecv15(18, q$a_7, q$v_1) == q$a_7 && invRecv16(18, q$a_7, q$v_1) == q$v_1) && qpRange16(18, q$a_7, q$v_1) + ); + assume (forall $tag: int, $to: int, $amount: int :: + { invRecv15($tag, $to, $amount), invRecv16($tag, $to, $amount) } + ((0 <= invRecv15($tag, $to, $amount) && (invRecv15($tag, $to, $amount) <= 1461501637330902918203684832716283019655932542975 && ((0 <= invRecv16($tag, $to, $amount) && invRecv16($tag, $to, $amount) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && invRecv16($tag, $to, $amount) == ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), invRecv15($tag, $to, $amount)): int)))) && NoPerm < FullPerm) && qpRange16($tag, $to, $amount) ==> (18 == $tag && invRecv15($tag, $to, $amount) == $to) && invRecv16($tag, $to, $amount) == $amount + ); + + // -- Define updated permissions + assume (forall $tag: int, $to: int, $amount: int :: + { QPMask[null, $accessible$withdraw($tag, $to, $amount)] } + ((0 <= invRecv15($tag, $to, $amount) && (invRecv15($tag, $to, $amount) <= 1461501637330902918203684832716283019655932542975 && ((0 <= invRecv16($tag, $to, $amount) && invRecv16($tag, $to, $amount) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && invRecv16($tag, $to, $amount) == ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), invRecv15($tag, $to, $amount)): int)))) && NoPerm < FullPerm) && qpRange16($tag, $to, $amount) ==> (NoPerm < FullPerm ==> (18 == $tag && invRecv15($tag, $to, $amount) == $to) && invRecv16($tag, $to, $amount) == $amount) && QPMask[null, $accessible$withdraw($tag, $to, $amount)] == Mask[null, $accessible$withdraw($tag, $to, $amount)] + FullPerm + ); + + // -- Define independent locations + assume (forall o_4: Ref, f_6: (Field A B) :: + { Mask[o_4, f_6] } { QPMask[o_4, f_6] } + (o_4 != null || !IsPredicateField(f_6)) || getPredicateId(f_6) != 24 ==> Mask[o_4, f_6] == QPMask[o_4, f_6] + ); + assume (forall $tag: int, $to: int, $amount: int :: + { QPMask[null, $accessible$withdraw($tag, $to, $amount)] } + !(((0 <= invRecv15($tag, $to, $amount) && (invRecv15($tag, $to, $amount) <= 1461501637330902918203684832716283019655932542975 && ((0 <= invRecv16($tag, $to, $amount) && invRecv16($tag, $to, $amount) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) && invRecv16($tag, $to, $amount) == ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), invRecv15($tag, $to, $amount)): int)))) && NoPerm < FullPerm) && qpRange16($tag, $to, $amount)) ==> QPMask[null, $accessible$withdraw($tag, $to, $amount)] == Mask[null, $accessible$withdraw($tag, $to, $amount)] + ); + Mask := QPMask; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 100 + // $pre_self := self -- testsresourcesexamplesauction.vy.vpr@1256.3--1256.20 + $pre_self := self; + assume state(Heap, Mask); + + // -- Translating statement: // id = 101 + // $pre_$contracts := $contracts -- testsresourcesexamplesauction.vy.vpr@1257.3--1257.32 + $pre_$contracts := $contracts; + assume state(Heap, Mask); + + // -- Translating statement: // id = 102 + // $old_self := self -- testsresourcesexamplesauction.vy.vpr@1259.3--1259.20 + $old_self := self; + assume state(Heap, Mask); + + // -- Translating statement: // id = 103 + // $old_$contracts := $contracts -- testsresourcesexamplesauction.vy.vpr@1260.3--1260.32 + $old_$contracts := $contracts; + assume state(Heap, Mask); + + // -- Translating statement: // id = 104 + // $succ := true -- testsresourcesexamplesauction.vy.vpr@1261.3--1261.16 + $succ := true; + assume state(Heap, Mask); + + // -- Translating statement: // id = 105 + // $overflow := false -- testsresourcesexamplesauction.vy.vpr@1262.3--1262.21 + $overflow := false; + assume state(Heap, Mask); + + // -- Translating statement: // id = 106 + // inhale ($struct_get($struct_loc(msg, 1)): Int) == 0 -- testsresourcesexamplesauction.vy.vpr@1264.3--1264.54 + assume ($struct_get(($struct_loc(msg, 1): int)): int) == 0; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 107 + // l$pending_amount := $wrap(($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), + // ($struct_get($struct_loc(msg, 0)): Int)): Int)) -- testsresourcesexamplesauction.vy.vpr@1266.3--1266.139 + l$pending_amount := ($wrap(($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), ($struct_get(($struct_loc(msg, 0): int)): int)): int)): $IntDomainType); + assume state(Heap, Mask); + + // -- Translating statement: // id = 108 + // self := ($struct_set(self, 6, ($map_set(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), + // ($struct_get($struct_loc(msg, 0)): Int), 0): $Map[Int, Int])): $Struct) -- testsresourcesexamplesauction.vy.vpr@1267.3--1267.167 + self := ($struct_set(self, 6, ($map_set(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), ($struct_get(($struct_loc(msg, 0): int)): int), 0): $MapDomainType int int)): $StructDomainType); + assume state(Heap, Mask); + + // -- Translating statement: if (($struct_get($struct_loc(self, 7)): Int) < $unwrap(l$pending_amount)) -- testsresourcesexamplesauction.vy.vpr@1268.3--1270.4 + if (($struct_get(($struct_loc(self, 7): int)): int) < ($unwrap(l$pending_amount): int)) { + + // -- Translating statement: // id = 109 + // goto revert -- testsresourcesexamplesauction.vy.vpr@1269.5--1269.16 + goto revert; + assume state(Heap, Mask); + } else { + + // -- Translating statement: // id = 110 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 111 + // self := ($struct_set(self, 10, ($map_set(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), + // ($struct_get($struct_loc(msg, 0)): Int), ($map_get(($struct_get($struct_loc(self, + // 10)): $Map[Int, Int]), ($struct_get($struct_loc(msg, 0)): Int)): Int) + + // $unwrap(l$pending_amount)): $Map[Int, Int])): $Struct) -- testsresourcesexamplesauction.vy.vpr@1271.3--1271.306 + self := ($struct_set(self, 10, ($map_set(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc(msg, 0): int)): int), ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc(msg, 0): int)): int)): int) + ($unwrap(l$pending_amount): int)): $MapDomainType int int)): $StructDomainType); + assume state(Heap, Mask); + + // -- Translating statement: // id = 112 + // self := ($struct_set(self, 7, ($struct_get($struct_loc(self, 7)): Int) - + // $unwrap(l$pending_amount)): $Struct) -- testsresourcesexamplesauction.vy.vpr@1272.3--1272.112 + self := ($struct_set(self, 7, ($struct_get(($struct_loc(self, 7): int)): int) - ($unwrap(l$pending_amount): int)): $StructDomainType); + assume state(Heap, Mask); + + // -- Translating statement: // id = 113 + // $old_$contracts := $contracts -- testsresourcesexamplesauction.vy.vpr@1274.3--1274.32 + $old_$contracts := $contracts; + assume state(Heap, Mask); + + // -- Translating statement: // id = 114 + // $contracts := l$havoc -- testsresourcesexamplesauction.vy.vpr@1276.3--1276.24 + $contracts := l$havoc; + assume state(Heap, Mask); + + // -- Translating statement: // id = 115 + // assert ($struct_get($struct_loc(self, 3)): Int) == 0 ==> + // ($struct_get($struct_loc(self, 4)): Int) == 0 -- testsresourcesexamplesauction.vy.vpr@1278.3--1278.105 + if (($struct_get(($struct_loc(self, 3): int)): int) == 0) { + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 4)): Int) == 0 might not hold. (testsresourcesexamplesauction.vy.vpr@1278.10--1278.105) [298]"} + ($struct_get(($struct_loc(self, 4): int)): int) == 0; + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 116 + // assert ($struct_get($struct_loc(self, 0)): Int) == + // ($struct_get($struct_loc($old_self, 0)): Int) -- testsresourcesexamplesauction.vy.vpr@1279.3--1279.99 + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 0)): Int) == ($struct_get($struct_loc($old_self, 0)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1279.10--1279.99) [299]"} + ($struct_get(($struct_loc(self, 0): int)): int) == ($struct_get(($struct_loc($old_self, 0): int)): int); + assume state(Heap, Mask); + + // -- Translating statement: // id = 117 + // assert ($struct_get($struct_loc($old_self, 5)): Bool) ==> + // ($struct_get($struct_loc(self, 5)): Bool) -- testsresourcesexamplesauction.vy.vpr@1280.3--1280.102 + if (($struct_get(($struct_loc($old_self, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 5)): Bool) might not hold. (testsresourcesexamplesauction.vy.vpr@1280.10--1280.102) [300]"} + ($struct_get(($struct_loc(self, 5): int)): bool); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 118 + // assert !($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) + + // ($struct_get($struct_loc(self, 4)): Int) <= + // ($struct_get($struct_loc(self, 7)): Int) -- testsresourcesexamplesauction.vy.vpr@1281.3--1281.212 + if (!($struct_get(($struct_loc(self, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) + ($struct_get($struct_loc(self, 4)): Int) <= ($struct_get($struct_loc(self, 7)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1281.10--1281.212) [301]"} + ($map_sum(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int)): int) + ($struct_get(($struct_loc(self, 4): int)): int) <= ($struct_get(($struct_loc(self, 7): int)): int); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 119 + // assert !($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) + + // ($struct_get($struct_loc(self, 4)): Int) == + // ($map_sum(($struct_get($struct_loc(self, 11)): $Map[Int, Int])): Int) - + // ($map_sum(($struct_get($struct_loc(self, 10)): $Map[Int, Int])): Int) -- testsresourcesexamplesauction.vy.vpr@1282.3--1282.313 + if (!($struct_get(($struct_loc(self, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) + ($struct_get($struct_loc(self, 4)): Int) == ($map_sum(($struct_get($struct_loc(self, 11)): $Map[Int, Int])): Int) - ($map_sum(($struct_get($struct_loc(self, 10)): $Map[Int, Int])): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1282.10--1282.313) [302]"} + ($map_sum(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int)): int) + ($struct_get(($struct_loc(self, 4): int)): int) == ($map_sum(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int)): int) - ($map_sum(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int)): int); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 120 + // assert ($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) <= + // ($struct_get($struct_loc(self, 7)): Int) -- testsresourcesexamplesauction.vy.vpr@1283.3--1283.168 + if (($struct_get(($struct_loc(self, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) <= ($struct_get($struct_loc(self, 7)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1283.10--1283.168) [303]"} + ($map_sum(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int)): int) <= ($struct_get(($struct_loc(self, 7): int)): int); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 121 + // assert ($struct_get($struct_loc(self, 4)): Int) >= + // ($struct_get($struct_loc($old_self, 4)): Int) -- testsresourcesexamplesauction.vy.vpr@1284.3--1284.99 + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 4)): Int) >= ($struct_get($struct_loc($old_self, 4)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1284.10--1284.99) [304]"} + ($struct_get(($struct_loc(self, 4): int)): int) >= ($struct_get(($struct_loc($old_self, 4): int)): int); + assume state(Heap, Mask); + + // -- Translating statement: // id = 122 + // assert ($struct_get($struct_loc($old_self, 5)): Bool) ==> + // ($struct_get($struct_loc(self, 4)): Int) == + // ($struct_get($struct_loc($old_self, 4)): Int) && + // ($struct_get($struct_loc(self, 3)): Int) == + // ($struct_get($struct_loc($old_self, 3)): Int) -- testsresourcesexamplesauction.vy.vpr@1285.3--1285.243 + if (($struct_get(($struct_loc($old_self, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 4)): Int) == ($struct_get($struct_loc($old_self, 4)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1285.10--1285.243) [305]"} + ($struct_get(($struct_loc(self, 4): int)): int) == ($struct_get(($struct_loc($old_self, 4): int)): int); + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 3)): Int) == ($struct_get($struct_loc($old_self, 3)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1285.10--1285.243) [306]"} + ($struct_get(($struct_loc(self, 3): int)): int) == ($struct_get(($struct_loc($old_self, 3): int)): int); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 123 + // assert ($struct_get($struct_loc(self, 0)): Int) != 0 -- testsresourcesexamplesauction.vy.vpr@1286.3--1286.55 + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 0)): Int) != 0 might not hold. (testsresourcesexamplesauction.vy.vpr@1286.10--1286.55) [307]"} + ($struct_get(($struct_loc(self, 0): int)): int) != 0; + assume state(Heap, Mask); + + // -- Translating statement: // id = 124 + // assert ($struct_get($struct_loc(self, 3)): Int) != + // ($struct_get($struct_loc(self, 0)): Int) -- testsresourcesexamplesauction.vy.vpr@1287.3--1287.94 + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 3)): Int) != ($struct_get($struct_loc(self, 0)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1287.10--1287.94) [308]"} + ($struct_get(($struct_loc(self, 3): int)): int) != ($struct_get(($struct_loc(self, 0): int)): int); + assume state(Heap, Mask); + + // -- Translating statement: // id = 125 + // assert ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 0)): Int)): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@1288.3--1288.125 + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), ($struct_get($struct_loc(self, 0)): Int)): Int) == 0 might not hold. (testsresourcesexamplesauction.vy.vpr@1288.10--1288.125) [309]"} + ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 0): int)): int)): int) == 0; + assume state(Heap, Mask); + + // -- Translating statement: // id = 126 + // assert !($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 0)): Int)): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@1289.3--1289.173 + if (!($struct_get(($struct_loc(self, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, 0)): Int)): Int) == 0 might not hold. (testsresourcesexamplesauction.vy.vpr@1289.10--1289.173) [310]"} + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 0): int)): int)): int) == 0; + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 127 + // assert ($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 0)): Int)): Int) == + // ($struct_get($struct_loc(self, 4)): Int) -- testsresourcesexamplesauction.vy.vpr@1290.3--1290.211 + if (($struct_get(($struct_loc(self, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, 0)): Int)): Int) == ($struct_get($struct_loc(self, 4)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1290.10--1290.211) [311]"} + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 0): int)): int)): int) == ($struct_get(($struct_loc(self, 4): int)): int); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 128 + // assert ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 3)): Int)): Int) + + // ($struct_get($struct_loc(self, 4)): Int) + + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 3)): Int)): Int) == + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 3)): Int)): Int) -- testsresourcesexamplesauction.vy.vpr@1291.3--1291.392 + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, 3)): Int)): Int) + ($struct_get($struct_loc(self, 4)): Int) + ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), ($struct_get($struct_loc(self, 3)): Int)): Int) == ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), ($struct_get($struct_loc(self, 3)): Int)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1291.10--1291.392) [312]"} + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 3): int)): int)): int) + ($struct_get(($struct_loc(self, 4): int)): int) + ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 3): int)): int)): int) == ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 3): int)): int)): int); + assume state(Heap, Mask); + + // -- Translating statement: // id = 129 + // assert (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // q$a != ($struct_get($struct_loc(self, 3)): Int) && + // q$a != ($struct_get($struct_loc(self, 0)): Int) ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) + + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) == + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int)) -- testsresourcesexamplesauction.vy.vpr@1292.3--1292.514 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> q$a != ($struct_get($struct_loc(self, 3)): Int) && q$a != ($struct_get($struct_loc(self, 0)): Int) ==> ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) + ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) == ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int)) + if (*) { + assume false; + } + if (*) { + if (0 <= q$a_10 && q$a_10 <= 1461501637330902918203684832716283019655932542975) { + if (q$a_10 != ($struct_get(($struct_loc(self, 3): int)): int) && q$a_10 != ($struct_get(($struct_loc(self, 0): int)): int)) { + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) + ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) == ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1292.11--1292.513) [313]"} + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), q$a_10): int) + ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_10): int) == ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_10): int); + } + } + assume false; + } + assume (forall q$a_11_1: int :: + { ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_11_1): int) } + 0 <= q$a_11_1 && q$a_11_1 <= 1461501637330902918203684832716283019655932542975 ==> q$a_11_1 != ($struct_get(($struct_loc(self, 3): int)): int) && q$a_11_1 != ($struct_get(($struct_loc(self, 0): int)): int) ==> ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), q$a_11_1): int) + ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_11_1): int) == ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_11_1): int) + ); + assume state(Heap, Mask); + + // -- Translating statement: // id = 130 + // assert ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), 0): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@1293.3--1293.87 + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), 0): Int) == 0 might not hold. (testsresourcesexamplesauction.vy.vpr@1293.10--1293.87) [314]"} + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), 0): int) == 0; + assume state(Heap, Mask); + + // -- Translating statement: // id = 131 + // assert (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) != + // 0 ==> + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) != + // 0) -- testsresourcesexamplesauction.vy.vpr@1294.3--1294.344 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) != 0 ==> ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) != 0) + if (*) { + assume false; + } + if (*) { + if (0 <= q$a_13 && q$a_13 <= 1461501637330902918203684832716283019655932542975) { + if (($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_13): int) != 0) { + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) != 0 might not hold. (testsresourcesexamplesauction.vy.vpr@1294.11--1294.343) [315]"} + ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_13): int) != 0; + } + } + assume false; + } + assume (forall q$a_14_1: int :: + { ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_14_1): int) } + 0 <= q$a_14_1 && q$a_14_1 <= 1461501637330902918203684832716283019655932542975 ==> ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_14_1): int) != 0 ==> ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_14_1): int) != 0 + ); + assume state(Heap, Mask); + + // -- Translating statement: // id = 132 + // assert (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // q$a != ($struct_get($struct_loc(self, 0)): Int) && + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) == + // 0 ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) == + // 0) -- testsresourcesexamplesauction.vy.vpr@1295.3--1295.397 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> q$a != ($struct_get($struct_loc(self, 0)): Int) && ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) == 0 ==> ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) == 0) + if (*) { + assume false; + } + if (*) { + if (0 <= q$a_16 && q$a_16 <= 1461501637330902918203684832716283019655932542975) { + if (q$a_16 != ($struct_get(($struct_loc(self, 0): int)): int) && ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_16): int) == 0) { + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) == 0 might not hold. (testsresourcesexamplesauction.vy.vpr@1295.11--1295.396) [316]"} + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), q$a_16): int) == 0; + } + } + assume false; + } + assume (forall q$a_17_1: int :: + { ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_17_1): int) } + 0 <= q$a_17_1 && q$a_17_1 <= 1461501637330902918203684832716283019655932542975 ==> q$a_17_1 != ($struct_get(($struct_loc(self, 0): int)): int) && ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_17_1): int) == 0 ==> ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), q$a_17_1): int) == 0 + ); + assume state(Heap, Mask); + + // -- Translating statement: // id = 133 + // assert (forall q$a: Int, q$v: Int :: + // { $accessible$withdraw(18, q$a, q$v) } + // 0 <= q$a && + // (q$a <= 1461501637330902918203684832716283019655932542975 && + // (0 <= q$v && + // q$v <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935)) ==> + // q$v == + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) ==> + // true) -- testsresourcesexamplesauction.vy.vpr@1296.3--1296.345 + + // -- Check definedness of (forall q$a: Int, q$v: Int :: { $accessible$withdraw(18, q$a, q$v) } 0 <= q$a && (q$a <= 1461501637330902918203684832716283019655932542975 && (0 <= q$v && q$v <= 115792089237316195423570985008687907853269984665640564039457584007913129639935)) ==> q$v == ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) ==> true) + if (*) { + assume false; + } + if (*) { + assume false; + } + assume state(Heap, Mask); + + // -- Translating statement: if (l$send_fail) -- testsresourcesexamplesauction.vy.vpr@1297.3--1300.4 + if (l$send_fail) { + + // -- Translating statement: // id = 134 + // inhale acc($failed(($struct_get($struct_loc(msg, 0)): Int)), write) -- testsresourcesexamplesauction.vy.vpr@1298.5--1298.72 + perm := FullPerm; + Mask[null, $failed(($struct_get(($struct_loc(msg, 0): int)): int))] := Mask[null, $failed(($struct_get(($struct_loc(msg, 0): int)): int))] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 135 + // goto revert -- testsresourcesexamplesauction.vy.vpr@1299.5--1299.16 + goto revert; + assume state(Heap, Mask); + } else { + + // -- Translating statement: // id = 136 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 137 + // $contracts := $old_$contracts -- testsresourcesexamplesauction.vy.vpr@1302.3--1302.32 + $contracts := $old_$contracts; + assume state(Heap, Mask); + + // -- Translating statement: // id = 138 + // $old_self := self -- testsresourcesexamplesauction.vy.vpr@1304.3--1304.20 + $old_self := self; + assume state(Heap, Mask); + + // -- Translating statement: // id = 139 + // $old_$contracts := $contracts -- testsresourcesexamplesauction.vy.vpr@1305.3--1305.32 + $old_$contracts := $contracts; + assume state(Heap, Mask); + + // -- Translating statement: // id = 140 + // i0$$pre_self := self -- testsresourcesexamplesauction.vy.vpr@1307.3--1307.23 + i0$$pre_self := self; + assume state(Heap, Mask); + + // -- Translating statement: // id = 141 + // i0$$pre_$contracts := $contracts -- testsresourcesexamplesauction.vy.vpr@1308.3--1308.35 + i0$$pre_$contracts := $contracts; + assume state(Heap, Mask); + + // -- Translating statement: // id = 142 + // $contracts := l$havoc$1 -- testsresourcesexamplesauction.vy.vpr@1310.3--1310.26 + $contracts := l$havoc$1; + assume state(Heap, Mask); + + // -- Translating statement: // id = 143 + // $old_$contracts := $contracts -- testsresourcesexamplesauction.vy.vpr@1312.3--1312.32 + $old_$contracts := $contracts; + assume state(Heap, Mask); + + // -- Translating statement: // id = 144 + // self := l$havoc$2 -- testsresourcesexamplesauction.vy.vpr@1314.3--1314.20 + self := l$havoc$2; + assume state(Heap, Mask); + + // -- Translating statement: // id = 145 + // $contracts := l$havoc$3 -- testsresourcesexamplesauction.vy.vpr@1315.3--1315.26 + $contracts := l$havoc$3; + assume state(Heap, Mask); + + // -- Translating statement: // id = 146 + // inhale 0 <= ($struct_get($struct_loc(self, 0)): Int) && + // ($struct_get($struct_loc(self, 0)): Int) <= + // 1461501637330902918203684832716283019655932542975 -- testsresourcesexamplesauction.vy.vpr@1317.3--1317.152 + assume 0 <= ($struct_get(($struct_loc(self, 0): int)): int); + assume ($struct_get(($struct_loc(self, 0): int)): int) <= 1461501637330902918203684832716283019655932542975; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 147 + // inhale 0 <= ($struct_get($struct_loc(self, 1)): Int) && + // ($struct_get($struct_loc(self, 1)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@1318.3--1318.181 + assume 0 <= ($struct_get(($struct_loc(self, 1): int)): int); + assume ($struct_get(($struct_loc(self, 1): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 148 + // inhale 0 <= ($struct_get($struct_loc(self, 2)): Int) && + // ($struct_get($struct_loc(self, 2)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@1319.3--1319.181 + assume 0 <= ($struct_get(($struct_loc(self, 2): int)): int); + assume ($struct_get(($struct_loc(self, 2): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 149 + // inhale 0 <= ($struct_get($struct_loc(self, 3)): Int) && + // ($struct_get($struct_loc(self, 3)): Int) <= + // 1461501637330902918203684832716283019655932542975 -- testsresourcesexamplesauction.vy.vpr@1320.3--1320.152 + assume 0 <= ($struct_get(($struct_loc(self, 3): int)): int); + assume ($struct_get(($struct_loc(self, 3): int)): int) <= 1461501637330902918203684832716283019655932542975; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 150 + // inhale 0 <= ($struct_get($struct_loc(self, 4)): Int) && + // ($struct_get($struct_loc(self, 4)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@1321.3--1321.181 + assume 0 <= ($struct_get(($struct_loc(self, 4): int)): int); + assume ($struct_get(($struct_loc(self, 4): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 151 + // inhale (forall $q0: Int :: + // { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) } + // 0 <= + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) && + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935) -- testsresourcesexamplesauction.vy.vpr@1322.3--1322.346 + + // -- Check definedness of (forall $q0: Int :: { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) } 0 <= ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) && ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) + if (*) { + assume false; + } + assume (forall $q0_5: int :: + { ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), $q0_5): int) } + 0 <= ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), $q0_5): int) && ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), $q0_5): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 152 + // inhale (forall $q0: Int :: + // { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) } + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) <= + // ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int)) -- testsresourcesexamplesauction.vy.vpr@1323.3--1323.254 + + // -- Check definedness of (forall $q0: Int :: { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) } ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) <= ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int)) + if (*) { + assume false; + } + assume (forall $q0_7: int :: + { ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), $q0_7): int) } + ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), $q0_7): int) <= ($map_sum(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int)): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 153 + // inhale 0 <= ($struct_get($struct_loc(self, 7)): Int) && + // ($struct_get($struct_loc(self, 7)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@1324.3--1324.181 + assume 0 <= ($struct_get(($struct_loc(self, 7): int)): int); + assume ($struct_get(($struct_loc(self, 7): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 154 + // inhale -170141183460469231731687303715884105728 <= + // ($struct_get($struct_loc(self, 8)): Int) && + // ($struct_get($struct_loc(self, 8)): Int) <= + // 170141183460469231731687303715884105727 -- testsresourcesexamplesauction.vy.vpr@1325.3--1325.181 + assume -170141183460469231731687303715884105728 <= ($struct_get(($struct_loc(self, 8): int)): int); + assume ($struct_get(($struct_loc(self, 8): int)): int) <= 170141183460469231731687303715884105727; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 155 + // inhale (forall $q1: Int :: + // { ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) } + // 0 <= + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) && + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935) -- testsresourcesexamplesauction.vy.vpr@1326.3--1326.349 + + // -- Check definedness of (forall $q1: Int :: { ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) } 0 <= ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) && ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) + if (*) { + assume false; + } + assume (forall $q1_5: int :: + { ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $q1_5): int) } + 0 <= ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $q1_5): int) && ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $q1_5): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 156 + // inhale (forall $q1: Int :: + // { ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) } + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) <= + // ($map_sum(($struct_get($struct_loc(self, 10)): $Map[Int, Int])): Int)) -- testsresourcesexamplesauction.vy.vpr@1327.3--1327.257 + + // -- Check definedness of (forall $q1: Int :: { ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) } ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) <= ($map_sum(($struct_get($struct_loc(self, 10)): $Map[Int, Int])): Int)) + if (*) { + assume false; + } + assume (forall $q1_7: int :: + { ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $q1_7): int) } + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $q1_7): int) <= ($map_sum(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int)): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 157 + // inhale (forall $q2: Int :: + // { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) } + // 0 <= + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) && + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935) -- testsresourcesexamplesauction.vy.vpr@1328.3--1328.349 + + // -- Check definedness of (forall $q2: Int :: { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) } 0 <= ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) && ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) + if (*) { + assume false; + } + assume (forall $q2_5: int :: + { ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), $q2_5): int) } + 0 <= ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), $q2_5): int) && ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), $q2_5): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 158 + // inhale (forall $q2: Int :: + // { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) } + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) <= + // ($map_sum(($struct_get($struct_loc(self, 11)): $Map[Int, Int])): Int)) -- testsresourcesexamplesauction.vy.vpr@1329.3--1329.257 + + // -- Check definedness of (forall $q2: Int :: { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) } ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) <= ($map_sum(($struct_get($struct_loc(self, 11)): $Map[Int, Int])): Int)) + if (*) { + assume false; + } + assume (forall $q2_7: int :: + { ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), $q2_7): int) } + ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), $q2_7): int) <= ($map_sum(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int)): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 159 + // inhale ($struct_get($struct_loc(self, -1)): Int) == + // 9122519725869122497593506884710 -- testsresourcesexamplesauction.vy.vpr@1330.3--1330.86 + assume ($struct_get(($struct_loc(self, -1): int)): int) == 9122519725869122497593506884710; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 160 + // inhale (forall $a: Int :: + // { ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $a): Int) } + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $a): Int) >= + // ($map_get(($struct_get($struct_loc($old_self, 10)): $Map[Int, Int]), $a): Int)) -- testsresourcesexamplesauction.vy.vpr@1332.3--1332.263 + + // -- Check definedness of (forall $a: Int :: { ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $a): Int) } ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $a): Int) >= ($map_get(($struct_get($struct_loc($old_self, 10)): $Map[Int, Int]), $a): Int)) + if (*) { + assume false; + } + assume (forall $a_3: int :: + { ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $a_3): int) } + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $a_3): int) >= ($map_get(($struct_get(($struct_loc($old_self, 10): int)): $MapDomainType int int), $a_3): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 161 + // inhale ($struct_get($struct_loc(self, 3)): Int) == 0 ==> + // ($struct_get($struct_loc(self, 4)): Int) == 0 -- testsresourcesexamplesauction.vy.vpr@1333.3--1333.105 + if (($struct_get(($struct_loc(self, 3): int)): int) == 0) { + assume ($struct_get(($struct_loc(self, 4): int)): int) == 0; + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 162 + // inhale ($struct_get($struct_loc(self, 0)): Int) == + // ($struct_get($struct_loc($old_self, 0)): Int) -- testsresourcesexamplesauction.vy.vpr@1334.3--1334.99 + assume ($struct_get(($struct_loc(self, 0): int)): int) == ($struct_get(($struct_loc($old_self, 0): int)): int); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 163 + // inhale ($struct_get($struct_loc($old_self, 5)): Bool) ==> + // ($struct_get($struct_loc(self, 5)): Bool) -- testsresourcesexamplesauction.vy.vpr@1335.3--1335.102 + if (($struct_get(($struct_loc($old_self, 5): int)): bool)) { + assume ($struct_get(($struct_loc(self, 5): int)): bool); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 164 + // inhale !($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) + + // ($struct_get($struct_loc(self, 4)): Int) <= + // ($struct_get($struct_loc(self, 7)): Int) -- testsresourcesexamplesauction.vy.vpr@1336.3--1336.212 + if (!($struct_get(($struct_loc(self, 5): int)): bool)) { + assume ($map_sum(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int)): int) + ($struct_get(($struct_loc(self, 4): int)): int) <= ($struct_get(($struct_loc(self, 7): int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 165 + // inhale !($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) + + // ($struct_get($struct_loc(self, 4)): Int) == + // ($map_sum(($struct_get($struct_loc(self, 11)): $Map[Int, Int])): Int) - + // ($map_sum(($struct_get($struct_loc(self, 10)): $Map[Int, Int])): Int) -- testsresourcesexamplesauction.vy.vpr@1337.3--1337.313 + if (!($struct_get(($struct_loc(self, 5): int)): bool)) { + assume ($map_sum(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int)): int) + ($struct_get(($struct_loc(self, 4): int)): int) == ($map_sum(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int)): int) - ($map_sum(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 166 + // inhale ($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) <= + // ($struct_get($struct_loc(self, 7)): Int) -- testsresourcesexamplesauction.vy.vpr@1338.3--1338.168 + if (($struct_get(($struct_loc(self, 5): int)): bool)) { + assume ($map_sum(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int)): int) <= ($struct_get(($struct_loc(self, 7): int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 167 + // inhale ($struct_get($struct_loc(self, 4)): Int) >= + // ($struct_get($struct_loc($old_self, 4)): Int) -- testsresourcesexamplesauction.vy.vpr@1339.3--1339.99 + assume ($struct_get(($struct_loc(self, 4): int)): int) >= ($struct_get(($struct_loc($old_self, 4): int)): int); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 168 + // inhale ($struct_get($struct_loc($old_self, 5)): Bool) ==> + // ($struct_get($struct_loc(self, 4)): Int) == + // ($struct_get($struct_loc($old_self, 4)): Int) && + // ($struct_get($struct_loc(self, 3)): Int) == + // ($struct_get($struct_loc($old_self, 3)): Int) -- testsresourcesexamplesauction.vy.vpr@1340.3--1340.243 + if (($struct_get(($struct_loc($old_self, 5): int)): bool)) { + assume ($struct_get(($struct_loc(self, 4): int)): int) == ($struct_get(($struct_loc($old_self, 4): int)): int); + assume ($struct_get(($struct_loc(self, 3): int)): int) == ($struct_get(($struct_loc($old_self, 3): int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 169 + // inhale ($struct_get($struct_loc(self, 0)): Int) != 0 -- testsresourcesexamplesauction.vy.vpr@1341.3--1341.55 + assume ($struct_get(($struct_loc(self, 0): int)): int) != 0; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 170 + // inhale ($struct_get($struct_loc(self, 3)): Int) != + // ($struct_get($struct_loc(self, 0)): Int) -- testsresourcesexamplesauction.vy.vpr@1342.3--1342.94 + assume ($struct_get(($struct_loc(self, 3): int)): int) != ($struct_get(($struct_loc(self, 0): int)): int); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 171 + // inhale ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 0)): Int)): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@1343.3--1343.125 + assume ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 0): int)): int)): int) == 0; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 172 + // inhale !($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 0)): Int)): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@1344.3--1344.173 + if (!($struct_get(($struct_loc(self, 5): int)): bool)) { + assume ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 0): int)): int)): int) == 0; + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 173 + // inhale ($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 0)): Int)): Int) == + // ($struct_get($struct_loc(self, 4)): Int) -- testsresourcesexamplesauction.vy.vpr@1345.3--1345.211 + if (($struct_get(($struct_loc(self, 5): int)): bool)) { + assume ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 0): int)): int)): int) == ($struct_get(($struct_loc(self, 4): int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 174 + // inhale ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 3)): Int)): Int) + + // ($struct_get($struct_loc(self, 4)): Int) + + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 3)): Int)): Int) == + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 3)): Int)): Int) -- testsresourcesexamplesauction.vy.vpr@1346.3--1346.392 + assume ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 3): int)): int)): int) + ($struct_get(($struct_loc(self, 4): int)): int) + ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 3): int)): int)): int) == ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 3): int)): int)): int); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 175 + // inhale (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // q$a != ($struct_get($struct_loc(self, 3)): Int) && + // q$a != ($struct_get($struct_loc(self, 0)): Int) ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) + + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) == + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int)) -- testsresourcesexamplesauction.vy.vpr@1347.3--1347.514 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> q$a != ($struct_get($struct_loc(self, 3)): Int) && q$a != ($struct_get($struct_loc(self, 0)): Int) ==> ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) + ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) == ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int)) + if (*) { + assume false; + } + assume (forall q$a_22: int :: + { ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_22): int) } + 0 <= q$a_22 && q$a_22 <= 1461501637330902918203684832716283019655932542975 ==> q$a_22 != ($struct_get(($struct_loc(self, 3): int)): int) && q$a_22 != ($struct_get(($struct_loc(self, 0): int)): int) ==> ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), q$a_22): int) + ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_22): int) == ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_22): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 176 + // inhale ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), 0): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@1348.3--1348.87 + assume ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), 0): int) == 0; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 177 + // inhale (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) != + // 0 ==> + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) != + // 0) -- testsresourcesexamplesauction.vy.vpr@1349.3--1349.344 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) != 0 ==> ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) != 0) + if (*) { + assume false; + } + assume (forall q$a_24: int :: + { ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_24): int) } + 0 <= q$a_24 && q$a_24 <= 1461501637330902918203684832716283019655932542975 ==> ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_24): int) != 0 ==> ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_24): int) != 0 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 178 + // inhale (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // q$a != ($struct_get($struct_loc(self, 0)): Int) && + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) == + // 0 ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) == + // 0) -- testsresourcesexamplesauction.vy.vpr@1350.3--1350.397 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> q$a != ($struct_get($struct_loc(self, 0)): Int) && ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) == 0 ==> ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) == 0) + if (*) { + assume false; + } + assume (forall q$a_26: int :: + { ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_26): int) } + 0 <= q$a_26 && q$a_26 <= 1461501637330902918203684832716283019655932542975 ==> q$a_26 != ($struct_get(($struct_loc(self, 0): int)): int) && ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_26): int) == 0 ==> ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), q$a_26): int) == 0 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 179 + // inhale (forall q$a: Int, q$v: Int :: + // { $accessible$withdraw(18, q$a, q$v) } + // 0 <= q$a && + // (q$a <= 1461501637330902918203684832716283019655932542975 && + // (0 <= q$v && + // q$v <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935)) ==> + // q$v == + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) ==> + // true) -- testsresourcesexamplesauction.vy.vpr@1351.3--1351.345 + + // -- Check definedness of (forall q$a: Int, q$v: Int :: { $accessible$withdraw(18, q$a, q$v) } 0 <= q$a && (q$a <= 1461501637330902918203684832716283019655932542975 && (0 <= q$v && q$v <= 115792089237316195423570985008687907853269984665640564039457584007913129639935)) ==> q$v == ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) ==> true) + if (*) { + assume false; + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: if (l$no_reentrant_call) -- testsresourcesexamplesauction.vy.vpr@1352.3--1356.4 + if (l$no_reentrant_call) { + + // -- Translating statement: // id = 180 + // self := $old_self -- testsresourcesexamplesauction.vy.vpr@1354.5--1354.22 + self := $old_self; + assume state(Heap, Mask); + + // -- Translating statement: // id = 181 + // $contracts := $old_$contracts -- testsresourcesexamplesauction.vy.vpr@1355.5--1355.34 + $contracts := $old_$contracts; + assume state(Heap, Mask); + } else { + + // -- Translating statement: // id = 182 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 183 + // $old_$contracts := $contracts -- testsresourcesexamplesauction.vy.vpr@1358.3--1358.32 + $old_$contracts := $contracts; + assume state(Heap, Mask); + + // -- Translating statement: // id = 184 + // $contracts := l$havoc$4 -- testsresourcesexamplesauction.vy.vpr@1360.3--1360.26 + $contracts := l$havoc$4; + assume state(Heap, Mask); + + // -- Translating statement: // id = 185 + // $old_$contracts := i0$$pre_$contracts -- testsresourcesexamplesauction.vy.vpr@1362.3--1362.40 + $old_$contracts := i0$$pre_$contracts; + assume state(Heap, Mask); + + // -- Translating statement: // id = 186 + // $old_$contracts := $contracts -- testsresourcesexamplesauction.vy.vpr@1364.3--1364.32 + $old_$contracts := $contracts; + assume state(Heap, Mask); + + // -- Translating statement: // id = 187 + // $contracts := l$havoc$5 -- testsresourcesexamplesauction.vy.vpr@1366.3--1366.26 + $contracts := l$havoc$5; + assume state(Heap, Mask); + + // -- Translating statement: // id = 188 + // $old_$contracts := i0$$pre_$contracts -- testsresourcesexamplesauction.vy.vpr@1368.3--1368.40 + $old_$contracts := i0$$pre_$contracts; + assume state(Heap, Mask); + + // -- Translating statement: // id = 189 + // $old_self := self -- testsresourcesexamplesauction.vy.vpr@1370.3--1370.20 + $old_self := self; + assume state(Heap, Mask); + + // -- Translating statement: // id = 190 + // $old_$contracts := $contracts -- testsresourcesexamplesauction.vy.vpr@1371.3--1371.32 + $old_$contracts := $contracts; + assume state(Heap, Mask); + + // -- Translating statement: // id = 191 + // label return -- testsresourcesexamplesauction.vy.vpr@1372.3--1372.15 + vreturn: + LabelreturnMask := Mask; + LabelreturnHeap := Heap; + return_lblGuard := true; + assume state(Heap, Mask); + + // -- Translating statement: if ($out_of_gas) -- testsresourcesexamplesauction.vy.vpr@1373.3--1375.4 + if ($out_of_gas) { + + // -- Translating statement: // id = 192 + // goto revert -- testsresourcesexamplesauction.vy.vpr@1374.5--1374.16 + goto revert; + assume state(Heap, Mask); + } else { + + // -- Translating statement: // id = 193 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 194 + // goto end -- testsresourcesexamplesauction.vy.vpr@1376.3--1376.11 + goto end; + assume state(Heap, Mask); + + // -- Translating statement: // id = 195 + // label revert -- testsresourcesexamplesauction.vy.vpr@1377.3--1377.15 + revert: + LabelrevertMask := Mask; + LabelrevertHeap := Heap; + revert_lblGuard := true; + assume state(Heap, Mask); + + // -- Translating statement: // id = 196 + // $succ := false -- testsresourcesexamplesauction.vy.vpr@1378.3--1378.17 + $succ := false; + assume state(Heap, Mask); + + // -- Translating statement: // id = 197 + // self := $pre_self -- testsresourcesexamplesauction.vy.vpr@1380.3--1380.20 + self := $pre_self; + assume state(Heap, Mask); + + // -- Translating statement: // id = 198 + // $contracts := $pre_$contracts -- testsresourcesexamplesauction.vy.vpr@1381.3--1381.32 + $contracts := $pre_$contracts; + assume state(Heap, Mask); + + // -- Translating statement: // id = 199 + // $old_self := $pre_self -- testsresourcesexamplesauction.vy.vpr@1383.3--1383.25 + $old_self := $pre_self; + assume state(Heap, Mask); + + // -- Translating statement: // id = 200 + // $old_$contracts := $pre_$contracts -- testsresourcesexamplesauction.vy.vpr@1384.3--1384.37 + $old_$contracts := $pre_$contracts; + assume state(Heap, Mask); + + // -- Translating statement: // id = 201 + // label end -- testsresourcesexamplesauction.vy.vpr@1385.3--1385.12 + end: + LabelendMask := Mask; + LabelendHeap := Heap; + end_lblGuard := true; + assume state(Heap, Mask); + + // -- Translating statement: // id = 202 + // exhale !($out_of_gas || + // ($out_of_gas || + // perm($failed(($struct_get($struct_loc(msg, 0)): Int))) > none)) ==> + // $succ -- testsresourcesexamplesauction.vy.vpr@1387.3--1387.116 + if (!($out_of_gas || ($out_of_gas || NoPerm < Mask[null, $failed(($struct_get(($struct_loc(msg, 0): int)): int))]))) { + assert {:msg " Exhale might fail. Assertion $succ might not hold. (testsresourcesexamplesauction.vy.vpr@1387.10--1387.116) [319]"} + $succ; + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 203 + // assert $succ && + // (($struct_get($struct_loc(msg, 1)): Int) > + // ($struct_get($struct_loc($pre_self, 4)): Int) && + // ($struct_get($struct_loc(self, 3)): Int) != 0) ==> + // ($struct_get($struct_loc(msg, 0)): Int) == + // ($struct_get($struct_loc(self, 3)): Int) -- testsresourcesexamplesauction.vy.vpr@1388.3--1388.243 + if ($succ && (($struct_get(($struct_loc(msg, 1): int)): int) > ($struct_get(($struct_loc($pre_self, 4): int)): int) && ($struct_get(($struct_loc(self, 3): int)): int) != 0)) { + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(msg, 0)): Int) == ($struct_get($struct_loc(self, 3)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1388.10--1388.243) [320]"} + ($struct_get(($struct_loc(msg, 0): int)): int) == ($struct_get(($struct_loc(self, 3): int)): int); + } + assume state(Heap, Mask); + + // -- Translating statement: if ($succ) -- testsresourcesexamplesauction.vy.vpr@1390.3--1392.4 + if ($succ) { + + // -- Translating statement: // id = 204 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + } else { + + // -- Translating statement: // id = 205 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 206 + // inhale l$havoc$6 >= 0 -- testsresourcesexamplesauction.vy.vpr@1393.3--1393.24 + assume l$havoc$6 >= 0; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 207 + // self := ($struct_set(self, 7, ($struct_get($struct_loc(self, 7)): Int) + + // l$havoc$6): $Struct) -- testsresourcesexamplesauction.vy.vpr@1394.3--1394.96 + self := ($struct_set(self, 7, ($struct_get(($struct_loc(self, 7): int)): int) + l$havoc$6): $StructDomainType); + assume state(Heap, Mask); + + // -- Translating statement: // id = 208 + // $contracts := l$havoc$7 -- testsresourcesexamplesauction.vy.vpr@1396.3--1396.26 + $contracts := l$havoc$7; + assume state(Heap, Mask); + + // -- Translating statement: // id = 209 + // assert ($struct_get($struct_loc(self, 3)): Int) == 0 ==> + // ($struct_get($struct_loc(self, 4)): Int) == 0 -- testsresourcesexamplesauction.vy.vpr@1398.3--1398.105 + if (($struct_get(($struct_loc(self, 3): int)): int) == 0) { + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 4)): Int) == 0 might not hold. (testsresourcesexamplesauction.vy.vpr@1398.10--1398.105) [321]"} + ($struct_get(($struct_loc(self, 4): int)): int) == 0; + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 210 + // assert ($struct_get($struct_loc(self, 0)): Int) == + // ($struct_get($struct_loc($old_self, 0)): Int) -- testsresourcesexamplesauction.vy.vpr@1399.3--1399.99 + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 0)): Int) == ($struct_get($struct_loc($old_self, 0)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1399.10--1399.99) [322]"} + ($struct_get(($struct_loc(self, 0): int)): int) == ($struct_get(($struct_loc($old_self, 0): int)): int); + assume state(Heap, Mask); + + // -- Translating statement: // id = 211 + // assert ($struct_get($struct_loc($old_self, 5)): Bool) ==> + // ($struct_get($struct_loc(self, 5)): Bool) -- testsresourcesexamplesauction.vy.vpr@1400.3--1400.102 + if (($struct_get(($struct_loc($old_self, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 5)): Bool) might not hold. (testsresourcesexamplesauction.vy.vpr@1400.10--1400.102) [323]"} + ($struct_get(($struct_loc(self, 5): int)): bool); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 212 + // assert !($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) + + // ($struct_get($struct_loc(self, 4)): Int) <= + // ($struct_get($struct_loc(self, 7)): Int) -- testsresourcesexamplesauction.vy.vpr@1401.3--1401.212 + if (!($struct_get(($struct_loc(self, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) + ($struct_get($struct_loc(self, 4)): Int) <= ($struct_get($struct_loc(self, 7)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1401.10--1401.212) [324]"} + ($map_sum(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int)): int) + ($struct_get(($struct_loc(self, 4): int)): int) <= ($struct_get(($struct_loc(self, 7): int)): int); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 213 + // assert !($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) + + // ($struct_get($struct_loc(self, 4)): Int) == + // ($map_sum(($struct_get($struct_loc(self, 11)): $Map[Int, Int])): Int) - + // ($map_sum(($struct_get($struct_loc(self, 10)): $Map[Int, Int])): Int) -- testsresourcesexamplesauction.vy.vpr@1402.3--1402.313 + if (!($struct_get(($struct_loc(self, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) + ($struct_get($struct_loc(self, 4)): Int) == ($map_sum(($struct_get($struct_loc(self, 11)): $Map[Int, Int])): Int) - ($map_sum(($struct_get($struct_loc(self, 10)): $Map[Int, Int])): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1402.10--1402.313) [325]"} + ($map_sum(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int)): int) + ($struct_get(($struct_loc(self, 4): int)): int) == ($map_sum(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int)): int) - ($map_sum(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int)): int); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 214 + // assert ($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) <= + // ($struct_get($struct_loc(self, 7)): Int) -- testsresourcesexamplesauction.vy.vpr@1403.3--1403.168 + if (($struct_get(($struct_loc(self, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) <= ($struct_get($struct_loc(self, 7)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1403.10--1403.168) [326]"} + ($map_sum(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int)): int) <= ($struct_get(($struct_loc(self, 7): int)): int); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 215 + // assert ($struct_get($struct_loc(self, 4)): Int) >= + // ($struct_get($struct_loc($old_self, 4)): Int) -- testsresourcesexamplesauction.vy.vpr@1404.3--1404.99 + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 4)): Int) >= ($struct_get($struct_loc($old_self, 4)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1404.10--1404.99) [327]"} + ($struct_get(($struct_loc(self, 4): int)): int) >= ($struct_get(($struct_loc($old_self, 4): int)): int); + assume state(Heap, Mask); + + // -- Translating statement: // id = 216 + // assert ($struct_get($struct_loc($old_self, 5)): Bool) ==> + // ($struct_get($struct_loc(self, 4)): Int) == + // ($struct_get($struct_loc($old_self, 4)): Int) && + // ($struct_get($struct_loc(self, 3)): Int) == + // ($struct_get($struct_loc($old_self, 3)): Int) -- testsresourcesexamplesauction.vy.vpr@1405.3--1405.243 + if (($struct_get(($struct_loc($old_self, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 4)): Int) == ($struct_get($struct_loc($old_self, 4)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1405.10--1405.243) [328]"} + ($struct_get(($struct_loc(self, 4): int)): int) == ($struct_get(($struct_loc($old_self, 4): int)): int); + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 3)): Int) == ($struct_get($struct_loc($old_self, 3)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1405.10--1405.243) [329]"} + ($struct_get(($struct_loc(self, 3): int)): int) == ($struct_get(($struct_loc($old_self, 3): int)): int); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 217 + // assert ($struct_get($struct_loc(self, 0)): Int) != 0 -- testsresourcesexamplesauction.vy.vpr@1406.3--1406.55 + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 0)): Int) != 0 might not hold. (testsresourcesexamplesauction.vy.vpr@1406.10--1406.55) [330]"} + ($struct_get(($struct_loc(self, 0): int)): int) != 0; + assume state(Heap, Mask); + + // -- Translating statement: // id = 218 + // assert ($struct_get($struct_loc(self, 3)): Int) != + // ($struct_get($struct_loc(self, 0)): Int) -- testsresourcesexamplesauction.vy.vpr@1407.3--1407.94 + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 3)): Int) != ($struct_get($struct_loc(self, 0)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1407.10--1407.94) [331]"} + ($struct_get(($struct_loc(self, 3): int)): int) != ($struct_get(($struct_loc(self, 0): int)): int); + assume state(Heap, Mask); + + // -- Translating statement: // id = 219 + // assert ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 0)): Int)): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@1408.3--1408.125 + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), ($struct_get($struct_loc(self, 0)): Int)): Int) == 0 might not hold. (testsresourcesexamplesauction.vy.vpr@1408.10--1408.125) [332]"} + ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 0): int)): int)): int) == 0; + assume state(Heap, Mask); + + // -- Translating statement: // id = 220 + // assert !($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 0)): Int)): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@1409.3--1409.173 + if (!($struct_get(($struct_loc(self, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, 0)): Int)): Int) == 0 might not hold. (testsresourcesexamplesauction.vy.vpr@1409.10--1409.173) [333]"} + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 0): int)): int)): int) == 0; + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 221 + // assert ($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 0)): Int)): Int) == + // ($struct_get($struct_loc(self, 4)): Int) -- testsresourcesexamplesauction.vy.vpr@1410.3--1410.211 + if (($struct_get(($struct_loc(self, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, 0)): Int)): Int) == ($struct_get($struct_loc(self, 4)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1410.10--1410.211) [334]"} + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 0): int)): int)): int) == ($struct_get(($struct_loc(self, 4): int)): int); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 222 + // assert ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 3)): Int)): Int) + + // ($struct_get($struct_loc(self, 4)): Int) + + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 3)): Int)): Int) == + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 3)): Int)): Int) -- testsresourcesexamplesauction.vy.vpr@1411.3--1411.392 + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, 3)): Int)): Int) + ($struct_get($struct_loc(self, 4)): Int) + ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), ($struct_get($struct_loc(self, 3)): Int)): Int) == ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), ($struct_get($struct_loc(self, 3)): Int)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1411.10--1411.392) [335]"} + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 3): int)): int)): int) + ($struct_get(($struct_loc(self, 4): int)): int) + ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 3): int)): int)): int) == ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 3): int)): int)): int); + assume state(Heap, Mask); + + // -- Translating statement: // id = 223 + // assert (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // q$a != ($struct_get($struct_loc(self, 3)): Int) && + // q$a != ($struct_get($struct_loc(self, 0)): Int) ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) + + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) == + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int)) -- testsresourcesexamplesauction.vy.vpr@1412.3--1412.514 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> q$a != ($struct_get($struct_loc(self, 3)): Int) && q$a != ($struct_get($struct_loc(self, 0)): Int) ==> ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) + ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) == ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int)) + if (*) { + assume false; + } + if (*) { + if (0 <= q$a_30 && q$a_30 <= 1461501637330902918203684832716283019655932542975) { + if (q$a_30 != ($struct_get(($struct_loc(self, 3): int)): int) && q$a_30 != ($struct_get(($struct_loc(self, 0): int)): int)) { + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) + ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) == ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1412.11--1412.513) [336]"} + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), q$a_30): int) + ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_30): int) == ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_30): int); + } + } + assume false; + } + assume (forall q$a_31_1: int :: + { ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_31_1): int) } + 0 <= q$a_31_1 && q$a_31_1 <= 1461501637330902918203684832716283019655932542975 ==> q$a_31_1 != ($struct_get(($struct_loc(self, 3): int)): int) && q$a_31_1 != ($struct_get(($struct_loc(self, 0): int)): int) ==> ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), q$a_31_1): int) + ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_31_1): int) == ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_31_1): int) + ); + assume state(Heap, Mask); + + // -- Translating statement: // id = 224 + // assert ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), 0): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@1413.3--1413.87 + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), 0): Int) == 0 might not hold. (testsresourcesexamplesauction.vy.vpr@1413.10--1413.87) [337]"} + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), 0): int) == 0; + assume state(Heap, Mask); + + // -- Translating statement: // id = 225 + // assert (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) != + // 0 ==> + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) != + // 0) -- testsresourcesexamplesauction.vy.vpr@1414.3--1414.344 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) != 0 ==> ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) != 0) + if (*) { + assume false; + } + if (*) { + if (0 <= q$a_33 && q$a_33 <= 1461501637330902918203684832716283019655932542975) { + if (($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_33): int) != 0) { + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) != 0 might not hold. (testsresourcesexamplesauction.vy.vpr@1414.11--1414.343) [338]"} + ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_33): int) != 0; + } + } + assume false; + } + assume (forall q$a_34_1: int :: + { ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_34_1): int) } + 0 <= q$a_34_1 && q$a_34_1 <= 1461501637330902918203684832716283019655932542975 ==> ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_34_1): int) != 0 ==> ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_34_1): int) != 0 + ); + assume state(Heap, Mask); + + // -- Translating statement: // id = 226 + // assert (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // q$a != ($struct_get($struct_loc(self, 0)): Int) && + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) == + // 0 ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) == + // 0) -- testsresourcesexamplesauction.vy.vpr@1415.3--1415.397 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> q$a != ($struct_get($struct_loc(self, 0)): Int) && ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) == 0 ==> ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) == 0) + if (*) { + assume false; + } + if (*) { + if (0 <= q$a_36 && q$a_36 <= 1461501637330902918203684832716283019655932542975) { + if (q$a_36 != ($struct_get(($struct_loc(self, 0): int)): int) && ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_36): int) == 0) { + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) == 0 might not hold. (testsresourcesexamplesauction.vy.vpr@1415.11--1415.396) [339]"} + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), q$a_36): int) == 0; + } + } + assume false; + } + assume (forall q$a_37_1: int :: + { ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_37_1): int) } + 0 <= q$a_37_1 && q$a_37_1 <= 1461501637330902918203684832716283019655932542975 ==> q$a_37_1 != ($struct_get(($struct_loc(self, 0): int)): int) && ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_37_1): int) == 0 ==> ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), q$a_37_1): int) == 0 + ); + assume state(Heap, Mask); + + // -- Translating statement: // id = 227 + // assert (forall q$a: Int, q$v: Int :: + // { $accessible$withdraw(18, q$a, q$v) } + // 0 <= q$a && + // (q$a <= 1461501637330902918203684832716283019655932542975 && + // (0 <= q$v && + // q$v <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935)) ==> + // q$v == + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) ==> + // true) -- testsresourcesexamplesauction.vy.vpr@1416.3--1416.345 + + // -- Check definedness of (forall q$a: Int, q$v: Int :: { $accessible$withdraw(18, q$a, q$v) } 0 <= q$a && (q$a <= 1461501637330902918203684832716283019655932542975 && (0 <= q$v && q$v <= 115792089237316195423570985008687907853269984665640564039457584007913129639935)) ==> q$v == ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) ==> true) + if (*) { + assume false; + } + if (*) { + assume false; + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 228 + // assert (forall $a: Int :: + // { $accessible$withdraw(18, ($struct_get($struct_loc(msg, 0)): Int), $a) } + // perm($accessible$withdraw(18, ($struct_get($struct_loc(msg, 0)): Int), $a)) > + // none ==> + // (!(perm($failed(($struct_get($struct_loc(msg, 0)): Int))) > none || + // $out_of_gas) ==> + // $succ) && + // ($succ ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(msg, + // 0)): Int)): Int) - + // ($map_get(($struct_get($struct_loc($pre_self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(msg, + // 0)): Int)): Int) >= + // $a)) -- testsresourcesexamplesauction.vy.vpr@1418.3--1418.532 + + // -- Check definedness of (forall $a: Int :: { $accessible$withdraw(18, ($struct_get($struct_loc(msg, 0)): Int), $a) } perm($accessible$withdraw(18, ($struct_get($struct_loc(msg, 0)): Int), $a)) > none ==> (!(perm($failed(($struct_get($struct_loc(msg, 0)): Int))) > none || $out_of_gas) ==> $succ) && ($succ ==> ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(msg, 0)): Int)): Int) - ($map_get(($struct_get($struct_loc($pre_self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(msg, 0)): Int)): Int) >= $a)) + if (*) { + assume false; + } + if (*) { + if (NoPerm < Mask[null, $accessible$withdraw(18, ($struct_get(($struct_loc(msg, 0): int)): int), $a_5)]) { + if (!(NoPerm < Mask[null, $failed(($struct_get(($struct_loc(msg, 0): int)): int))] || $out_of_gas)) { + assert {:msg " Assert might fail. Assertion $succ might not hold. (testsresourcesexamplesauction.vy.vpr@1418.11--1418.531) [341]"} + $succ; + } + if ($succ) { + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(msg, 0)): Int)): Int) - ($map_get(($struct_get($struct_loc($pre_self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(msg, 0)): Int)): Int) >= $a might not hold. (testsresourcesexamplesauction.vy.vpr@1418.11--1418.531) [342]"} + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc(msg, 0): int)): int)): int) - ($map_get(($struct_get(($struct_loc($pre_self, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc(msg, 0): int)): int)): int) >= $a_5; + } + } + assume false; + } + assume (forall $a_6_1: int :: + { Heap[null, $accessible$withdraw(18, ($struct_get(($struct_loc(msg, 0): int)): int), $a_6_1)] } + NoPerm < Mask[null, $accessible$withdraw(18, ($struct_get(($struct_loc(msg, 0): int)): int), $a_6_1)] ==> (!(NoPerm < Mask[null, $failed(($struct_get(($struct_loc(msg, 0): int)): int))] || $out_of_gas) ==> $succ) && ($succ ==> ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc(msg, 0): int)): int)): int) - ($map_get(($struct_get(($struct_loc($pre_self, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc(msg, 0): int)): int)): int) >= $a_6_1) + ); + assume state(Heap, Mask); +} + +// ================================================== +// Translation of method f$endAuction +// ================================================== + +procedure f$endAuction() returns ($succ: bool) + modifies Heap, Mask; +{ + var revert_lblGuard: bool; + var end_lblGuard: bool; + var return_lblGuard: bool; + var self: $StructDomainType; + var block: $StructDomainType; + var msg: $StructDomainType; + var $pre_self: $StructDomainType; + var $pre_$contracts: ($MapDomainType int $StructDomainType); + var $contracts: ($MapDomainType int $StructDomainType); + var $old_self: $StructDomainType; + var $old_$contracts: ($MapDomainType int $StructDomainType); + var $overflow: bool; + var l$havoc: ($MapDomainType int $StructDomainType); + var q$a_9: int; + var q$a_12: int; + var q$a_15: int; + var l$send_fail: bool; + var perm: Perm; + var i0$$pre_self: $StructDomainType; + var i0$$pre_$contracts: ($MapDomainType int $StructDomainType); + var l$havoc$1: ($MapDomainType int $StructDomainType); + var l$havoc$2: $StructDomainType; + var l$havoc$3: ($MapDomainType int $StructDomainType); + var l$no_reentrant_call: bool; + var l$havoc$4: ($MapDomainType int $StructDomainType); + var l$havoc$5: ($MapDomainType int $StructDomainType); + var LabelreturnMask: MaskType; + var LabelreturnHeap: HeapType; + var $out_of_gas: bool; + var LabelrevertMask: MaskType; + var LabelrevertHeap: HeapType; + var LabelendMask: MaskType; + var LabelendHeap: HeapType; + var l$havoc$6: int; + var l$havoc$7: ($MapDomainType int $StructDomainType); + var q$a_29: int; + var q$a_32: int; + var q$a_35: int; + + // -- Initializing the state + Mask := ZeroMask; + assume state(Heap, Mask); + assume AssumeFunctionsAbove == -1; + revert_lblGuard := false; + end_lblGuard := false; + return_lblGuard := false; + + // -- Initializing of old state + + // -- Initializing the old state + assume Heap == old(Heap); + assume Mask == old(Mask); + + // -- Translating statement: // id = 1 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 2 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 3 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 4 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 5 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 6 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 7 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 8 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 9 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 10 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 11 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 12 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 13 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 14 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 15 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 16 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 17 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 18 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 19 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 20 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 21 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 22 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 23 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 24 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 25 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 26 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 27 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 28 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 29 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 30 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 31 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 32 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 33 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 34 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 35 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 36 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 37 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 38 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 39 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 40 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 41 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 42 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 43 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 44 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 45 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 46 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 47 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 48 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 49 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 50 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 51 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: // id = 52 + // inhale 0 <= ($struct_get($struct_loc(self, 0)): Int) && + // ($struct_get($struct_loc(self, 0)): Int) <= + // 1461501637330902918203684832716283019655932542975 -- testsresourcesexamplesauction.vy.vpr@1450.3--1450.152 + assume 0 <= ($struct_get(($struct_loc(self, 0): int)): int); + assume ($struct_get(($struct_loc(self, 0): int)): int) <= 1461501637330902918203684832716283019655932542975; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 53 + // inhale 0 <= ($struct_get($struct_loc(self, 1)): Int) && + // ($struct_get($struct_loc(self, 1)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@1451.3--1451.181 + assume 0 <= ($struct_get(($struct_loc(self, 1): int)): int); + assume ($struct_get(($struct_loc(self, 1): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 54 + // inhale 0 <= ($struct_get($struct_loc(self, 2)): Int) && + // ($struct_get($struct_loc(self, 2)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@1452.3--1452.181 + assume 0 <= ($struct_get(($struct_loc(self, 2): int)): int); + assume ($struct_get(($struct_loc(self, 2): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 55 + // inhale 0 <= ($struct_get($struct_loc(self, 3)): Int) && + // ($struct_get($struct_loc(self, 3)): Int) <= + // 1461501637330902918203684832716283019655932542975 -- testsresourcesexamplesauction.vy.vpr@1453.3--1453.152 + assume 0 <= ($struct_get(($struct_loc(self, 3): int)): int); + assume ($struct_get(($struct_loc(self, 3): int)): int) <= 1461501637330902918203684832716283019655932542975; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 56 + // inhale 0 <= ($struct_get($struct_loc(self, 4)): Int) && + // ($struct_get($struct_loc(self, 4)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@1454.3--1454.181 + assume 0 <= ($struct_get(($struct_loc(self, 4): int)): int); + assume ($struct_get(($struct_loc(self, 4): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 57 + // inhale (forall $q0: Int :: + // { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) } + // 0 <= + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) && + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935) -- testsresourcesexamplesauction.vy.vpr@1455.3--1455.346 + + // -- Check definedness of (forall $q0: Int :: { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) } 0 <= ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) && ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) + if (*) { + assume false; + } + assume (forall $q0_1: int :: + { ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), $q0_1): int) } + 0 <= ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), $q0_1): int) && ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), $q0_1): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 58 + // inhale (forall $q0: Int :: + // { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) } + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) <= + // ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int)) -- testsresourcesexamplesauction.vy.vpr@1456.3--1456.254 + + // -- Check definedness of (forall $q0: Int :: { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) } ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) <= ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int)) + if (*) { + assume false; + } + assume (forall $q0_3: int :: + { ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), $q0_3): int) } + ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), $q0_3): int) <= ($map_sum(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int)): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 59 + // inhale 0 <= ($struct_get($struct_loc(self, 7)): Int) && + // ($struct_get($struct_loc(self, 7)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@1457.3--1457.181 + assume 0 <= ($struct_get(($struct_loc(self, 7): int)): int); + assume ($struct_get(($struct_loc(self, 7): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 60 + // inhale -170141183460469231731687303715884105728 <= + // ($struct_get($struct_loc(self, 8)): Int) && + // ($struct_get($struct_loc(self, 8)): Int) <= + // 170141183460469231731687303715884105727 -- testsresourcesexamplesauction.vy.vpr@1458.3--1458.181 + assume -170141183460469231731687303715884105728 <= ($struct_get(($struct_loc(self, 8): int)): int); + assume ($struct_get(($struct_loc(self, 8): int)): int) <= 170141183460469231731687303715884105727; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 61 + // inhale (forall $q1: Int :: + // { ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) } + // 0 <= + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) && + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935) -- testsresourcesexamplesauction.vy.vpr@1459.3--1459.349 + + // -- Check definedness of (forall $q1: Int :: { ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) } 0 <= ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) && ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) + if (*) { + assume false; + } + assume (forall $q1_1: int :: + { ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $q1_1): int) } + 0 <= ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $q1_1): int) && ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $q1_1): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 62 + // inhale (forall $q1: Int :: + // { ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) } + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) <= + // ($map_sum(($struct_get($struct_loc(self, 10)): $Map[Int, Int])): Int)) -- testsresourcesexamplesauction.vy.vpr@1460.3--1460.257 + + // -- Check definedness of (forall $q1: Int :: { ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) } ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) <= ($map_sum(($struct_get($struct_loc(self, 10)): $Map[Int, Int])): Int)) + if (*) { + assume false; + } + assume (forall $q1_3: int :: + { ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $q1_3): int) } + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $q1_3): int) <= ($map_sum(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int)): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 63 + // inhale (forall $q2: Int :: + // { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) } + // 0 <= + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) && + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935) -- testsresourcesexamplesauction.vy.vpr@1461.3--1461.349 + + // -- Check definedness of (forall $q2: Int :: { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) } 0 <= ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) && ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) + if (*) { + assume false; + } + assume (forall $q2_1: int :: + { ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), $q2_1): int) } + 0 <= ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), $q2_1): int) && ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), $q2_1): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 64 + // inhale (forall $q2: Int :: + // { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) } + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) <= + // ($map_sum(($struct_get($struct_loc(self, 11)): $Map[Int, Int])): Int)) -- testsresourcesexamplesauction.vy.vpr@1462.3--1462.257 + + // -- Check definedness of (forall $q2: Int :: { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) } ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) <= ($map_sum(($struct_get($struct_loc(self, 11)): $Map[Int, Int])): Int)) + if (*) { + assume false; + } + assume (forall $q2_3: int :: + { ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), $q2_3): int) } + ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), $q2_3): int) <= ($map_sum(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int)): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 65 + // inhale ($struct_get($struct_loc(self, -1)): Int) == + // 9122519725869122497593506884710 -- testsresourcesexamplesauction.vy.vpr@1463.3--1463.86 + assume ($struct_get(($struct_loc(self, -1): int)): int) == 9122519725869122497593506884710; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 66 + // inhale 0 <= $self_address() && + // $self_address() <= 1461501637330902918203684832716283019655932542975 -- testsresourcesexamplesauction.vy.vpr@1465.3--1465.102 + assume 0 <= ($self_address(): int); + assume ($self_address(): int) <= 1461501637330902918203684832716283019655932542975; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 67 + // inhale 0 <= ($struct_get($struct_loc(block, 0)): Int) && + // ($struct_get($struct_loc(block, 0)): Int) <= + // 1461501637330902918203684832716283019655932542975 -- testsresourcesexamplesauction.vy.vpr@1467.3--1467.154 + assume 0 <= ($struct_get(($struct_loc(block, 0): int)): int); + assume ($struct_get(($struct_loc(block, 0): int)): int) <= 1461501637330902918203684832716283019655932542975; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 68 + // inhale 0 <= ($struct_get($struct_loc(block, 1)): Int) && + // ($struct_get($struct_loc(block, 1)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@1468.3--1468.183 + assume 0 <= ($struct_get(($struct_loc(block, 1): int)): int); + assume ($struct_get(($struct_loc(block, 1): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 69 + // inhale 0 <= ($struct_get($struct_loc(block, 2)): Int) && + // ($struct_get($struct_loc(block, 2)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@1469.3--1469.183 + assume 0 <= ($struct_get(($struct_loc(block, 2): int)): int); + assume ($struct_get(($struct_loc(block, 2): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 70 + // inhale |($struct_get($struct_loc(block, 3)): Seq[Int])| == 32 -- testsresourcesexamplesauction.vy.vpr@1470.3--1470.64 + assume Seq#Length(($struct_get(($struct_loc(block, 3): int)): Seq int)) == 32; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 71 + // inhale 0 <= ($struct_get($struct_loc(block, 4)): Int) && + // ($struct_get($struct_loc(block, 4)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@1471.3--1471.183 + assume 0 <= ($struct_get(($struct_loc(block, 4): int)): int); + assume ($struct_get(($struct_loc(block, 4): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 72 + // inhale ($struct_get($struct_loc(block, -1)): Int) == + // 2335365049822495359383864865678187 -- testsresourcesexamplesauction.vy.vpr@1472.3--1472.90 + assume ($struct_get(($struct_loc(block, -1): int)): int) == 2335365049822495359383864865678187; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 73 + // inhale 0 <= ($struct_get($struct_loc(msg, 0)): Int) && + // ($struct_get($struct_loc(msg, 0)): Int) <= + // 1461501637330902918203684832716283019655932542975 -- testsresourcesexamplesauction.vy.vpr@1474.3--1474.150 + assume 0 <= ($struct_get(($struct_loc(msg, 0): int)): int); + assume ($struct_get(($struct_loc(msg, 0): int)): int) <= 1461501637330902918203684832716283019655932542975; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 74 + // inhale 0 <= ($struct_get($struct_loc(msg, 1)): Int) && + // ($struct_get($struct_loc(msg, 1)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@1475.3--1475.179 + assume 0 <= ($struct_get(($struct_loc(msg, 1): int)): int); + assume ($struct_get(($struct_loc(msg, 1): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 75 + // inhale 0 <= ($struct_get($struct_loc(msg, 2)): Int) && + // ($struct_get($struct_loc(msg, 2)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@1476.3--1476.179 + assume 0 <= ($struct_get(($struct_loc(msg, 2): int)): int); + assume ($struct_get(($struct_loc(msg, 2): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 76 + // inhale ($struct_get($struct_loc(msg, -1)): Int) == + // 35634842679176259756224246631 -- testsresourcesexamplesauction.vy.vpr@1477.3--1477.83 + assume ($struct_get(($struct_loc(msg, -1): int)): int) == 35634842679176259756224246631; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 77 + // inhale ($struct_get($struct_loc(msg, 0)): Int) != 0 -- testsresourcesexamplesauction.vy.vpr@1478.3--1478.54 + assume ($struct_get(($struct_loc(msg, 0): int)): int) != 0; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 78 + // inhale (forall $a: Int :: + // { ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $a): Int) } + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $a): Int) >= + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $a): Int)) -- testsresourcesexamplesauction.vy.vpr@1480.3--1480.258 + + // -- Check definedness of (forall $a: Int :: { ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $a): Int) } ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $a): Int) >= ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $a): Int)) + if (*) { + assume false; + } + assume (forall $a_1_1: int :: + { ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $a_1_1): int) } + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $a_1_1): int) >= ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $a_1_1): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 79 + // inhale ($struct_get($struct_loc(self, 3)): Int) == 0 ==> + // ($struct_get($struct_loc(self, 4)): Int) == 0 -- testsresourcesexamplesauction.vy.vpr@1481.3--1481.105 + if (($struct_get(($struct_loc(self, 3): int)): int) == 0) { + assume ($struct_get(($struct_loc(self, 4): int)): int) == 0; + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 80 + // inhale ($struct_get($struct_loc(self, 0)): Int) == + // ($struct_get($struct_loc(self, 0)): Int) -- testsresourcesexamplesauction.vy.vpr@1482.3--1482.94 + assume ($struct_get(($struct_loc(self, 0): int)): int) == ($struct_get(($struct_loc(self, 0): int)): int); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 81 + // inhale ($struct_get($struct_loc(self, 5)): Bool) ==> + // ($struct_get($struct_loc(self, 5)): Bool) -- testsresourcesexamplesauction.vy.vpr@1483.3--1483.97 + if (($struct_get(($struct_loc(self, 5): int)): bool)) { + assume ($struct_get(($struct_loc(self, 5): int)): bool); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 82 + // inhale !($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) + + // ($struct_get($struct_loc(self, 4)): Int) <= + // ($struct_get($struct_loc(self, 7)): Int) -- testsresourcesexamplesauction.vy.vpr@1484.3--1484.212 + if (!($struct_get(($struct_loc(self, 5): int)): bool)) { + assume ($map_sum(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int)): int) + ($struct_get(($struct_loc(self, 4): int)): int) <= ($struct_get(($struct_loc(self, 7): int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 83 + // inhale !($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) + + // ($struct_get($struct_loc(self, 4)): Int) == + // ($map_sum(($struct_get($struct_loc(self, 11)): $Map[Int, Int])): Int) - + // ($map_sum(($struct_get($struct_loc(self, 10)): $Map[Int, Int])): Int) -- testsresourcesexamplesauction.vy.vpr@1485.3--1485.313 + if (!($struct_get(($struct_loc(self, 5): int)): bool)) { + assume ($map_sum(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int)): int) + ($struct_get(($struct_loc(self, 4): int)): int) == ($map_sum(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int)): int) - ($map_sum(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 84 + // inhale ($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) <= + // ($struct_get($struct_loc(self, 7)): Int) -- testsresourcesexamplesauction.vy.vpr@1486.3--1486.168 + if (($struct_get(($struct_loc(self, 5): int)): bool)) { + assume ($map_sum(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int)): int) <= ($struct_get(($struct_loc(self, 7): int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 85 + // inhale ($struct_get($struct_loc(self, 4)): Int) >= + // ($struct_get($struct_loc(self, 4)): Int) -- testsresourcesexamplesauction.vy.vpr@1487.3--1487.94 + assume ($struct_get(($struct_loc(self, 4): int)): int) >= ($struct_get(($struct_loc(self, 4): int)): int); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 86 + // inhale ($struct_get($struct_loc(self, 5)): Bool) ==> + // ($struct_get($struct_loc(self, 4)): Int) == + // ($struct_get($struct_loc(self, 4)): Int) && + // ($struct_get($struct_loc(self, 3)): Int) == + // ($struct_get($struct_loc(self, 3)): Int) -- testsresourcesexamplesauction.vy.vpr@1488.3--1488.228 + if (($struct_get(($struct_loc(self, 5): int)): bool)) { + assume ($struct_get(($struct_loc(self, 4): int)): int) == ($struct_get(($struct_loc(self, 4): int)): int); + assume ($struct_get(($struct_loc(self, 3): int)): int) == ($struct_get(($struct_loc(self, 3): int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 87 + // inhale ($struct_get($struct_loc(self, 0)): Int) != 0 -- testsresourcesexamplesauction.vy.vpr@1489.3--1489.55 + assume ($struct_get(($struct_loc(self, 0): int)): int) != 0; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 88 + // inhale ($struct_get($struct_loc(self, 3)): Int) != + // ($struct_get($struct_loc(self, 0)): Int) -- testsresourcesexamplesauction.vy.vpr@1490.3--1490.94 + assume ($struct_get(($struct_loc(self, 3): int)): int) != ($struct_get(($struct_loc(self, 0): int)): int); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 89 + // inhale ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 0)): Int)): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@1491.3--1491.125 + assume ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 0): int)): int)): int) == 0; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 90 + // inhale !($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 0)): Int)): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@1492.3--1492.173 + if (!($struct_get(($struct_loc(self, 5): int)): bool)) { + assume ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 0): int)): int)): int) == 0; + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 91 + // inhale ($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 0)): Int)): Int) == + // ($struct_get($struct_loc(self, 4)): Int) -- testsresourcesexamplesauction.vy.vpr@1493.3--1493.211 + if (($struct_get(($struct_loc(self, 5): int)): bool)) { + assume ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 0): int)): int)): int) == ($struct_get(($struct_loc(self, 4): int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 92 + // inhale ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 3)): Int)): Int) + + // ($struct_get($struct_loc(self, 4)): Int) + + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 3)): Int)): Int) == + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 3)): Int)): Int) -- testsresourcesexamplesauction.vy.vpr@1494.3--1494.392 + assume ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 3): int)): int)): int) + ($struct_get(($struct_loc(self, 4): int)): int) + ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 3): int)): int)): int) == ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 3): int)): int)): int); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 93 + // inhale (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // q$a != ($struct_get($struct_loc(self, 3)): Int) && + // q$a != ($struct_get($struct_loc(self, 0)): Int) ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) + + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) == + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int)) -- testsresourcesexamplesauction.vy.vpr@1495.3--1495.514 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> q$a != ($struct_get($struct_loc(self, 3)): Int) && q$a != ($struct_get($struct_loc(self, 0)): Int) ==> ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) + ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) == ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int)) + if (*) { + assume false; + } + assume (forall q$a_1: int :: + { ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_1): int) } + 0 <= q$a_1 && q$a_1 <= 1461501637330902918203684832716283019655932542975 ==> q$a_1 != ($struct_get(($struct_loc(self, 3): int)): int) && q$a_1 != ($struct_get(($struct_loc(self, 0): int)): int) ==> ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), q$a_1): int) + ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_1): int) == ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_1): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 94 + // inhale ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), 0): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@1496.3--1496.87 + assume ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), 0): int) == 0; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 95 + // inhale (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) != + // 0 ==> + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) != + // 0) -- testsresourcesexamplesauction.vy.vpr@1497.3--1497.344 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) != 0 ==> ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) != 0) + if (*) { + assume false; + } + assume (forall q$a_3: int :: + { ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_3): int) } + 0 <= q$a_3 && q$a_3 <= 1461501637330902918203684832716283019655932542975 ==> ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_3): int) != 0 ==> ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_3): int) != 0 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 96 + // inhale (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // q$a != ($struct_get($struct_loc(self, 0)): Int) && + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) == + // 0 ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) == + // 0) -- testsresourcesexamplesauction.vy.vpr@1498.3--1498.397 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> q$a != ($struct_get($struct_loc(self, 0)): Int) && ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) == 0 ==> ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) == 0) + if (*) { + assume false; + } + assume (forall q$a_5: int :: + { ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_5): int) } + 0 <= q$a_5 && q$a_5 <= 1461501637330902918203684832716283019655932542975 ==> q$a_5 != ($struct_get(($struct_loc(self, 0): int)): int) && ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_5): int) == 0 ==> ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), q$a_5): int) == 0 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 97 + // inhale (forall q$a: Int, q$v: Int :: + // { $accessible$withdraw(18, q$a, q$v) } + // 0 <= q$a && + // (q$a <= 1461501637330902918203684832716283019655932542975 && + // (0 <= q$v && + // q$v <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935)) ==> + // q$v == + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) ==> + // true) -- testsresourcesexamplesauction.vy.vpr@1499.3--1499.345 + + // -- Check definedness of (forall q$a: Int, q$v: Int :: { $accessible$withdraw(18, q$a, q$v) } 0 <= q$a && (q$a <= 1461501637330902918203684832716283019655932542975 && (0 <= q$v && q$v <= 115792089237316195423570985008687907853269984665640564039457584007913129639935)) ==> q$v == ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) ==> true) + if (*) { + assume false; + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 98 + // $pre_self := self -- testsresourcesexamplesauction.vy.vpr@1501.3--1501.20 + $pre_self := self; + assume state(Heap, Mask); + + // -- Translating statement: // id = 99 + // $pre_$contracts := $contracts -- testsresourcesexamplesauction.vy.vpr@1502.3--1502.32 + $pre_$contracts := $contracts; + assume state(Heap, Mask); + + // -- Translating statement: // id = 100 + // $old_self := self -- testsresourcesexamplesauction.vy.vpr@1504.3--1504.20 + $old_self := self; + assume state(Heap, Mask); + + // -- Translating statement: // id = 101 + // $old_$contracts := $contracts -- testsresourcesexamplesauction.vy.vpr@1505.3--1505.32 + $old_$contracts := $contracts; + assume state(Heap, Mask); + + // -- Translating statement: // id = 102 + // $succ := true -- testsresourcesexamplesauction.vy.vpr@1506.3--1506.16 + $succ := true; + assume state(Heap, Mask); + + // -- Translating statement: // id = 103 + // $overflow := false -- testsresourcesexamplesauction.vy.vpr@1507.3--1507.21 + $overflow := false; + assume state(Heap, Mask); + + // -- Translating statement: // id = 104 + // inhale ($struct_get($struct_loc(msg, 1)): Int) == 0 -- testsresourcesexamplesauction.vy.vpr@1509.3--1509.54 + assume ($struct_get(($struct_loc(msg, 1): int)): int) == 0; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: if (!(($struct_get($struct_loc(block, 4)): Int) >= ($struct_get($struct_loc(self, 2)): Int))) -- testsresourcesexamplesauction.vy.vpr@1511.3--1513.4 + if (!(($struct_get(($struct_loc(block, 4): int)): int) >= ($struct_get(($struct_loc(self, 2): int)): int))) { + + // -- Translating statement: // id = 105 + // goto revert -- testsresourcesexamplesauction.vy.vpr@1512.5--1512.16 + goto revert; + assume state(Heap, Mask); + } else { + + // -- Translating statement: // id = 106 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 107 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + + // -- Translating statement: if (!!($struct_get($struct_loc(self, 5)): Bool)) -- testsresourcesexamplesauction.vy.vpr@1514.3--1516.4 + if (($struct_get(($struct_loc(self, 5): int)): bool)) { + + // -- Translating statement: // id = 108 + // goto revert -- testsresourcesexamplesauction.vy.vpr@1515.5--1515.16 + goto revert; + assume state(Heap, Mask); + } else { + + // -- Translating statement: // id = 109 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 110 + // self := ($struct_set(self, 5, true): $Struct) -- testsresourcesexamplesauction.vy.vpr@1517.3--1517.48 + self := ($struct_set(self, 5, true): $StructDomainType); + assume state(Heap, Mask); + + // -- Translating statement: if (($struct_get($struct_loc(self, 7)): Int) < ($struct_get($struct_loc(self, 4)): Int)) -- testsresourcesexamplesauction.vy.vpr@1518.3--1520.4 + if (($struct_get(($struct_loc(self, 7): int)): int) < ($struct_get(($struct_loc(self, 4): int)): int)) { + + // -- Translating statement: // id = 111 + // goto revert -- testsresourcesexamplesauction.vy.vpr@1519.5--1519.16 + goto revert; + assume state(Heap, Mask); + } else { + + // -- Translating statement: // id = 112 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 113 + // self := ($struct_set(self, 10, ($map_set(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), + // ($struct_get($struct_loc(self, 0)): Int), ($map_get(($struct_get($struct_loc(self, + // 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, 0)): Int)): Int) + + // ($struct_get($struct_loc(self, 4)): Int)): $Map[Int, Int])): $Struct) -- testsresourcesexamplesauction.vy.vpr@1521.3--1521.323 + self := ($struct_set(self, 10, ($map_set(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 0): int)): int), ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 0): int)): int)): int) + ($struct_get(($struct_loc(self, 4): int)): int)): $MapDomainType int int)): $StructDomainType); + assume state(Heap, Mask); + + // -- Translating statement: // id = 114 + // self := ($struct_set(self, 7, ($struct_get($struct_loc(self, 7)): Int) - + // ($struct_get($struct_loc(self, 4)): Int)): $Struct) -- testsresourcesexamplesauction.vy.vpr@1522.3--1522.127 + self := ($struct_set(self, 7, ($struct_get(($struct_loc(self, 7): int)): int) - ($struct_get(($struct_loc(self, 4): int)): int)): $StructDomainType); + assume state(Heap, Mask); + + // -- Translating statement: // id = 115 + // $old_$contracts := $contracts -- testsresourcesexamplesauction.vy.vpr@1524.3--1524.32 + $old_$contracts := $contracts; + assume state(Heap, Mask); + + // -- Translating statement: // id = 116 + // $contracts := l$havoc -- testsresourcesexamplesauction.vy.vpr@1526.3--1526.24 + $contracts := l$havoc; + assume state(Heap, Mask); + + // -- Translating statement: // id = 117 + // assert ($struct_get($struct_loc(self, 3)): Int) == 0 ==> + // ($struct_get($struct_loc(self, 4)): Int) == 0 -- testsresourcesexamplesauction.vy.vpr@1528.3--1528.105 + if (($struct_get(($struct_loc(self, 3): int)): int) == 0) { + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 4)): Int) == 0 might not hold. (testsresourcesexamplesauction.vy.vpr@1528.10--1528.105) [343]"} + ($struct_get(($struct_loc(self, 4): int)): int) == 0; + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 118 + // assert ($struct_get($struct_loc(self, 0)): Int) == + // ($struct_get($struct_loc($old_self, 0)): Int) -- testsresourcesexamplesauction.vy.vpr@1529.3--1529.99 + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 0)): Int) == ($struct_get($struct_loc($old_self, 0)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1529.10--1529.99) [344]"} + ($struct_get(($struct_loc(self, 0): int)): int) == ($struct_get(($struct_loc($old_self, 0): int)): int); + assume state(Heap, Mask); + + // -- Translating statement: // id = 119 + // assert ($struct_get($struct_loc($old_self, 5)): Bool) ==> + // ($struct_get($struct_loc(self, 5)): Bool) -- testsresourcesexamplesauction.vy.vpr@1530.3--1530.102 + if (($struct_get(($struct_loc($old_self, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 5)): Bool) might not hold. (testsresourcesexamplesauction.vy.vpr@1530.10--1530.102) [345]"} + ($struct_get(($struct_loc(self, 5): int)): bool); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 120 + // assert !($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) + + // ($struct_get($struct_loc(self, 4)): Int) <= + // ($struct_get($struct_loc(self, 7)): Int) -- testsresourcesexamplesauction.vy.vpr@1531.3--1531.212 + if (!($struct_get(($struct_loc(self, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) + ($struct_get($struct_loc(self, 4)): Int) <= ($struct_get($struct_loc(self, 7)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1531.10--1531.212) [346]"} + ($map_sum(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int)): int) + ($struct_get(($struct_loc(self, 4): int)): int) <= ($struct_get(($struct_loc(self, 7): int)): int); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 121 + // assert !($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) + + // ($struct_get($struct_loc(self, 4)): Int) == + // ($map_sum(($struct_get($struct_loc(self, 11)): $Map[Int, Int])): Int) - + // ($map_sum(($struct_get($struct_loc(self, 10)): $Map[Int, Int])): Int) -- testsresourcesexamplesauction.vy.vpr@1532.3--1532.313 + if (!($struct_get(($struct_loc(self, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) + ($struct_get($struct_loc(self, 4)): Int) == ($map_sum(($struct_get($struct_loc(self, 11)): $Map[Int, Int])): Int) - ($map_sum(($struct_get($struct_loc(self, 10)): $Map[Int, Int])): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1532.10--1532.313) [347]"} + ($map_sum(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int)): int) + ($struct_get(($struct_loc(self, 4): int)): int) == ($map_sum(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int)): int) - ($map_sum(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int)): int); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 122 + // assert ($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) <= + // ($struct_get($struct_loc(self, 7)): Int) -- testsresourcesexamplesauction.vy.vpr@1533.3--1533.168 + if (($struct_get(($struct_loc(self, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) <= ($struct_get($struct_loc(self, 7)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1533.10--1533.168) [348]"} + ($map_sum(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int)): int) <= ($struct_get(($struct_loc(self, 7): int)): int); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 123 + // assert ($struct_get($struct_loc(self, 4)): Int) >= + // ($struct_get($struct_loc($old_self, 4)): Int) -- testsresourcesexamplesauction.vy.vpr@1534.3--1534.99 + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 4)): Int) >= ($struct_get($struct_loc($old_self, 4)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1534.10--1534.99) [349]"} + ($struct_get(($struct_loc(self, 4): int)): int) >= ($struct_get(($struct_loc($old_self, 4): int)): int); + assume state(Heap, Mask); + + // -- Translating statement: // id = 124 + // assert ($struct_get($struct_loc($old_self, 5)): Bool) ==> + // ($struct_get($struct_loc(self, 4)): Int) == + // ($struct_get($struct_loc($old_self, 4)): Int) && + // ($struct_get($struct_loc(self, 3)): Int) == + // ($struct_get($struct_loc($old_self, 3)): Int) -- testsresourcesexamplesauction.vy.vpr@1535.3--1535.243 + if (($struct_get(($struct_loc($old_self, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 4)): Int) == ($struct_get($struct_loc($old_self, 4)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1535.10--1535.243) [350]"} + ($struct_get(($struct_loc(self, 4): int)): int) == ($struct_get(($struct_loc($old_self, 4): int)): int); + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 3)): Int) == ($struct_get($struct_loc($old_self, 3)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1535.10--1535.243) [351]"} + ($struct_get(($struct_loc(self, 3): int)): int) == ($struct_get(($struct_loc($old_self, 3): int)): int); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 125 + // assert ($struct_get($struct_loc(self, 0)): Int) != 0 -- testsresourcesexamplesauction.vy.vpr@1536.3--1536.55 + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 0)): Int) != 0 might not hold. (testsresourcesexamplesauction.vy.vpr@1536.10--1536.55) [352]"} + ($struct_get(($struct_loc(self, 0): int)): int) != 0; + assume state(Heap, Mask); + + // -- Translating statement: // id = 126 + // assert ($struct_get($struct_loc(self, 3)): Int) != + // ($struct_get($struct_loc(self, 0)): Int) -- testsresourcesexamplesauction.vy.vpr@1537.3--1537.94 + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 3)): Int) != ($struct_get($struct_loc(self, 0)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1537.10--1537.94) [353]"} + ($struct_get(($struct_loc(self, 3): int)): int) != ($struct_get(($struct_loc(self, 0): int)): int); + assume state(Heap, Mask); + + // -- Translating statement: // id = 127 + // assert ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 0)): Int)): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@1538.3--1538.125 + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), ($struct_get($struct_loc(self, 0)): Int)): Int) == 0 might not hold. (testsresourcesexamplesauction.vy.vpr@1538.10--1538.125) [354]"} + ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 0): int)): int)): int) == 0; + assume state(Heap, Mask); + + // -- Translating statement: // id = 128 + // assert !($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 0)): Int)): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@1539.3--1539.173 + if (!($struct_get(($struct_loc(self, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, 0)): Int)): Int) == 0 might not hold. (testsresourcesexamplesauction.vy.vpr@1539.10--1539.173) [355]"} + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 0): int)): int)): int) == 0; + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 129 + // assert ($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 0)): Int)): Int) == + // ($struct_get($struct_loc(self, 4)): Int) -- testsresourcesexamplesauction.vy.vpr@1540.3--1540.211 + if (($struct_get(($struct_loc(self, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, 0)): Int)): Int) == ($struct_get($struct_loc(self, 4)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1540.10--1540.211) [356]"} + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 0): int)): int)): int) == ($struct_get(($struct_loc(self, 4): int)): int); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 130 + // assert ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 3)): Int)): Int) + + // ($struct_get($struct_loc(self, 4)): Int) + + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 3)): Int)): Int) == + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 3)): Int)): Int) -- testsresourcesexamplesauction.vy.vpr@1541.3--1541.392 + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, 3)): Int)): Int) + ($struct_get($struct_loc(self, 4)): Int) + ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), ($struct_get($struct_loc(self, 3)): Int)): Int) == ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), ($struct_get($struct_loc(self, 3)): Int)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1541.10--1541.392) [357]"} + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 3): int)): int)): int) + ($struct_get(($struct_loc(self, 4): int)): int) + ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 3): int)): int)): int) == ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 3): int)): int)): int); + assume state(Heap, Mask); + + // -- Translating statement: // id = 131 + // assert (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // q$a != ($struct_get($struct_loc(self, 3)): Int) && + // q$a != ($struct_get($struct_loc(self, 0)): Int) ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) + + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) == + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int)) -- testsresourcesexamplesauction.vy.vpr@1542.3--1542.514 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> q$a != ($struct_get($struct_loc(self, 3)): Int) && q$a != ($struct_get($struct_loc(self, 0)): Int) ==> ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) + ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) == ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int)) + if (*) { + assume false; + } + if (*) { + if (0 <= q$a_9 && q$a_9 <= 1461501637330902918203684832716283019655932542975) { + if (q$a_9 != ($struct_get(($struct_loc(self, 3): int)): int) && q$a_9 != ($struct_get(($struct_loc(self, 0): int)): int)) { + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) + ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) == ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1542.11--1542.513) [358]"} + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), q$a_9): int) + ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_9): int) == ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_9): int); + } + } + assume false; + } + assume (forall q$a_10_1: int :: + { ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_10_1): int) } + 0 <= q$a_10_1 && q$a_10_1 <= 1461501637330902918203684832716283019655932542975 ==> q$a_10_1 != ($struct_get(($struct_loc(self, 3): int)): int) && q$a_10_1 != ($struct_get(($struct_loc(self, 0): int)): int) ==> ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), q$a_10_1): int) + ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_10_1): int) == ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_10_1): int) + ); + assume state(Heap, Mask); + + // -- Translating statement: // id = 132 + // assert ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), 0): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@1543.3--1543.87 + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), 0): Int) == 0 might not hold. (testsresourcesexamplesauction.vy.vpr@1543.10--1543.87) [359]"} + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), 0): int) == 0; + assume state(Heap, Mask); + + // -- Translating statement: // id = 133 + // assert (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) != + // 0 ==> + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) != + // 0) -- testsresourcesexamplesauction.vy.vpr@1544.3--1544.344 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) != 0 ==> ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) != 0) + if (*) { + assume false; + } + if (*) { + if (0 <= q$a_12 && q$a_12 <= 1461501637330902918203684832716283019655932542975) { + if (($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_12): int) != 0) { + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) != 0 might not hold. (testsresourcesexamplesauction.vy.vpr@1544.11--1544.343) [360]"} + ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_12): int) != 0; + } + } + assume false; + } + assume (forall q$a_13_1: int :: + { ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_13_1): int) } + 0 <= q$a_13_1 && q$a_13_1 <= 1461501637330902918203684832716283019655932542975 ==> ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_13_1): int) != 0 ==> ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_13_1): int) != 0 + ); + assume state(Heap, Mask); + + // -- Translating statement: // id = 134 + // assert (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // q$a != ($struct_get($struct_loc(self, 0)): Int) && + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) == + // 0 ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) == + // 0) -- testsresourcesexamplesauction.vy.vpr@1545.3--1545.397 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> q$a != ($struct_get($struct_loc(self, 0)): Int) && ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) == 0 ==> ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) == 0) + if (*) { + assume false; + } + if (*) { + if (0 <= q$a_15 && q$a_15 <= 1461501637330902918203684832716283019655932542975) { + if (q$a_15 != ($struct_get(($struct_loc(self, 0): int)): int) && ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_15): int) == 0) { + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) == 0 might not hold. (testsresourcesexamplesauction.vy.vpr@1545.11--1545.396) [361]"} + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), q$a_15): int) == 0; + } + } + assume false; + } + assume (forall q$a_16_1_1: int :: + { ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_16_1_1): int) } + 0 <= q$a_16_1_1 && q$a_16_1_1 <= 1461501637330902918203684832716283019655932542975 ==> q$a_16_1_1 != ($struct_get(($struct_loc(self, 0): int)): int) && ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_16_1_1): int) == 0 ==> ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), q$a_16_1_1): int) == 0 + ); + assume state(Heap, Mask); + + // -- Translating statement: // id = 135 + // assert (forall q$a: Int, q$v: Int :: + // { $accessible$withdraw(18, q$a, q$v) } + // 0 <= q$a && + // (q$a <= 1461501637330902918203684832716283019655932542975 && + // (0 <= q$v && + // q$v <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935)) ==> + // q$v == + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) ==> + // true) -- testsresourcesexamplesauction.vy.vpr@1546.3--1546.345 + + // -- Check definedness of (forall q$a: Int, q$v: Int :: { $accessible$withdraw(18, q$a, q$v) } 0 <= q$a && (q$a <= 1461501637330902918203684832716283019655932542975 && (0 <= q$v && q$v <= 115792089237316195423570985008687907853269984665640564039457584007913129639935)) ==> q$v == ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) ==> true) + if (*) { + assume false; + } + if (*) { + assume false; + } + assume state(Heap, Mask); + + // -- Translating statement: if (l$send_fail) -- testsresourcesexamplesauction.vy.vpr@1547.3--1550.4 + if (l$send_fail) { + + // -- Translating statement: // id = 136 + // inhale acc($failed(($struct_get($struct_loc(self, 0)): Int)), write) -- testsresourcesexamplesauction.vy.vpr@1548.5--1548.73 + perm := FullPerm; + Mask[null, $failed(($struct_get(($struct_loc(self, 0): int)): int))] := Mask[null, $failed(($struct_get(($struct_loc(self, 0): int)): int))] + perm; + assume state(Heap, Mask); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 137 + // goto revert -- testsresourcesexamplesauction.vy.vpr@1549.5--1549.16 + goto revert; + assume state(Heap, Mask); + } else { + + // -- Translating statement: // id = 138 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 139 + // $contracts := $old_$contracts -- testsresourcesexamplesauction.vy.vpr@1552.3--1552.32 + $contracts := $old_$contracts; + assume state(Heap, Mask); + + // -- Translating statement: // id = 140 + // $old_self := self -- testsresourcesexamplesauction.vy.vpr@1554.3--1554.20 + $old_self := self; + assume state(Heap, Mask); + + // -- Translating statement: // id = 141 + // $old_$contracts := $contracts -- testsresourcesexamplesauction.vy.vpr@1555.3--1555.32 + $old_$contracts := $contracts; + assume state(Heap, Mask); + + // -- Translating statement: // id = 142 + // i0$$pre_self := self -- testsresourcesexamplesauction.vy.vpr@1557.3--1557.23 + i0$$pre_self := self; + assume state(Heap, Mask); + + // -- Translating statement: // id = 143 + // i0$$pre_$contracts := $contracts -- testsresourcesexamplesauction.vy.vpr@1558.3--1558.35 + i0$$pre_$contracts := $contracts; + assume state(Heap, Mask); + + // -- Translating statement: // id = 144 + // $contracts := l$havoc$1 -- testsresourcesexamplesauction.vy.vpr@1560.3--1560.26 + $contracts := l$havoc$1; + assume state(Heap, Mask); + + // -- Translating statement: // id = 145 + // $old_$contracts := $contracts -- testsresourcesexamplesauction.vy.vpr@1562.3--1562.32 + $old_$contracts := $contracts; + assume state(Heap, Mask); + + // -- Translating statement: // id = 146 + // self := l$havoc$2 -- testsresourcesexamplesauction.vy.vpr@1564.3--1564.20 + self := l$havoc$2; + assume state(Heap, Mask); + + // -- Translating statement: // id = 147 + // $contracts := l$havoc$3 -- testsresourcesexamplesauction.vy.vpr@1565.3--1565.26 + $contracts := l$havoc$3; + assume state(Heap, Mask); + + // -- Translating statement: // id = 148 + // inhale 0 <= ($struct_get($struct_loc(self, 0)): Int) && + // ($struct_get($struct_loc(self, 0)): Int) <= + // 1461501637330902918203684832716283019655932542975 -- testsresourcesexamplesauction.vy.vpr@1567.3--1567.152 + assume 0 <= ($struct_get(($struct_loc(self, 0): int)): int); + assume ($struct_get(($struct_loc(self, 0): int)): int) <= 1461501637330902918203684832716283019655932542975; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 149 + // inhale 0 <= ($struct_get($struct_loc(self, 1)): Int) && + // ($struct_get($struct_loc(self, 1)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@1568.3--1568.181 + assume 0 <= ($struct_get(($struct_loc(self, 1): int)): int); + assume ($struct_get(($struct_loc(self, 1): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 150 + // inhale 0 <= ($struct_get($struct_loc(self, 2)): Int) && + // ($struct_get($struct_loc(self, 2)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@1569.3--1569.181 + assume 0 <= ($struct_get(($struct_loc(self, 2): int)): int); + assume ($struct_get(($struct_loc(self, 2): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 151 + // inhale 0 <= ($struct_get($struct_loc(self, 3)): Int) && + // ($struct_get($struct_loc(self, 3)): Int) <= + // 1461501637330902918203684832716283019655932542975 -- testsresourcesexamplesauction.vy.vpr@1570.3--1570.152 + assume 0 <= ($struct_get(($struct_loc(self, 3): int)): int); + assume ($struct_get(($struct_loc(self, 3): int)): int) <= 1461501637330902918203684832716283019655932542975; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 152 + // inhale 0 <= ($struct_get($struct_loc(self, 4)): Int) && + // ($struct_get($struct_loc(self, 4)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@1571.3--1571.181 + assume 0 <= ($struct_get(($struct_loc(self, 4): int)): int); + assume ($struct_get(($struct_loc(self, 4): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 153 + // inhale (forall $q0: Int :: + // { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) } + // 0 <= + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) && + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935) -- testsresourcesexamplesauction.vy.vpr@1572.3--1572.346 + + // -- Check definedness of (forall $q0: Int :: { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) } 0 <= ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) && ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) + if (*) { + assume false; + } + assume (forall $q0_5: int :: + { ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), $q0_5): int) } + 0 <= ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), $q0_5): int) && ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), $q0_5): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 154 + // inhale (forall $q0: Int :: + // { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) } + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) <= + // ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int)) -- testsresourcesexamplesauction.vy.vpr@1573.3--1573.254 + + // -- Check definedness of (forall $q0: Int :: { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) } ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), $q0): Int) <= ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int)) + if (*) { + assume false; + } + assume (forall $q0_7: int :: + { ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), $q0_7): int) } + ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), $q0_7): int) <= ($map_sum(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int)): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 155 + // inhale 0 <= ($struct_get($struct_loc(self, 7)): Int) && + // ($struct_get($struct_loc(self, 7)): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935 -- testsresourcesexamplesauction.vy.vpr@1574.3--1574.181 + assume 0 <= ($struct_get(($struct_loc(self, 7): int)): int); + assume ($struct_get(($struct_loc(self, 7): int)): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 156 + // inhale -170141183460469231731687303715884105728 <= + // ($struct_get($struct_loc(self, 8)): Int) && + // ($struct_get($struct_loc(self, 8)): Int) <= + // 170141183460469231731687303715884105727 -- testsresourcesexamplesauction.vy.vpr@1575.3--1575.181 + assume -170141183460469231731687303715884105728 <= ($struct_get(($struct_loc(self, 8): int)): int); + assume ($struct_get(($struct_loc(self, 8): int)): int) <= 170141183460469231731687303715884105727; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 157 + // inhale (forall $q1: Int :: + // { ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) } + // 0 <= + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) && + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935) -- testsresourcesexamplesauction.vy.vpr@1576.3--1576.349 + + // -- Check definedness of (forall $q1: Int :: { ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) } 0 <= ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) && ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) + if (*) { + assume false; + } + assume (forall $q1_5: int :: + { ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $q1_5): int) } + 0 <= ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $q1_5): int) && ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $q1_5): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 158 + // inhale (forall $q1: Int :: + // { ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) } + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) <= + // ($map_sum(($struct_get($struct_loc(self, 10)): $Map[Int, Int])): Int)) -- testsresourcesexamplesauction.vy.vpr@1577.3--1577.257 + + // -- Check definedness of (forall $q1: Int :: { ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) } ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $q1): Int) <= ($map_sum(($struct_get($struct_loc(self, 10)): $Map[Int, Int])): Int)) + if (*) { + assume false; + } + assume (forall $q1_7: int :: + { ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $q1_7): int) } + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $q1_7): int) <= ($map_sum(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int)): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 159 + // inhale (forall $q2: Int :: + // { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) } + // 0 <= + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) && + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935) -- testsresourcesexamplesauction.vy.vpr@1578.3--1578.349 + + // -- Check definedness of (forall $q2: Int :: { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) } 0 <= ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) && ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935) + if (*) { + assume false; + } + assume (forall $q2_5: int :: + { ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), $q2_5): int) } + 0 <= ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), $q2_5): int) && ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), $q2_5): int) <= 115792089237316195423570985008687907853269984665640564039457584007913129639935 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 160 + // inhale (forall $q2: Int :: + // { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) } + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) <= + // ($map_sum(($struct_get($struct_loc(self, 11)): $Map[Int, Int])): Int)) -- testsresourcesexamplesauction.vy.vpr@1579.3--1579.257 + + // -- Check definedness of (forall $q2: Int :: { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) } ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), $q2): Int) <= ($map_sum(($struct_get($struct_loc(self, 11)): $Map[Int, Int])): Int)) + if (*) { + assume false; + } + assume (forall $q2_7: int :: + { ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), $q2_7): int) } + ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), $q2_7): int) <= ($map_sum(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int)): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 161 + // inhale ($struct_get($struct_loc(self, -1)): Int) == + // 9122519725869122497593506884710 -- testsresourcesexamplesauction.vy.vpr@1580.3--1580.86 + assume ($struct_get(($struct_loc(self, -1): int)): int) == 9122519725869122497593506884710; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 162 + // inhale (forall $a: Int :: + // { ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $a): Int) } + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $a): Int) >= + // ($map_get(($struct_get($struct_loc($old_self, 10)): $Map[Int, Int]), $a): Int)) -- testsresourcesexamplesauction.vy.vpr@1582.3--1582.263 + + // -- Check definedness of (forall $a: Int :: { ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $a): Int) } ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), $a): Int) >= ($map_get(($struct_get($struct_loc($old_self, 10)): $Map[Int, Int]), $a): Int)) + if (*) { + assume false; + } + assume (forall $a_3: int :: + { ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $a_3): int) } + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), $a_3): int) >= ($map_get(($struct_get(($struct_loc($old_self, 10): int)): $MapDomainType int int), $a_3): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 163 + // inhale ($struct_get($struct_loc(self, 3)): Int) == 0 ==> + // ($struct_get($struct_loc(self, 4)): Int) == 0 -- testsresourcesexamplesauction.vy.vpr@1583.3--1583.105 + if (($struct_get(($struct_loc(self, 3): int)): int) == 0) { + assume ($struct_get(($struct_loc(self, 4): int)): int) == 0; + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 164 + // inhale ($struct_get($struct_loc(self, 0)): Int) == + // ($struct_get($struct_loc($old_self, 0)): Int) -- testsresourcesexamplesauction.vy.vpr@1584.3--1584.99 + assume ($struct_get(($struct_loc(self, 0): int)): int) == ($struct_get(($struct_loc($old_self, 0): int)): int); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 165 + // inhale ($struct_get($struct_loc($old_self, 5)): Bool) ==> + // ($struct_get($struct_loc(self, 5)): Bool) -- testsresourcesexamplesauction.vy.vpr@1585.3--1585.102 + if (($struct_get(($struct_loc($old_self, 5): int)): bool)) { + assume ($struct_get(($struct_loc(self, 5): int)): bool); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 166 + // inhale !($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) + + // ($struct_get($struct_loc(self, 4)): Int) <= + // ($struct_get($struct_loc(self, 7)): Int) -- testsresourcesexamplesauction.vy.vpr@1586.3--1586.212 + if (!($struct_get(($struct_loc(self, 5): int)): bool)) { + assume ($map_sum(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int)): int) + ($struct_get(($struct_loc(self, 4): int)): int) <= ($struct_get(($struct_loc(self, 7): int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 167 + // inhale !($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) + + // ($struct_get($struct_loc(self, 4)): Int) == + // ($map_sum(($struct_get($struct_loc(self, 11)): $Map[Int, Int])): Int) - + // ($map_sum(($struct_get($struct_loc(self, 10)): $Map[Int, Int])): Int) -- testsresourcesexamplesauction.vy.vpr@1587.3--1587.313 + if (!($struct_get(($struct_loc(self, 5): int)): bool)) { + assume ($map_sum(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int)): int) + ($struct_get(($struct_loc(self, 4): int)): int) == ($map_sum(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int)): int) - ($map_sum(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 168 + // inhale ($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) <= + // ($struct_get($struct_loc(self, 7)): Int) -- testsresourcesexamplesauction.vy.vpr@1588.3--1588.168 + if (($struct_get(($struct_loc(self, 5): int)): bool)) { + assume ($map_sum(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int)): int) <= ($struct_get(($struct_loc(self, 7): int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 169 + // inhale ($struct_get($struct_loc(self, 4)): Int) >= + // ($struct_get($struct_loc($old_self, 4)): Int) -- testsresourcesexamplesauction.vy.vpr@1589.3--1589.99 + assume ($struct_get(($struct_loc(self, 4): int)): int) >= ($struct_get(($struct_loc($old_self, 4): int)): int); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 170 + // inhale ($struct_get($struct_loc($old_self, 5)): Bool) ==> + // ($struct_get($struct_loc(self, 4)): Int) == + // ($struct_get($struct_loc($old_self, 4)): Int) && + // ($struct_get($struct_loc(self, 3)): Int) == + // ($struct_get($struct_loc($old_self, 3)): Int) -- testsresourcesexamplesauction.vy.vpr@1590.3--1590.243 + if (($struct_get(($struct_loc($old_self, 5): int)): bool)) { + assume ($struct_get(($struct_loc(self, 4): int)): int) == ($struct_get(($struct_loc($old_self, 4): int)): int); + assume ($struct_get(($struct_loc(self, 3): int)): int) == ($struct_get(($struct_loc($old_self, 3): int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 171 + // inhale ($struct_get($struct_loc(self, 0)): Int) != 0 -- testsresourcesexamplesauction.vy.vpr@1591.3--1591.55 + assume ($struct_get(($struct_loc(self, 0): int)): int) != 0; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 172 + // inhale ($struct_get($struct_loc(self, 3)): Int) != + // ($struct_get($struct_loc(self, 0)): Int) -- testsresourcesexamplesauction.vy.vpr@1592.3--1592.94 + assume ($struct_get(($struct_loc(self, 3): int)): int) != ($struct_get(($struct_loc(self, 0): int)): int); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 173 + // inhale ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 0)): Int)): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@1593.3--1593.125 + assume ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 0): int)): int)): int) == 0; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 174 + // inhale !($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 0)): Int)): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@1594.3--1594.173 + if (!($struct_get(($struct_loc(self, 5): int)): bool)) { + assume ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 0): int)): int)): int) == 0; + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 175 + // inhale ($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 0)): Int)): Int) == + // ($struct_get($struct_loc(self, 4)): Int) -- testsresourcesexamplesauction.vy.vpr@1595.3--1595.211 + if (($struct_get(($struct_loc(self, 5): int)): bool)) { + assume ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 0): int)): int)): int) == ($struct_get(($struct_loc(self, 4): int)): int); + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 176 + // inhale ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 3)): Int)): Int) + + // ($struct_get($struct_loc(self, 4)): Int) + + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 3)): Int)): Int) == + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 3)): Int)): Int) -- testsresourcesexamplesauction.vy.vpr@1596.3--1596.392 + assume ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 3): int)): int)): int) + ($struct_get(($struct_loc(self, 4): int)): int) + ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 3): int)): int)): int) == ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 3): int)): int)): int); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 177 + // inhale (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // q$a != ($struct_get($struct_loc(self, 3)): Int) && + // q$a != ($struct_get($struct_loc(self, 0)): Int) ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) + + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) == + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int)) -- testsresourcesexamplesauction.vy.vpr@1597.3--1597.514 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> q$a != ($struct_get($struct_loc(self, 3)): Int) && q$a != ($struct_get($struct_loc(self, 0)): Int) ==> ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) + ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) == ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int)) + if (*) { + assume false; + } + assume (forall q$a_21: int :: + { ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_21): int) } + 0 <= q$a_21 && q$a_21 <= 1461501637330902918203684832716283019655932542975 ==> q$a_21 != ($struct_get(($struct_loc(self, 3): int)): int) && q$a_21 != ($struct_get(($struct_loc(self, 0): int)): int) ==> ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), q$a_21): int) + ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_21): int) == ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_21): int) + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 178 + // inhale ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), 0): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@1598.3--1598.87 + assume ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), 0): int) == 0; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 179 + // inhale (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) != + // 0 ==> + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) != + // 0) -- testsresourcesexamplesauction.vy.vpr@1599.3--1599.344 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) != 0 ==> ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) != 0) + if (*) { + assume false; + } + assume (forall q$a_23: int :: + { ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_23): int) } + 0 <= q$a_23 && q$a_23 <= 1461501637330902918203684832716283019655932542975 ==> ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_23): int) != 0 ==> ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_23): int) != 0 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 180 + // inhale (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // q$a != ($struct_get($struct_loc(self, 0)): Int) && + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) == + // 0 ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) == + // 0) -- testsresourcesexamplesauction.vy.vpr@1600.3--1600.397 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> q$a != ($struct_get($struct_loc(self, 0)): Int) && ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) == 0 ==> ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) == 0) + if (*) { + assume false; + } + assume (forall q$a_25: int :: + { ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_25): int) } + 0 <= q$a_25 && q$a_25 <= 1461501637330902918203684832716283019655932542975 ==> q$a_25 != ($struct_get(($struct_loc(self, 0): int)): int) && ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_25): int) == 0 ==> ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), q$a_25): int) == 0 + ); + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 181 + // inhale (forall q$a: Int, q$v: Int :: + // { $accessible$withdraw(18, q$a, q$v) } + // 0 <= q$a && + // (q$a <= 1461501637330902918203684832716283019655932542975 && + // (0 <= q$v && + // q$v <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935)) ==> + // q$v == + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) ==> + // true) -- testsresourcesexamplesauction.vy.vpr@1601.3--1601.345 + + // -- Check definedness of (forall q$a: Int, q$v: Int :: { $accessible$withdraw(18, q$a, q$v) } 0 <= q$a && (q$a <= 1461501637330902918203684832716283019655932542975 && (0 <= q$v && q$v <= 115792089237316195423570985008687907853269984665640564039457584007913129639935)) ==> q$v == ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) ==> true) + if (*) { + assume false; + } + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: if (l$no_reentrant_call) -- testsresourcesexamplesauction.vy.vpr@1602.3--1606.4 + if (l$no_reentrant_call) { + + // -- Translating statement: // id = 182 + // self := $old_self -- testsresourcesexamplesauction.vy.vpr@1604.5--1604.22 + self := $old_self; + assume state(Heap, Mask); + + // -- Translating statement: // id = 183 + // $contracts := $old_$contracts -- testsresourcesexamplesauction.vy.vpr@1605.5--1605.34 + $contracts := $old_$contracts; + assume state(Heap, Mask); + } else { + + // -- Translating statement: // id = 184 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 185 + // $old_$contracts := $contracts -- testsresourcesexamplesauction.vy.vpr@1608.3--1608.32 + $old_$contracts := $contracts; + assume state(Heap, Mask); + + // -- Translating statement: // id = 186 + // $contracts := l$havoc$4 -- testsresourcesexamplesauction.vy.vpr@1610.3--1610.26 + $contracts := l$havoc$4; + assume state(Heap, Mask); + + // -- Translating statement: // id = 187 + // $old_$contracts := i0$$pre_$contracts -- testsresourcesexamplesauction.vy.vpr@1612.3--1612.40 + $old_$contracts := i0$$pre_$contracts; + assume state(Heap, Mask); + + // -- Translating statement: // id = 188 + // $old_$contracts := $contracts -- testsresourcesexamplesauction.vy.vpr@1614.3--1614.32 + $old_$contracts := $contracts; + assume state(Heap, Mask); + + // -- Translating statement: // id = 189 + // $contracts := l$havoc$5 -- testsresourcesexamplesauction.vy.vpr@1616.3--1616.26 + $contracts := l$havoc$5; + assume state(Heap, Mask); + + // -- Translating statement: // id = 190 + // $old_$contracts := i0$$pre_$contracts -- testsresourcesexamplesauction.vy.vpr@1618.3--1618.40 + $old_$contracts := i0$$pre_$contracts; + assume state(Heap, Mask); + + // -- Translating statement: // id = 191 + // $old_self := self -- testsresourcesexamplesauction.vy.vpr@1620.3--1620.20 + $old_self := self; + assume state(Heap, Mask); + + // -- Translating statement: // id = 192 + // $old_$contracts := $contracts -- testsresourcesexamplesauction.vy.vpr@1621.3--1621.32 + $old_$contracts := $contracts; + assume state(Heap, Mask); + + // -- Translating statement: // id = 193 + // label return -- testsresourcesexamplesauction.vy.vpr@1622.3--1622.15 + vreturn: + LabelreturnMask := Mask; + LabelreturnHeap := Heap; + return_lblGuard := true; + assume state(Heap, Mask); + + // -- Translating statement: if ($out_of_gas) -- testsresourcesexamplesauction.vy.vpr@1623.3--1625.4 + if ($out_of_gas) { + + // -- Translating statement: // id = 194 + // goto revert -- testsresourcesexamplesauction.vy.vpr@1624.5--1624.16 + goto revert; + assume state(Heap, Mask); + } else { + + // -- Translating statement: // id = 195 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 196 + // goto end -- testsresourcesexamplesauction.vy.vpr@1626.3--1626.11 + goto end; + assume state(Heap, Mask); + + // -- Translating statement: // id = 197 + // label revert -- testsresourcesexamplesauction.vy.vpr@1627.3--1627.15 + revert: + LabelrevertMask := Mask; + LabelrevertHeap := Heap; + revert_lblGuard := true; + assume state(Heap, Mask); + + // -- Translating statement: // id = 198 + // $succ := false -- testsresourcesexamplesauction.vy.vpr@1628.3--1628.17 + $succ := false; + assume state(Heap, Mask); + + // -- Translating statement: // id = 199 + // self := $pre_self -- testsresourcesexamplesauction.vy.vpr@1630.3--1630.20 + self := $pre_self; + assume state(Heap, Mask); + + // -- Translating statement: // id = 200 + // $contracts := $pre_$contracts -- testsresourcesexamplesauction.vy.vpr@1631.3--1631.32 + $contracts := $pre_$contracts; + assume state(Heap, Mask); + + // -- Translating statement: // id = 201 + // $old_self := $pre_self -- testsresourcesexamplesauction.vy.vpr@1633.3--1633.25 + $old_self := $pre_self; + assume state(Heap, Mask); + + // -- Translating statement: // id = 202 + // $old_$contracts := $pre_$contracts -- testsresourcesexamplesauction.vy.vpr@1634.3--1634.37 + $old_$contracts := $pre_$contracts; + assume state(Heap, Mask); + + // -- Translating statement: // id = 203 + // label end -- testsresourcesexamplesauction.vy.vpr@1635.3--1635.12 + end: + LabelendMask := Mask; + LabelendHeap := Heap; + end_lblGuard := true; + assume state(Heap, Mask); + + // -- Translating statement: // id = 204 + // exhale !($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc(self, 10)): $Map[Int, Int])): Int) == + // ($map_sum(($struct_get($struct_loc($pre_self, 10)): $Map[Int, Int])): Int) -- testsresourcesexamplesauction.vy.vpr@1637.3--1637.204 + if (!($struct_get(($struct_loc(self, 5): int)): bool)) { + assert {:msg " Exhale might fail. Assertion ($map_sum(($struct_get($struct_loc(self, 10)): $Map[Int, Int])): Int) == ($map_sum(($struct_get($struct_loc($pre_self, 10)): $Map[Int, Int])): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1637.10--1637.204) [364]"} + ($map_sum(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int)): int) == ($map_sum(($struct_get(($struct_loc($pre_self, 10): int)): $MapDomainType int int)): int); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 205 + // assert $succ && + // (($struct_get($struct_loc(msg, 1)): Int) > + // ($struct_get($struct_loc($pre_self, 4)): Int) && + // ($struct_get($struct_loc(self, 3)): Int) != 0) ==> + // ($struct_get($struct_loc(msg, 0)): Int) == + // ($struct_get($struct_loc(self, 3)): Int) -- testsresourcesexamplesauction.vy.vpr@1638.3--1638.243 + if ($succ && (($struct_get(($struct_loc(msg, 1): int)): int) > ($struct_get(($struct_loc($pre_self, 4): int)): int) && ($struct_get(($struct_loc(self, 3): int)): int) != 0)) { + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(msg, 0)): Int) == ($struct_get($struct_loc(self, 3)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1638.10--1638.243) [365]"} + ($struct_get(($struct_loc(msg, 0): int)): int) == ($struct_get(($struct_loc(self, 3): int)): int); + } + assume state(Heap, Mask); + + // -- Translating statement: if ($succ) -- testsresourcesexamplesauction.vy.vpr@1640.3--1642.4 + if ($succ) { + + // -- Translating statement: // id = 206 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + } else { + + // -- Translating statement: // id = 207 + // // LoopDummyStmtInfo() + // inhale true -- + assume state(Heap, Mask); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 208 + // inhale l$havoc$6 >= 0 -- testsresourcesexamplesauction.vy.vpr@1643.3--1643.24 + assume l$havoc$6 >= 0; + assume state(Heap, Mask); + assume state(Heap, Mask); + + // -- Translating statement: // id = 209 + // self := ($struct_set(self, 7, ($struct_get($struct_loc(self, 7)): Int) + + // l$havoc$6): $Struct) -- testsresourcesexamplesauction.vy.vpr@1644.3--1644.96 + self := ($struct_set(self, 7, ($struct_get(($struct_loc(self, 7): int)): int) + l$havoc$6): $StructDomainType); + assume state(Heap, Mask); + + // -- Translating statement: // id = 210 + // $contracts := l$havoc$7 -- testsresourcesexamplesauction.vy.vpr@1646.3--1646.26 + $contracts := l$havoc$7; + assume state(Heap, Mask); + + // -- Translating statement: // id = 211 + // assert ($struct_get($struct_loc(self, 3)): Int) == 0 ==> + // ($struct_get($struct_loc(self, 4)): Int) == 0 -- testsresourcesexamplesauction.vy.vpr@1648.3--1648.105 + if (($struct_get(($struct_loc(self, 3): int)): int) == 0) { + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 4)): Int) == 0 might not hold. (testsresourcesexamplesauction.vy.vpr@1648.10--1648.105) [366]"} + ($struct_get(($struct_loc(self, 4): int)): int) == 0; + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 212 + // assert ($struct_get($struct_loc(self, 0)): Int) == + // ($struct_get($struct_loc($old_self, 0)): Int) -- testsresourcesexamplesauction.vy.vpr@1649.3--1649.99 + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 0)): Int) == ($struct_get($struct_loc($old_self, 0)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1649.10--1649.99) [367]"} + ($struct_get(($struct_loc(self, 0): int)): int) == ($struct_get(($struct_loc($old_self, 0): int)): int); + assume state(Heap, Mask); + + // -- Translating statement: // id = 213 + // assert ($struct_get($struct_loc($old_self, 5)): Bool) ==> + // ($struct_get($struct_loc(self, 5)): Bool) -- testsresourcesexamplesauction.vy.vpr@1650.3--1650.102 + if (($struct_get(($struct_loc($old_self, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 5)): Bool) might not hold. (testsresourcesexamplesauction.vy.vpr@1650.10--1650.102) [368]"} + ($struct_get(($struct_loc(self, 5): int)): bool); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 214 + // assert !($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) + + // ($struct_get($struct_loc(self, 4)): Int) <= + // ($struct_get($struct_loc(self, 7)): Int) -- testsresourcesexamplesauction.vy.vpr@1651.3--1651.212 + if (!($struct_get(($struct_loc(self, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) + ($struct_get($struct_loc(self, 4)): Int) <= ($struct_get($struct_loc(self, 7)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1651.10--1651.212) [369]"} + ($map_sum(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int)): int) + ($struct_get(($struct_loc(self, 4): int)): int) <= ($struct_get(($struct_loc(self, 7): int)): int); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 215 + // assert !($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) + + // ($struct_get($struct_loc(self, 4)): Int) == + // ($map_sum(($struct_get($struct_loc(self, 11)): $Map[Int, Int])): Int) - + // ($map_sum(($struct_get($struct_loc(self, 10)): $Map[Int, Int])): Int) -- testsresourcesexamplesauction.vy.vpr@1652.3--1652.313 + if (!($struct_get(($struct_loc(self, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) + ($struct_get($struct_loc(self, 4)): Int) == ($map_sum(($struct_get($struct_loc(self, 11)): $Map[Int, Int])): Int) - ($map_sum(($struct_get($struct_loc(self, 10)): $Map[Int, Int])): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1652.10--1652.313) [370]"} + ($map_sum(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int)): int) + ($struct_get(($struct_loc(self, 4): int)): int) == ($map_sum(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int)): int) - ($map_sum(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int)): int); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 216 + // assert ($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) <= + // ($struct_get($struct_loc(self, 7)): Int) -- testsresourcesexamplesauction.vy.vpr@1653.3--1653.168 + if (($struct_get(($struct_loc(self, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($map_sum(($struct_get($struct_loc(self, 6)): $Map[Int, Int])): Int) <= ($struct_get($struct_loc(self, 7)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1653.10--1653.168) [371]"} + ($map_sum(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int)): int) <= ($struct_get(($struct_loc(self, 7): int)): int); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 217 + // assert ($struct_get($struct_loc(self, 4)): Int) >= + // ($struct_get($struct_loc($old_self, 4)): Int) -- testsresourcesexamplesauction.vy.vpr@1654.3--1654.99 + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 4)): Int) >= ($struct_get($struct_loc($old_self, 4)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1654.10--1654.99) [372]"} + ($struct_get(($struct_loc(self, 4): int)): int) >= ($struct_get(($struct_loc($old_self, 4): int)): int); + assume state(Heap, Mask); + + // -- Translating statement: // id = 218 + // assert ($struct_get($struct_loc($old_self, 5)): Bool) ==> + // ($struct_get($struct_loc(self, 4)): Int) == + // ($struct_get($struct_loc($old_self, 4)): Int) && + // ($struct_get($struct_loc(self, 3)): Int) == + // ($struct_get($struct_loc($old_self, 3)): Int) -- testsresourcesexamplesauction.vy.vpr@1655.3--1655.243 + if (($struct_get(($struct_loc($old_self, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 4)): Int) == ($struct_get($struct_loc($old_self, 4)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1655.10--1655.243) [373]"} + ($struct_get(($struct_loc(self, 4): int)): int) == ($struct_get(($struct_loc($old_self, 4): int)): int); + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 3)): Int) == ($struct_get($struct_loc($old_self, 3)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1655.10--1655.243) [374]"} + ($struct_get(($struct_loc(self, 3): int)): int) == ($struct_get(($struct_loc($old_self, 3): int)): int); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 219 + // assert ($struct_get($struct_loc(self, 0)): Int) != 0 -- testsresourcesexamplesauction.vy.vpr@1656.3--1656.55 + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 0)): Int) != 0 might not hold. (testsresourcesexamplesauction.vy.vpr@1656.10--1656.55) [375]"} + ($struct_get(($struct_loc(self, 0): int)): int) != 0; + assume state(Heap, Mask); + + // -- Translating statement: // id = 220 + // assert ($struct_get($struct_loc(self, 3)): Int) != + // ($struct_get($struct_loc(self, 0)): Int) -- testsresourcesexamplesauction.vy.vpr@1657.3--1657.94 + assert {:msg " Assert might fail. Assertion ($struct_get($struct_loc(self, 3)): Int) != ($struct_get($struct_loc(self, 0)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1657.10--1657.94) [376]"} + ($struct_get(($struct_loc(self, 3): int)): int) != ($struct_get(($struct_loc(self, 0): int)): int); + assume state(Heap, Mask); + + // -- Translating statement: // id = 221 + // assert ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 0)): Int)): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@1658.3--1658.125 + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), ($struct_get($struct_loc(self, 0)): Int)): Int) == 0 might not hold. (testsresourcesexamplesauction.vy.vpr@1658.10--1658.125) [377]"} + ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 0): int)): int)): int) == 0; + assume state(Heap, Mask); + + // -- Translating statement: // id = 222 + // assert !($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 0)): Int)): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@1659.3--1659.173 + if (!($struct_get(($struct_loc(self, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, 0)): Int)): Int) == 0 might not hold. (testsresourcesexamplesauction.vy.vpr@1659.10--1659.173) [378]"} + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 0): int)): int)): int) == 0; + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 223 + // assert ($struct_get($struct_loc(self, 5)): Bool) ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 0)): Int)): Int) == + // ($struct_get($struct_loc(self, 4)): Int) -- testsresourcesexamplesauction.vy.vpr@1660.3--1660.211 + if (($struct_get(($struct_loc(self, 5): int)): bool)) { + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, 0)): Int)): Int) == ($struct_get($struct_loc(self, 4)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1660.10--1660.211) [379]"} + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 0): int)): int)): int) == ($struct_get(($struct_loc(self, 4): int)): int); + } + assume state(Heap, Mask); + + // -- Translating statement: // id = 224 + // assert ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 3)): Int)): Int) + + // ($struct_get($struct_loc(self, 4)): Int) + + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 3)): Int)): Int) == + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), ($struct_get($struct_loc(self, + // 3)): Int)): Int) -- testsresourcesexamplesauction.vy.vpr@1661.3--1661.392 + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), ($struct_get($struct_loc(self, 3)): Int)): Int) + ($struct_get($struct_loc(self, 4)): Int) + ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), ($struct_get($struct_loc(self, 3)): Int)): Int) == ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), ($struct_get($struct_loc(self, 3)): Int)): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1661.10--1661.392) [380]"} + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 3): int)): int)): int) + ($struct_get(($struct_loc(self, 4): int)): int) + ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 3): int)): int)): int) == ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), ($struct_get(($struct_loc(self, 3): int)): int)): int); + assume state(Heap, Mask); + + // -- Translating statement: // id = 225 + // assert (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // q$a != ($struct_get($struct_loc(self, 3)): Int) && + // q$a != ($struct_get($struct_loc(self, 0)): Int) ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) + + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) == + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int)) -- testsresourcesexamplesauction.vy.vpr@1662.3--1662.514 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> q$a != ($struct_get($struct_loc(self, 3)): Int) && q$a != ($struct_get($struct_loc(self, 0)): Int) ==> ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) + ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) == ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int)) + if (*) { + assume false; + } + if (*) { + if (0 <= q$a_29 && q$a_29 <= 1461501637330902918203684832716283019655932542975) { + if (q$a_29 != ($struct_get(($struct_loc(self, 3): int)): int) && q$a_29 != ($struct_get(($struct_loc(self, 0): int)): int)) { + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) + ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) == ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) might not hold. (testsresourcesexamplesauction.vy.vpr@1662.11--1662.513) [381]"} + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), q$a_29): int) + ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_29): int) == ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_29): int); + } + } + assume false; + } + assume (forall q$a_30_1: int :: + { ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_30_1): int) } + 0 <= q$a_30_1 && q$a_30_1 <= 1461501637330902918203684832716283019655932542975 ==> q$a_30_1 != ($struct_get(($struct_loc(self, 3): int)): int) && q$a_30_1 != ($struct_get(($struct_loc(self, 0): int)): int) ==> ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), q$a_30_1): int) + ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_30_1): int) == ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_30_1): int) + ); + assume state(Heap, Mask); + + // -- Translating statement: // id = 226 + // assert ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), 0): Int) == + // 0 -- testsresourcesexamplesauction.vy.vpr@1663.3--1663.87 + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), 0): Int) == 0 might not hold. (testsresourcesexamplesauction.vy.vpr@1663.10--1663.87) [382]"} + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), 0): int) == 0; + assume state(Heap, Mask); + + // -- Translating statement: // id = 227 + // assert (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) != + // 0 ==> + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) != + // 0) -- testsresourcesexamplesauction.vy.vpr@1664.3--1664.344 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) != 0 ==> ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) != 0) + if (*) { + assume false; + } + if (*) { + if (0 <= q$a_32 && q$a_32 <= 1461501637330902918203684832716283019655932542975) { + if (($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_32): int) != 0) { + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) != 0 might not hold. (testsresourcesexamplesauction.vy.vpr@1664.11--1664.343) [383]"} + ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_32): int) != 0; + } + } + assume false; + } + assume (forall q$a_33_1: int :: + { ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_33_1): int) } + 0 <= q$a_33_1 && q$a_33_1 <= 1461501637330902918203684832716283019655932542975 ==> ($map_get(($struct_get(($struct_loc(self, 6): int)): $MapDomainType int int), q$a_33_1): int) != 0 ==> ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_33_1): int) != 0 + ); + assume state(Heap, Mask); + + // -- Translating statement: // id = 228 + // assert (forall q$a: Int :: + // { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } + // 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> + // q$a != ($struct_get($struct_loc(self, 0)): Int) && + // ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) == + // 0 ==> + // ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) == + // 0) -- testsresourcesexamplesauction.vy.vpr@1665.3--1665.397 + + // -- Check definedness of (forall q$a: Int :: { ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) } 0 <= q$a && q$a <= 1461501637330902918203684832716283019655932542975 ==> q$a != ($struct_get($struct_loc(self, 0)): Int) && ($map_get(($struct_get($struct_loc(self, 11)): $Map[Int, Int]), q$a): Int) == 0 ==> ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) == 0) + if (*) { + assume false; + } + if (*) { + if (0 <= q$a_35 && q$a_35 <= 1461501637330902918203684832716283019655932542975) { + if (q$a_35 != ($struct_get(($struct_loc(self, 0): int)): int) && ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_35): int) == 0) { + assert {:msg " Assert might fail. Assertion ($map_get(($struct_get($struct_loc(self, 10)): $Map[Int, Int]), q$a): Int) == 0 might not hold. (testsresourcesexamplesauction.vy.vpr@1665.11--1665.396) [384]"} + ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), q$a_35): int) == 0; + } + } + assume false; + } + assume (forall q$a_36_1_1: int :: + { ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_36_1_1): int) } + 0 <= q$a_36_1_1 && q$a_36_1_1 <= 1461501637330902918203684832716283019655932542975 ==> q$a_36_1_1 != ($struct_get(($struct_loc(self, 0): int)): int) && ($map_get(($struct_get(($struct_loc(self, 11): int)): $MapDomainType int int), q$a_36_1_1): int) == 0 ==> ($map_get(($struct_get(($struct_loc(self, 10): int)): $MapDomainType int int), q$a_36_1_1): int) == 0 + ); + assume state(Heap, Mask); + + // -- Translating statement: // id = 229 + // assert (forall q$a: Int, q$v: Int :: + // { $accessible$withdraw(18, q$a, q$v) } + // 0 <= q$a && + // (q$a <= 1461501637330902918203684832716283019655932542975 && + // (0 <= q$v && + // q$v <= + // 115792089237316195423570985008687907853269984665640564039457584007913129639935)) ==> + // q$v == + // ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) ==> + // true) -- testsresourcesexamplesauction.vy.vpr@1666.3--1666.345 + + // -- Check definedness of (forall q$a: Int, q$v: Int :: { $accessible$withdraw(18, q$a, q$v) } 0 <= q$a && (q$a <= 1461501637330902918203684832716283019655932542975 && (0 <= q$v && q$v <= 115792089237316195423570985008687907853269984665640564039457584007913129639935)) ==> q$v == ($map_get(($struct_get($struct_loc(self, 6)): $Map[Int, Int]), q$a): Int) ==> true) + if (*) { + assume false; + } + if (*) { + assume false; + } + assume state(Heap, Mask); +}